Resume
AI Security
WiCyS 2026
Red Teaming

Build, Break, Defend: Securing MCP

Workshop Presenters

Shruti Datta Gupta & Spandana Gorantla (Adobe)

Status

Completed

01 // Workshop Overview

The Model Context Protocol (MCP) is a new open standard that allows LLMs to dynamically discover and use tools and resources from local or remote servers.

By decoupling the tools from the model host, MCP enables a modular "plug-and-play" architecture for AI agents. However, this shifts traditional security assumptions about the trust boundaries between a model and its external capabilities.

Why it changes everything:

  • Models now act as dynamic orchestration engines.
  • Attack surfaces move from static prompts to dynamic tool descriptions.
  • Trust is delegated to ephemeral server connections.

MCP Architecture Flow

HOST (e.g. Claude Desktop)
MCP CLIENT
MCP SERVER (Tools/Resources)
EXTERNAL APIs / DATA

02 // Build Phase

We implemented a local MCP server using FastMCP for Python. The server integrated with the Google Places and Ticketmaster APIs to provide real-time local search and event discovery capabilities.

$mcp inspector server.py
[MCP] Server running on stdio [MCP] Registered tools: find_restaurants, find_events, check_vegetarian_options [MCP] Inspector active at http://localhost:5173

03 // Break Phase

The red teaming phase challenged us to exploit the server using prompt injection and data poisoning techniques.

Challenge 3
Looks Legit To Me

Concept

Metadata Poisoning: Injecting hidden instructions into tool descriptions to manipulate model behavior.

Captured Flag

CTF{p01s0n_1n_th3_m3t4d4t4}

Lesson Learned

"Tool descriptions are part of the context window; they are executable guidance for the LLM."

Challenge 4
Name Your Poison

Concept

Tool Impersonation: Exploiting weak trust boundaries by creating tools with deceptive names.

Captured Flag

CTF{n4m3_m4tch1ng_1s_n0t_4_trust_bound4ry}

Lesson Learned

"Tool selection routing can be easily confused by name collisions and similarity."

Challenge 5
Behind The Curtain

Concept

Structured Parameter Injection: Using JSON/structured fields to pass hidden configuration parsing directives.

Captured Flag

CTF{b3h1nd_th3_curt41n_d1r3ct1v3s}

Lesson Learned

"Even structured inputs can become instructions if not properly sanitized before model consumption."

Challenge 6
Forward Thinking

Concept

Tool Chaining Abuse: Orchestrating multiple 'safe' tools to create a data exfiltration workflow.

Captured Flag

CTF{f0rw4rd_th3_rep0rt_ch41n_1t}

Lesson Learned

"Security must be evaluated at the workflow level, not just at the individual tool level."

04 // Defend Phase

Applied Threat Modeling

We applied the STRIDE framework to analyze trust boundaries between the Host and the MCP Server.

S
SpoofingStable Tool Identities
T
TamperingMetadata Validation
R
RepudiationAudit Logging
I
Information DisclosureLeast Privilege Scopes
D
DoSRate Limiting
E
Elevation of PrivilegeTool Allowlists

Defense Checklist

  • 01.Implement strict Tool Allowlists to prevent rogue tool discovery.
  • 02.Sanitize and validate Metadata as if it were user-generated content.
  • 03.Enforce Least Privilege for API credentials used by MCP tools.
  • 04.Define Chaining Policies to prevent automated exfiltration loops.

Key Takeaways

"MCP turns LLMs into orchestration engines. Security shifts from checking 'what the model says' to 'what the model is allowed to trigger'."
  • Prompt injection extends beyond plain text into metadata.
  • AI systems require intentional security architecture, not just post-hoc filters.

© 2026 Anagha Shyama Prakash • Research & Case Study Archive