ThornGuard operates as an edge security proxy. It addresses these risks at the network and protocol layer between AI clients and MCP servers. Risks that require client-side or model-level enforcement are noted in the coverage gaps section.
Coverage Summary
| OWASP Risk | ThornGuard Coverage | Key Features |
|---|---|---|
| MCP-01 Tool Poisoning | Strong | Tool poisoning detection, ANSI stripping, schema integrity, recommendation poisoning defense, hidden HTML sanitization |
| MCP-02 Rug Pull | Strong | TOFU schema pinning, behavioral anomaly detection |
| MCP-03 Excessive Permissions | Moderate | Policy engine, approval workflows, tool risk scoring |
| MCP-04 SSRF | Strong | DNS-aware SSRF blocking, IP validation, domain blocklists |
| MCP-05 Data Exfiltration | Strong | PII redaction (10+ pattern types), cross-server data flow governance |
| MCP-06 Credential Theft | Strong | Secret redaction, OAuth 2.1 token isolation, encrypted credential storage |
| MCP-07 Unauthorized Actions | Strong | Command injection detection, policy engine, approval workflows |
| MCP-08 Logging Gaps | Strong | Structured D1 audit logs, correlation IDs, webhook alerting |
| MCP-09 Resource Exhaustion | Strong | Durable Object rate limiting, per-license quotas |
| MCP-10 Third-Party MCP Risk | Moderate | Tool inventory, risk scoring, taint tracking, namespace isolation |
MCP-01: Tool Poisoning
Risk: Malicious instructions embedded in tool definitions that manipulate AI agent behavior, such as hidden directives to override system prompts, exfiltrate data, or suppress security warnings.How ThornGuard addresses this
ThornGuard scans tool definitions returned by upstream MCP servers before they reach the AI client.- Instruction override detection — identifies patterns like
<IMPORTANT>, identity reassignment directives, and suppression commands injected into tool descriptions - Hidden character detection — flags non-visible Unicode characters (zero-width spaces, bidirectional overrides, homoglyphs) used to conceal malicious payloads
- Schema integrity walks — recursively inspects nested tool definition structures for embedded injection attempts
- ANSI/VT escape code stripping — removes terminal control sequences from tool definitions and responses that could exploit terminal-based MCP clients
- AI Recommendation Poisoning defense (AML.T0080) — detects memory persistence commands (“remember X as trusted source,” “in future conversations”) used by the 31 companies Microsoft documented in February 2026 deploying prompt injection as a marketing strategy
- Hidden HTML content sanitization — strips
display:noneelements, HTML comments,visibility:hidden/opacity:0content, off-screen elements,<noscript>blocks, and suspicious JSON-LD metadata from tool responses before they reach the AI client - AI share URL inspection — detects “Summarize with AI” URLs targeting ChatGPT, Copilot, Claude, Perplexity, and Gemini with memory-manipulation query parameters
Tool poisoning detection operates on every
tools/list and tools/call response passing through the proxy, including SSE streams. Detected poisoning attempts are logged with the TOOL_POISONING_DETECTED audit action with category-specific metadata.MCP-02: Rug Pull
Risk: Tools that change behavior after an initial trust period. A tool may present safe definitions during setup, then alter its schema or behavior to perform malicious actions once trusted.How ThornGuard addresses this
ThornGuard implements Trust On First Use (TOFU) schema pinning to detect tool definition drift.- SHA-256 schema hashing — computes a cryptographic hash of each tool’s definition on first observation and stores it in the tool inventory
- Drift detection — subsequent
tools/listresponses are compared against the pinned hash; any change triggers an alert or block depending on policy configuration - Behavioral anomaly detection — EWMA (Exponentially Weighted Moving Average) baselines, Page-Hinkley drift detection, and Markov chain sequence analysis identify behavioral shifts even when tool schemas remain unchanged
- Tool inventory tracking — maintains a complete record of all observed tools, their schemas, and when they were last verified
MCP-03: Excessive Permissions
Risk: Tools requesting or exercising more access than required for their stated function, violating the principle of least privilege.How ThornGuard addresses this
ThornGuard provides policy-based controls to restrict what tools can do, even if the upstream server grants broad permissions.- Policy engine — structured rules in allow/block/audit modes that scope permitted actions by tool name, method, target URL, or parameter patterns
- Approval workflows — human-in-the-loop gating for high-risk tool invocations; tools matching approval profiles require explicit authorization before execution
- Tool risk scoring — automated risk classification in the tool inventory based on tool capabilities and observed behavior
- Custom blocklists — per-license domain and command blocklists to restrict tool access to approved targets only
Approval workflows allow teams to enforce manual review for sensitive operations. When a tool invocation matches an approval profile, the request is held with a
BLOCKED_APPROVAL status until an authorized team member approves or denies it.MCP-04: Server-Side Request Forgery
Risk: Tools making requests to internal network resources, cloud metadata endpoints, or localhost services that should not be accessible from the MCP server.How ThornGuard addresses this
SSRF prevention is a core layer in ThornGuard’s security pipeline, applied before any request is proxied upstream.- Private IP blocking — rejects targets resolving to
127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16, and other RFC 1918/6598 ranges - Cloud metadata protection — blocks requests to AWS (
169.254.169.254), GCP, and Azure metadata endpoints - DNS-over-HTTPS resolution — resolves target hostnames via DoH before proxying to prevent DNS rebinding attacks where a domain initially resolves to a public IP but later resolves to an internal address
- HTTPS enforcement — rejects non-HTTPS targets to prevent cleartext interception
- Domain blocklists — per-license custom domain blocking for additional target restrictions
DNS resolution happens at the proxy edge, not at the upstream server. This means SSRF checks cannot be bypassed by DNS rebinding or time-of-check/time-of-use attacks against the upstream server’s resolver.
MCP-05: Data Exfiltration
Risk: Sensitive data leaking through tool responses, parameters, or side channels. This includes PII, credentials, and proprietary data exposed in MCP message payloads.How ThornGuard addresses this
ThornGuard applies bidirectional PII and secret redaction on both outbound requests and inbound responses, including SSE streams.- 10+ built-in pattern types — EMAIL, SSN, AWS_KEY, GCP_KEY, GITHUB_TOKEN, SLACK_TOKEN, PRIVATE_KEY, JWT, PHONE, CREDIT_CARD
- Credit card validation — IIN prefix matching (Visa, Mastercard, Amex, Discover, JCB, UnionPay, Diners Club) combined with Luhn checksum to minimize false positives
- SSE stream redaction — PII scanning operates on Server-Sent Events streams in real time, tracking detected types across chunks
- Custom regex redaction — enterprise customers can define additional redaction rules for proprietary data patterns, with built-in ReDoS protection on user-supplied regular expressions
- Cross-server data flow governance — namespace isolation via
server_id::tool_namescoping and taint tracking with a 4-level sensitivity lattice prevent data from flowing between MCP servers without authorization
MCP-06: Credential Theft
Risk: Authentication tokens, API keys, and secrets exposed through tool parameters, responses, or insecure storage.How ThornGuard addresses this
ThornGuard combines secret redaction with secure credential management to prevent credential exposure at multiple layers.- Secret pattern redaction — detects and scrubs AWS keys, GCP keys, GitHub tokens, Slack tokens, private keys, and JWTs from request and response payloads
- OAuth 2.1 token isolation — proxy-issued tokens are fully decoupled from upstream credentials; clients never see upstream access tokens
- Encrypted credential storage — upstream tokens are stored with AES-256-GCM encryption in D1, accessible only to the proxy’s token exchange logic
- PKCE S256 enforcement — all OAuth authorization flows require Proof Key for Code Exchange to prevent authorization code interception
MCP-07: Unauthorized Actions
Risk: Tools performing actions beyond their intended scope, including destructive operations, privilege escalation, or lateral movement.How ThornGuard addresses this
ThornGuard applies multiple layers of action control to prevent tools from executing unauthorized operations.- Command injection detection — approximately 40 blocked patterns covering destructive commands (
rm -rf,sudo,chmod 777,mkfs,dd if=, etc.), privilege escalation attempts, and dangerous shell constructs - Policy engine — structured rules that can allow, block, or audit specific RPC methods, tool names, and parameter patterns
- Approval workflows — high-risk tool invocations can require human authorization before execution
- IP whitelisting — enterprise per-license restriction of which client IPs can invoke the proxy
- RBAC team tokens — admin and viewer roles with expiry and revocation controls
MCP-08: Logging and Monitoring Gaps
Risk: Insufficient audit trails that prevent detection of security incidents, hinder forensic investigation, and leave compliance gaps.How ThornGuard addresses this
ThornGuard maintains comprehensive structured audit logging for every request that passes through the proxy.- Structured D1 audit logs — every request is logged with timestamp, license hash, target URL, RPC method, action taken, response time, and client IP
- Correlation IDs —
log_id(UUID) andtrace_idfields enable end-to-end request tracing across distributed systems - 17 distinct audit actions — granular categorization from
PROXY_SUCCESSthrough specific block reasons (BLOCKED_SSRF,BLOCKED_MALICIOUS,BLOCKED_POLICY, etc.) toPII_REDACTEDandAUDIT_PURGE - Webhook integrations — real-time alerting to external endpoints via queue-backed delivery with retry tracking
- CSV export — audit log export for external analysis and compliance reporting
- Automated retention cleanup — scheduled daily purge based on per-license retention settings
- GDPR purge support — on-demand deletion of audit records for data subject requests
MCP-09: Resource Exhaustion
Risk: Denial of service through excessive requests, large payloads, or resource-intensive tool invocations that overwhelm the MCP infrastructure.How ThornGuard addresses this
ThornGuard implements per-license rate limiting backed by Cloudflare Durable Objects for consistent enforcement at the edge.- Durable Object rate limiter — per-license request quotas with KV fallback for high availability
- Per-license configuration — rate limits are configurable per license tier through the settings system
- Immediate rejection — rate-limited requests receive an immediate
429response with aBLOCKED_RATE_LIMITaudit log entry - Edge deployment — rate limiting runs on Cloudflare’s edge network, absorbing abuse before it reaches upstream MCP servers
MCP-10: Third-Party MCP Risk
Risk: Security risks introduced by connecting to untrusted or compromised third-party MCP servers, including supply chain attacks and malicious tool ecosystems.How ThornGuard addresses this
ThornGuard provides visibility and control over third-party MCP server interactions through its tool intelligence and data flow governance layers.- Tool inventory — automatic cataloging of all tools exposed by upstream MCP servers, with computed risk levels
- Risk scoring — automated classification of tool risk based on capabilities, permissions, and behavioral patterns
- Cross-server namespace isolation —
server_id::tool_namescoping prevents tools from different servers from interfering with each other - Taint tracking — 4-level sensitivity lattice (public, internal, confidential, restricted) tracks data provenance across server boundaries
- TOFU schema pinning — detects when a third-party server changes its tool definitions after initial trust establishment
- Domain and command blocklists — restrict which upstream targets and operations are permitted
Tool inventory and risk scoring provide visibility into what third-party MCP servers expose. Combined with the policy engine, teams can enforce granular controls over which third-party tools are allowed, audited, or blocked.
Coverage Gaps
ThornGuard is a proxy-level security gateway. The following areas fall outside its scope and require complementary measures:| Area | Why It Is Out of Scope |
|---|---|
| Client-side enforcement | ThornGuard operates at the network edge. It cannot enforce security policies within the AI client application itself, such as restricting which MCP servers a client is configured to use before the connection reaches the proxy. |
| Model-level guardrails | Preventing the AI model from generating harmful outputs, following injected instructions, or making unsafe decisions requires model-layer safety features, not proxy-level inspection. ThornGuard can block the resulting tool calls but cannot influence model reasoning. |
| Training data protection | Protecting the data used to train or fine-tune AI models is outside the scope of runtime MCP traffic inspection. |
| End-to-end encrypted payloads | If MCP traffic is encrypted between client and server such that the proxy cannot inspect it, redaction and content scanning do not apply. ThornGuard requires TLS termination at the proxy to inspect payloads. |
| Out-of-band communication | Data exchanged between tools and external services through channels that do not pass through the MCP proxy (such as direct database connections or filesystem access) cannot be monitored or controlled. |
ThornGuard is designed to be one layer in a defense-in-depth security architecture. For comprehensive MCP security, combine proxy-level controls with client-side configuration management, model safety features, and organizational security policies.