
MCP Security - How to Observe, Authenticate, and Govern AI Agent Traffic
Download Now
What is the MCP blind spot?
An MCP endpoint is a new, internet-facing attack surface that sits outside the perimeter controls most enterprises have spent years building. Traditional tools cannot see which MCP tools are being invoked, with which arguments, by which agents. The result is a governance gap — and the oldest problem in security: you cannot protect what you cannot see.
That blind spot is already being probed. The same tool calls that let a trusted agent run a product search or build a cart let an attacker do the same at machine speed:
- Automated credential and payment-card testing against agentic checkout endpoints
- Data exfiltration and scraping — systematic theft of catalogue, pricing, and content via search tools
- Business-logic abuse — inventory hoarding, coupon stacking, flash-sale exploitation
- Resource exhaustion and cost amplification — API-driven denial-of-service and infrastructure cost attacks
- Hijacked or prompt-injected agents — a legitimate agent commandeered, its session loaded with stolen credentials or steered off-mandate
Each of these maps cleanly to the OWASP API Security Top 10 and the OWASP Top 10 for LLM Applications — meaning MCP abuse slots directly into the risk register you already maintain. The full mapping is in the solution brief.
Why can't a WAF see MCP traffic?
WAFs and bot-management tools inspect HTTP requests for known signatures and browser-like behavior. MCP traffic is different in kind: it's JSON-RPC tool calls made by autonomous, non-human identities — often executed from cloud infrastructure that concentrates thousands of “users” behind a handful of subnets. At the packet level, legitimate and malicious automation are indistinguishable.
That's why the old control question has collapsed. The old question was “Is this a bot?” The question that matters now is “Is this non-human identity authorized — and is this tool call consistent with legitimate intent, right now?”
Blocking all bots means blocking your customers' AI assistants. Allowing them all means letting attacker tooling through. Neither is a strategy.
How do you secure MCP endpoints without blocking legitimate agents?
Answering the new question takes three capabilities working together at the edge — before a request ever reaches your backend.
Observe every tool call. Parse JSON-RPC at the perimeter and see exactly which tool an agent is calling, with which parameters. Stitch the agent's ordered tool calls — and the eventual human checkout — into a single journey, giving your SOC a complete, attributable forensic record: the prompt, the tools, the sequence, the origin of every call.
Authenticate non-human identities. Emerging standards like web-bot-auth let legitimate agents cryptographically sign their requests. Validating those HTTP message signatures at the edge turns identity into a policy signal — and because web-bot-auth, Visa TAP, and Mastercard Agent Pay all share the same signature pattern, one integration covers the protocol your partners mandate next.
Detect malicious intent behaviorally. Identity tells you who; it cannot tell you whether a verified agent has been hijacked. Behavioral scoring of every tool call — with no attack signatures to maintain and no labelled training data — catches skipped steps, impossible speed, and sequences no legitimate actor takes.
The result is risk-based enforcement rather than blanket blocking: a trusted, signed agent on a legitimate journey gets a frictionless prompt-to-payment path. A lower-trust agent gets contained in a web checkout where full profiling and a human-present step apply. Same destination, two paths, chosen by risk in the moment. Never trust identity alone; verify behavior continuously; contain when risk rises. This is zero-trust made concrete for AI agents.
One control plane, not another point tool
MCP won't be the last agent protocol you're asked to support. The solution brief covers how a single edge-native deployment — on the CDN you already run — brings MCP, web-bot-auth, Visa TAP, Mastercard Agent Pay, AP2, and UCP/ACP under one policy engine alongside your existing web, API, and mobile traffic. Each standard answers one question; the brief explains how to answer the one they all leave open.
Get the full solution brief
The complete brief includes the OWASP threat mapping, the four behavioral signals that flag hostile MCP traffic out of the box, the four adoption modes for agent authentication, and architecture diagrams showing how enforcement works at the CDN edge.
Download the Darwinium MCP Observability & Protection solution brief to see how it works.
Frequently Asked Questions
What is MCP (Model Context Protocol)?
MCP is an open JSON-RPC standard that AI agents use to discover and call tools on web services — searching a catalogue, creating a cart, initiating checkout. It is becoming the default transport for agentic commerce, supported natively by emerging standards like UCP.
Is MCP a security risk?
MCP itself is a protocol, not a vulnerability — but an MCP endpoint is a new internet-facing attack surface that traditional WAFs and bot-management tools cannot inspect, because they don't parse JSON-RPC tool calls. Unmonitored MCP endpoints expose organizations to credential testing, scraping, business-logic abuse, and hijacked-agent attacks.
How is securing AI agents different from blocking bots?
Bot management assumes automation is adversarial. In agentic commerce, non-human identities are simultaneously your customers' assistants and your attackers' tooling. Security teams need to authenticate which agent is calling and verify its behavior matches legitimate intent — not block automation wholesale.
What is web-bot-auth?
Web-bot-auth is an emerging standard that lets legitimate AI agents cryptographically sign their HTTP requests, so services can verify the agent's identity. Visa TAP and Mastercard Agent Pay use the same underlying signature pattern.