Zero trust identity for autonomous AI agents. Every action signed. Every tool gated. Every agent verified. No identity, no trust.
Message integrity verification, replay protection, tool definition monitoring, and agent identity -- all with one URL change.
Built on open standards. Reviewed by the security community.
MCPSaaS implements the MCPS protocol, submitted as an IETF Internet-Draft and aligned with OWASP MCP Top 10 controls.
Every message is verified end-to-end. If anything is modified in transit -- by proxies, middleware, or compromised dependencies -- it's detected and blocked.
Every request is unique. Captured messages cannot be re-sent. Centralised tracking across all your agents with automatic expiry.
Tool definitions are fingerprinted at discovery. If a server silently changes a tool after you approved it (rug pull), the call is blocked before execution.
Every agent gets a verifiable identity with trust levels L0-L4. Servers set minimum trust requirements. No more anonymous tool calls.
Full structured logging in JSON and syslog (RFC 5424). Feed directly into Cribl, Splunk, Datadog, or any SIEM. Complete non-repudiation.
Change one URL in your MCP config. No SDK, no library, no key management. Your MCP server doesn't know we exist.
MCP (Model Context Protocol) is the standard for connecting AI agents to external tools. Adopted by Anthropic, OpenAI, Google, Microsoft, and AWS. But it was built for functionality, not security. Here's what's missing.
Every JSON-RPC message between agent and tool server travels without any integrity verification. Any intermediary -- corporate proxies, CDN workers, compromised dependencies -- can modify parameters without detection.
Captured MCP messages can be re-sent by an attacker to repeat sensitive operations. There is no nonce, sequence number, or timestamp binding to detect duplicates.
Tool definitions can change after initial approval. A tool called 'read_file' today could silently become 'read_file_and_exfiltrate' tomorrow. No hash-pinning, no mutation detection.
Agents authenticate with bearer tokens or API keys. A stolen token means full impersonation. There is no way to verify which specific agent made a request.
Transport security terminates at every hop. Corporate HTTPS inspection proxies (Zscaler, Palo Alto, Fortinet) routinely decrypt, inspect, and re-encrypt traffic. After termination, messages are plaintext.
OAuth proves who you are but doesn't protect what you send. A valid OAuth token with a modified message body is accepted without question. No message signing, no payload integrity.
MCP has the fastest-growing attack surface in AI infrastructure. Critical vulnerabilities including RCE (CVE-2025-6514, CVSS 9.6), authentication bypass, and unauthenticated API exposure.
Industry scans of 500+ MCP servers found that 38% lack any form of authentication. Anyone who can reach the endpoint can invoke any tool.
MCPSaaS closes every one of these gaps. One URL change. Zero code modifications.
See HowChange your MCP endpoint URL. That's it.
Existing security standards leave critical gaps in agent communication. MCPSaaS closes all of them.
| Requirement | TLS | OAuth | JWT | JWS | DPoP | mTLS | MCPS |
|---|---|---|---|---|---|---|---|
| Identity | Server only | Yes | Yes | No | Key bind | Both | Passport (L0-L4) |
| Message Integrity | No | No | Token only | Yes | No | No | Every message |
| Replay Protection | No | No | Expiry | No | Partial | No | Nonce + timestamp |
| Tool Integrity | No | No | No | No | No | No | SHA-256 hash-pin |
| Trust Levels | No | No | No | No | No | No | L0-L4 hierarchy |
| Revocation | CRL | Expiry | Expiry | No | No | CRL | Real-time |
| Non-repudiation | No | No | No | Yes | No | No | Yes |
TLS-terminating proxies can modify messages after decryption.
Cloudflare Workers or CDN scripts can intercept and modify MCP traffic.
Compromised npm dependencies can intercept from inside your MCP server.
Captured requests can be re-sent to repeat sensitive operations.
MCP servers can silently change tool definitions after approval.
Fake servers at hijacked domains proxy traffic while modifying it.
How MCPSaaS maps to each OWASP MCP risk control.
| Risk | OWASP MCP Control | MCPSaaS | How |
|---|---|---|---|
| MCP-01 | Tool Poisoning -- Malicious instructions in tool descriptions | Covered | Tool definitions hash-pinned at discovery. Any mutation detected and blocked before execution. |
| MCP-02 | Excessive Agency -- Agent performs unintended actions | Partial | Audit trail logs every tool call with full parameters. Anomaly detection via dashboard. |
| MCP-03 | Data Exfiltration -- Sensitive data sent via tool calls | Partial | Full audit of all parameters in transit. Syslog integration for SIEM alerting. |
| MCP-04 | Tool Rug Pulls -- Tool definitions changed post-approval | Covered | SHA-256 hash-pinning. Tool definition verified against pinned hash before every execution. |
| MCP-05 | Prompt Injection via Tools -- Injected instructions in tool responses | Partial | Response integrity verification. Signed responses from MCPS-enabled servers. |
| MCP-06 | Cross-Server Shadowing -- Tool name collisions across servers | Partial | Per-server tool pinning with server-specific hashes. Namespace isolation via proxy. |
| MCP-07 | Insufficient Auth -- Weak identity verification | Covered | Agent passports with trust levels L0-L4. Servers set minimum trust requirements. |
| MCP-08 | No Message Integrity -- Unsigned messages in transit | Covered | Every message signed with ECDSA P-256 via MCPS. Tampered messages rejected. |
| MCP-09 | Supply Chain Risks -- Compromised MCP packages | Partial | Tool integrity monitoring detects post-install mutations. Zero dependency signing chain. |
| MCP-10 | Logging Gaps -- No audit trail for agent actions | Covered | Full structured audit in JSON + RFC 5424 syslog. Every request/response logged with non-repudiation. |
6 of 10 risks fully covered. 4 partially covered with detection and monitoring.
MCPSaaS is the only managed service that maps directly to the OWASP MCP Top 10. View the full OWASP MCP Top 10.
MCPSaaS supports local key generation and GCP Cloud KMS for enterprise key management.
| Feature | Local (Free) | GCP KMS (Pro/Enterprise) |
|---|---|---|
| Key Generation | ECDSA P-256 on server | ECDSA P-256 in Cloud KMS |
| Key Storage | Encrypted volume | Google-managed, never exported |
| Key Rotation | Manual via API | Automatic with grace period |
| Audit | MCPSaaS audit log | MCPSaaS + Cloud Audit Logs |
| Compliance | SOC2 | SOC2 + FIPS 140-2 Level 1 |
| BYOK | N/A | Bring Your Own Key supported |
Everything you need to secure your MCP connections.
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/signup | Create account |
| POST | /api/login | Get API key |
| GET | /api/dashboard | Dashboard stats |
| POST | /api/proxies | Create proxy endpoint |
| GET | /api/proxies | List proxy endpoints |
| GET | /api/audit | Audit log (JSON) |
| GET | /api/audit/syslog | Audit log (RFC 5424 syslog) |
| POST | /api/keys/rotate | Rotate API key |
| GET | /proxy/:id | Proxy endpoint (use in MCP config) |
MCPSaaS implements the MCPS protocol as defined in IETF Internet-Draft draft-sharif-mcps-secure-mcp.
| Layer | Control | Standard |
|---|---|---|
| Message Signing | ECDSA P-256 per-message signatures | NIST FIPS 186-5 |
| Canonicalization | Deterministic JSON serialization | RFC 8785 (JCS) |
| Replay Protection | Nonce + timestamp window | MCPS SEP-2395 |
| Tool Integrity | SHA-256 hash-pinning | MCPS SEP-2395 |
| Agent Identity | Cryptographic passports (L0-L4) | MCPS SEP-2395 |
| Audit Output | Structured JSON + syslog | RFC 5424 |
Start free. Scale as you grow.
Get AI agent security alerts in the tools you already use. MCPSaaS integrates with Microsoft Defender for Cloud, Azure Sentinel, and any SIEM via syslog.
When MCPSaaS detects a threat in MCP traffic -- command injection, credential access, SQL injection, prompt injection -- it pushes a security alert directly to Microsoft Defender via the Graph Security API. Alerts appear in your Defender console with MITRE ATT&CK categories.
SecurityAlert.ReadWrite.All permissiontenantId, clientId, and clientSecretcurl -X POST https://mcpsaas.co.uk/api/defender/config \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tenantId": "YOUR_AZURE_TENANT_ID",
"clientId": "YOUR_APP_CLIENT_ID",
"clientSecret": "YOUR_APP_CLIENT_SECRET"
}'POST /api/defender/test sends a simulated alert to verify the connection.Every security event -- threat detections, replay blocks, unsigned request blocks, agent blocks -- is pushed to your Azure Log Analytics workspace as custom logs (MCPSaaS_CL). Query with KQL, build workbooks, trigger automated playbooks via Logic Apps.
Workspace ID and Primary Key from Azure Portal > Log Analytics > Agentscurl -X POST https://mcpsaas.co.uk/api/defender/config \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tenantId": "YOUR_AZURE_TENANT_ID",
"clientId": "YOUR_APP_CLIENT_ID",
"clientSecret": "YOUR_APP_CLIENT_SECRET",
"sentinelWorkspace": "YOUR_WORKSPACE_ID",
"sentinelSharedKey": "YOUR_PRIMARY_KEY"
}'POST /api/sentinel/test pushes a test log entry. Query in Sentinel: MCPSaaS_CL | where ThreatType_s != ""// All MCP threats in last 24 hours
MCPSaaS_CL
| where TimeGenerated > ago(24h)
| where EventType_s == "threat_detected"
| project TimeGenerated, ThreatType_s, Severity_s, AgentName_s, Detail_s
// Command injection attempts by agent
MCPSaaS_CL
| where ThreatType_s == "COMMAND_INJECTION"
| summarize count() by AgentName_s
| order by count_ desc
// MITRE ATT&CK heatmap
MCPSaaS_CL
| where MITRECategory_s != ""
| summarize count() by MITRECategory_s
| render piechartExport your full audit trail as RFC 5424 syslog. Feed it into Splunk HEC, Datadog log intake, Elastic Filebeat, AWS CloudWatch, or any syslog-compatible collector.
# JSON audit log
curl https://mcpsaas.co.uk/api/audit \
-H "Authorization: Bearer YOUR_API_KEY"
# RFC 5424 syslog format
curl https://mcpsaas.co.uk/api/audit/syslog \
-H "Authorization: Bearer YOUR_API_KEY"MCPSaaS sits between your AI agents and the MCP servers they call. Zero code changes. One URL swap.
Replace your MCP server URL with your MCPSaaS proxy endpoint. Your agent connects to us instead of directly to the MCP server. No SDK, no library, no code change.
MCPSaaS cryptographically signs every MCP message passing through the proxy. Tool definitions are pinned on first contact. If a tool schema changes unexpectedly, execution is blocked.
A heuristic engine inspects every tool call for known attack patterns -- injection, credential theft, traversal, prompt manipulation. Critical threats are blocked before they reach the MCP server.
Blocked threats and security events are pushed to Microsoft Defender, logged to Azure Sentinel, and exported via syslog -- all in real time. Your SOC sees MCP threats alongside everything else they monitor.
MCPSaaS is a transparent security proxy. It does not host your tools or store your data. Traffic passes through, gets signed and scanned, then forwards to your MCP server. If MCPSaaS is unreachable, agents fall back to direct connections. We secure MCP -- we don't replace it.
Or contact us: contact@agentsign.dev
Real-time overview of your MCP security posture.
No activity yet. Configure a proxy endpoint to start.