The NSA Just Put AI Infrastructure on Notice. Here's How Netzilo Responds.
In May 2026, the National Security Agency issued its first formal guidance on Model Context Protocol — the integration standard now embedded in Copilot, Claude, Cursor, and dozens of other enterprise AI tools. The message was clear: MCP deployment is outpacing security governance, and the risks are no longer theoretical. Here's what the NSA found, and how Netzilo addresses every concern.
NSA Cybersecurity Information Sheet U/OO/6030316-26 (May 2026) is the agency's first formal security analysis of Model Context Protocol — the JSON-RPC–based application protocol now embedded in Copilot, Claude, Cursor, Harvey AI, and most enterprise agentic AI stacks. The document identifies 8 structural vulnerability classes rooted in the protocol specification itself, not in any single implementation. Its central finding: MCP's security gaps exist at the protocol layer (CWE-77, CWE-78, CWE-94, CWE-95 are explicitly cited) and cannot be addressed by patching individual servers or requiring vendors to improve their implementations.
Enforcing consistent security guarantees across a heterogeneous MCP environment requires controls that operate at the endpoint and infrastructure layer — below any individual tool or agent. Below is a technical mapping of each NSA concern to the corresponding Netzilo AIDR control.
8 NSA Findings — Netzilo AIDR Control Mapping
No Mandatory Access Control
Session-to-identity binding is not defined by the spec. RBAC has no protocol primitive. Many deployments have no authentication at all.
Netzilo control
Every MCP endpoint is gated behind the Netzilo AIDR's zero trust access gateway. Acting as an auth enforcer, policy-based RBAC controls which user/device/process identities may reach which servers, with separate read/write enforcement — regardless of whether the MCP server implements any auth.
Netzilo AIDR Filter: enforcing sanctioned MCP tool access — unsanctioned tools blocked by policy
Insecure Serialization (OWASP A08, CWE-77/78/94/95)
Deserialized JSON-RPC payloads carry executable code paths. Natural-language content in serialized objects is interpreted as instructions by the receiving LLM.
Netzilo control
Netzilo AIDR inspects the full scope of AI behavior and MCP activity. Built-in analysis detects direct and indirect prompt injection, as well as tool poisoning attacks sourced from MCP servers — including manipulated tool descriptions and poisoned prompts.
Netzilo AIDR Scanners: built-in rules for direct injection blocking, indirect injection via tool results, PII redaction, and MCP config write detection
Silent Capability Expansion (Poor Approval Workflows)
An approved MCP server can silently expand its tool surface post-deployment. Demonstrated in the wild: a WhatsApp MCP server advertised benign behavior at install, switched to exfiltration after second invocation.
Netzilo control
Netzilo AIDR creates deterministic redlines around AI agent behavior. Independent of what an MCP server advertises, it continuously analyzes behavioral activity that could constitute an attack or data exfiltration — mitigating risks from misbehaving MCP servers regardless of their declared intent.
Netzilo AIDR Replay Scanner: behavioral graph replaying a peer session — 5 events blocked across HTTP requests, shell execution, and file reads independent of MCP server declarations
Token and Session Security
OAuth 2.1 bearer tokens used without mandatory expiration, rotation, or revocation. No replay protection. Idempotency undefined in core spec. Session hijacking enables undetected impersonation.
Netzilo control
The Netzilo MCP Gateway enforces token scoping, short-lived credentials, and rotation regardless of server implementation.
MCP Gateway: tool registry with per-server connection control
Gmail MCP server: OAuth2 auth enforcement, transport config, and HTTP header controls
Misconfiguration and Shadow Deployments
Open-source frameworks enable zero-friction MCP server deployment with no security defaults. Shadow servers outside change control are undetectable without network-level visibility.
Netzilo control
Netzilo AIDR operates on the endpoint without requiring a network gateway deployment. It enables teams to enforce sanctioned MCP server policies and provides full visibility into what servers agents are connecting to.
Netzilo AIDR Discovered Tools: shadow MCP servers observed by the gateway — flagged for review before approval
Tool Poisoning and Indirect Prompt Injection
Adversarial context preconditioning steers probabilistic LLM behavior toward unsafe execution. Tool description manipulation (tool poisoning) and injection in retrieved content are both demonstrated against production MCP deployments (GitHub MCP, CVE-tracked).
Netzilo control
Netzilo AIDR monitors behavioral patterns across the full agent execution chain, detecting adversarial context preconditioning that exploits non-deterministic LLM behavior. By analyzing activity across chained tool invocations, it identifies attempts to steer agents toward unsafe execution through accumulated context manipulation — including cascading injection across multi-agent pipelines.
Netzilo AIDR Scanners: CVE-mapped rules detecting Claw Chain sequences, indirect injection, credential exfiltration, and MCP supply-chain bypasses
Missing Audit Logs
Spec provides no mandatory logging schema. Most implementations emit no session-correlated, identity-attributed records. Incident response and RBAC violation detection are impossible without them.
Netzilo control
Netzilo AIDR provides full visibility into tool activity through a behavioral graph — best-of-breed audit logs generated independently of the MCP server's own logging capability. Every tool invocation, parameter, and outcome is captured and attributed, giving security teams a complete forensic record that no MCP server can suppress or omit.
AI Agent Activity: 320 tool calls, 133 policy violations — full attribution per user, agent, and server
Behavioral graph: complete forensic chain from user identity through every tool invocation and MCP server
Denial of Service and Fatigue Techniques
Prompt storms, recursive task chains, and "lethargy" attacks (legitimate-looking complex requests) exhaust server resources and are indistinguishable from high-load traffic without behavioral baselines.
Netzilo control
Rate limiting and anomaly detection by AIDR prevents volumetric and recursive abuse before it reaches MCP servers. Per-identity request attribution enables immediate source tracing without relying on server-side capacity controls. AIDR also supports writing advanced behavioral detection rules directly over the real-time behavior graph — enabling multi-step, context-aware defenses against complex agentic attack patterns.
Netzilo AIDR Scanner: custom YAML rule detecting prompt storms — rate threshold, absolute volume, and injection-driven call spikes across monitored agent processes
name: behavior-prompt-storm-mcp
severity: high
context: [tool_request, llm_tool_call]
action: execute
on_timeout: allow
on_error: allow
script: |
# Prompt storm detection: an AI agent flooding an MCP server with tool calls
# in a short time window, indicating runaway agentic loops or adversarial
# prompt injection driving repeated tool invocations.
#
# Detection logic:
# 1. Count TOOL_CALL edges from each monitored agent process
# 2. Measure the time span between first and last call
# 3. Compute calls-per-second rate; block if rate exceeds threshold
# 4. Also block on raw volume regardless of rate (absolute storm)
# 5. Correlate with a recently acquired external skill (injection-driven storm)
RATE_THRESHOLD = 5 # tool calls per second sustained -> storm
VOLUME_THRESHOLD = 50 # absolute call count in session -> storm regardless of rate
INJECTION_VOLUME = 20 # lower threshold when an external skill was recently acquired
WINDOW_NS = 60_000_000_000 # 60-second sliding window for rate calc
SKILL_RECENCY_NS = 300_000_000_000 # skill acquired within last 5 minutes counts as recent
def run():
now_ns = 0
for a in graph(type="Process"):
if a.get("agent", "0") != "1":
continue
for e in edges(a["id"], dir="out"):
ts_raw = e.get("last_ts", "") or e.get("ts", "")
if ts_raw != "":
ts = int(ts_raw)
if ts > now_ns:
now_ns = ts
for a in graph(type="Process"):
if a.get("agent", "0") != "1":
continue
aid = a["id"]
tool_edges = edges(aid, dir="out", kind="TOOL_CALL")
if not tool_edges:
continue
total_calls, earliest_ts, latest_ts = 0, 0, 0
server_counts = {}
for e in tool_edges:
total_calls += 1
ts_raw = e.get("ts", "")
if ts_raw != "":
ts = int(ts_raw)
if earliest_ts == 0 or ts < earliest_ts:
earliest_ts = ts
if ts > latest_ts:
latest_ts = ts
t = node(e["to"])
if t != None:
srv = t.get("server", "unknown")
server_counts[srv] = server_counts.get(srv, 0) + 1
has_recent_external_skill = False
for se in edges(aid, dir="out", kind="ACQUIRED_SKILL"):
s = node(se["to"])
if s == None:
continue
if s.get("is_private", "1") == "0":
skill_ts_raw = se.get("ts", "")
if skill_ts_raw != "" and now_ns > 0:
if (now_ns - int(skill_ts_raw)) < SKILL_RECENCY_NS:
has_recent_external_skill = True
effective_volume = INJECTION_VOLUME if has_recent_external_skill else VOLUME_THRESHOLD
if total_calls >= effective_volume:
suffix = " (injection-driven)" if has_recent_external_skill else ""
print("prompt storm: " + str(total_calls) + " tool calls" + suffix + " agent=" + aid)
return "block"
if earliest_ts > 0 and latest_ts > earliest_ts:
span_ns = latest_ts - earliest_ts
if span_ns <= WINDOW_NS and span_ns > 0:
rate = total_calls / (span_ns / 1_000_000_000)
if rate >= RATE_THRESHOLD:
print("prompt storm: rate=" + str(rate) + " calls/sec agent=" + aid)
return "block"
for srv, count in server_counts.items():
if count >= effective_volume / 2:
print("prompt storm: " + str(count) + " calls to server=" + srv + " agent=" + aid)
return "block"
return "allow"
result = run()NSA Recommendations — Control Matrix
| NSA Recommendation | Netzilo Control |
|---|---|
| Filtering outgoing proxy / DLP for MCP connections | AIDR inspects full AI behavior and MCP activity — detects injection and tool poisoning across all traffic |
| Define trust boundaries per data classification zone | AIDR zero trust access gateway enforces RBAC; agents reach only authorized servers per data tier |
| Context-aware parameter validation | AIDR detects direct and indirect prompt injection, including tool poisoning via server descriptions and prompts |
| OS-level sandboxing + least-privilege execution | AIDR behavioral redlines detect attack and exfiltration patterns independent of MCP server intent |
| Message signing, expiration timestamps, replay protection | MCP Gateway enforces token scoping, short-lived credentials, and rotation regardless of server implementation |
| Output pipeline filtering for indirect injection | AIDR behavioral chain analysis detects context preconditioning and cascading injection across agent pipelines |
| SIEM-integrated audit logging with full attribution | AIDR behavioral graph generates best-of-breed audit logs independently of MCP server logging capability |
| CVE tracking + MCP vulnerability patch management | AIDR CVE-mapped detection rules updated automatically — no agent redeployment required |
| Network scan for unauthorized / unauthenticated MCP servers | AIDR operates on the endpoint; enforces sanctioned MCP server policies and provides full visibility |
Source document
NSA CSI U/OO/6030316-26 | PP-26-1834 | May 2026 — Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation
Download PDF