Flows category icon
Agent QA & Security
Advanced

Threat-Model Your MCP Server

Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.

4 steps12 verify checks90-120 minutesWorks with: emergent · chatgpt · claude · cursor
Start Guided Walkthrough

The Route

0/4 verified

Context Pack

Paste this first. It briefs the AI on requirements, constraints, and the Definition of Done before your first build prompt.

Context Pack
PROJECT CONTEXT:
My MCP server exposes tools to agents (and through them, to untrusted content), but I have never threat-modeled it. Guardrail projects that ship real threat models show MCP servers have specific attack surfaces worth mapping deliberately.

GOAL:
Produce and act on a threat model for my MCP server: asset inventory, entry-point and trust-boundary analysis, ranked threats, and implemented, tested mitigations.

REQUIREMENTS:
- An asset inventory: what the server can access, expose, or affect
- Entry points and trust boundaries mapped (who calls, with what authority, over what transport)
- Threats enumerated per boundary using a structured method (STRIDE or equivalent)
- Threats ranked by impact and likelihood, with mitigations assigned
- Mitigations implemented and verified by targeted tests

CONSTRAINTS:
- Assume callers may be driven by injected/untrusted content - the agent is not a trusted user
- Every high-rank threat needs a mitigation with a test proving it

DEFINITION OF DONE:
- The threat model documents assets, boundaries, and ranked threats
- High-rank threats each have an implemented mitigation
- Tests demonstrate each key mitigation blocking its threat
- Residual risks are documented and accepted explicitly

COMMON FAILURES TO AVOID:
- Shipping an MCP server with no analysis of what it exposes
- Trusting the calling agent implicitly despite injection risk upstream
- Threats listed but never mitigated or tested
- No record of accepted residual risk, so gaps are forgotten

Paste this into your AI builder first. It teaches the AI what you want before you give it the build prompt.

Related routes

More Agent QA & Security flows that share ground with this one.

Flows category icon
Agent QA & Security

Prompt Injection Defense Checklist

Systematically defend your agent against prompt injection: trust boundaries, content isolation, and defense-in-depth that assumes injection will happen.

01Map trust boundaries
02Isolate and label untrusted content
03Separate authority from content

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-150 minutesAdvanced
Flows category icon
Agent QA & Security

Dependency and Supply-Chain Scanning for Agents

Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.

01Intercept dependency additions
02Verify existence and reputation
03Scan for vulnerabilities

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Guard Memory Writes Against Injection

Stop poisoned data from becoming persistent agent beliefs: validate, attribute, and quarantine memory writes as untrusted input.

01Make writes source-aware
02Validate content before persistence
03Quarantine and require corroboration

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced

Made with Emergent