Skip to Content
View all events

Securing MCP Servers

Published by O'Reilly Media, Inc.

Intermediate content levelIntermediate

Hands-on exploitation and defense in a controlled environment

What you’ll learn and how you can apply it

  • Assess and communicate the primary security and privacy risks in MCP services to technical and nontechnical stakeholders
  • Design and implement secure MCP services with protection against the top five vulnerability classes
  • Develop and execute comprehensive security testing plans for MCP implementations
  • Recommend and deploy effective, practical mitigations for common MCP security vulnerabilities

Course description

Imagine AI agents that don’t just chat—they book flights, edit files, write code, and author entire books. The Model Context Protocol (MCP) has unlocked this reality, enabling flexible integrations that define the AI era. But unlike traditional APIs with predictable interfaces, MCP’s dynamic nature introduces unprecedented security challenges.

In this intensive course, expert hacker Katie Paxton-Fear helps both security professionals and developers see MCP vulnerabilities through the attacker’s perspective. You’ll map agentic AI attack surfaces, identify critical vulnerabilities, understand exploitation techniques, assess business impact, and implement robust mitigation strategies. Using a purpose-built vulnerable MCP server, you’ll watch or practice attacks in a controlled environment, and then design and implement defenses against the very vulnerabilities you’ve exploited. You’ll come away with the expertise to build genuinely secure MCP servers and the skills to audit existing implementations with confidence.

This live event is for you because...

  • You’re a developer who’s actively building or maintaining MCP implementations.
  • You’re a security professional who’s responsible for securing AI/ML infrastructure.
  • You’re a DevSecOps engineer who integrates security into AI development pipelines.
  • You’re a technical leader evaluating the security implications of MCP adoption.
  • You’re an individual technologist who uses MCP tools and needs to protect personal/organizational data.

Prerequisites

  • Familiarity with common web application security vulnerabilities (OWASP Top 10 knowledge preferred)
  • Basic understanding of MCP concepts and use cases
  • Experience with API security testing or penetration testing (helpful but not required)

Recommended preparation:

  • If you wish to practice attacks or to code along with the instructor, set up your lab environment before the course begins (check back for instructions)

Recommended follow-up:

Schedule

The time frames are only estimates and may vary according to how the class is progressing.

Introduction to MCP security (30 minutes)

  • Presentation: MCP fundamentals and security implications
  • Group discussion: Security for MCP versus traditional APIs
  • Hands-on exercise: Check your MCP security knowledge
  • Q&A

Agentic AI attack surface (40 minutes)

  • Presentation: Attack surface analysis—agents, tools, and processes
  • Hands-on exercise: Match the vulnerability to the attack surface component
  • Q&A
  • Break

Vulnerability deep dive—prompt injection (25 minutes)

  • Presentation: Prompt injection mechanics and AI social engineering
  • Hands-on exercise: Exploit a prompt injection vulnerability to get an agent to reveal its prompt
  • Group discussion: Difficulty assessment and real-world implications
  • Q&A

Vulnerability deep dive—preference attacks (35 minutes)

  • Presentation: Preference manipulation and malicious server selection
  • Hands-on exercise: Exploit a preference attack by adapting the description of an MCP server using the “greatest” method
  • Group discussion: Attack sophistication and detection challenges
  • Q&A
  • Break

Vulnerability deep dive—privilege escalation (25 minutes)

  • Presentation: Accessing control failures in MCP architectures
  • Hands-on exercise: Exploit improper access control to access another users information
  • Group discussion: Business impact and compliance implications
  • Q&A

Vulnerability deep dive—supply chain vulnerabilities (35 minutes)

  • Presentation: Agentic AI supply chain vulnerabilities beyond MCP
  • Hands-on exercise: Review a recent real-life security disclosure of a traditional vulnerability that affected MCP
  • Group discussion: Supply chain risk mitigation strategies
  • Q&A
  • Break

Vulnerability deep dive—tool misuse and defense design (25 minutes)

  • Presentation: Ecosystem vulnerabilities and malicious agent scenarios
  • Group discussion: What could you do with a malicious agent?
  • Hands-on exercise: Choose one scenario and design a zero-trust approach to defend your MCP server against the attack
  • Q&A

Defense implementation and next steps (25 minutes)

  • Presentation: Zero-trust AI agent principles
  • Hands-on exercise and optional homework: Fix some of the vulnerabilities from the course in the code, and try to bypass each other’s fixes (if you want)
  • Q&A

Your Instructor

  • Katie Paxton-Fear

    Katie Paxton-Fear is a technical marketing manager at Traceable, but she's probably better known for her hobby. In her free time she's a hacker who has found more than 30 vulnerabilities in software in production. In her first attempt at a live hacking event in 2019, she discovered two bugs in Uber’s API. After finding even more API bugs at DEFCON, she started making videos to teach others how to do it. She now has 70,000 subscribers to her YouTube channel, InsiderPhD. Her speciality is access control and business logic issues, finding the vulnerabilities scanners miss.

Skill covered

Security Engineering