MCP Dev Summit North America

As MCP adoption accelerates across platforms, the risks of giving LLMs tool access are growing quickly. This session explores the real threat surface of MCP systems: prompt injection, tool poisoning, unsafe permissions, supply-chain “rug pulls,” cross-tool escalation, and data-exfiltration risks that arise when agents can call arbitrary tools. Building on Microsoft's recent work hardening MCP on Windows, we outline a practical reference architecture for secure deployments: signed and verified tool manifests, unique server identities, scoped capabilities, sandboxed execution, authenticated connections, governance via registries, audit logging, and runtime anomaly detection. Attendees will leave with a blueprint for running MCP in production: what to lock down, how to operate it safely, and how enterprises can integrate MCP into existing security, IAM, and compliance frameworks. This talk equips developers, architects, and security teams to build safer agentic systems and contribute to a more secure MCP ecosystem.

MCP servers often begin as simple side projects. You build a quick integration, get a basic connection working, and show a demo. But as users begin to rely on your tool, the stakes change. In this talk, we share the lessons learned from taking multiple of MCP servers from initial Proofs of Concept to robust production standards, supporting tens of thousands of developers across open-source and enterprise environments. These are the real-world realities of treating your MCP server as a shipping product.

To implement "Zero Trust", authorization must be enforced consistently across every layer: inside the agent, in the cloud (like MCP gateways and services), and down to the database. Each layer needs its own dynamic authorization decision engine, yet those decisions must remain aligned and explainable.

As AI agents become first-class actors in enterprise systems, traditional security models start to strain. This session examines how agentic workflows challenge today’s delegation mechanisms, especially when agents act autonomously, chain operations, or cross trust boundaries. We’ll explore where OAuth works well and where it falls short.

The session argues for centralized policy management using Cedar, decoupled from application code to prevent policy drift. It will introduce emerging governance models like GovOps, which treat policies, schemas, and authorization logic as managed assets with lifecycle controls and automated compliance. Attendees will leave with a practical ideas for secure agent delegation and governing agentic systems at scale.

The discussion frame is two narratives: a 15th century myth and a 2025 Apple TV mini-series based Martha Wells' books.

The Model Context Protocol (MCP) has standardized how we connect models to data, but the security layer remains a work in progress. Currently, MCP implements authorization via standard OAuth scopes.

While this works for handling coarse-grained tool access, it presents challenges for finer grained permissions.

To solve this, we must move toward intent-based authorization—a model where agents are authorized to perform actions based on the specific context of a task, rather than a pre-approved list of capabilities.

This presentation will dissect the consequences of the current OAuth model on agent design and present ideas of how to address them. We will discuss how to implement dynamic authorization that allows agents to be helpful without being intrusive, ensuring that security scales alongside intelligence.

With EU AI Act enforcement beginning this year, teams deploying MCP need to understand what regulators will actually look for in production systems.

This talk is a practical guide for builders and IT teams deploying MCP at scale without dodging compliance. We’ll break down the concrete requirements emerging from regulation, including audit logs, traceability, access controls, and oversight mechanisms, and show how they map directly to MCP-based architectures.

We’ll cover how compliance applies across the systems MCP touches, from internal tools and data sources to the emerging MCP Apps ecosystem, where consumer-facing workflows introduce new expectations around transparency, consent, and accountability as AI increasingly mediates how brands and consumers interact.

Attendees will leave with a clear picture of what it takes to deploy MCP that works in production and holds up under regulatory scrutiny.

Shadow IT is back - but this time it's AI-powered. Employees are configuring MCP servers directly in Cursor, Claude Desktop, and VS Code, creating a blind spot that traditional security tools miss. These shadow MCPs operate outside centralized control, enabling data exfiltration, supply chain attacks, and compliance violations.

This talk exposes the shadow MCP problem and presents a comprehensive detection and response framework:

- Why shadow MCPs are uniquely dangerous (AI amplifies access, automates actions, no audit trail)
- Discovery techniques: IDE config scanning, MDM integration, network detection patterns
- Classification: distinguishing managed vs shadow servers across device fleets
- Response playbooks: triage, investigation, remediation by risk level

I'll share real vulnerability examples from official MCPs (GitHub, Asana, Supabase, Postmark) and demonstrate automated detection through IDE hooks (Cursor, Claude Code) and MDM platforms (SimpleMDM, Jamf).

Attendees will leave with practical techniques for gaining visibility into shadow MCP usage and a framework for bringing unauthorized integrations under organizational control.

Here's the thing about being a security company: you can't ship a vulnerable MCP server. For us, getting pwned isn’t just embarrassing - it gets us on the front page of Hacker News. Our customers trust us to protect them from nation-state attackers, well-funded adversaries (and the odd teenager attacking for lolz.)

At the same time, the MCP ecosystem is still maturing. Hardening standards for sophisticated attackers don't exist yet. And with high-profile supply chain attacks now targeting agents, attackers are actively exploiting the trust developers place in their toolchains. Last year, a flaw in mcp-remote turned into a remote code execution nightmare, exposing over 400,000 developers. That's the reality we're building in.


When it came to our MCP server, we built it using the same rigor we use to protect the world's largest companies. This talk covers the threat model we designed against, gaps in MCP's current design that required workarounds, and ultimately how we built an MCP server trusted by enterprise customers, and hardened against even the most novel attacks. If we can secure it here, you can secure it anywhere.

Recent advancements in agentic AI have unlocked powerful new capabilities, however, they also introduce fundamentally new security risks. In this talk, I present a system-level view of the security landscape of agentic AI, drawing on a comprehensive systematization of attacks and defenses across modern agent architectures.

I show how increasing agent flexibility along different dimensions expands attack surfaces and enables threats such as prompt injection, memory poisoning, unsafe data flows, credential leakage, and unauthorized execution. Using real-world incidents and CVE analyses, I illustrate how agents can be manipulated through external content, compromised tools, or poisoned internal components.

The talk also provides a systematic overview of end-to-end automatic red teaming and risk assessment for agentic AI systems as well as a defense-in-depth framework for building secure agentic systems, spanning runtime guardrails, access control, information-flow tracking, privilege separation, and secure-by-design architectures, helping practitioners assess risk, close security gaps, and deploy agents safely at scale.

As MCP adoption grows, teams are facing a new set of challenges: session management across fleets, policy enforcement for agents and users, and operating MCP traffic at scale.

We’ll explore how proxies currently handle stateful MCP sessions, how stateless designs dramatically simplify scaling and operations, and how proxies like Envoy can enforce authorization, tool safety, and policy without becoming bottlenecks. The discussion will also look ahead to emerging MCP proposals, including stateless transports, async tasks, and server discovery, and why alignment between protocol evolution and proxy implementations matters for the ecosystem.

Attendees will leave with concrete architectural insights, practical lessons learned, and a clearer picture of where MCP traffic handling is headed and how to build for it now.