April 2-3, 2026
New York, NY

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.


Venue: Empire Complex (7th Floor)
Thursday, April 2
 

11:50am EDT

Securing MCP at Scale: From Principles To Production - Peter Smulovics, Morgan Stanley
Thursday April 2, 2026 11:50am - 12:15pm EDT
As MCP adoption accelerates across platforms, the risks of giving LLMs tool access are growing quickly. This session explores the real threat surface of MCP systems: prompt injection, tool poisoning, unsafe permissions, supply-chain “rug pulls,” cross-tool escalation, and data-exfiltration risks that arise when agents can call arbitrary tools. Building on Microsoft's recent work hardening MCP on Windows, we outline a practical reference architecture for secure deployments: signed and verified tool manifests, unique server identities, scoped capabilities, sandboxed execution, authenticated connections, governance via registries, audit logging, and runtime anomaly detection. Attendees will leave with a blueprint for running MCP in production: what to lock down, how to operate it safely, and how enterprises can integrate MCP into existing security, IAM, and compliance frameworks. This talk equips developers, architects, and security teams to build safer agentic systems and contribute to a more secure MCP ecosystem.
Speakers

Peter Smulovics

Distinguished Engineer, Morgan Stanley
Peter Smulovics is a Distinguished Engineer at Morgan Stanley with 15+ years at the firm and 30+ in the industry. A 2× Microsoft MVP and co-creator of C#, he serves as Vice Chair of FINOS (Linux Foundation) Technical Oversight Committee and leads Open Source Readiness. He focuses...
Thursday April 2, 2026 11:50am - 12:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

12:20pm EDT

When MCP Becomes a Product - Gautam Baghel, HashiCorp & Roy Derks, IBM
Thursday April 2, 2026 12:20pm - 12:45pm EDT
MCP servers often begin as simple side projects. You build a quick integration, get a basic connection working, and show a demo. But as users begin to rely on your tool, the stakes change. In this talk, we share the lessons learned from taking multiple MCP servers from initial Proofs of Concept to robust production standards, supporting tens of thousands of developers across open-source and enterprise environments. These are the real-world realities of treating your MCP server as a shipping product.
Speakers

Roy Derks

Developer Experience, IBM
Roy Derks is a lifelong software developer, author and public speaker from the Netherlands. Currently chasing his dreams in Silicon Valley, California. Roy's mission is to make the world a better place through technology by inspiring developers all over the world, more specifically...

Gautam Baghel

Sr. Product Manager, Gen AI, HashiCorp, an IBM company
Gautam is a passionate technologist who thrives on solving DevOps puzzles and building meaningful solutions. He's all about automating stuff, streamlining workflows, and building scalable systems. Through his talks, Gautam shares practical insights and inspires others to dive into...
Thursday April 2, 2026 12:20pm - 12:45pm EDT
Empire Complex (7th Floor)

12:50pm EDT

Golem To Murderbot: Challenges With Agentic Security Delegation Via MCP - Michael Schwartz, Gluu
Thursday April 2, 2026 12:50pm - 1:15pm EDT
To implement "Zero Trust", authorization must be enforced consistently across every layer: inside the agent, in the cloud (like MCP gateways and services), and down to the database. Each layer needs its own dynamic authorization decision engine, yet those decisions must remain aligned and explainable.

As AI agents become first-class actors in enterprise systems, traditional security models start to strain. This session examines how agentic workflows challenge today’s delegation mechanisms, especially when agents act autonomously, chain operations, or cross trust boundaries. We’ll explore where OAuth works well and where it falls short.

The session argues for centralized policy management using Cedar, decoupled from application code to prevent policy drift. It will introduce emerging governance models like GovOps, which treat policies, schemas, and authorization logic as managed assets with lifecycle controls and automated compliance. Attendees will leave with practical ideas for secure agent delegation and governing agentic systems at scale.

The discussion frame is two narratives: a 15th century myth and a 2025 Apple TV mini-series based on Martha Wells' books.
Speakers

Michael Schwartz

Founder / CEO, Gluu
Mike is the founder of cybersecurity software vendor Gluu, BD of the Linux Foundation Janssen Project, and twice a week hosts the livestream Identerati Office Hours. He is also author of "Securing the Perimeter" (Apress 2018) about open source digital identity. His podcast "Open Source...
Thursday April 2, 2026 12:50pm - 1:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:35pm EDT

From Scopes To Intent: Reimagining Authorization for Autonomous Agents - Andres Aguiar & Abhishek Hingnikar, Okta
Thursday April 2, 2026 2:35pm - 3:00pm EDT
The Model Context Protocol (MCP) has standardized how we connect models to data, but the security layer remains a work in progress. Currently, MCP implements authorization via standard OAuth scopes.

While this works for handling coarse-grained tool access, it presents challenges for finer grained permissions.

To solve this, we must move toward intent-based authorization—a model where agents are authorized to perform actions based on the specific context of a task, rather than a pre-approved list of capabilities.

This presentation will dissect the consequences of the current OAuth model on agent design and present ideas of how to address them. We will discuss how to implement dynamic authorization that allows agents to be helpful without being intrusive, ensuring that security scales alongside intelligence.
Speakers

Abhishek Hingnikar

Product Architect, Okta

Andres Aguiar

Director of Product, Okta
Solving Authorization with openfga.dev | fga.dev
Thursday April 2, 2026 2:35pm - 3:00pm EDT
Empire Complex (7th Floor)
  Security and Operations

3:05pm EDT

Deploying MCP at Scale Without Skipping Compliance - Becky Brooks, MCP Manager by Usercentrics
Thursday April 2, 2026 3:05pm - 3:30pm EDT
With EU AI Act enforcement beginning this year, teams deploying MCP need to understand what regulators will actually look for in production systems.

This talk is a practical guide for builders and IT teams deploying MCP at scale without dodging compliance. We’ll break down the concrete requirements emerging from regulation, including audit logs, traceability, access controls, and oversight mechanisms, and show how they map directly to MCP-based architectures.

We’ll cover how compliance applies across the systems MCP touches, from internal tools and data sources to the emerging MCP Apps ecosystem, where consumer-facing workflows introduce new expectations around transparency, consent, and accountability as AI increasingly mediates how brands and consumers interact.

Attendees will leave with a clear picture of what it takes to deploy MCP that works in production and holds up under regulatory scrutiny.
Speakers

Becky Brooks

Staff Product Marketing Manager, MCP Manager by Usercentrics
Becky Brooks is a Staff Product Marketing Manager at MCP Manager by Usercentrics, where she helps teams safely and confidently deploy MCP in real-world AI systems. She focuses on making MCP accessible and trustworthy so teams can use AI to move faster without sacrificing safety or...
Thursday April 2, 2026 3:05pm - 3:30pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any

3:35pm EDT

Shadow MCP: Finding the MCPs Nobody Approved - Aidan Sochowski & Alexander Frazer, Runlayer
Thursday April 2, 2026 3:35pm - 4:00pm EDT
Shadow IT is back - but this time it's AI-powered. Employees are configuring MCP servers directly in Cursor, Claude Desktop, and VS Code, creating a blind spot that traditional security tools miss. These shadow MCPs operate outside centralized control, enabling data exfiltration, supply chain attacks, and compliance violations.

This talk exposes the shadow MCP problem and presents a comprehensive detection and response framework:

- Why shadow MCPs are uniquely dangerous (AI amplifies access, automates actions, no audit trail)
- Discovery techniques: IDE config scanning, MDM integration, network detection patterns
- Classification: distinguishing managed vs shadow servers across device fleets
- Response playbooks: triage, investigation, remediation by risk level

I'll share real vulnerability examples from official MCPs (GitHub, Asana, Supabase, Postmark) and demonstrate automated detection through IDE hooks (Cursor, Claude Code) and MDM platforms (SimpleMDM, Jamf).

Attendees will leave with practical techniques for gaining visibility into shadow MCP usage and a framework for bringing unauthorized integrations under organizational control.
Speakers

Aidan Sochowski

Senior Product Engineer, Runlayer
Aidan is a founding product engineer at Runlayer. Previously he's worked at Glean on scalable connector and crawler infrastructure and at YouTube on recommendations serving infrastructure...

Alexander Frazer

Founding Security Engineer, Runlayer
Alexander Frazer is a Founding Security Engineer at Runlayer, specializing in generative AI and cybersecurity. With 15+ years of experience, he focuses on AI security challenges and MCP implementations. Previously he has led creation and evaluation of AI-driven security triage systems...
Thursday April 2, 2026 3:35pm - 4:00pm EDT
Empire Complex (7th Floor)
  Security and Operations

4:30pm EDT

If You Can Secure It Here, You Can Secure It Anywhere - Milan Williams & Katrina Liu, Semgrep
Thursday April 2, 2026 4:30pm - 4:55pm EDT
Here's the thing about being a security company: you can't ship a vulnerable MCP server. For us, getting pwned isn't just embarrassing - it gets us on the front page of Hacker News. Our customers trust us to protect them from nation-state attackers, well-funded adversaries (and the odd teenager attacking for lolz).

At the same time, the MCP ecosystem is still maturing. Hardening standards for sophisticated attackers don't exist yet. And with high-profile supply chain attacks now targeting agents, attackers are actively exploiting the trust developers place in their toolchains. Last year, a flaw in mcp-remote turned into a remote code execution nightmare, exposing over 400,000 developers. That's the reality we're building in.


When it came to our MCP server, we built it using the same rigor we use to protect the world's largest companies. This talk covers the threat model we designed against, gaps in MCP's current design that required workarounds, and ultimately how we built an MCP server trusted by enterprise customers, and hardened against even the most novel attacks. If we can secure it here, you can secure it anywhere.
Speakers

Milan Williams

Senior Product Manager, Semgrep
I build security products. I'm a Senior Product Manager at Semgrep, a high-growth cybersecurity startup. I lead the teams responsible for Semgrep Code (SAST) and Secrets detection products.

I recently graduated from Harvard University with degrees in Computer Science and Physics. In my free time, you can find me geeking about the latest in security / developer tooling, running in San Francisco's Golden Gate Park, or enjoying local theater...

Katrina Liu

Software Engineer, Semgrep
Katrina is a software engineer at Semgrep. She is on the Semgrep Analysis Foundations Team, the team that owns and maintains the core static analysis functionality of the Semgrep tool. She is currently working on Semgrep's MCP server.
Thursday April 2, 2026 4:30pm - 4:55pm EDT
Empire Complex (7th Floor)
  Security and Operations

5:00pm EDT

Towards Building Safe & Secure Agentic AI - Dawn Song, UC Berkeley; UC Berkeley Center for Responsible Decentralized Intelligence & Matt White, Linux Foundation/PyTorch Foundation
Thursday April 2, 2026 5:00pm - 5:25pm EDT
Recent advancements in agentic AI have unlocked powerful new capabilities; however, they also introduce fundamentally new security risks. In this talk, I present a system-level view of the security landscape of agentic AI, drawing on a comprehensive systematization of attacks and defenses across modern agent architectures.

I show how increasing agent flexibility along different dimensions expands attack surfaces and enables threats such as prompt injection, memory poisoning, unsafe data flows, credential leakage, and unauthorized execution. Using real-world incidents and CVE analyses, I illustrate how agents can be manipulated through external content, compromised tools, or poisoned internal components.

The talk also provides a systematic overview of end-to-end automatic red teaming and risk assessment for agentic AI systems as well as a defense-in-depth framework for building secure agentic systems, spanning runtime guardrails, access control, information-flow tracking, privilege separation, and secure-by-design architectures, helping practitioners assess risk, close security gaps, and deploy agents safely at scale.
Speakers

Dawn Song

Professor, Computer Science @ UC Berkeley and Director of Berkeley RDI (Berkeley Center for Responsible Decentralized Intelligence), UC Berkeley; UC Berkeley Center for Responsible Decentralized Intelligence
Dawn Song is a UC Berkeley CS Professor & Berkeley RDI Co-Director. She is the recipient of the MacArthur, Guggenheim, ACM, IEEE, and Sloan Fellowship, Schmidt Sciences AI2050 Senior Fellowship, NSF CAREER Award, MIT Technology Review TR-35 Award, ACM SIGSAC Outstanding Innovation...

Matt White

Global CTO of AI, Linux Foundation
Matt White is the Executive Director of the PyTorch Foundation and GM of AI at the Linux Foundation. He is also the Director of the Generative AI Commons. Matt has nearly 30 years of experience in applied research and standards in AI and data in telecom, media and gaming industries...
Thursday April 2, 2026 5:00pm - 5:25pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

5:30pm EDT

MCP Traffic Handling at Scale: Stateless Design, Proxies, and the Road Ahead - Erica Hughberg, Tetrate & Boteng Yao, Google
Thursday April 2, 2026 5:30pm - 5:55pm EDT
As MCP adoption grows, teams are facing a new set of challenges: session management across fleets, policy enforcement for agents and users, and operating MCP traffic at scale.

We’ll explore how proxies currently handle stateful MCP sessions, how stateless designs dramatically simplify scaling and operations, and how proxies like Envoy can enforce authorization, tool safety, and policy without becoming bottlenecks. The discussion will also look ahead to emerging MCP proposals, including stateless transports, async tasks, and server discovery, and why alignment between protocol evolution and proxy implementations matters for the ecosystem.

Attendees will leave with concrete architectural insights, practical lessons learned, and a clearer picture of where MCP traffic handling is headed and how to build for it now.
Speakers

Boteng Yao

Software Engineer, Google
Boteng is a Senior Envoy Maintainer and Software Engineer at Google, working on Envoy for various products with an emphasis on data plane, reliability, and security.

Erica Hughberg

Envoy AI Gateway Maintainer, Tetrate
Erica Hughberg is a technical leader, software engineer, and community advocate passionate about helping engineering teams develop scalable, secure, and user-focused application platforms. As a maintainer of Envoy AI Gateway, she concentrates on features that enable organizations...
Thursday April 2, 2026 5:30pm - 5:55pm EDT
Empire Complex (7th Floor)
  Security and Operations
 
Friday, April 3
 

11:30am EDT

Demystifying Client ID Metadata Documents in MCP - Den Delimarsky, Anthropic
Friday April 3, 2026 11:30am - 11:55am EDT
With the recent specification update, MCP moved away from using DCR as the default in favor of Client ID Metadata Documents (CIMD). It's a new approach to client registration already adopted by projects such as Bluesky, and now making its way to the MCP ecosystem. CIMD is significantly easier to use than DCR while providing the same security guarantees and a much more flexible approach to client governance. In this session, you will learn about the transition from DCR to CIMD, how you should design your MCP servers (and MCP clients) around this new requirement, and what the future holds for broader CIMD adoption.
Speakers

Den Delimarsky

Member of Technical Staff, Anthropic
Den is an avid reverse engineer, passionate about APIs, protocols, and security. He leads MCP technical programs at Anthropic and prior to that built authentication and authorization libraries used by millions of developers around the globe. You can learn more about his work on h...
Friday April 3, 2026 11:30am - 11:55am EDT
Empire Complex (7th Floor)
  Security and Operations

12:00pm EDT

Threat Modeling Authorization in MCP - Sarah Cecchetti, OpenID Foundation
Friday April 3, 2026 12:00pm - 12:25pm EDT
This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.
Speakers

Sarah Cecchetti

Chair of AI Threat Modeling Working Group, OpenID Foundation
By day, Sarah is Director of Product Management for Semperis, a Series C startup. She also chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP...
Friday April 3, 2026 12:00pm - 12:25pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Beginner
  • Session Slides Yes

12:30pm EDT

Mix-Up Attacks in MCP: Multi-Issuer Confusion and Mitigations - Emily Lauber, Microsoft
Friday April 3, 2026 12:30pm - 12:55pm EDT
MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix-up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it's interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.

This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.
Speakers

Emily Lauber

Senior Product Manager, Microsoft
Emily Lauber is a Senior Product Manager at Microsoft focused on identity, authentication, and developer platforms. She works at the intersection of cloud security, browser-based auth, and standards, helping shape how modern apps and agents securely authenticate and access resources...
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:25pm EDT

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio
Friday April 3, 2026 2:25pm - 2:50pm EDT
MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.
Speakers

Max Gerber

Principal Software Engineer, Twilio
Max Gerber is the software engineering lead for agent and AI identity at Twilio, where he works on core identity SDKs and APIs including OAuth, SAML, SSO, and RBAC. He previously led identity initiatives at Stytch and served as a lead engineer on MuleSoft's IAM team during its integration...

Paul Carleton

Member of Technical Staff, Anthropic
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:55pm EDT

The Boring Attack That Will Actually Get You - Craig Jellick, Obot AI
Friday April 3, 2026 2:55pm - 3:20pm EDT
The MCP security conversation focuses heavily on prompt injection, tool abuse, and session hijacking. These matter. But if you're running a registry of MCP servers, your most likely breach won't be complicated. It will be a compromised server you trusted too quickly.

Supply chain attacks aren't new, and neither are the defenses. But the speed of MCP adoption has outpaced basic hygiene: validation, provenance, versioning, and review processes that mature package ecosystems learned the hard way.

This talk argues that before you harden against novel agent-based attacks, you need to treat your MCP registry like critical infrastructure. We'll cover practical approaches to vetting servers, establishing trust boundaries, detecting drift, and building review workflows that scale.

Prompt injection is a real threat. But the server you added last week without review is a more immediate one.
Speakers

Craig J

VP of Engineering, Obot AI
Craig Jellick is VP of Engineering and co-founder of Obot AI, where they are building an agent platform that helps teams of all technical levels create software, automate work, and ship real tools using AI. Previously, he was a founding engineer and Director of Engineering at Rancher...
Friday April 3, 2026 2:55pm - 3:20pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

3:25pm EDT

Beyond the Sandbox: Security at the Host Layer - Lorenzo Verna & Pietro Valfrè, Denied
Friday April 3, 2026 3:25pm - 3:50pm EDT
Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.

While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.

We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.
Speakers

Lorenzo Verna

Co-founder and CPO, Denied
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy...

Pietro Valfrè

CEO & Co-founder, Denied
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is...
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

4:20pm EDT

Securing the MCP Ecosystem: Production Patterns for Transparency and Trust - Lisa Tagliaferri & Trevor Dunlap, Chainguard
Friday April 3, 2026 4:20pm - 4:45pm EDT
Model Context Protocol servers are increasingly granted access to critical infrastructure from observability systems and databases to code repositories. This access introduces new supply chain security challenges for teams operating MCP servers in real-world environments.

In this talk, we share lessons learned from Chainguard’s experience building MCP infrastructure for production. Starting with mcp-grafana, our first hardened MCP server, we reduced known CVEs to 0 at publish time while shrinking image size by 65%. We developed repeatable security patterns for MCP delivery, including automated rebuilds, attack surface minimization, SBOM generation, and SLSA provenance.

We then applied these same patterns to a different use case: a documentation MCP serving over 1,500 container image guides, enabling secure access through AI assistants. These implementations demonstrate how consistent supply chain controls can support both infrastructure-integrated and content-focused MCP servers.

Attendees will learn practical approaches to threat modeling MCP servers. We’ll also share our challenges and failures, along with open-source workflows the community can adopt across the MCP ecosystem.
Speakers

Lisa Tagliaferri

Senior Director, Developer Enablement, Chainguard
Lisa Tagliaferri is Senior Director of Developer Enablement at Chainguard and a maintainer of Sigstore's documentation. The author of "How To Code in Python" and a Linux Foundation course developer, Lisa focuses on helping developers and maintainers adopt CNCF and OpenSSF tooling...

Trevor Dunlap

Senior Software Engineer, Chainguard
Trevor Dunlap is a senior software engineer at Chainguard. He holds a Ph.D. in Computer Science with a focus on automating the enhancement of vulnerability data. Trevor is an advocate for open source software security and enjoys competing on Kaggle.

Friday April 3, 2026 4:20pm - 4:45pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

4:50pm EDT

Enterprise-Ready MCP: Security Patterns and the "4-Legged" Identity Challenge - Paulina Xu, Agentic Fabriq
Friday April 3, 2026 4:50pm - 5:15pm EDT
As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.
Speakers

Paulina Xu

CEO, Agentic Fabriq
Paulina Xu is the CEO of Agentic Fabriq, where she is building a centralized hub for agent identity, OAuth-based authentication, permissioning, and auditability, enabling organizations to safely manage what agents can access and do across tools, applications, and teams. Prior to founding...
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

5:20pm EDT

Context Middleware for MCP: From Enterprise Needs To Protocol Extension - Peder Holdgaard Pedersen, Saxo Bank
Friday April 3, 2026 5:20pm - 5:45pm EDT
Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.

Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.

For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.

This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.
Speakers

Peder Holdgaard Pedersen

Principal Developer, Saxo Bank
Peder architects AI systems and spearheads AI adoption at Saxo Bank as Principal Developer. He is a contributor to the C# MCP SDK and an MCP maintainer for the Financial Services Interest Group. He specializes in integrating cutting-edge AI capabilities with bespoke assistants and...
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
  Security and Operations
 