Every MCP server, treated as untrusted by default.

MCP gives agents access to tools, data, and external systems at scale. It also gives every server those agents connect to the ability to inject instructions, claim capabilities it doesn't have, and receive credentials it shouldn't hold. Trust3 AI secures the MCP layer at every point: server verification, credential scoping, content inspection, and a tamper-evident record of every connection.

THE CHALLENGE

MCP expands what agents can do. And what can be done to them.

The protocol itself has no built-in trust model. A malicious server can embed directives inside tool descriptions that redirect the agent's behavior or instruct it to exfiltrate data through a call that looks legitimate. The agent has no way to distinguish a genuine description from an injected one.

The other problem is scope. Default MCP deployments hand agents the broadest credentials the server will accept. A captured credential, a misconfigured server, or an agent running beyond its declared purpose all lead to the same outcome: access that should have been scoped isn't.

HOW IT WORKS

Five controls. One secured MCP layer.

01
Server Verification

Every MCP server authenticated before any call is made.

Trust3 AI maintains a registry of approved MCP servers for each agent. When an agent initiates a connection, the server is authenticated against that registry before any tool description is loaded, any credential is exchanged, or any call is attempted. A server that moves to a new host, changes its certificate, or misrepresents its capabilities gets caught at the connection layer, not after the fact.

  • Every MCP server authenticated at connection time, before any tool is loaded
  • Unknown or unregistered servers blocked: no call attempted, no credential exposed
  • Server identity verified on every new session, not just at onboarding
  • Blocked connection attempts logged with agent identity, server target, and timestamp

02
Tool Scoping & Content Firewall

Injected instructions stripped before they reach the agent.

Trust3 AI inspects every tool description before it enters agent context. The content firewall identifies instruction-like patterns (imperative commands, scope-escalation claims, destination redirects) and strips them while leaving legitimate tool metadata intact. The same inspection runs on tool responses: PII, PCI, and PHI are detected before they're passed back into the agent's reasoning loop.

  • Tool descriptions scanned at server registration and on every call
  • Injected instructions, permission claims, and redirect patterns detected and stripped
  • Tool responses scanned for PII, PCI, and PHI before entering agent context
  • Tools that exceed an agent's declared scope flagged or blocked before the agent calls them
  • Every firewall event logged with the stripped content preserved as evidence

03
Credential Isolation & Token Exchange

Agents get credentials scoped to the task. Nothing that outlasts the session.

Trust3 AI mediates the credential layer. Agent credentials are never passed to MCP servers in their original form. Instead, Trust3 AI issues scoped, short-lived tokens via RFC 8693 OAuth 2.0 token exchange: one per session, scoped to the declared purpose, expiring when the session ends. A compromised server that captures a token gets a credential that can only access what the task required.

  • Agent credentials never passed directly to MCP servers
  • RFC 8693 token exchange issues scoped, short-lived tokens per session
  • Token scope bound to the agent's declared purpose, with no access beyond what the task requires
  • Tokens expire at session end, leaving no orphaned credentials and no persistent access
  • Every token issuance and expiration logged in the audit record
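
As an added illustration (not Trust3 AI code), here is the RFC 8693 exchange from both sides in Python: the broker builds the token-exchange request for only the scopes the task declared, and a toy security token service answers with a session-bound token that is capped by what the agent actually holds. The agent credential, scopes, audience and token format are constructed samples.

```python
from urllib.parse import urlencode, parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample: the agent's long-lived credential and the scopes it actually holds.
AGENT_CREDENTIALS = {"agent-cred-7f3a": {"crm:read", "crm:write", "billing:read"}}


def build_exchange_request(agent_token, declared_scopes, server_audience):
    """Form body the broker POSTs to the token endpoint (RFC 8693 section 2.1).
    The broker asks only for the scopes the task declared, never the agent's full set."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": agent_token,
        "subject_token_type": ACCESS_TOKEN,
        "requested_token_type": ACCESS_TOKEN,
        "audience": server_audience,
        "scope": " ".join(sorted(declared_scopes)),
    })


class TokenExchangeSTS:
    """Toy security token service: honours the RFC 8693 grant with a downscoped, session-bound token."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.issued = {}  # session token -> (audience, granted scopes, expiry)

    def exchange(self, form_body, session_ttl, now):
        req = {k: v[0] for k, v in parse_qs(form_body).items()}
        if req.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        held = self.credentials.get(req.get("subject_token"))
        if held is None:
            return {"error": "invalid_grant"}  # unknown or revoked subject token
        # Requested scope is capped by what the subject holds, so the request can never escalate.
        granted = set(req.get("scope", "").split()) & held
        token = f"mcp-sess-{len(self.issued) + 1}"
        self.issued[token] = (req.get("audience"), granted, now + session_ttl)
        return {"access_token": token, "issued_token_type": ACCESS_TOKEN, "token_type": "Bearer",
                "expires_in": session_ttl, "scope": " ".join(sorted(granted))}

    def authorize(self, token, audience, scope, now):
        """The server-side check: right audience, scope granted, session not expired."""
        aud, scopes, expiry = self.issued.get(token, (None, set(), 0))
        return aud == audience and scope in scopes and now < expiry
```

The MCP server only ever sees `mcp-sess-…`, never `agent-cred-7f3a`, and a captured session token is useless against another audience or after the session ends.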

04
Per-Agent Allowlists

Each agent reaches only the servers it's approved to reach.

Every registered agent in Trust3 AI has an explicit allowlist: the set of MCP servers it's authorized to reach, with tool-level scoping applied where needed. An agent cannot connect to anything outside that list, regardless of what its reasoning suggests it should do next.

  • Per-agent allowlists maintained in the Trust3 AI control plane
  • Tool-level scoping within approved servers, not just server-level access control
  • Allowlist evaluated against the agent's current Trust Score, with low-trust agents facing additional restrictions
  • Allowlist changes logged and versioned, with full history of what each agent was permitted to reach and when
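
As an added illustration covering both the server verification in 01 and the per-agent allowlists here (example code, not Trust3 AI's), a minimal connection gate in Python: it pins each registered server to a host and certificate fingerprint, rejects servers that advertise tools they were not registered with, then applies the agent's allowlist with tool-level scoping. The registry, allowlist entries and the `min_trust` threshold per server are constructed assumptions.

```python
import hashlib

# Constructed registry: approved servers pinned by host and certificate fingerprint, with the tools they may offer.
SERVER_REGISTRY = {
    "crm-mcp": {"host": "crm-mcp.internal:8443", "cert_sha256": hashlib.sha256(b"crm-cert-v1").hexdigest(),
                "tools": {"crm.lookup", "crm.update"}},
    "docs-mcp": {"host": "docs-mcp.internal:8443", "cert_sha256": hashlib.sha256(b"docs-cert-v1").hexdigest(),
                 "tools": {"docs.search"}},
}
# Constructed per-agent allowlist: server -> permitted tools plus an assumed minimum Trust Score for that server.
AGENT_ALLOWLIST = {
    "support-agent": {"crm-mcp": {"tools": {"crm.lookup"}, "min_trust": 0.7},
                      "docs-mcp": {"tools": {"docs.search"}, "min_trust": 0.3}},
}
BLOCKED_LOG = []  # blocked attempts: agent identity, server target, timestamp, reason


def verify_connection(ts, agent, trust_score, server_id, presented_host, presented_cert_der, advertised_tools):
    """Run before any tool description is loaded. Returns (tools the agent may see, reason)."""
    def block(reason):
        BLOCKED_LOG.append({"ts": ts, "agent": agent, "server": server_id, "host": presented_host, "reason": reason})
        return set(), reason

    reg = SERVER_REGISTRY.get(server_id)
    if reg is None:
        return block("unregistered server")
    if reg["host"] != presented_host:
        return block("host mismatch")  # server moved to a new host
    if reg["cert_sha256"] != hashlib.sha256(presented_cert_der).hexdigest():
        return block("certificate fingerprint mismatch")  # certificate changed since registration
    extra = set(advertised_tools) - reg["tools"]
    if extra:
        return block("server misrepresents capabilities: " + ", ".join(sorted(extra)))
    entry = AGENT_ALLOWLIST.get(agent, {}).get(server_id)
    if entry is None:
        return block("server not on agent allowlist")
    if trust_score < entry["min_trust"]:
        return block("trust score below threshold for this server")
    # Tool-level scoping: the agent sees only tools that are both allowed for it and offered by the server.
    return entry["tools"] & set(advertised_tools), "ok"
```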

05
Full MCP Traffic Logging

Every connection, tool call, and credential exchange. Captured. Tamper-evident.

Every server connection, tool call, credential issuance, and firewall event is recorded in a tamper-evident log. Entries cannot be modified after they're written. Each one is time-stamped, signed, and linked to the session, the agent identity, the server, and the active policy at the time of the event.

  • Every MCP connection, tool call, and credential exchange recorded
  • Firewall events retained with the original stripped content for evidence
  • Records signed and tamper-evident; they cannot be modified after the fact
  • Full audit trail: agent identity to server to tool to credential to outcome
  • Retained permanently as your compliance record
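
As an added illustration of what "tamper-evident" means in practice (example code, not Trust3 AI's log format), a small Python append-only log: every entry is signed with HMAC-SHA256 over a canonical serialization that includes the previous entry's signature, so editing, removing or reordering any record breaks verification from that point on. The signing key, field names and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body):
    # One canonical serialization so the signature is bound to exactly these fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class McpAuditLog:
    """Append-only log: each entry is HMAC-signed and carries the previous entry's signature."""

    def __init__(self, signing_key):
        self._key = signing_key
        self.entries = []

    def append(self, ts, session, agent, server, event, detail, policy_version):
        prev = self.entries[-1]["sig"] if self.entries else GENESIS
        body = {"ts": ts, "session": session, "agent": agent, "server": server,
                "event": event, "detail": detail, "policy": policy_version, "prev": prev}
        body["sig"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append(body)
        return body["sig"]

    def verify(self):
        """Return (ok, index): ok is False at the first entry whose signature or chain link fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "sig"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if body.get("prev") != prev or not hmac.compare_digest(expected, entry["sig"]):
                return False, i
            prev = entry["sig"]
        return True, len(self.entries)
```

In a deployment the signing key would live in an HSM or a separate signing service so that a compromised log host cannot re-sign a forged chain.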

The MCP ecosystem is expanding. Your security perimeter has to expand with it.

Every new MCP server an agent can reach is a new surface. Trust3 AI gives security and data teams a verified, scoped, and audited perimeter around the entire MCP layer, without changing how agents work.