Threat Coverage

MCP Top 10 coverage matrix.

How our detection rules map to each risk in the MCP Top 10. A risk is covered once at least one rule is live; partial means rules are in review.

CoveredPartialNo rules

Official MCP Spec Coverage

modelcontextprotocol.io ↗

The six threat categories from the official Model Context Protocol security best practices, mapped 1:1 to the MCPSafe rules that cover them. ✅ covered, ⚠️ in review, ❌ missing.

Token Passthrough✅ covered

MCP-265token-passthrough

Confused Deputy✅ covered

MCP-260confused-deputy-no-per-client-consent
MCP-261redirect-uri-non-exact-match
MCP-262oauth-state-missing-or-late
MCP-263consent-cookie-weak
MCP-264consent-ui-clickjackable

Server-Side Request Forgery✅ covered

MCP-060ssrf-oauth-metadata

Session Hijacking✅ covered

MCP-266session-not-bound-to-user
MCP-267predictable-session-id

Local MCP Server Compromise✅ covered

MCP-268local-http-transport-no-auth

Scope Minimization✅ covered

MCP-269wildcard-oauth-scopes

Tool Abuse

Tools used beyond their declared intent or scope

Covered

MCP-002 MCP-010 MCP-046 MCP-084 MCP-206 MCP-211 MCP-252

Prompt Injection

Untrusted input redirecting agent behaviour

Covered

MCP-002 MCP-003 MCP-010 MCP-060 MCP-062 MCP-081 MCP-083 MCP-085 MCP-212 MCP-250 MCP-275 MCP-276

Insufficient Access Control

Missing auth, wildcard permissions, or over-privileged roles

Covered

LLM Prompt Manipulation

Injecting instructions into inner-LLM system prompts

Covered

MCP-046 MCP-048 MCP-061 MCP-080 MCP-093 MCP-095 MCP-096 MCP-205 MCP-214 MCP-223 MCP-270 MCP-271 MCP-272

Data Exfiltration

Sensitive data leaking through tool responses or logs

Covered

MCP-003 MCP-005 MCP-060 MCP-062 MCP-070 MCP-071 MCP-212 MCP-220 MCP-221 MCP-222 MCP-275

Resource Exhaustion

Unbounded operations causing denial of service

Covered

MCP-110 MCP-276 MCP-281

Insecure Defaults

Dangerous configuration shipped as the default

Covered

MCP-272

Supply-Chain Compromise

Malicious code introduced via dependencies or install hooks

Covered

MCP-072 MCP-073 MCP-094 MCP-095 MCP-100 MCP-207 MCP-215 MCP-240

Secrets Exposure

Credentials or keys stored or transmitted in plaintext

Covered

MCP-030 MCP-202 MCP-210 MCP-232 MCP-251

R10

Destructive Actions

Irreversible operations without confirmation or annotation

Covered

MCP-005 MCP-051 MCP-070 MCP-200 MCP-201 MCP-283 MCP-284 MCP-285

Rule statuses update on every build from the live rules catalog. Rules in review do not yet affect user-visible scan results.