Is your threat modeling process automated? Because there’s a good chance MCP is doing all the work behind the scenes.

Model Context Protocol (MCP) is quickly becoming the backbone of how modern security platforms structure, analyze, and act on threat modeling data. 

But MCP is not built for security-first thinking. 

It’s fast and scalable, but it’s also vulnerable. And those vulnerabilities can be the very reason for exposed model logic, data leakage, and even silent manipulation of the threat models themselves. Think about that! Your AI says all clear, but the system is compromised from the inside.

Most teams aren’t even aware of how MCP works, let alone how attackers could exploit it. And how can you expect to defend if you don’t understand the protocol?  And if your security tooling depends on MCP, you’re betting your outcomes on something you haven’t audited.

‍

Table of Contents

• Vulnerability #1: Unauthenticated Access to Model Context Endpoints
• Vulnerability #2: Injection via Insecure Context Serialization
• Vulnerability #3: Over-Permissioned Context Tokens
• Vulnerability #4: Lack of Audit Logging and Traceability
• Vulnerability #5: Inconsistent Protocol Implementations Across Environments
• What Security Leaders Should Do Next to Secure MCP
• You’re Already Running MCP Whether You Know It or Not

‍

Vulnerability #1: Unauthenticated Access to Model Context Endpoints

A growing number of AI-augmented threat modeling systems expose Model Context Protocol (MCP) endpoints with little or no authentication. These endpoints manage sensitive architecture models, threat mappings, and mitigation logic. When access controls aren’t enforced at the protocol level, attackers can directly query or manipulate this data (no credentials needed). That opens the door to model poisoning, data leaks, and unauthorized changes that compromise the integrity of your entire threat modeling pipeline.

We’ve seen internal MCP endpoints left open because teams assumed perimeter defenses were enough. Spoiler alert: they’re not! Once inside the network, or through a misconfigured API gateway, attackers can reach these endpoints easily. From there, they can alter how risk is interpreted or escalate trust between components, all without triggering alarms.

What to ask your team

1. Are MCP endpoints protected with strong, protocol-level authentication?
2. Do we use mutual TLS or token-based auth for all model context API access?
3. Are access logs for MCP endpoints being captured and monitored?
4. Are these endpoints ever exposed in lower environments without access control?
5. Has the threat model for MCP itself been reviewed and validated?

‍

Vulnerability #2: Injection via Insecure Context Serialization

Serialized data in MCP becomes a direct path for injection attacks when it’s not properly validated. Most teams treat context objects like clean, trusted data. But if your platform deserializes input without schema checks or input sanitization, you’re giving attackers a way to insert arbitrary payloads, which leads to data manipulation, unauthorized control logic, or even remote code execution depending on the backend handling.

The real risk here is subtle corruption. Once injected, malicious data doesn’t always cause obvious breakage. It might just tweak threat definitions, bypass mitigation logic, or influence model scoring. These changes flow downstream, quietly shifting how your system identifies and prioritizes risk. If your model behavior starts drifting without explanation, this is one place to look.

What to ask your team

1. Do we enforce strict schema validation during serialization and deserialization of model context?
2. Are we sanitizing all inputs before they’re accepted into the context model?
3. Are protocol boundaries clearly defined to prevent cross-system injection?
4. Have we tested the serialization logic for injection vectors using fuzzing or other dynamic methods?
5. Do we support only safe, known serialization formats (e.g. JSON with schema validation over unsafe formats like YAML or binary)?

‍

Vulnerability #3: Over-Permissioned Context Tokens

Context tokens in MCP are supposed to grant controlled access to specific parts of the model. What’s actually happening? They’re often over-permissioned, long-lived, and completely unscoped. That means one token can access multiple model layers, modify logic, and stay active far longer than it should. Attackers love that. Grab one token, and you’ve unlocked read/write access across the threat modeling flow.

And they’re persistent. An attacker can use a single token to laterally move between components, escalate privileges, and reprogram how the model behaves without needing to reauthenticate or trigger any access checks. There’s no friction, no expiry, and no boundaries. This breaks the trust chain across the whole system and makes containment nearly impossible once the token is compromised.

What to ask your team

1. Are context tokens limited by scope and tied to specific actions or components?
2. Do tokens expire quickly, and are refresh tokens handled securely?
3. Can we revoke tokens in real time across services?
4. Are tokens audited and tracked for anomalies like unusual access patterns or long-term usage?
5. Is token creation gated by role-based or attribute-based access controls?

‍

Vulnerability #4: Lack of Audit Logging and Traceability

Most MCP implementations have no audit trail and no visibility into who accessed what, when, or why. Threat actors can manipulate model context, inject malicious changes, or escalate privileges without leaving a trace. No logs means no accountability. No traceability means no incident response. You’re operating without evidence.

This is a control failure. Without trace-level logging baked into every MCP interaction point, you’re handing attackers a free pass to stay invisible. And without SIEM integration, even the logs you do have might as well not exist. There’s no reason a protocol central to your AI-driven security stack should be exempt from enterprise-grade observability.

What to ask your team

1. Are all MCP interactions logged with timestamps, user/service identity, and context changes?
2. Can we trace a full chain of context updates across systems or services?
3. Are logs immutable and tamper-resistant?
4. Is our SIEM ingesting MCP logs in real time?
5. Can we detect unusual or unauthorized changes to model context using alerting rules or anomaly detection?

‍

Vulnerability #5: Inconsistent Protocol Implementations Across Environments

Staging says everything’s fine. Production blows up. And it’s because MCP isn’t running the same way across environments. Behavior changes between dev, test, and prod, and that’s where serialization rules, input handling, even access controls occur. These inconsistencies let bugs sneak into production that were never visible during testing.

Protocol-level drift makes your assumptions worthless. A malformed context input might get rejected in development but trigger undefined behavior in production. Without strict parity, you can’t reliably test edge cases or enforce safe defaults. Teams shipping code into environments with protocol mismatches are setting themselves up for silent failures and high-risk misfires.

What to ask your team

1. Are development, staging, and production running the exact same MCP version and configuration?
2. Do we test malformed and fuzzed context inputs across all environments?
3. Are protocol behaviors and responses validated with automated tests?
4. Can we flag or block protocol deviations during CI/CD?
5. Is there a formal process to sync and version control all MCP deployments?

‍

What Security Leaders Should Do Next to Secure MCP

1. Ask your team if MCP is part of your attack surface. Don’t assume it’s handled. Get a clear answer. If MCP is in use anywhere in your stack, it needs to be treated like any other externally reachable protocol.
2. Validate if controls for these five areas are currently in place. Run a quick review with your AppSec or product security leads. You’re looking for gaps in auth, input handling, token scope, logging, and environment parity.
3. Include MCP in your threat modeling and pentest scopes moving forward. MCP shouldn’t sit outside your formal security assessments. Make it a standard part of threat modeling exercises and red team scenarios.
4. Push for secure-by-default implementations from vendors and platforms using MCP. Ask your vendors what guardrails they’ve built in, and push back if the defaults are wide open. Any protocol-level integration should come hardened out of the box.

‍

You’re Already Running MCP Whether You Know It or Not

AI-powered systems are already deployed, integrated, and making decisions inside your enterprise. And MCP is often the glue holding that automation together. But most teams haven’t even considered that it could be a problem.

Protocol-level risks like unauthenticated access, token overreach, and context manipulation are real, active issues in production environments. So if you’re serious about securing AI, you need to move upstream before these problems hit your incident queue.

What if we show you what’s actually working in the field and where teams are still getting burned? Join our webinar AI Agent Security: The Good, The Bad, and The Ugly on May 8 at 9 AM PST. We’ll break down where most teams are falling short and how to fix it.