Glama

Monitoring and Security for MCP based AI Systems


Tags: Agentic AI, cloud mcp servers, mcp, security

Contents

• 2. Why Monitoring and Security Matter for MCP Systems
• 3. Building Blocks: Observability and Logging for MCP
  • 3.1 Structured Logging & SIEM Forwarding
  • 3.2 Observability Platforms (Moesif, New Relic)
  • 3.3 Phased Monitoring Strategy
• 4. Threat Models and Attack Mitigations
  • 4.1 Prompt Injection & Tool Poisoning
  • 4.2 Safety Audits with MCPSafetyScanner
  • 4.3 Enterprise-Grade Mitigation Frameworks
  • 4.4 Real-World Examples: Windows AI Foundry
• 5. Behind the Scenes: Architecting Secure MCP Production Systems
• 6. My Thoughts
• 7. References

Deploying AI agents that leverage the Model Context Protocol (MCP) in production environments presents exciting opportunities and equally formidable challenges. While MCP enables dynamic tool invocation and seamless integration with external services, it also exposes new attack surfaces and operational complexities.

In this article, we explore how to make MCP-based systems reliable, observable, and secure at scale. We provide a thorough, actionable guide to implementing logging, metrics, alerting, and permission models, so that your production MCP deployments remain robust and safe.

2. Why Monitoring and Security Matter for MCP Systems

MCP servers handle dynamic JSON-RPC calls from AI agents. This highly flexible model brings these key challenges:

• Non-static behavior: Agents generate unpredictable workloads; unlike fixed REST endpoints, usage is volatile and context-dependent[^1].
• Volume and unpredictability: High traffic surges from agent workflows can overwhelm traditional monitoring pipelines[^2].
• Unique threats: MCP introduces attack vectors such as prompt injection (malicious payloads in prompts), tool poisoning, unauthorized tool access, and data exfiltration via tool chaining[^2][^3][^4].
• Maintainability risks: A recent study found that 5.5% of open-source MCP servers exhibited MCP-specific vulnerabilities like tool poisoning, and many had generic code health concerns[^3].

Given these factors, a multi-layered observability and security strategy is essential.

3. Building Blocks: Observability and Logging for MCP

3.1 Structured Logging & SIEM Forwarding

Begin with rich, structured logging for every MCP call:

```json
{
  "timestamp": "2025-08-14T10:12:34Z",
  "agent_id": "agent-123",
  "tool_id": "get_user_data",
  "params": {"user_id": "42"},
  "status": "success",
  "latency_ms": 85
}
```

• Include metadata like agent identity, tool invoked, parameters, execution status, and latency.
• Forward logs to SIEM systems like Splunk, Azure Monitor, or Tinybird for deeper analysis and pattern detection[^4].
• This enables detection of anomalies, for instance repeated calls to sensitive tools outside expected workflows.
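The following is an added example, not code from the original article or from any of the vendors it mentions. It emits log records in the shape shown above (plus an assumed `workflow` field) and then replays a constructed batch of those records through the two detection rules the bullet describes: a sensitive tool called from a workflow that is not expected to use it, and an agent that calls sensitive tools repeatedly. The tool names, workflow policy and agent ids are all constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed policy: which tools count as sensitive, and which tools each
# approved workflow is expected to call. A deployment would load this from config.
SENSITIVE_TOOLS = {"get_user_data", "export_records"}
EXPECTED_WORKFLOWS = {
    "support_lookup": {"get_user_data", "get_ticket"},
    "report_build": {"get_ticket", "summarize"},
}


def log_mcp_call(agent_id, tool_id, params, status, latency_ms, workflow=None, ts=None):
    """Build one structured record for an MCP tool call and return it as a JSON line.

    Field names follow the record shown in section 3.1; 'workflow' is an assumed
    extra field that gives the detection rule something to compare against.
    """
    when = ts or datetime.now(timezone.utc)
    record = {
        "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "agent_id": agent_id,
        "tool_id": tool_id,
        "params": params,
        "status": status,
        "latency_ms": latency_ms,
        "workflow": workflow,
    }
    return json.dumps(record, sort_keys=True)


def detect_anomalies(log_lines, repeat_threshold=3):
    """Replay JSON log lines and return a list of (agent_id, reason) findings."""
    findings = []
    sensitive_calls = Counter()
    for line in log_lines:
        rec = json.loads(line)
        tool, agent, workflow = rec["tool_id"], rec["agent_id"], rec.get("workflow")
        if tool not in SENSITIVE_TOOLS:
            continue
        sensitive_calls[agent] += 1
        # Rule 1: sensitive tool invoked from a workflow that should not need it.
        if tool not in EXPECTED_WORKFLOWS.get(workflow, set()):
            findings.append((agent, f"{tool} called outside expected workflow ({workflow})"))
    # Rule 2: an agent hammering sensitive tools within the replayed window.
    for agent, count in sensitive_calls.items():
        if count >= repeat_threshold:
            findings.append((agent, f"{count} sensitive tool calls in window"))
    return findings


# Constructed sample: one well-behaved agent, and one that repeatedly pulls user
# data from a reporting workflow that should never touch it.
_T0 = datetime(2025, 8, 14, 10, 12, 34, tzinfo=timezone.utc)
SAMPLE_LOG = [
    log_mcp_call("agent-123", "get_user_data", {"user_id": "42"}, "success", 85, "support_lookup", _T0),
    log_mcp_call("agent-123", "get_ticket", {"ticket_id": "T-9"}, "success", 40, "support_lookup", _T0),
    log_mcp_call("agent-777", "get_user_data", {"user_id": "1"}, "success", 90, "report_build", _T0),
    log_mcp_call("agent-777", "export_records", {"table": "users"}, "success", 300, None, _T0),
    log_mcp_call("agent-777", "get_user_data", {"user_id": "2"}, "error", 12, "report_build", _T0),
]


def run_demo():
    """Return the findings for the constructed sample log."""
    return detect_anomalies(SAMPLE_LOG)


if __name__ == "__main__":
    for agent, reason in run_demo():
        print(agent, reason)
```

The same two rules translate directly into a SIEM correlation search once the records are forwarded; the point of keeping `workflow` and `agent_id` in every record is that the query can be written against fields rather than against free text.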

3.2 Observability Platforms (Moesif, New Relic)

Use specialized observability tools tailored to MCP:

• Moesif: Captures JSON-RPC payloads, method parameters, agent identity, and more. You can define alerts for scraping, unusual tool usage, or latency spikes. Playbooks and dashboards help trace suspicious flows back to specific agents or prompts[^5].

  Example integration (Python/Starlette):

```python
from moesifasgi import MoesifMiddleware
from starlette.applications import Starlette

# The Starlette application the MCP server is served from.
app = Starlette()

# Replace the placeholder with your Moesif Application ID.
settings = {'APPLICATION_ID': 'YOUR_MOESIF_APP_ID'}

# Every request and response through the app is now captured by Moesif.
app.add_middleware(MoesifMiddleware, settings=settings)
```

• New Relic: Offers MCP support in its AI monitoring suite, accessible via their Python Agent v10.13.0. It surfaces error rates, latency, and agent/tool usage in unified dashboards, which is great for performance APIs[^5].

These tools help you monitor MCP-specific metrics and detect unexpected behaviors quickly.

3.3 Phased Monitoring Strategy

Implement observability in stages:

1. Start with local structured logging.
2. Forward logs to an observability backend (e.g., Moesif, New Relic).
3. Build dashboards for key metrics like traffic volume, error trends, latency, and tool usage.
4. Enforce access controls on monitoring data to prevent internal misuse.
5. Scale across distributed MCP servers, consolidating logs centrally[^6].

4. Threat Models and Attack Mitigations

4.1 Prompt Injection & Tool Poisoning

• Prompt injection: Malicious inputs cause agents to invoke unintended tools or behave dangerously, e.g., rewriting secure code or bypassing approval flows[^7].
• Tool poisoning: Attacks where tool definitions (or the tools themselves) are tampered with to inject malicious behaviors.

Mitigations:

• Use code signing or versioned manifests.
• Employ tool registries with vetting and cryptographic verification; see ETDI, which adds OAuth-based tool definitions and policy-based access control to safeguard MCP → tool relationships[^38].
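As an added example of the "signing or versioned manifests" mitigation (not code from the article, from ETDI, or from any registry product), the snippet below pins each tool's version and a digest of its canonical manifest at registration time and then classifies any manifest presented later. An HMAC over the canonical JSON stands in for a real signature so the example runs on the standard library alone; a production registry would sign with an asymmetric key and distribute only the public half to MCP hosts. The registry key, tool manifests and the redefinition scenario are all constructed.

```python
import hashlib
import hmac
import json

# Constructed registry key. HMAC stands in for a real (asymmetric) signature here.
REGISTRY_KEY = b"constructed-registry-signing-key"


def canonical_bytes(manifest):
    """Serialise a tool manifest deterministically so digests and tags are stable."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest, key=REGISTRY_KEY):
    """Return a hex tag computed over the canonical manifest."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key=REGISTRY_KEY):
    """Constant-time comparison of the presented tag against a fresh one."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def manifest_digest(manifest):
    return hashlib.sha256(canonical_bytes(manifest)).hexdigest()


class ToolRegistry:
    """Pins (version, digest) per tool name and classifies later manifests against the pin."""

    def __init__(self):
        self._pinned = {}

    def register(self, manifest, tag):
        if not verify_manifest(manifest, tag):
            raise ValueError(f"signature check failed for tool {manifest['name']!r}")
        self._pinned[manifest["name"]] = (manifest["version"], manifest_digest(manifest))

    def check(self, manifest):
        """Return 'ok', 'unknown', 'version-changed' or 'definition-changed'."""
        pinned = self._pinned.get(manifest["name"])
        if pinned is None:
            return "unknown"
        version, pinned_digest = pinned
        if manifest["version"] != version:
            return "version-changed"
        if manifest_digest(manifest) != pinned_digest:
            # Same name and version, different content: the tool was silently redefined.
            return "definition-changed"
        return "ok"


# Constructed manifests. The redefined one keeps name and version but alters the
# description, which a version check alone would never notice.
GET_USER_DATA_V1 = {
    "name": "get_user_data",
    "version": "1.0.0",
    "description": "Return profile fields for the given user id.",
    "input_schema": {
        "type": "object",
        "properties": {"user_id": {"type": "string"}},
        "required": ["user_id"],
    },
}
GET_USER_DATA_REDEFINED = dict(
    GET_USER_DATA_V1,
    description="Return profile fields for the given user id and all linked accounts.",
)
GET_USER_DATA_V2 = dict(GET_USER_DATA_V1, version="2.0.0")


def run_demo():
    """Register the signed v1 manifest, then classify four later presentations."""
    registry = ToolRegistry()
    registry.register(GET_USER_DATA_V1, sign_manifest(GET_USER_DATA_V1))
    return {
        "same": registry.check(GET_USER_DATA_V1),
        "redefined": registry.check(GET_USER_DATA_REDEFINED),
        "new_version": registry.check(GET_USER_DATA_V2),
        "unknown": registry.check({"name": "unlisted_tool", "version": "0.1"}),
    }


if __name__ == "__main__":
    print(run_demo())
```

Anything other than `ok` is a policy decision for the host, not an automatic failure: `version-changed` may simply need re-vetting, while `definition-changed` at an unchanged version is the case worth alerting on, since it is what a poisoned or rug-pulled tool definition looks like from the client's side.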

4.2 Safety Audits with MCPSafetyScanner

MCPSafetyScanner is the first open-source auditing tool for MCP servers:

• Auto-generates adversarial scenarios based on the server's tool definitions.
• Tests for vulnerabilities like unauthorized code execution or credential leakage.
• Produces a security report with findings and remediations[^8].

Run such audits before MCP deployment to ensure resilience.

4.3 Enterprise-Grade Mitigation Frameworks

A recent academic paper offers a thorough security framework for MCP:

• Includes systemic threat modeling and identifies patterns like session hijacking, proxy attacks, or tool chaining abuses.
• Offers enterprise-ready mitigations: authentication guards, rate limiting, schema validation, audit logging, and response sandboxes[^8].

Adopting this framework helps convert theoretical security gaps into executable controls.
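Two of the listed controls, schema validation and rate limiting, are small enough to show end to end. The block below is an added example (not code from the article or from the paper it cites) of an ingress gate for MCP `tools/call` requests: arguments are checked against a per-tool schema, string arguments are bounded and screened for control characters, and a per-agent token bucket is applied only to requests that pass validation. The tool schemas, the requests and the injectable clock are constructed for the example; the JSON-RPC envelope follows the `tools/call` shape MCP uses.

```python
import time

# Constructed per-tool argument schemas: argument name -> expected Python type.
TOOL_SCHEMAS = {
    "get_user_data": {"user_id": str},
    "get_ticket": {"ticket_id": str, "include_history": bool},
}
MAX_STRING_LEN = 256


class TokenBucket:
    """Per-agent token bucket. 'clock' is injectable so behaviour is deterministic in tests."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.tokens = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def validate_tool_call(request):
    """Return None if the JSON-RPC tools/call request is well formed, else a rejection reason."""
    if request.get("jsonrpc") != "2.0" or request.get("method") != "tools/call":
        return "not a JSON-RPC 2.0 tools/call request"
    params = request.get("params")
    if not isinstance(params, dict):
        return "params must be an object"
    schema = TOOL_SCHEMAS.get(params.get("name"))
    if schema is None:
        return f"unknown tool {params.get('name')!r}"
    args = params.get("arguments", {})
    if not isinstance(args, dict):
        return "arguments must be an object"
    unexpected = set(args) - set(schema)
    if unexpected:
        return f"unexpected arguments {sorted(unexpected)}"
    missing = set(schema) - set(args)
    if missing:
        return f"missing arguments {sorted(missing)}"
    for key, expected in schema.items():
        value = args[key]
        if type(value) is not expected:  # exact type check: bool is an int subclass
            return f"argument {key!r} must be {expected.__name__}"
        if expected is str:
            if len(value) > MAX_STRING_LEN:
                return f"argument {key!r} exceeds {MAX_STRING_LEN} characters"
            if any(ord(c) < 0x20 for c in value):
                return f"argument {key!r} contains control characters"
    return None


def ingress_gate(request, bucket):
    """Schema validation first, then the caller's rate limit; returns (decision, reason)."""
    reason = validate_tool_call(request)
    if reason:
        return ("rejected", reason)
    if not bucket.allow():
        return ("rejected", "rate limited")
    return ("accepted", None)


def _call(name, **arguments):
    """Build a constructed tools/call request envelope."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


def run_demo():
    """Push constructed requests through the gate with a frozen clock and return the decisions."""
    bucket = TokenBucket(capacity=2, refill_per_sec=0.0, clock=lambda: 0.0)
    requests = [
        _call("get_user_data", user_id="42"),                                   # valid
        _call("get_user_data", user_id=42),                                     # wrong type
        _call("get_ticket", ticket_id="T-9", include_history=True, verbose=1),  # extra argument
        _call("get_user_data", user_id="42\x00"),                               # control character
        _call("unlisted_tool"),                                                 # not in registry
        _call("get_user_data", user_id="43"),                                   # valid, last token
        _call("get_user_data", user_id="44"),                                   # valid but bucket empty
    ]
    return [ingress_gate(r, bucket) for r in requests]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(decision, reason)
```

Rejections from the validator are cheap and happen before the bucket is touched, so malformed traffic cannot consume a legitimate agent's quota; every rejection reason is also a natural field for the structured log from section 3.1.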

4.4 Real-World Examples: Windows AI Foundry

Microsoft's integration of MCP into Windows includes thoughtful security design:

• MCP registry and user consent prompts protect against rogue agents accessing system resources.
• Restricted preview rollout illustrates a cautious, staged approach to potential risk exposures like token theft or prompt injection[^9].

5. Behind the Scenes: Architecting Secure MCP Production Systems

| Layer | Defense Mechanism |
|---|---|
| Ingress | JWT/OAuth authentication; rate limiting; input sanitization |
| Tool Invocation | Tool versioning and signing; policy enforcement (e.g., ETDI) |
| Observability | Structured logs; Moesif/New Relic dashboards; alerting |
| Auditing | Periodic scans using MCPSafetyScanner; threat modeling frameworks |
| Governance | Role-based permissions; compliance audits; access control to logs |

Implementing across these layers ensures comprehensive visibility and enforced safety throughout the MCP deployment lifecycle[^10].

6. My Thoughts

When scaling MCP infrastructure, a unified, observability-first strategy determines ROI: not just performance, but security posture.

• Structured logging plus a SIEM forms the backbone of threat detection.
• Agent-aware tools like Moesif or New Relic help you pivot from traditional HTTP-centric monitoring to JSON-RPC-native analytics.
• Auditing, using frameworks from academia or open-source projects, is non-negotiable for MCP's dynamic threat surface.
• Permission models such as ETDI or Windows-style registries with user consent are crucial as agents scale into sensitive domains.

By blending security with monitoring, MCP systems can deliver on their promise of intelligent, agent-driven interactions without compromising on safety or visibility.

7. References

1. Model Context Protocol (MCP): A Security Overview – Palo Alto Networks
2. How to Setup Observability for Your MCP Server with Moesif
3. Monitoring MCP Security and Agent Behavior with Moesif
4. New Relic Adds Support for MCP in its Observability Platform
5. The Double-Edged Sword of MCP: Understanding the Threat Landscape for AI Workflows – Red Canary
6. Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
7. Windows Is Getting Support for the 'USB-C of AI Apps' (MCP) – The Verge
8. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits
9. ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP)
10. Model Context Protocol (MCP): A First Glance at Security and Maintainability

                        Written by Om-Shree-0709 (@Om-Shree-0709)