Since its release by Anthropic in November 2024, Model Context Protocol (MCP) has gained massive adoption and is quickly becoming the connective tissue between AI agents and the tools, APIs, and data they act on.\u00a0<\/p>\n
With just a few lines of configuration, an agent can search code, open tickets, query SaaS systems, or even deploy infrastructure. That kind of flexibility is powerful but it also introduces new security challenges. In fact, security researchers analyzing the MCP ecosystem found command injection flaws affecting 43% of analyzed servers<\/a>. A single misconfigured or malicious server can exfiltrate secrets, trigger unsafe actions, or quietly change how an agent behaves.\u00a0<\/p>\n This guide is for developers and platform teams building with agents. We\u2019ll unpack what makes MCP workflows uniquely risky for AI infrastructure, highlight common missteps like prompt injection or shadow tooling, and show how secure defaults, like containerized MCP servers<\/a> and policy-based gateways<\/a>, can help you govern every tool call without slowing your AI roadmap.<\/p>\n Model Context Protocol<\/a> is a standardized interface that enables AI agents to interact with external tools, databases, and services. MCP security refers to the controls and risks that govern how agents discover, connect to, and execute <\/strong>MCP servers. These security risks span across the entire development lifecycle and involve:<\/p>\n Supply chain<\/strong>: how servers are packaged, signed, versioned, and approved.<\/p>\n Runtime isolation<\/strong>: how they\u2019re executed on the host vs. in containers, with CPU\/memory\/network limits.<\/p>\n Brokered access<\/strong>: how calls are mediated, logged, blocked, or transformed in real time.<\/p>\n Client trust<\/strong>: which tools a given IDE\/agent is allowed to see and use.<\/p>\n Securing MCP workflows has become more important than ever because AI agents blur the line between \u201ccode\u201d and \u201cruntime.\u201d A prompt or tool description can change what your system is capable of without a code release.\u00a0<\/p>\n This means that security practices have to move up a layer, from static analysis to policy over agent\u2011tool interactions<\/strong>. Docker codifies that policy in a gateway and makes secure defaults practical for everyday developers.<\/p>\n Docker\u2019s approach is to make MCP both easy<\/strong> and safe<\/strong> through containerized execution, a policy\u2011enforcing MCP Gateway<\/strong>, and a curated MCP Catalog & Toolkit<\/strong><\/a> that helps teams standardize what agents can do. If you\u2019re building with agents, this guide will help you understand the risks, why traditional tools fall short, and how Docker reduces blast radius without slowing your AI roadmap.<\/p>\n While MCP risks can show up in various ways across the dev lifecycle, there are specific categories they typically fall into. The section below highlights how these risks surface in real workflows, their impact, and practical guardrails that mitigate without slowing teams down.\u00a0<\/p>\n Running servers directly on the host<\/strong> with broad privileges or a persistent state.<\/p>\n Unrestricted network egress<\/strong> from tools to the public internet.<\/p>\n Unvetted catalogs\/registries<\/strong> in client configs, exposing agents to unknown tools.<\/p>\n No audit trail<\/strong> for tool calls-hard to investigate or respond.<\/p>\n Impact:<\/strong> Lateral movement, data exfiltration, and irreproducible behavior.<\/p>\n Mitigation:<\/strong> Always follow MCP server best practices<\/a> such as leveraging containerization, applying resource and network limits, maintaining an allowlist of approved tools, and capturing call logs centrally.<\/p>\n Typosquatting\/poisoned images<\/strong> or unsigned builds.<\/p>\n Hidden side effects<\/strong> or altered tool metadata that nudges agents into risky actions.<\/p>\n Impact:<\/strong> Covert behavior change, credential theft, persistent access.<\/p>\n Mitigation:<\/strong> Require signature verification, pin versions\/digests, and pull from curated sources such as the MCP Catalog & Toolkit<\/strong><\/a>.<\/p>\n Plaintext credentials<\/strong> in environment variables, prompts, or tool arguments.<\/p>\n Leakage<\/strong> via tool outputs or model completions.<\/p>\n Impact:<\/strong> Account takeover, data loss.<\/p>\n Mitigation:<\/strong> Use managed secrets, minimize prompt exposure, and redact or block sensitive values at the broker.<\/p>\n Prompt injection<\/strong>: hostile content instructs the model to exfiltrate data or call dangerous tools.<\/p>\n Tool poisoning\/shadowing<\/strong>: misleading tool descriptions or unexpected defaults that steer the agent.<\/p>\n Impact:<\/strong> Agents do the wrong thing, confidently.<\/p>\n Mitigation:<\/strong> Strict tool allowlists, pre\/post\u2011call interceptors, and output filtering at the gateway. Docker\u2019s MCP Gateway provides active security capabilities<\/a> (signature checks, call logging, secret and network controls, interceptors).<\/p>\n Dynamic & non\u2011deterministic behavior<\/strong>: the same prompt may lead to different tool calls.<\/p>\n Instruction vs. data ambiguity<\/strong>: LLMs can treat content (including tool docs) as instructions.<\/p>\n Growing, shifting attack surface<\/strong>: every new tool expands what the agent can do instantly.<\/p>\n Traditional AppSec gaps<\/strong>: Static analysis tools don\u2019t see agentic tool calls or MCP semantics; you need mediation between agents and tools, not just better prompts.<\/p>\n Implication for developers:<\/strong> You need a guardrail that lives at the agent\u2013tool boundary, verifying what runs, brokering what\u2019s allowed, and recording what happened.<\/p>\n Use this practitioner checklist to raise the floor:<\/p>\n Containerize every MCP server<\/strong> Centralize enforcement at a gateway (broker)<\/strong> Verify signatures<\/strong> before running servers.<\/p>\n Maintain a tool allowlist<\/strong> (only approved servers are discoverable).<\/p>\n Apply network egress controls<\/strong> and secret redaction<\/strong>.<\/p>\n Log<\/strong> requests\/responses for audit and incident response.<\/p>\n Govern secrets end\u2011to\u2011end<\/strong> Defend the prompt layer<\/strong> Harden the supply chain<\/strong> Monitor and rehearse<\/strong> Turning MCP security from theory into practice means putting guardrails where agents meet tools and making trusted servers easy to adopt for agentic workflows. Docker\u2019s MCP stack does both: Docker Gateway enforces policy and observability on every call, while the Docker MCP Catalog & Toolkit curates, verifies, and versions the servers your team can safely use.<\/p>\n The gateway sits between clients and servers to provide verification, policy, and observability<\/strong> for every tool call. It supports active security measures like signature verification, call logging, secret and network controls, and pre\/post-interceptors<\/strong> so you can block or transform risky actions before they reach your systems.\u00a0<\/p>\n Learn more in Docker MCP Gateway: Unified, Secure Infrastructure for Agentic AI<\/strong><\/a> and the Gateway Active Security<\/strong><\/a> documentation.<\/p>\n Use the MCP Catalog & Toolkit<\/strong><\/a> to standardize the servers your organization trusts. The catalog helps reduce supply\u2011chain risk (publisher verification, versioning, provenance) and makes it straightforward for developers to pull approved tools into their workflow. With a growing selection of 150+ curated MCP servers, MCP Catalog is a safe and easy way to get started with MCP.<\/p>\n Looking for a broader view of how Docker helps with AI development? Check out Docker for AI<\/strong><\/a>.<\/p>\n Choose servers from the Catalog<\/strong> and pin them by digest.<\/p>\n Register servers with the Gateway<\/strong> so clients only see approved tooling.<\/p>\n Enable active security<\/strong>: verify signatures, log all calls, redact\/deny secrets, and restrict egress.<\/p>\n Add pre\/post interceptors<\/strong>: validate arguments (before), redact\/normalize outputs (after).<\/p>\n Monitor and tune<\/strong>: review call logs, alert on anomalies, rotate secrets, and update allowlists as new tools are introduced.<\/p>\n MCP unlocks powerful agentic workflows but also introduces new classes of risk, from prompt injection to tool poisoning and supply\u2011chain tampering. MCP security isn\u2019t just better prompts; it\u2019s secure packaging, verified distribution, and a brokered runtime with policy<\/strong>.<\/p>\n Key takeaways<\/strong><\/p>\n Treat MCP as a governed toolchain<\/strong>, not just an SDK.<\/p>\n Put a policy gateway<\/strong> between agents and tools to verify, mediate, and observe.<\/p>\n Pull servers from the MCP Catalog & Toolkit<\/strong><\/a> and pin versions\/digests.<\/p>\n Use active security<\/strong> features such as signature checks, interceptors, logging, and secret\/network controls<\/strong><\/a> to reduce blast radius.<\/p>\n Browse the <\/strong>MCP Catalog<\/strong><\/a>: Discover 200+ containerized, security-hardened MCP servers<\/p>\n Download the MCP Toolkit in <\/strong>Docker Desktop<\/strong><\/a>: Get immediate access to secure credential management and container isolation<\/p>\n Submit Your Server: Help build the secure, containerized MCP ecosystem. Check our submission guidelines<\/a> for more.<\/p>\nWhat is MCP security?<\/strong><\/h2>\n
Why does MCP security matter?<\/h3>\n
Understanding MCP security risks<\/strong><\/h2>\n
Misconfigurations & weak defaults<\/strong><\/h3>\n
Malicious or compromised servers (supply chain)<\/strong><\/h3>\n
Secret management failures<\/strong><\/h3>\n
Prompt injection & tool poisoning<\/strong><\/h3>\n
What makes MCP security challenging?<\/strong><\/h2>\n
How to prevent and mitigate MCP server security concerns<\/strong><\/h2>\n
<\/strong>Run servers in containers (not on the host) with CPU\/memory caps<\/strong> and a read\u2011only filesystem where possible. Treat each server as untrusted code with the least privilege necessary.
Why it helps:<\/em> limits blast radius and makes behavior reproducible.<\/p>\n
<\/strong>Place a policy\u2011enforcing gateway<\/strong> between clients (IDE\/agent) and servers. Use it to:<\/p>\n
<\/strong>Store secrets in a managed system; avoid .env files. Prefer short\u2011lived tokens. Sanitize prompts and tool outputs to reduce exposure.<\/p>\n
<\/strong>Use pre\u2011call interceptors<\/strong> (argument\/type checks, safety classifiers) and post\u2011call interceptors<\/strong> (redaction, PII scrub). Combine with strict tool scoping to reduce prompt\u2011injection blast radius.<\/p>\n
<\/strong>Pull servers from curated sources (e.g., MCP Catalog & Toolkit<\/strong><\/a>), require signatures, and pin to immutable versions.<\/p>\n
<\/strong>Alert on anomalous tool sequences (e.g., sudden credential access), and run tabletop exercises to rotate tokens and revoke access.<\/p>\nHow Docker makes MCP security practical<\/strong><\/h2>\n
Docker MCP Gateway: Your enforcement point<\/strong><\/h3>\n
Docker MCP Catalog & Toolkit: Curation and convenience<\/strong><\/h3>\n
Putting it all Together: A practical flow<\/h3>\n
Conclusion<\/h3>\n
Learn more<\/h3>\n