benchmark 2026

MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security

Mehrdad Rostamzadeh , Sidhant Narula , Nahom Birhan , Mohammad Ghasemigol , Daniel Takabi

Old Dominion University

0 citations
α

Published on arXiv

2604.07551

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Reveals predominantly tool-centric protection with persistent gaps at host orchestration, transport, and supply-chain layers, suggesting MCP security weaknesses stem from architectural misalignment

MCP-DPT

Novel technique introduced

The Model Context Protocol (MCP) enables large language models (LLMs) to dynamically discover and invoke third-party tools, significantly expanding agent capabilities while introducing a distinct security landscape. Unlike prompt-only interactions, MCP exposes pre-execution artifacts, shared context, multi-turn workflows, and third-party supply chains to adversarial influence across independently operated components. While recent work has identified MCP-specific attacks and evaluated defenses, existing studies are largely attack-centric or benchmark-driven, providing limited guidance on where mitigation responsibility should reside within the MCP architecture. This is problematic given MCP's multi-party design and distributed trust boundaries. We present a defense-placement-oriented security analysis of MCP, introducing a layer-aligned taxonomy that organizes attacks by the architectural component responsible for enforcement. Threats are mapped across six MCP layers, and primary and secondary defense points are identified to support principled defense-in-depth reasoning under adversaries controlling tools, servers, or ecosystem components. A structured mapping of existing academic and industry defenses onto this framework reveals uneven and predominantly tool-centric protection, with persistent gaps at the host orchestration, transport, and supply-chain layers. These findings suggest that many MCP security weaknesses stem from architectural misalignment rather than isolated implementation flaws.

Key Contributions

  • Layer-aligned defense-placement taxonomy organizing MCP attacks by architectural component responsible for enforcement
  • Structured mapping of existing academic and industry defenses revealing uneven coverage and persistent gaps at orchestration, transport, and supply-chain layers
  • Defense-in-depth framework identifying primary and secondary defense points across six MCP layers under adversaries controlling tools, servers, or ecosystem components

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
llm agentstool-augmented ai systemsmulti-party ai workflows
Read PDF arXiv

Similar Papers

benchmark

LPS-Bench: Benchmarking Safety Awareness of Computer-Use Agents in Long-Horizon Planning under Benign and Adversarial Scenarios

2026 1 cit.
92%
benchmark

MCP-SafetyBench: A Benchmark for Safety Evaluation of Large Language Models with Real-World MCP Servers

2025 4 cit.
92%
benchmark

SafeToolBench: Pioneering a Prospective Benchmark to Evaluating Tool Utilization Safety in LLMs

2025 0 cit.
92%
benchmark

Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents

2025 0 cit.
92%
defense

Autonomous Action Runtime Management(AARM):A System Specification for Securing AI-Driven Actions at Runtime

2026 0 cit.
83%
defense

MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents

2025 4 cit.
83%
defense

Tracking Capabilities for Safer Agents

2026 0 cit.
83%
defense

Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents

2025 0 cit.
83%