MCP Security · Defense-Coverage Benchmark

How much of the MCP attack surface does each security proxy actually cover?

A vendor-neutral benchmark. Each tool is driven through its real code against 22 MCP attack vectors, crosswalked to the NIST AI RMF and the OWASP LLM & Agentic Top 10. Results are measured, with matched benign controls — not self-reported.

Corpus: 31 cases Vectors: 22 Covered by ≥ 1 tool: 13/22 Repository Zenodo DOI Preprint

Coverage of the full attack surface

ToolClassWeighted coverage● enforce◐ detectnoneFalse pos.
mcp-bastionruntime-proxy 34% (7.5/22) 2119 0 / 31
mcp-firewallruntime-proxy 14% (3.0/22) 3019 0 / 31
pipelockegress-firewall 11% (2.5/22) 1318 0 / 31
null-baselinenone 0% (0.0/22) 0022 0 / 31

Weighting: enforce = 1.0, detect = 0.5, none = 0, over 22 vectors. A vector counts only if the tool flags the attack and stays clean on the matched benign control (else it's a false positive). Zero false positives across all tools.

Per-vector coverage matrix

VectorLayermcp-bastionmcp-firewallpipelocknull-baseline
Tool poisoningtool
Tool name collision / shadowingclient
Rug pull / dynamic capability mutationtool
Out-of-scope parameter injectiontool
Prompt injection via tool resultstool
Indirect / retrieval injectiontool
Cross-tool data exfiltration / confused deputyclient
Tool-transfer / cross-server chaininghost-orchestration
False-error escalationtool
Package / name squatting in registryregistry-supply-chain
Supply-chain poisoning (unverified provenance)registry-supply-chain
Configuration driftserver
Sandbox escapeserver
Schema / validation bypassserver
Man-in-the-middle (transport)transport
DNS rebinding (local servers)transport
Server impersonation / identity spoofingregistry-supply-chain
Excessive permission / privilege escalationhost-orchestration
Credential / token theft via passthroughhost-orchestration
Consent fatigue / over-broad grantsclient
Command injection in tool executionserver
System-prompt / context leakage via toolsclient
● enforce (blocks) ◐ detect (warns) not covered

Defense-in-depth: the tools cover different layers; 13 of 22 vectors are covered by at least one tool and 9 by none (registry/supply-chain, OS-isolation, and semantic vectors that lie outside a runtime proxy's reach). No single proxy is sufficient.

Evasion robustness

AttackEncodingmcp-bastionmcp-firewallpipelocknull-baseline
response-injectionhomoglyph substitution
response-injectionbase64-wrapped payload
tool-poisoningzero-width / bidi-control characters

Robustness (evasion fixtures detected): mcp-bastion 1/3 · mcp-firewall 0/3 · pipelock 2/3 · null-baseline 0/3. The tools are robust to different obfuscations — no single tool survives all of them.

Framework mapping

Every attack vector is crosswalked to the frameworks security and compliance teams govern by. NIST AI RMF is a U.S. federal framework (NIST, Dept. of Commerce); OWASP is an international open standard; STRIDE is the classic threat-modeling taxonomy.

VectorLayerSTRIDENIST AI RMFOWASP LLM 2025OWASP Agentic 2026
Tool poisoningtoolTampering/ElevationOfPrivilegeMAP, MEASURE, MANAGELLM01, LLM06ASI01, ASI02
Tool name collision / shadowingclientSpoofing/TamperingMAP, MANAGELLM01, LLM03ASI01, ASI04
Rug pull / dynamic capability mutationtoolTamperingMEASURE, MANAGELLM03, LLM06ASI04
Out-of-scope parameter injectiontoolTampering/ElevationOfPrivilegeMEASURE, MANAGELLM05, LLM06ASI02
Prompt injection via tool resultstoolTamperingMEASURE, MANAGELLM01, LLM05ASI01
Indirect / retrieval injectiontoolTamperingMEASURE, MANAGELLM01ASI01
Cross-tool data exfiltration / confused deputyclientInformationDisclosure/ElevationOfPrivilegeMAP, MEASURE, MANAGELLM02, LLM06ASI02, ASI03
Tool-transfer / cross-server chaininghost-orchestrationElevationOfPrivilegeMAP, MANAGELLM06ASI02, ASI03
False-error escalationtoolElevationOfPrivilege/DenialOfServiceMEASURE, MANAGELLM01, LLM06ASI01, ASI02
Package / name squatting in registryregistry-supply-chainSpoofingGOVERN, MAPLLM03ASI04
Supply-chain poisoning (unverified provenance)registry-supply-chainTampering/SpoofingGOVERN, MAP, MANAGELLM03, LLM04ASI04
Configuration driftserverTamperingGOVERN, MEASURE, MANAGELLM03ASI04
Sandbox escapeserverElevationOfPrivilegeMANAGELLM06ASI02, ASI03
Schema / validation bypassserverTampering/ElevationOfPrivilegeMEASURE, MANAGELLM05ASI02
Man-in-the-middle (transport)transportTampering/InformationDisclosure/SpoofingMANAGELLM02ASI03
DNS rebinding (local servers)transportSpoofing/ElevationOfPrivilegeMANAGELLM06ASI03
Server impersonation / identity spoofingregistry-supply-chainSpoofingGOVERN, MAP, MANAGELLM03ASI03, ASI04
Excessive permission / privilege escalationhost-orchestrationElevationOfPrivilegeGOVERN, MAP, MANAGELLM06ASI03
Credential / token theft via passthroughhost-orchestrationInformationDisclosure/ElevationOfPrivilegeGOVERN, MANAGELLM02, LLM06ASI03
Consent fatigue / over-broad grantsclientElevationOfPrivilege/RepudiationGOVERN, MANAGELLM06ASI03
Command injection in tool executionserverElevationOfPrivilege/TamperingMEASURE, MANAGELLM05ASI02
System-prompt / context leakage via toolsclientInformationDisclosureMEASURE, MANAGELLM07, LLM02ASI01

NIST AI RMF: GOVERN · MAP · MEASURE · MANAGE. OWASP LLM: LLM01 Prompt Injection · LLM02 Sensitive Info Disclosure · LLM03 Supply Chain · LLM04 Data/Model Poisoning · LLM05 Improper Output Handling · LLM06 Excessive Agency · LLM07 System Prompt Leakage · LLM08 Vector/Embedding. OWASP Agentic: ASI01 Agent Goal Hijack · ASI02 Tool Misuse · ASI03 Identity & Privilege Abuse · ASI04 Agentic Supply Chain.

References

Frameworks: NIST AI RMF 1.0 (U.S. federal) · OWASP Top 10 for LLM Apps (2025) · OWASP Top 10 for Agentic Apps (2026) · STRIDE.
MCP security research: SoK 2512.08290 · Formal framework 2604.05969 · STRIDE/DREAD 2603.22489 · MCP-DPT 2604.07551 · MSB 2510.15994 · MCPTox 2508.14925 · ETDI 2506.01333 · Trustworthy MCP Registry.
MCP protocol: Specification · Registry.

Method & honesty

Each adapter drives the tool's actual detection code or CLI — never a mock. A defender is scored only on what it inspects at runtime (a proxy that ignores tool results scores none there, even if its rules would match the text in isolation). Absolute totals are corpus-dependent; the per-vector matrix is the more reliable read. Scored tools run locally and deterministically; cloud-model tools are observed, not scored. Full methodology, prior-art positioning, and the whitepaper are in the repository.