This looks interesting, but anytime security is offloaded to an LLM I am extremely skeptical. IMO the right way to do this is to enforce permissions explicitly through a AuthZ policy. Something like what Toolhive [0] is doing is the right way I think.
All MCP comms from client to server go through an SSE proxy which has AuthN and AuthZ enabled. You can create custom policies for AuthZ using Cedar [1].
This is really interesting, I'll check it out. At least in its current form this seems like it would take some effort to setup - we're focusing heavily on making MCP Defender easy to setup in less than a minute and then forgetting about it as it runs in the background.
If your application can be significantly diverted from its intended purpose by the presence of instructions in a normal input file, your application is unsuitable for production workloads.
This feels like installing an "antivirus" addon into wordpress instead of updating php.
I had the same thought while building this, but I really feel a tool like this is needed as MCP has a lot of surface area for attacks. Any MCP server that gets hacked exposes all users of that MCP server to serious security risk, unless they are really careful about inspecting every single MCP tool call they make.
What’s to stop an attacker from using prompt injection against this firewall? I don’t understand how your AI is anymore secure than the AI it’s protecting
I may be missing something, but in addition to this threat of prompt injection, you also have to trade trusting the arbitrary MCP server for trusting MCP Defender.
In the default mode, the app will interpose on the communication between, say, Claude, and a local MCP server. It will send the contents of the message (which may include the very sensitive information it is trying to protect) to a remote LLM, which you have to trust. The "scans" will be stored on a log on the server. Not to mention the potential extra delay for every MCP exchange?
We'll be adding the ability to run MCP Defender through a local LLM soon, so using that approach no data will leave your computer to perform a scan.
Yes, there is a delay for MCP exchange, but I imagine that most MCP calls in the future will be done in "YOLO" mode where the user prompts a large task and an agent makes 1000's of MCP calls over hours to accomplish it. This would add some time to the overall task but IMO this is a small price to pay for added security. Also, the delay will decrease over time.
While Cursor and other apps can include security checks in their system prompt, MCP Defender provides an extra unified layer of security across all apps. Also, we're going to be adding the ability to have multiple models perform the scan in parallel so any prompt injection attack would have to work against all of the models you select.
I know I'm being extremely ignorant here, you are seeing my thought process live, but antivirus/firewall for AI? I'm sure the likes of Bitdefender etc. will start including something like this if it's real. I just can't believe any of this is real. After computers and phone, is AI the next market for antiviruses, 1 click optimizing tools and registry cleaners?
Kudos to you for making something, but if this is the next gold rush I want a piece of it too. Never took this AI, mcp, cursor business seriously because I thought of them as just poor boiler plates for web dev. I was wrong.
We used Cursor + MCP tools like Cloudflare, Linear and Github to build and deploy a lot of MCP Defender, so I think the value is real. I had the same thought about it feeling like an antivirus/firewall many of us ran decades ago. Those always felt clunky and slowed down your computer. We'll try our best to avoid that fate
This is certainly a valid concern. We'll soon be adding the ability to have multiple models perform the scan in parallel, so any attack would have to bypass all of the models.
How are you intercepting the huge variety of network calls and range of protocols that a local MCP service can make? Are you between the client and process? Or do you only support remote MCP?
OK well since OP isn't replying, [Edit: Author replied] it looks like they're using a wrapper process for local MCP servers and a proxy for remote, and you have to modify your MCP config to reference the local wrapper or proxy so it can intercept requests.
Claude artifact based on Sonnet 4 analyzing the code with github MCP.
In the video example, the 'bad guy' tried to get the MCP server to read ~/.ssh/id_rsa and post it to the attacker site. The MCP Defender popup balked just by it trying to read a suspicious file so it didn't get to the point of making the network connection. It was unclear whether just getting it to ping a remote server with something less shocking than your private keys, such as for instance, source code or environment variables in the current project, would also be treated as malicious.
With the default signatures, source code would not be treated as malicious. However, you can add custom signatures and detect whatever you'd like. We'll soon be adding deterministic rules as well to complement the LLM based ones.
MCP Defender sits between the MCP client and server. If you use Cursor for example, MCP Defender rewrites your Cursor MCP config file so that all MCP servers point to the MCP Defender proxy. So the tool calls are scanned before they make it to the server. The responses from the servers are also scanned although this is configurable (disabling it speeds up scans).
Ah thanks. Sorry I didn't see your reply before I posted the analysis. I'll leave it. Thanks for the reply. Congrats on the project. Seems like a legit need.
I guess it depends if you want to restrict an agent to a set of protocols or let it go wild.
I think in most use cases and agent would need just https and dns, both which can be MiTM monitored. In other some cases maybe also one or more of SSH, redis, MySQL, Postgres etc.
But YOLOing and letting it to connect to anything is probably not needed.
Thanks for your comment - MCP Defender sits between the MCP client and server, it doesn't need to worry about the protocols that the server communicates with to other services.
pretty sure the only response you'll get out of elmu's chatbot is one alleging a "white genocide", which he forced it to say due to his personal and political bias [0][1]
1: to clarify, this was after elmu hitler-saluted usa republicans on stage multiple times, not before elmu hitler-saluted usa republicans on stage multiple times
All MCP comms from client to server go through an SSE proxy which has AuthN and AuthZ enabled. You can create custom policies for AuthZ using Cedar [1].
[0] https://github.com/stacklok/toolhive, https://github.com/stacklok/toolhive/blob/main/docs/authz.md
[1] https://docs.cedarpolicy.com/
an admirable goal!
given the fallibility of LLMs, are you sure it's a good idea that they forget about it?
that seems like it has the same risks as having no security (perhaps worse, lulling people into a false sense of security)
are you sure the LLM doing security can't be tricked/attacked using any of the usual methods?
This feels like installing an "antivirus" addon into wordpress instead of updating php.
In the default mode, the app will interpose on the communication between, say, Claude, and a local MCP server. It will send the contents of the message (which may include the very sensitive information it is trying to protect) to a remote LLM, which you have to trust. The "scans" will be stored on a log on the server. Not to mention the potential extra delay for every MCP exchange?
This may be more secure, but is it really?
Yes, there is a delay for MCP exchange, but I imagine that most MCP calls in the future will be done in "YOLO" mode where the user prompts a large task and an agent makes 1000's of MCP calls over hours to accomplish it. This would add some time to the overall task but IMO this is a small price to pay for added security. Also, the delay will decrease over time.
Clearly you need a firewall-firewall.
..defense in depth?
Kudos to you for making something, but if this is the next gold rush I want a piece of it too. Never took this AI, mcp, cursor business seriously because I thought of them as just poor boiler plates for web dev. I was wrong.
I wonder if that just opens up some more attack vectors...
A fun thought experiment would be figuring how to achieve something similar using eBPF to get better control at the kernel level
Claude artifact based on Sonnet 4 analyzing the code with github MCP.
https://claude.ai/public/artifacts/30b92814-c4d2-4cb5-b08e-4...
I think in most use cases and agent would need just https and dns, both which can be MiTM monitored. In other some cases maybe also one or more of SSH, redis, MySQL, Postgres etc.
But YOLOing and letting it to connect to anything is probably not needed.
0: https://www.theguardian.com/technology/2025/may/14/elon-musk...
1: to clarify, this was after elmu hitler-saluted usa republicans on stage multiple times, not before elmu hitler-saluted usa republicans on stage multiple times