The NSA published MCP security guidance: 6 checks for your server

In May 2026 the NSA's Artificial Intelligence Security Center published a 17-page Cybersecurity Information Sheet on Model Context Protocol security (identifier U/OO/6030316-26, Version 1.0). The short version: agentic systems built on MCP carry risks that ordinary API security misses, and the sheet names six mitigations to close them.

The hard problem is trust. A tool result is not passive data the way a database row is; the model reads it and acts on it. A poisoned output can steer the agent, and a misrouted request can cross a trust boundary a normal API call never touches. The sheet's six mitigations are filtering outbound proxies, data loss prevention, sandboxing, message integrity, output filtering, and local MCP scans. Here is how to turn five of them into API checks you can wire in this week. The sixth, sandboxing, is infrastructure you run around the rest.

1. Output filtering: scan tool results before the model reads them

This is the highest-value check. Every tool result flows into the model and influences its next action, so a leaked secret or an injected instruction in a result is an active threat, not a log entry. Scan each output for PII and credentials before it reaches the model:

# Output filtering: scan every tool result before the model reads it.
curl -X POST https://api.botoi.com/v1/pii/detect \
  -H "Content-Type: application/json" \
  -d '{"text": "Customer SSN 123-45-6789 and card 4111111111111111 on file."}'
{
  "data": {
    "found": true,
    "matches": [
      { "type": "ssn", "value": "123-45-6789", "start": 13, "end": 24 },
      { "type": "credit_card", "value": "4111111111111111", "start": 34, "end": 50 }
    ]
  }
}

Place the check on the result path and fail closed: if the output carries an SSN, a card number, or an API key, redact it before the model sees the raw value. A drop-in filter looks like this:

// Drop-in output filter for an MCP tool result path.
// Fails closed: if the result carries PII, the model never sees the raw value.
import { detectPii } from "./botoi-client";

export async function filterToolOutput(toolName, result) {
  const text = typeof result === "string" ? result : JSON.stringify(result);
  const { found, matches } = await detectPii(text);

  if (!found) return result;

  // Redact each match in place before the result reaches the model.
  let redacted = text;
  for (const m of matches) {
    redacted = redacted.replaceAll(m.value, `[${m.type.toUpperCase()}_REDACTED]`);
  }
  console.warn(`[${toolName}] redacted ${matches.length} PII matches from output`);
  return redacted;
}

2. Message integrity: verify the tokens a server presents

The sheet calls out implicit trust between an agent and the servers it calls. If a server hands your agent a signed token, decode it and check the issuer and expiry before you trust the claims. The botoi JWT decoder returns the header, payload, and expiry state without you pulling in a crypto library:

# Message integrity: decode and inspect the signed token a server presents.
curl -X POST https://api.botoi.com/v1/jwt/decode \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguYWNtZS5jb20iLCJzdWIiOiJhZ2VudC03IiwiZXhwIjoxODAwMDAwMDAwfQ.sig"}'
{
  "data": {
    "header": { "alg": "RS256", "typ": "JWT" },
    "payload": {
      "iss": "https://auth.acme.com",
      "sub": "agent-7",
      "exp": 1800000000
    },
    "expired": false
  }
}

Confirm the iss matches the authorization server you expect and that expired is false. This pairs with the RFC 9207 issuer validation the 2026 MCP spec now requires: decode first, then enforce the issuer match before the token grants anything.

3. Outbound proxy filtering: vet every URL a tool fetches

Dynamic tool invocation means your agent will fetch URLs you never hard-coded. Run each one through a reputation check before the request leaves your network. Treat a high-risk verdict as a block on the high-trust paths and a warning everywhere else:

# Outbound proxy filtering: vet a URL a tool wants to fetch.
curl -X POST https://api.botoi.com/v1/phishing/check \
  -H "Content-Type: application/json" \
  -d '{"url": "http://acme-support-login.click/reset"}'
{
  "data": {
    "url": "http://acme-support-login.click/reset",
    "risk": "high",
    "reasons": ["suspicious_tld", "brand_impersonation", "no_https"]
  }
}

4. Data loss prevention: catch secrets on the way out

Output filtering watches what comes back from a tool. DLP watches what your agent sends. Before a tool call ships a payload to an external service, run the same PII and secret detector over the arguments. An agent that pastes a customer record into a web-search query is a disclosure; the detector catches it at the boundary. Reuse the /v1/pii/detect call from step 1 on the request path instead of the response path.
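One detector serving both paths, as an added example that is not botoi's client: a local stand-in for /v1/pii/detect with the same found and matches response shape, a response-path filter in the spirit of the drop-in one from step 1 that redacts by offset rather than by string search, and a request-path DLP gate for this step that refuses the tool call outright instead of quietly altering its arguments. The regex patterns, the Luhn filter on card candidates and the api_key prefix shape are this example's assumptions; production code calls the API and keeps the surrounding logic.

```javascript
// Added example, not botoi's client: a local detector with the same
// { found, matches } shape as /v1/pii/detect, used on both paths the post
// describes. filterToolOutput guards the response path (step 1) and
// guardToolArguments guards the request path (step 4). Patterns are
// illustrative assumptions; production code calls the API instead.

// Luhn check so a 16-digit order number is not mistaken for a card.
function luhnOk(digits) {
  let sum = 0;
  let alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

const PATTERNS = [
  { type: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "credit_card", re: /\b\d(?:[ -]?\d){12,18}\b/g, accept: (v) => luhnOk(v.replace(/[ -]/g, "")) },
  // Constructed key shape: a vendor prefix followed by a long opaque token.
  { type: "api_key", re: /\b(?:sk|key)_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
];

function detectPii(text) {
  const matches = [];
  for (const { type, re, accept } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (accept && !accept(m[0])) continue;
      matches.push({ type, value: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  matches.sort((a, b) => a.start - b.start);
  return { found: matches.length > 0, matches };
}

// Redact by offset, right to left, so earlier offsets stay valid after each splice.
function redact(text, matches) {
  let out = text;
  for (const m of [...matches].sort((a, b) => b.start - a.start)) {
    out = out.slice(0, m.start) + `[${m.type.toUpperCase()}_REDACTED]` + out.slice(m.end);
  }
  return out;
}

// Response path: the model only ever sees the redacted text.
function filterToolOutput(toolName, result) {
  const text = typeof result === "string" ? result : JSON.stringify(result);
  const { found, matches } = detectPii(text);
  if (!found) return { text, redactedCount: 0 };
  return { text: redact(text, matches), redactedCount: matches.length };
}

// Request path (DLP): a tool call carrying a secret outbound is refused, not
// redacted, because a silently altered argument would mislead the agent.
function guardToolArguments(toolName, args) {
  const { found, matches } = detectPii(JSON.stringify(args));
  if (!found) return { allowed: true, types: [] };
  return { allowed: false, types: [...new Set(matches.map((m) => m.type))] };
}
```

Redacting by offset rather than by replaceAll on the matched value avoids two problems: a value that appears as a substring of a longer token is not partially redacted elsewhere, and overlapping or adjacent matches are spliced in a stable order.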

5. Local MCP scans: inventory and vet installed servers

The sheet recommends scanning the MCP servers running on a host, because a developer can install one without review. Pull the package metadata for any npm-published server and check its version, maintainers, and publish date before you trust it. The botoi npm endpoint returns that in one call, which you can fold into a periodic inventory job that flags servers added since the last scan.

6. Sandboxing: the layer the API checks sit inside

The remaining mitigation is infrastructure. Run the agent with no ambient cloud credentials, a scoped filesystem, and outbound network on an allowlist. The sandbox caps the blast radius; the five API checks above catch what tries to cross the boundary. Neither replaces the other.

The NSA framing is worth internalizing: in an agentic system, a tool result is an instruction the model may follow, not data it merely displays. Every check here exists because the gap between "data" and "action" closed the moment you handed a model a tool.

The checklist

  • Filter outputs. Scan every tool result with /v1/pii/detect and redact before the model reads it. Fail closed.
  • Verify messages. Decode presented tokens with /v1/jwt/decode and enforce the issuer and expiry.
  • Vet outbound URLs. Run each fetch target through /v1/phishing/check and block high-risk on trusted paths.
  • Apply DLP. Run the secret detector over tool arguments before they leave your network.
  • Scan local servers. Inventory installed MCP servers and check package metadata for anything added since the last scan.

Botoi exposes /v1/pii/detect, /v1/jwt/decode, /v1/phishing/check, and roughly 200 other single-purpose endpoints behind one API key with 5 req/min free. Wire them into your agent's request and response paths, or connect the MCP server to Claude Code and run the checks from your editor. Start from the interactive docs.

Frequently asked questions

What is the NSA MCP security information sheet?
It is a 17-page Cybersecurity Information Sheet from the NSA Artificial Intelligence Security Center, "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation," released in May 2026 under identifier U/OO/6030316-26 (PP-26-1834), Version 1.0. It flags serialization risks, trust boundaries, and agent misuse as the core problems and names six mitigations: filtering outbound proxies, data loss prevention, sandboxing, message integrity, output filtering, and local MCP scans.
Why does MCP need its own security guidance?
MCP introduces risks that classic API security misses: dynamic tool invocation, implicit trust between an agent and the servers it calls, and context shared across tools. A tool result is not passive data; the model acts on it. That means a poisoned tool output can steer the agent, and a misrouted request can cross a trust boundary the way a normal API call never would.
Which NSA recommendation matters most for a small team?
Output filtering. The sheet calls out that tool results flow straight into the model and influence its next action. Scanning every tool output for secrets and PII before it reaches the model closes the highest-traffic gap with the least code. A single detection call on the output path catches leaked credentials and injected instructions before the agent ever sees them.
Do these checks slow the agent down?
Each check is a single sub-200ms HTTP call you place on the request or response path. Run them in parallel with the tool call where you can, and fail closed on the high-risk paths (output filtering, message integrity) and fail open on the advisory ones (proxy reputation). The added latency is a fraction of the model round-trip you are already paying for.
Does this replace sandboxing the agent?
No. Sandboxing is one of the six mitigations and the API checks here cover the other five. Run the agent in a sandbox with no ambient cloud credentials, then add output filtering, message integrity, outbound proxy reputation, and local server scans on top. Defense in depth: the sandbox limits blast radius, the API checks catch what crosses the boundary.
