🔴 HIGH

MCP Servers Abused by AI Agents for API Misuse

Category: Threat Alerts
Salt Security reports increasing external misuse and abuse of Model Context Protocol (MCP) servers by AI agents and attackers, turning this new AI-integration layer into an emerging attack surface mapped to T1190 and T1078. MCP servers allow LLMs and autonomous agents to call APIs, execute tools, and complete workflows on behalf of users, but are often deployed without central oversight and exposed directly to the internet within AWS ecosystems. This creates opportunities for adversaries to abuse AI agents or compromised identities to trigger unauthorized actions, access sensitive data, or pivot into backend systems through MCP endpoints.

Building on its MCP Finder capability, Salt now extends API behavioral threat protection to detect malicious intent targeting MCP servers and automatically block threats using AWS WAF. The platform discovers external, internal, and shadow MCP implementations, correlates behavioral anomalies, and uses AWS WAF to enforce blocking at the edge. This lets organizations leverage existing WAF infrastructure to protect AI action layers without deploying new inline appliances.

Business impact is significant for enterprises aggressively adopting AI agents to automate workflows across customer data, internal systems, and cloud infrastructure. If MCP servers are abused, attackers may exfiltrate sensitive records, trigger destructive operations, or perform unauthorized changes under the guise of legitimate AI activity, creating complex attribution and compliance challenges under GDPR or sector regulations.

Mitigation requires inventorying all MCP servers, routing their traffic through controlled enforcement points like AWS WAF, and applying intent-aware behavioral analytics tuned to AI-driven usage. Security teams should treat AI action layers as high-value APIs, enforce strong authentication and authorization for AI agents, and integrate MCP telemetry into broader threat detection and governance for AI systems.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: As enterprises wire AI agents into critical workflows, unprotected MCP servers become high-leverage entry points for data theft, fraud, and operational disruption if adversaries hijack agent interactions or API calls. Misuse at this layer may be difficult to distinguish from legitimate automation, complicating incident response and regulatory reporting when sensitive data is exposed or changed.

Technical Context: MCP servers expose tool and API execution surfaces to LLMs and autonomous agents, making them attractive targets for external attackers mapped to T1190 and T1078. Salt’s approach—discovery via MCP Finder plus behavioral detection and AWS WAF enforcement—illustrates how existing API and edge controls can be extended to monitor and constrain AI action layers before misuse turns into full compromise.

Strategic Intelligence Guidance

  • Discover all MCP servers across AWS accounts and environments, including shadow or experimental deployments, and ensure their traffic is proxied through AWS WAF or similar enforcement points.
  • Apply behavioral threat detection to MCP traffic to identify anomalous AI agent calls, unusual data access patterns, or tool execution inconsistent with typical workflows.
  • Enforce strong authentication, authorization, and scoping for AI agents interacting with MCP servers, minimizing access to only the APIs and operations required per use case.
  • Integrate MCP-layer telemetry into SOC monitoring and AI governance programs, defining incident response playbooks for AI-driven misuse or compromised agent credentials.
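The scoping and behavioral-detection guidance above, as an added illustration that is not Salt Security's product logic nor code from the alert: a minimal enforcement-point check that denies MCP tool calls from unprovisioned agent identities or outside an agent's allowlist, and flags bursts of repeated tool use among calls that were allowed. Agent names, tool names and the sample records are constructed.

```python
from collections import Counter

# Constructed per-agent scope: agent identity -> MCP tools it may invoke.
# Hypothetical names, not taken from the alert.
AGENT_SCOPES = {
    "support-bot": {"tickets.read", "tickets.comment"},
    "billing-agent": {"invoices.read", "invoices.export"},
}

# Constructed MCP tool-call records, as an enforcement point in front of the
# MCP server might log them. Not real traffic.
SAMPLE_CALLS = [
    {"agent": "support-bot", "tool": "tickets.read"},
    {"agent": "support-bot", "tool": "tickets.read"},
    {"agent": "support-bot", "tool": "tickets.comment"},
    {"agent": "billing-agent", "tool": "invoices.read"},
    {"agent": "billing-agent", "tool": "invoices.export"},
    {"agent": "billing-agent", "tool": "invoices.export"},
    {"agent": "billing-agent", "tool": "invoices.export"},
    {"agent": "billing-agent", "tool": "invoices.export"},
    {"agent": "support-bot", "tool": "customers.export"},  # outside its scope
    {"agent": "ghost-agent", "tool": "tickets.read"},      # identity never provisioned
]


def authorize(call):
    """Least-privilege decision: deny unknown identities and out-of-scope tools."""
    scope = AGENT_SCOPES.get(call["agent"])
    if scope is None:
        return "deny:unknown-agent"
    if call["tool"] not in scope:
        return "deny:out-of-scope"
    return "allow"


def flag_bursts(calls, max_per_tool=3):
    """Behavioral check on allowed calls only: an (agent, tool) pair invoked more
    than max_per_tool times in the window (e.g. repeated exports) is flagged."""
    counts = Counter((c["agent"], c["tool"]) for c in calls if authorize(c) == "allow")
    return {key: n for key, n in counts.items() if n > max_per_tool}


def triage(calls):
    """Summarize decisions and bursts in the shape a SOC feed would consume."""
    decisions = Counter(authorize(c) for c in calls)
    return {"decisions": dict(decisions), "bursts": flag_bursts(calls)}


if __name__ == "__main__":
    print(triage(SAMPLE_CALLS))
```

The burst threshold is a constructed placeholder; in practice it would be tuned per agent and tool from observed baseline usage.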

Vendors

  • Salt Security
  • Amazon Web Services

Threats

  • MCP server abuse
  • AI agent misuse

Targets

  • enterprise AI infrastructure
  • MCP servers
  • AWS WAF customers

Intelligence Source: MCP Servers Abused by AI Agents for API Misuse | Dec 4, 2025