Bishop Fox Releases "Otto Support" MCP Security CTF
AI relevance: As organizations deploy MCP-connected AI agents with access to internal tools, files, and credentials, understanding how attackers cross privilege boundaries in MCP architectures becomes essential. Bishop Fox has packaged those attack paths into a hands-on CTF anyone can run.
What happened
- Bishop Fox published otto-support, an open-source vulnerable MCP (Model Context Protocol) server designed as a capture-the-flag challenge.
- The CTF simulates a customer-support MCP tool that an AI coding assistant (e.g., Claude Code) connects to via the stdio transport.
- Ships with 19 tools across 4 privilege levels, a tiered authentication system, internal services, and a ticket database.
- Players must escalate privileges, exfiltrate data across trust boundaries, manipulate the AI assistant into performing unintended actions, and ultimately execute code on the underlying system.
- Delivered as a single Go binary running inside a container — designed for use with an AI coding client connected via MCP.
- Attack surfaces span MCP tool interactions at different trust levels combined with traditional web application vulnerabilities.
- Completion likely requires both dynamic testing and source code review, reflecting real-world AI security assessment workflows.
- The blog post references real-world MCP failures as design inspiration, including CVE-2025-49596, the critical remote code execution vulnerability in MCP Inspector (CVSS 9.4).
- Repository: github.com/BishopFox/otto-support
Why it matters
- MCP is rapidly becoming the standard protocol for connecting AI agents to tools, but security testing tooling for MCP architectures is still nascent.
- The CTF highlights a critical reality: a stdio MCP server is a child process of the client, so by default it inherits the client's full context: environment variables (and any credentials stored in them), the user's filesystem permissions, local configs, and network reach to anything listening on loopback, legitimate or rogue.
- Privilege escalation across MCP tool tiers mirrors real enterprise deployments where agents accumulate access through plugin ecosystems.
- Hands-on training for MCP security is scarce — this fills a gap for security engineers, red teamers, and developers.
- Complements Bishop Fox's broader AI/LLM security assessment practice and adds to the growing body of practical agentic-AI security resources.
What to do
- Run the CTF in an isolated container — never on a host with production credentials or sensitive data.
- Use it to train security teams on MCP-specific attack patterns: tool discovery abuse, prompt manipulation, and environment-variable inheritance risks.
- Review your own MCP deployments: which tools does your agent have access to? Are privilege boundaries enforced by the server on every tool call, or merely assumed from which tools the client happens to list?
- Run local MCP servers sandboxed: a scrubbed environment rather than the inherited one, and explicit allowlists for filesystem and network access, loopback included.
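The environment-inheritance point above, and the recommendation to launch local servers with a scrubbed environment, can be made concrete with a small launcher. The code below is an added illustration, not Bishop Fox's or otto-support's own code. It shows the default behaviour of Go's os/exec (a nil Env means the child inherits everything) beside a hardened launcher that passes only an allowlist, and includes an audit helper that names credential-like variables a stdio server would otherwise see. The allowlist, the secret-name markers and the sample environment values are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// AllowedEnv is the launcher's allowlist of variables a stdio MCP server
// legitimately needs. Hypothetical set: tune it per server.
var AllowedEnv = []string{"HOME", "LANG", "PATH", "TERM"}

// secretMarkers are substrings that flag a variable name as credential-like.
// Constructed heuristic, not an exhaustive list.
var secretMarkers = []string{"SECRET", "TOKEN", "PASSWORD", "PASSWD", "API_KEY", "CREDENTIAL"}

// FilterEnv keeps only KEY=VALUE entries whose KEY is in allow, sorted by key.
// It always returns a non-nil slice: exec.Cmd treats a nil Env as "inherit
// everything", so an allowlist that matches nothing must still produce an
// empty (not nil) environment, or the hardening silently disappears.
func FilterEnv(environ, allow []string) []string {
	allowed := make(map[string]bool, len(allow))
	for _, k := range allow {
		allowed[k] = true
	}
	out := make([]string, 0, len(allow))
	for _, kv := range environ {
		key, _, ok := strings.Cut(kv, "=")
		if ok && allowed[key] {
			out = append(out, kv)
		}
	}
	sort.Strings(out)
	return out
}

// LeakedSecrets returns the names of credential-like variables in environ,
// in the order seen. Use it to audit what a stdio server would inherit.
func LeakedSecrets(environ []string) []string {
	leaks := []string{}
	for _, kv := range environ {
		key, _, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		upper := strings.ToUpper(key)
		for _, m := range secretMarkers {
			if strings.Contains(upper, m) {
				leaks = append(leaks, key)
				break
			}
		}
	}
	return leaks
}

// NewServerCmd builds the exec.Cmd a client would use to spawn a stdio server.
// hardened=false mirrors the common default: cmd.Env stays nil, so the child
// inherits the client's entire environment. hardened=true hands the child only
// the allowlisted variables and a neutral working directory.
func NewServerCmd(path string, args []string, hardened bool) *exec.Cmd {
	cmd := exec.Command(path, args...)
	if hardened {
		cmd.Env = FilterEnv(os.Environ(), AllowedEnv)
		cmd.Dir = os.TempDir() // not the user's repo or home directory
	}
	return cmd
}

func main() {
	// Constructed parent environment standing in for a developer's shell.
	parent := []string{
		"PATH=/usr/bin:/bin",
		"HOME=/home/dev",
		"AWS_SECRET_ACCESS_KEY=constructed-example",
		"GITHUB_TOKEN=ghp_constructed_example",
	}
	fmt.Println("credential-like variables a stdio server would inherit:", LeakedSecrets(parent))
	fmt.Println("what the hardened launcher passes instead:", FilterEnv(parent, AllowedEnv))

	// Live check: spawn a child both ways and ask it what it can see.
	os.Setenv("DEMO_TOKEN", "ghp_constructed_example")
	for _, hardened := range []bool{false, true} {
		cmd := NewServerCmd("sh", []string{"-c", `printf '%s' "${DEMO_TOKEN:-<unset>}"`}, hardened)
		out, err := cmd.Output()
		if err != nil {
			fmt.Println("spawn failed:", err)
			continue
		}
		fmt.Printf("hardened=%v child sees DEMO_TOKEN=%s\n", hardened, out)
	}
}
```

The same audit applies to any client that launches stdio servers: run LeakedSecrets over the environment of the shell or desktop session that starts the client, and treat every name it reports as reachable by every MCP server that session spawns, whether or not the server's tools nominally need it.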