{"id":340593,"date":"2025-06-13T05:00:38","date_gmt":"2025-06-13T12:00:38","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=340593"},"modified":"2025-08-14T10:41:17","modified_gmt":"2025-08-14T17:41:17","slug":"cloud-security-model-context-protocol-mcp-security","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2025\/06\/cloud-security-model-context-protocol-mcp-security\/","title":{"rendered":"The New AI Attack Surface \u2014 How Cortex Cloud Secures MCP"},"content":{"rendered":"<p>With remarkable momentum behind its adoption, the Model Context Protocol (MCP) is quickly becoming the de facto interface for connecting large language models (LLMs) to tools, APIs, databases and other services. Think of it as the USB-C of AI development \u2013 an elegant, standardized bridge that enables dynamic interaction between AI models and external environments. Major AI platforms, like ChatGPT, Gemini and Claude, already rely on it. (MCP is in fact <a href=\"https:\/\/www.anthropic.com\/news\/model-context-protocol\" rel=\"nofollow,noopener\" >Anthropic's creation<\/a>, a solution designed for Claude Desktop).<\/p>\n<p>Like anything, though, as MCP adoption accelerates, so does the risk. Because MCP connects models to powerful systems and sensitive data in real time, it creates new attack surfaces that conventional security tools weren\u2019t designed to handle.<\/p>\n<p>To meet this challenge, we\u2019ve built MCP Security to safeguard AI communications at their source.<\/p>\n<h2>MCP \u2014 An Operational Framework<\/h2>\n<p>The Model Context Protocol follows a client-server architecture that defines how AI applications communicate with tools, services and data sources in real time. It\u2019s not just a bridge; it\u2019s an operational framework that allows LLMs to interact with external environments in structured, context-rich ways.<\/p>\n<p>MCP deployments typically include the following components:<\/p>\n<ul>\n<li><strong>MCP Hosts \u2013<\/strong> Applications, such as Claude Desktop, IDEs or AI assistants, that initiate data access through MCP.<\/li>\n<li><strong>MCP Clients \u2013<\/strong> Components that manage and maintain persistent connections to servers.<\/li>\n<li><strong>MCP Servers \u2013<\/strong> Lightweight services that expose capabilities through the standardized protocol.<\/li>\n<li><strong>Local Data Sources \u2013<\/strong> Files, databases and services that MCP servers can access within the local environment.<\/li>\n<li><strong>Remote Services \u2013<\/strong> External APIs and internet-connected systems reachable through the protocol.<\/li>\n<\/ul>\n<p>Unlike traditional APIs, MCP supports complex context structures. Applications can:<\/p>\n<ul>\n<li>Pass rich, structured information with each request.<\/li>\n<li>Expose live data and content to LLMs as \u201cResources.\u201d<\/li>\n<li>Reuse prompt templates called \u201cPrompts.\u201d<\/li>\n<li>Enable models to take defined actions through \u201cTools.\u201d<\/li>\n<li>Request completions through a mechanism called \u201cSampling.\u201d<\/li>\n<\/ul>\n<figure id=\"attachment_340607\" aria-describedby=\"caption-attachment-340607\" style=\"width: 1266px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"1266\"><span class=\"ar-custom\" style=\"padding-bottom:53.48%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-340607 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1.png\" alt=\"The traditional approach to AI applications and the MCP approach to AI applications.\" width=\"1266\" height=\"677\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1.png 1266w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-230x123.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-500x267.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-768x411.png 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-510x273.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-75x40.png 75w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/word-image-340593-1-561x300.png 561w\" sizes=\"auto, (max-width: 1266px) 100vw, 1266px\" \/><\/span><\/div><figcaption id=\"caption-attachment-340607\" class=\"wp-caption-text\">MCP creates a standardized bridge between AI application and external services.<\/figcaption><\/figure>\n<p>MCP's architecture is designed for the kind of flexible, dynamic integrations that next-generation AI applications require. While adoption is still in early stages, the protocol's potential impact on how AI systems access external resources makes it worth security teams' attention.<\/p>\n<h2><a id=\"post-340593-_8o13icu0wgqv\"><\/a>The Emerging MCP Attack Surface<\/h2>\n<p>MCP enables AI applications to access the same tools and data that human users rely on \u2013 email systems, customer databases, file shares and internal APIs. While this creates powerful capabilities, it also means that AI applications inherit the same access privileges as their users.<\/p>\n<p>Consider common use cases. An AI assistant helping with customer support might need read access to CRM data, or a development copilot might access code repositories and deployment tools. These aren't necessarily \u201csensitive systems\u201d by design, but they contain business-critical information that requires protection, which creates new security considerations. When AI models can dynamically access multiple systems through MCP, several risk categories emerge.<\/p>\n<h3><a id=\"post-340593-_erjyt8pxhs2j\"><\/a>Protocol Design Vulnerabilities<\/h3>\n<p>Because MCP is a relatively new protocol, implementations can vary in their security approaches. For example, some MCP servers might include sensitive session information directly in web addresses where it could be logged or cached. Others might use different authentication methods that don't consistently verify who is making requests.<\/p>\n<p>Perhaps the most concerning aspect is how MCP servers don't always validate the data they receive before processing it. This means an attacker could potentially send malicious commands disguised as legitimate MCP requests \u2013 similar to how SQL injection attacks work against databases but targeting the AI communication layer.<\/p>\n<h3><a id=\"post-340593-_mu3qmaecr99t\"><\/a>Centralized Credential Risk<\/h3>\n<p>MCP servers often store access tokens for multiple systems. A single compromise can grant attackers lateral access to a wide range of services.<\/p>\n<h3><a id=\"post-340593-_42wbp5fcz2d8\"><\/a>Tool Poisoning Attacks<\/h3>\n<p>Attackers can embed hidden prompts or instructions in tool metadata. Although invisible to users, LLMs may interpret these as commands, triggering data exfiltration or unauthorized actions.<\/p>\n<h3><a id=\"post-340593-_xe8rfgeigoq7\"><\/a>Multiserver Conflicts<\/h3>\n<p>In environments with multiple MCP servers, organizations risk prompt hijacking, tool name collisions and uncoordinated server behavior that introduces unpredictable vulnerabilities.<\/p>\n<h3><a id=\"post-340593-_loxrgjll6ix\"><\/a>Implementation Level Flaws<\/h3>\n<p>Poorly implemented MCP servers often contain command injection flaws, improperly evaluate user input, or lack isolation between processes. These issues can enable privilege escalation and lateral movement.<\/p>\n<p>The bottom line? MCP changes how models interact with the broader environment, but also introduces a dynamic, high-risk surface. The security challenges are particularly concerning because MCP facilitates communication between powerful AI models and sensitive systems, potentially enabling sophisticated attack vectors that traditional security tools aren't designed to detect.<\/p>\n<h2><a id=\"post-340593-_meuwydagle11\"><\/a>MCP Security in Cortex Cloud WAAS<\/h2>\n<p>At Palo Alto Networks, we're committed to securing the technologies that drive innovation. Our new MCP Security capability in Cortex Cloud WAAS addresses the unique risks inherent to MCP communications. The feature provides two critical lines of defense.<\/p>\n<h3><a id=\"post-340593-_d5ritymo9ywk\"><\/a>1. Intelligent Protocol Validation<\/h3>\n<p>The WAAS protocol validation engine identifies and inspects MCP communications within general API traffic. It verifies structure against expected patterns, detects manipulation of protocol elements, and detects injection attempts aimed at protocol parsing. While MCP allows for implementation flexibility, the engine adapts to legitimate variations and enforces consistency across requests.<\/p>\n<h3><a id=\"post-340593-_k295kjuuovay\"><\/a>2. API-Based Attack Detection<\/h3>\n<p>WAAS also detects API-layer attacks targeting MCP endpoints. These include parameter tampering and other <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-layer-7\">Layer 7<\/a> threats. Protections align with the OWASP API Security Top 10 to prevent misuse even when requests are well formed.<\/p>\n<h2><a id=\"post-340593-_74nlbi3930hx\"><\/a>Security Recommendations for MCP Builders<\/h2>\n<p>Teams adopting or building on MCP can reduce their risks by implementing these best practices:<\/p>\n<ul>\n<li><strong>Use Strong Access Controls<\/strong> \u2013 Apply least-privilege to every MCP tool and server.<\/li>\n<li><strong>Protect Credentials<\/strong> \u2013 Avoid hardcoding credentials, rotate keys regularly and isolate secrets.<\/li>\n<li><strong>Isolate Runtime Environments<\/strong> \u2013 Run MCP servers in isolated containers or sandboxed environments to prevent lateral movement if a server is compromised.<\/li>\n<li><strong>Enable Detailed Logging<\/strong> \u2013 Capture full MCP operations logs for anomaly detection.<\/li>\n<li><strong>Validate Server Identities<\/strong> \u2013 Ensure connections go to trusted MCP implementations.<\/li>\n<li><strong>Require Confirmation for Sensitive Actions<\/strong> \u2013 Don't let the model act silently on risky requests.<\/li>\n<\/ul>\n<h2><a id=\"post-340593-_tuoufsw8ce74\"><\/a>Comprehensive AI Protection \u2014 Beyond MCP Security<\/h2>\n<p>Securing MCP communications is imperative, but organizations need a holistic approach to AI security. Cortex Cloud offers additional capabilities that complement MCP Security to provide end-to-end detection for AI applications and infrastructure:<\/p>\n<h3><a id=\"post-340593-_wjohr74bxmj0\"><\/a>AI Security Posture Management (AI-SPM)<\/h3>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cloud\/ai-security-posture-management\">Cortex Cloud AI-SPM<\/a> works alongside MCP Security to provide complete visibility and protection across your entire AI ecosystem, ensuring your teams can:<\/p>\n<ul>\n<li><strong>Discover and inventory AI models<\/strong> deployed across your cloud environments.<\/li>\n<li><strong>Assess AI-specific risks,<\/strong> including data exposure, insecure model configurations and vulnerable dependencies.<\/li>\n<li><strong>Monitor the AI supply chain<\/strong> to identify poisoned datasets or unauthorized models.<\/li>\n<li><strong>Enforce governance policies<\/strong> for responsible AI use and regulatory compliance.<\/li>\n<li><strong>Detect misconfigurations <\/strong>in AI workflows that could lead to sensitive data exposure.<\/li>\n<\/ul>\n<p>The combination of MCP Security and AI-SPM creates layers of defense, protecting how AI applications communicate via MCP and ensuring the underlying models, data and infrastructure follow security best practices.<\/p>\n<h2><a id=\"post-340593-_jra3mqpwahue\"><\/a>What This Means for AI Builders<\/h2>\n<p>The introduction of MCP Security in Cortex Cloud WAAS represents an impactful step in securing the future of AI applications. By validating MCP communications and preventing API-based attacks, organizations can:<\/p>\n<ol>\n<li><strong>Deploy AI Applications Confidently<\/strong> \u2013 Implement MCP-based solutions with the assurance that communications are secured.<\/li>\n<li><strong>Protect Sensitive Data<\/strong> \u2013 Prevent unauthorized access to resources and context information.<\/li>\n<li><strong>Maintain Model Integrity<\/strong> \u2013 Ensure LLMs receive only legitimate requests and context.<\/li>\n<li><strong>Enable Secure Innovation<\/strong> \u2013 Adopt new AI capabilities without compromising security.<\/li>\n<\/ol>\n<p>MCP Security will be available to Cortex Cloud WAAS customers at the end of May 2025. Organizations interested in using MCP Security can <a href=\"https:\/\/www.paloaltonetworks.com\/company\/contact-sales?ts=buy-now-general:contact-us\">contact<\/a> their Palo Alto Networks representative.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MCP Security in Cortex Cloud protects AI applications by securing Model Context Protocol communications and detecting API-layer threats in real time.<\/p>\n","protected":false},"author":723,"featured_media":340594,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9943],"tags":[6613,10085,10198,10178,7459],"coauthors":[7326,6869,7389],"class_list":["post-340593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-security","tag-ai","tag-cortex-cloud","tag-mcp-server","tag-real-time-security","tag-waas","cloud_sec_category-ai-security-posture-management"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2025\/06\/GettyImages-618195354-edit-scaled.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/340593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=340593"}],"version-history":[{"count":1,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/340593\/revisions"}],"predecessor-version":[{"id":340620,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/340593\/revisions\/340620"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/340594"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=340593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=340593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=340593"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=340593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}