MCP Core Defense: A 7-Phase Security Proxy for AI Agent Systems
The Model Context Protocol (MCP) has become the standard interface for connecting large language models to external tools and data sources. As of mid-2026, the MCP ecosystem encompasses over 2,200 public MCP servers — but recent research reveals alarming security gaps:
- 9.93% of MCP servers exhibit description-code inconsistencies (Shi et al., 2026)
- Leading models suffer ~100% attack success rates under tool description poisoning (Liu et al., 2026)
MCP Core Defense is an open-source, defense-in-depth security proxy interposed between AI agents and all MCP servers. It implements seven sequential verification phases with fail-fast semantics: the first phase to reject a request stops the pipeline, so later phases never see it.
The 7 Phases
Phase 1 — Policy Engine: Deny-by-default access control with explicit allowlists and wildcards.
Phase 2 — Schema Validator: Strict JSON schema validation for tool inputs and outputs with nested objects and arrays.
Phase 3 — DCI Checker: Description-code consistency verification. Supports Python (AST), JavaScript, and TypeScript.
Phase 4 — TDP Detector: Scans tool descriptions for malicious hidden instructions: data exfiltration, command execution, and obfuscation.
Phase 5 — Mutual TLS: Certificate verification with pinning, hostname validation, and MITM detection.
Phase 6 — Sandbox: Filesystem jail with path traversal prevention.
Phase 7 — SDK Adapter: Async MCP client interceptor with secure execution and dry-run modes.
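The following is an added illustration of the fail-fast pipeline idea, not code from the mcp-core-defense project. It wires together a minimal Phase 1 policy engine (deny-by-default allowlist with shell-style wildcards) and a minimal Phase 6 filesystem jail (path-like arguments must resolve inside the jail root), and shows that a request rejected by the policy phase never reaches the sandbox phase. All names (Decision, PolicyEngine, Sandbox, run_pipeline, build_demo_pipeline), the jail root and the sample requests are hypothetical and constructed for the example; only the phase concepts come from the post. It assumes a POSIX filesystem.

```python
import fnmatch
import os
from dataclasses import dataclass, field
from typing import Any, Callable

# Added illustration, not code from mcp-core-defense. Class and function names
# are hypothetical; only the phase concepts come from the project description.


@dataclass
class Decision:
    allowed: bool
    phase: str   # which phase produced the verdict
    reason: str


@dataclass
class PolicyEngine:
    """Phase 1: deny-by-default. A call is allowed only when the tool name
    matches an allowlist entry; entries may use shell-style wildcards."""
    allow: list[str] = field(default_factory=list)

    def check(self, tool_name: str, args: dict[str, Any]) -> Decision:
        for pattern in self.allow:
            if fnmatch.fnmatchcase(tool_name, pattern):
                return Decision(True, "policy", f"{tool_name!r} matched {pattern!r}")
        return Decision(False, "policy", f"{tool_name!r} is not allowlisted")


@dataclass
class Sandbox:
    """Phase 6: filesystem jail. Every path-like argument must resolve to a
    location inside `root` after symlinks and '..' components are collapsed."""
    root: str

    def check(self, tool_name: str, args: dict[str, Any]) -> Decision:
        root = os.path.realpath(self.root)
        for key, value in args.items():
            if not (key.endswith("path") and isinstance(value, str)):
                continue
            # An absolute value makes os.path.join discard root, so it is
            # caught by the same containment test as a '..' escape.
            candidate = os.path.realpath(os.path.join(root, value))
            # commonpath compares whole components, so a sibling directory
            # whose name merely starts with the root name is also rejected.
            if os.path.commonpath([root, candidate]) != root:
                return Decision(False, "sandbox", f"{value!r} escapes jail {root}")
        return Decision(True, "sandbox", "all path arguments stay inside the jail")


Phase = Callable[[str, dict[str, Any]], Decision]


def run_pipeline(phases: list[Phase], tool_name: str, args: dict[str, Any]) -> Decision:
    """Fail-fast: phases run in order and the first rejection ends the pipeline,
    so later (more expensive) phases never see a request an earlier one denied."""
    for phase in phases:
        decision = phase(tool_name, args)
        if not decision.allowed:
            return decision
    return Decision(True, "pipeline", "passed every phase")


def build_demo_pipeline(jail_root: str = "/var/lib/mcp-jail") -> list[Phase]:
    # Constructed sample policy: read-only filesystem tools plus a search tool.
    # The jail root is hypothetical and need not exist for the containment test.
    policy = PolicyEngine(allow=["fs.read_*", "fs.list_*", "search"])
    sandbox = Sandbox(root=jail_root)
    return [policy.check, sandbox.check]


if __name__ == "__main__":
    pipeline = build_demo_pipeline()
    samples = [  # constructed requests, not captured traffic
        ("fs.read_file", {"path": "notes/todo.txt"}),
        ("fs.delete", {"path": "notes/todo.txt"}),
        ("fs.read_file", {"path": "../../etc/passwd"}),
        ("fs.read_file", {"path": "/etc/passwd"}),
    ]
    for tool, args in samples:
        d = run_pipeline(pipeline, tool, args)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{tool:14} {args!s:34} -> {verdict} [{d.phase}] {d.reason}")
```

Running the block prints one verdict per sample request: the read inside the jail passes both phases, the delete is stopped at the policy phase (the sandbox is never consulted), and the two escaping paths pass the policy but are stopped at the sandbox phase. The containment test uses os.path.realpath followed by os.path.commonpath rather than a string prefix check, so symlinks, '..' components and sibling directories with a shared name prefix are all handled by the same comparison.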
Performance
Full pipeline: < 20ms avg. Throughput: > 100 checks/sec. 115 tests passing on Python 3.10/3.11/3.12.
Installation
git clone https://github.com/amurlaniakea/mcp-core-defense.git
cd mcp-core-defense
make install
make test
Research Basis
Based on 7 peer-reviewed papers from 2023-2026 on MCP security.
License
AGPL-3.0-or-later.
GitHub: https://github.com/amurlaniakea/mcp-core-defense