arXiv — MCP-DPT: Defense Placement Taxonomy for Model Context Protocol Security

AI relevance: This research addresses fundamental security gaps in Model Context Protocol infrastructure, which underpins modern AI agent toolchains and autonomous system deployments.

Researchers from Old Dominion University published MCP-DPT (Defense Placement Taxonomy), a comprehensive framework that shifts MCP security analysis from attack-centric to defense-placement oriented. The paper systematically maps 49 MCP-specific attacks across six architectural layers and identifies critical coverage gaps in current security practices.

Key Findings

Six Architectural Defense Layers

• Model Provider/LLM Alignment: Model behavior, refusal logic, tool selection
• MCP Host/Application: Execution state, capability exposure, orchestration logic
• MCP Client/SDK: Protocol parsing, request construction, response interpretation
• MCP Server/Tool Execution: Runtime environment, authentication, isolation
• Transport/Network: Communication channels, encryption, endpoint authentication
• Registry/Marketplace & Supply-chain: Discovery, distribution, versioning, provenance

Critical Security Gaps

• Uneven defense coverage: Current protections cluster around tool-centric defenses
• Transport layer under-defended: Only 2/13 analyzed defenses cover network-level threats
• Supply chain risks: Registry and marketplace layers receive minimal protection
• Host orchestration gaps: Application-level enforcement remains sparse
• Structural rather than incidental: Gaps reflect architectural misalignment, not isolated flaws

Primary vs Secondary Defense Points

The taxonomy introduces a crucial distinction:

• Primary defense layer: Earliest boundary where prevention is feasible
• Secondary defense layer: Fallback containment if primary fails
• Example: Rug pull attacks pass registry evaluation (primary) but require host-level detection (secondary)

Why This Matters

MCP adoption has exploded—Anthropic's protocol hit 97M monthly SDK downloads in January 2026—yet security practices haven't kept pace:

• Multi-party trust boundaries: MCP spans independently operated components
• Pre-execution artifacts: Tool metadata influences decisions before any execution
• Cross-context propagation: Attacks chain across tools, sessions, and servers
• Third-party control: Heterogeneous identity and authorization outside model provider boundaries

Defense Mechanisms Analyzed

The study evaluates 13 academic and industry defenses:

• Static/pre-execution: MCP-Scan, MCPScan.ai, Cisco MCP Scanner
• Behavior-level/runtime: MCIP-Guardian, MCP Defender, MCP-Guard
• Isolation-based/architecture: MCP-Gateway, ToolHive, MCP Guardian
• Decision-level: MindGuard, AIM-Guard-MCP, Prisma AIRS

Recommendations

• Adopt defense-in-depth: Implement protections across multiple layers
• Focus on transport security: Strengthen network-level protections
• Enhance supply chain governance: Implement registry-level controls
• Improve host orchestration: Strengthen application boundary enforcement
• Use capability-based assessment: Evaluate defense coverage across attack classes

References & Primary Sources

• arXiv:2604.07551 — MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security
• Model Context Protocol GitHub Organization
• Model Context Protocol Official Site
• LiteLLM GitHub Repository
• Anthropic GitHub Organization