MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security
Mehrdad Rostamzadeh, Sidhant Narula, Nahom Birhan, Mohammad Ghasemigol, Daniel Takabi

TL;DR
This paper introduces a layered security analysis framework for the Model Context Protocol (MCP), highlighting architectural vulnerabilities and guiding defense placement across multiple components to enhance LLM ecosystem security.
Contribution
It presents a layer-aligned taxonomy for attack and defense mapping in MCP, addressing security gaps in multi-party, distributed trust environments.
Findings
Existing defenses are mostly tool-centric with gaps in host, transport, and supply-chain layers.
Many security issues stem from architectural misalignments rather than implementation flaws.
The framework supports principled defense-in-depth strategies for MCP security.
Abstract
The Model Context Protocol (MCP) enables large language models (LLMs) to dynamically discover and invoke third-party tools, significantly expanding agent capabilities while introducing a distinct security landscape. Unlike prompt-only interactions, MCP exposes pre-execution artifacts, shared context, multi-turn workflows, and third-party supply chains to adversarial influence across independently operated components. While recent work has identified MCP-specific attacks and evaluated defenses, existing studies are largely attack-centric or benchmark-driven, providing limited guidance on where mitigation responsibility should reside within the MCP architecture. This is problematic given MCP's multi-party design and distributed trust boundaries. We present a defense-placement-oriented security analysis of MCP, introducing a layer-aligned taxonomy that organizes attacks by the…
