Kai Security AI — Honeypot MCP server logs AI agent probing

AI relevance: The write‑up shows how attacker‑controlled or exploratory agents probe MCP tools, highlighting a real-world threat model for agent toolchains.

  • Kai Security AI ran a public MCP honeypot and logged 135 real tool calls shortly after listing the server in the MCP registry.
  • A honeypot tool named get_aws_credentials was called once with role="admin", suggesting credential‑harvesting behavior.
  • Most traffic was benign, but the experiment underscores that agents enumerate tools and will try plausible high‑value calls.
  • The author argues the overlooked threat model is malicious agents connecting to legitimate MCP servers, not just users connecting to malicious servers.
  • Dataset notes from 518 scanned MCP servers show a large share operating with no authentication, increasing exposure to probing.
  • Calls included direct MCP agent queries such as “operational status,” showing that agents actively explore other agents via tool calls.

Why it matters

  • Public MCP endpoints effectively become attack surfaces for automated agent probing, not just human misuse.
  • Tool discovery without auth makes it easier for adversaries to map capabilities before any exploit attempt.

What to do

  • Require auth before tool discovery and block anonymous tools/list on public MCP servers.
  • Instrument and alert on tool‑call anomalies (credential‑like names, bulk data calls, repeated enumeration).
  • Rate‑limit unauthenticated traffic and add canary tools to detect probing early.
  • Document a malicious‑agent threat model in MCP deployments, not just prompt‑injection risk.
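
The detection items above (credential‑like tool names, bulk data calls, repeated enumeration, canary tools) can be checked from a server's own request log. The following is an added example, not code from the Kai Security AI write‑up; it runs over constructed JSON‑lines log records whose field names (ts, client, authed, method, tool, args) are assumptions for this illustration, and the client addresses are documentation‑range placeholders.

```python
"""Flag suspicious MCP tool-call patterns in a server's request log (example)."""
import json
from collections import Counter

# Constructed sample log, one JSON object per line, in the shape an MCP server's
# request middleware might emit. Field names are assumptions for this example.
SAMPLE_LOG = """
{"ts": 1700000000, "client": "203.0.113.5", "authed": false, "method": "tools/list", "tool": null, "args": {}}
{"ts": 1700000001, "client": "203.0.113.5", "authed": false, "method": "tools/list", "tool": null, "args": {}}
{"ts": 1700000002, "client": "203.0.113.5", "authed": false, "method": "tools/list", "tool": null, "args": {}}
{"ts": 1700000003, "client": "203.0.113.5", "authed": false, "method": "tools/call", "tool": "get_aws_credentials", "args": {"role": "admin"}}
{"ts": 1700000010, "client": "198.51.100.7", "authed": true, "method": "tools/call", "tool": "get_weather", "args": {"city": "Oslo"}}
{"ts": 1700000011, "client": "198.51.100.7", "authed": true, "method": "tools/call", "tool": "get_operational_status", "args": {}}
{"ts": 1700000020, "client": "192.0.2.9", "authed": false, "method": "tools/call", "tool": "export_all_users", "args": {"limit": 100000}}
"""

# Honeypot/canary tools: any invocation is a hit, regardless of arguments.
CANARY_TOOLS = {"get_aws_credentials"}
# Substrings that mark a tool name as credential-like or bulk-export-like.
CREDENTIAL_KEYWORDS = ("credential", "secret", "token", "password", "api_key")
BULK_KEYWORDS = ("export_all", "dump", "list_all")
ENUM_THRESHOLD = 3      # tools/list calls from one client before we alert
BULK_LIMIT = 10_000     # a "limit" argument at or above this is a bulk call


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(events):
    """Return a list of (kind, client, detail) alerts for the given events."""
    alerts = []
    list_counts = Counter()          # per-client tools/list count
    anon_discovery_seen = set()      # alert on anonymous discovery once per client
    for ev in events:
        client = ev["client"]
        if ev["method"] == "tools/list":
            list_counts[client] += 1
            if not ev["authed"] and client not in anon_discovery_seen:
                anon_discovery_seen.add(client)
                alerts.append(("anon_discovery", client, "tools/list"))
            if list_counts[client] == ENUM_THRESHOLD:
                alerts.append(("repeated_enumeration", client, "tools/list"))
            continue
        tool = (ev.get("tool") or "").lower()
        if tool in CANARY_TOOLS:
            alerts.append(("canary_hit", client, tool))
        if any(k in tool for k in CREDENTIAL_KEYWORDS):
            alerts.append(("credential_like_name", client, tool))
        limit = (ev.get("args") or {}).get("limit")
        big_limit = isinstance(limit, int) and limit >= BULK_LIMIT
        if any(k in tool for k in BULK_KEYWORDS) or big_limit:
            alerts.append(("bulk_data_call", client, tool))
    return alerts


def analyze(log_text):
    """Parse a JSON-lines log and return its alerts."""
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22s} client={client:14s} {detail}")
```

In the sample, the first client trips anonymous discovery, the enumeration threshold, the canary and the credential‑name rule; the authenticated client calling get_weather and get_operational_status produces no alert; the third client is flagged only for the bulk export. Tune the keyword lists and thresholds to the tools your server actually exposes, and treat any canary hit as a high‑confidence signal.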

Sources