Today, we are excited to announce the launch of Levo’s MCP Security Testing module!
Levo’s MCP Security Testing validates whether MCP servers are safe to be used in real, high impact AI workflows before they’re trusted with autonomous execution.
It tests MCP servers the way they will actually be used: by AI agents, under ambiguous inputs, across chained tool calls, and inside sensitive automation paths.
MCP has grown by 970x over 13 months, substantially exceeding comparable infrastructure protocols, which typically require 24-36 months to achieve similar penetration in enterprise environments.
This explosive uptake is driven by MCP’s ability to replace ad‑hoc scripts and cuts integration‑related vulnerabilities (like credential leaks and missing encryption) by a reported 25% in early adopters.
Yet even as MCP reduces script‑driven vulnerabilities, it introduces its own: the attack surface is now the protocol itself, and the risks of insecure servers, exposed tokens, and powerful tool calls are far more consequential.
Reported MCP vulnerabilities surged 270% quarter‑over‑quarter, and over a dozen MCP-driven security incidents over 2025 have now proven that the protocol’s adoption has outpaced security practices.
The risk is magnified because MCPs orchestrate highly sensitive automation pipelines and model‑access tools: a single compromised MCP server can allow malicious agents to manipulate tool calls, evade injection patterns, and recurse in ways that would be unthinkable with a traditional API.
That’s why MCP Security Testing is essential, not just to protect AI models, but to reduce transitive and downstream risk.
Levo’s MCP Security Testing automates that validation, bringing continuous, context-aware assessment so enterprises can integrate AI at scale without broadening their attack surface.
Levo’s MCP Security Testing: Cover OWASP MCP Top 10 Vulnerabilities Automatically
With Levo’s MCP Security Testing, enterprises gain faster approval to move from AI pilots to production, a reduced blast radius from agent-driven tool execution, and security that unblocks MCP adoption instead of slowing it down. Levo’s MCP Security Testing covers the full OWASP MCP Top 10. The most common MCP failure modes are discovered and remediated before MCP servers govern autonomous workflows, not after rollout.
1) MCP01: Token Mismanagement & Secret Exposure
Hard-coded credentials, long-lived tokens, and secrets leaking through logs or context are among the fastest ways MCP deployments get compromised. If an MCP server spills a token, attackers don’t just get access to the server. They inherit access to everything downstream: repos, pipelines, data stores, and internal tools.
Levo approaches this like a leak hunt. Testing traces whether secrets ever appear where they shouldn’t (responses, error messages, caches, or logs) and whether token lifetimes and storage patterns create silent persistence. It then validates safe failure behavior: no accidental spill, no insecure fallback, no token reuse that turns a single mistake into ongoing access.
2) MCP02: Privilege Escalation via Scope Creep
Permissions granted to MCP-connected agents often expand quietly as teams ship more use cases—turning narrowly scoped automation into broad, privileged access. Once an agent can write data, trigger deployments, or modify systems without guardrails, the blast radius becomes operational, not theoretical.
Here the question isn’t “does it work?” It’s “how far can it go?” Levo tests escalation paths by pushing beyond intended scopes, chaining actions, and probing whether controls hold when an agent asks for “just one more capability.” The objective is to prove that automation stays inside boundaries even as workflows evolve.
3) MCP03: Tool Poisoning
MCP workflows depend on tools and plugins to fetch context and take actions. If a tool is compromised or returns manipulated output, it can quietly poison decisions, steer agents into unsafe actions, or introduce backdoors into trusted workflows.
Levo treats tools as untrusted until proven otherwise. Testing injects corrupted tool outputs, misleading responses, and edge-case payloads to see whether the MCP server validates what it consumes or accepts it blindly. The result is confidence that compromised plugins can’t silently redirect workflows into unsafe territory.
4) MCP05: Command Injection & Execution
MCP agents often dynamically construct commands, scripts, or API calls. If untrusted input is passed into execution paths, attackers can trigger unintended commands, access sensitive systems, or cause real-world operational damage.
This is where “dynamic” becomes dangerous. Levo testing throws adversarial inputs at every execution path (including encoded payloads and instruction-shaped strings) to confirm the server never converts untrusted text into unintended execution. It verifies that only intended actions can occur, and everything else stops at the boundary.
5) MCP06: Prompt Injection via Contextual Payloads
Because MCP servers translate natural-language intent into tool execution, attackers can hide malicious instructions inside prompts that override policies, extract data, or manipulate actions. These attacks are subtle, context-dependent, and rarely caught by simple pattern matching.
Levo tests MCP servers using the kinds of prompts that look harmless until they aren’t: override attempts, indirect instructions, and multi-step manipulation designed to persist across context and tool calls. Instead of relying on signatures, testing validates that safety holds when an agent is pressured to “ignore rules,” “exfiltrate,” or “do the risky thing anyway.”
6) MCP07: Insufficient Authentication & Authorization
Weak or inconsistent authentication allows unauthorized invocation of MCP tools. And weak authorization models let “legitimate” requests do more than they should, especially when agents are acting autonomously across chained actions.
Levo verifies trust the way attackers challenge it: missing credentials, wrong identities, replay attempts, and requests that must be denied even if they appear valid. Testing confirms every tool call is authenticated, every action is authorized, and failure modes are safe. No silent fallback, no partial access, no accidental elevation.
7) MCP10: Context Injection & Over-Sharing
In MCP workflows, context often persists across steps and chains. If contexts aren’t properly scoped, sensitive information can leak across sessions, tasks, or users. Attackers can also plant hidden instructions in context that steer future tool calls.
Levo tests whether context behaves like a secure workspace or a shared clipboard. It simulates session mixing, long-running chains, and planted instructions meant to persist into later steps. The focus is isolation and containment, so sensitive data doesn’t bleed across workflows and hidden context can’t steer future actions.
Speak to en engineer today to prove MCP servers are safe before deployment.
