SAF-MCP mitigations are security controls designed to protect Model Context Protocol (MCP) implementations from the attack techniques documented in our framework. Each mitigation is categorized by type and effectiveness, with clear mappings to the techniques it addresses.
New contributions to the mitigations are licensed under the Community Specification License 1.0. Mitigation content contributed on or before 2026-06-10 remains under CC BY 4.0 until the original contributors sign off on relicensing or the content is rewritten. See LICENSE for the full licensing structure.
Mitigations are grouped into the following categories:
- Architectural Defense: Fundamental design patterns that prevent entire classes of attacks
- Cryptographic Control: Security measures using cryptographic techniques
- AI-Based Defense: Controls leveraging AI/ML for detection and prevention
- Input Validation: Sanitization and validation of inputs before processing
- Supply Chain Security: Controls for securing the MCP software supply chain
- UI Security: Controls ensuring visual consistency and preventing deception
- Isolation and Containment: Sandboxing and isolation techniques
- Detective Control: Monitoring and detection capabilities
- Preventive Control: Controls that prevent attacks before they occur
- Architectural Control: System design patterns for security
Each mitigation carries an effectiveness rating:
- High: Highly effective control, prevents 80%+ of targeted attacks
- Medium-High: Effective control, prevents 60-80% of targeted attacks
- Medium: Moderately effective, prevents 40-60% of targeted attacks
- Low: Limited effectiveness, prevents <40% of targeted attacks
| Mitigation ID | Name | Category | Effectiveness |
|---|---|---|---|
| SAF-M-1 | Control/Data Flow Separation | Architectural Defense | High (Provable Security) |
| SAF-M-2 | Cryptographic Integrity for Tool Descriptions | Cryptographic Control | High |
| SAF-M-3 | AI-Powered Content Analysis | AI-Based Defense | Medium-High |
| SAF-M-4 | Unicode Sanitization and Filtering | Input Validation | Medium-High |
| SAF-M-5 | Content Sanitization | Input Validation | Medium |
| SAF-M-6 | Tool Registry Verification | Supply Chain Security | High |
| SAF-M-7 | Content Rendering Parity | UI Security | Medium-High |
| SAF-M-8 | Visual Validation | UI Security | Medium |
| SAF-M-9 | Sandboxed Testing | Isolation and Containment | High |
| SAF-M-74 | Per-Invocation Capability Brokering | Isolation and Containment | High |
| SAF-M-10 | Automated Scanning | Detective Control | Medium |
| SAF-M-11 | Behavioral Monitoring | Detective Control | High |
| SAF-M-12 | Audit Logging | Detective Control | Medium-High |
| SAF-M-13 | OAuth Flow Verification | Preventive Control | High |
| SAF-M-14 | Server Allowlisting | Preventive Control | High |
| SAF-M-15 | User Warning Systems | Preventive Control | Medium |
| SAF-M-16 | Token Scope Limiting | Preventive Control | High |
| SAF-M-17 | Callback URL Restrictions | Preventive Control | High |
| SAF-M-18 | OAuth Flow Monitoring | Detective Control | Medium |
| SAF-M-19 | Token Usage Tracking | Detective Control | Medium |
| SAF-M-20 | Anomaly Detection | Detective Control | High |
| SAF-M-21 | Output Context Isolation | Architectural Control | High |
| SAF-M-22 | Semantic Output Validation | Input Validation | Medium-High |
| SAF-M-23 | Tool Output Truncation | Preventive Control | Medium |
| SAF-M-24 | SBOM Generation and Verification | Supply Chain Security | High |
| SAF-M-25 | AI-Specific Risk Modeling | Risk Management | Medium-High |
| SAF-M-26 | Data Provenance Tracking | Data Security | High |
| SAF-M-27 | Social Engineering Awareness Training | Human Factors | Medium |
| SAF-M-28 | Pre-Authentication Tool Concealment | Preventive Control | High |
| SAF-M-30 | Vector Store Integrity Verification | Cryptographic Control | High |
| SAF-M-32 | Continuous Vector Store Monitoring | Detective Control | Medium-High |
| SAF-M-33 | Training Data Provenance Verification | Data Security | High |
| SAF-M-34 | AI Model Integrity Validation | Cryptographic Control | High |
| SAF-M-35 | Adversarial Training Data Detection | AI-Based Defense | Medium-High |
| SAF-M-36 | Model Behavior Monitoring | Detective Control | Medium-High |
| SAF-M-29 | Explicit Privilege Boundaries | Architectural Control | High |
| SAF-M-37 | Metadata Sanitization | Input Validation | High |
| SAF-M-38 | Schema Validation | Input Validation | Medium-High |
| SAF-M-39 | Prompt Context Validation | Architectural Control | High |
| SAF-M-40 | Clear UI Patterns | UI Security | Medium-High |
| SAF-M-41 | Tool and Package Pinning | Supply Chain Security | High |
| SAF-M-42 | Cross-Server Protection | Architectural Control | High |
| SAF-M-43 | Steganography Scanner | Detective Control | Medium-High |
| SAF-M-44 | Behavioural Monitoring | Detective Control | Medium-High |
| SAF-M-45 | Tool Manifest Signing & Server Attestation | Supply Chain Security | High |
| SAF-M-46 | Bridge Risk Management | Preventive Control | High |
| SAF-M-47 | Cross-Chain Transaction Graph Analysis | Detective Control | High |
| SAF-M-48 | Custodial Off-Ramp Monitoring | Detective Control | Medium-High |
- Total Mitigations: 48
- High Effectiveness: 27 (56%)
- Medium-High Effectiveness: 15 (31%)
- Medium Effectiveness: 6 (13%)
- Low Effectiveness: 0 (0%)
| Category | Number of Mitigations |
|---|---|
| Detective Control | 12 |
| Preventive Control | 7 |
| Input Validation | 6 |
| Cryptographic Control | 3 |
| Architectural Defense | 2 |
| UI Security | 3 |
| AI-Based Defense | 2 |
| Supply Chain Security | 4 |
| Data Security | 2 |
| Architectural Control | 4 |
| Isolation and Containment | 2 |
| Risk Management | 1 |
| Human Factors | 1 |
The most effective security posture combines multiple mitigations across different categories:
- Foundation Layer: Implement architectural defenses (SAF-M-1, SAF-M-21) that provide fundamental protection
- Prevention Layer: Add cryptographic controls (SAF-M-2) and input validation (SAF-M-4, SAF-M-5, SAF-M-22)
- Detection Layer: Deploy monitoring and detection controls (SAF-M-10, SAF-M-11, SAF-M-12)
- Response Layer: Maintain audit logs and incident response procedures
For organizations with limited resources, prioritize implementation based on:
- Critical Controls (Implement First):
  - SAF-M-1: Control/Data Flow Separation
  - SAF-M-2: Cryptographic Integrity
  - SAF-M-6: Tool Registry Verification
  - SAF-M-11: Behavioral Monitoring
- Important Controls (Implement Second):
  - SAF-M-3: AI-Powered Content Analysis
  - SAF-M-4: Unicode Sanitization
  - SAF-M-9: Sandboxed Testing
  - SAF-M-13: OAuth Flow Verification
- Additional Controls (Implement as Resources Allow):
  - Remaining mitigations based on specific threat model
General recommendations for applying mitigations:
- Review mitigations relevant to your threat model
- Implement controls in layers for defense in depth
- Regularly update and test mitigation effectiveness
- Monitor for new threats requiring additional controls
- Consider automation for detective controls
- Document implementation details for compliance
To add new mitigations or update existing ones:
- Create a new directory under `mitigations/` with the next available SAF-M-X number
- Use the mitigation template for consistent documentation
- Update this MITIGATIONS.md file
- Submit a pull request with justification for the new mitigation