> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> A short glossary of the key MCP security threats — prompt injection, tool poisoning, rug pulls, server spoofing, token theft, over-privileged access, data leakage, shadow MCP, and missing authentication — with a one-line definition of each and a link to the MCP Manager capability that addresses it.

MCP is powerful but ships **without guardrails**. The protocol standardizes how clients and servers talk; it does not provide authentication, observability, or any defense against malicious tools or leaked data. **MCP Manager** is the product layer that closes those gaps — one governed [gateway](/mcp-gateway-concepts/mcp-gateways) where identity, governance, runtime protection, and audit are applied to every call. This page is a quick glossary of the key MCP threats and where each one is addressed.

## Key threats at a glance

| Threat                                         | What it is                                                                                                 | Where MCP Manager addresses it                                                                                     |
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| **Prompt injection**                           | Hidden instructions inside data or tool content trick the agent into unsafe actions.                       | [Runtime Protections](/security/runtime-protections)                                                               |
| **Tool poisoning**                             | Malicious instructions hidden in a tool's metadata (description or schema), read into the model's context. | [Feature Governance](/security/feature-governance#a-defense-against-tool-poisoning-and-rug-pulls)                  |
| **Rug pull**                                   | A tool quietly changes its behavior or description *after* you approved it.                                | [Feature Governance](/security/feature-governance#a-defense-against-tool-poisoning-and-rug-pulls)                  |
| **Server spoofing & cross-server shadowing**   | A malicious server impersonates or overrides another server's tools.                                       | [Feature Governance](/security/feature-governance) · [Audit & Observability](/security/audit-and-observability)    |
| **Token theft / account takeover**             | Stolen credentials let an attacker impersonate a service account, often undetected.                        | [Authentication & Identity](/security/authentication-and-identity#where-credentials-live-and-how-theyre-protected) |
| **Over-privileged access**                     | Agents are handed far more tools and scope than the task needs.                                            | [Feature Governance](/security/feature-governance)                                                                 |
| **Data leakage & exfiltration**                | Sensitive data (PII, secrets) flows to the model or out of bounds.                                         | [Runtime Protections](/security/runtime-protections#data-loss-prevention-stopping-pii-and-secrets)                 |
| **Shadow MCP**                                 | Unsanctioned, unseen MCP usage that no one can audit.                                                      | [Audit & Observability](/security/audit-and-observability)                                                         |
| **Missing authentication / exposed endpoints** | Servers with weak or no auth that anyone on the network can reach.                                         | [Authentication & Identity](/security/authentication-and-identity)                                                 |

## The four layers that address them

MCP Manager applies defense in depth across four layers — each has its own page:

<CardGroup cols={2}>
  <Card title="Authentication & Identity" icon="fingerprint" href="/security/authentication-and-identity">
    Brokers a real identity to every server, stores credentials encrypted, and revokes access instantly — countering token theft and missing auth.
  </Card>

  <Card title="Feature Governance" icon="list-check" href="/security/feature-governance">
    Least privilege for tools, with metadata locking that defends against tool poisoning and rug pulls.
  </Card>

  <Card title="Runtime Protections" icon="shield-halved" href="/security/runtime-protections">
    Inspects live traffic to block injection and stop PII or secrets from leaking.
  </Card>

  <Card title="Audit & Observability" icon="magnifying-glass-chart" href="/security/audit-and-observability">
    Records every call with attribution, so shadow MCP and spoofing become visible and auditable.
  </Card>
</CardGroup>

## Further reading

<CardGroup cols={2}>
  <Card title="Authentication & Identity" icon="fingerprint" href="/security/authentication-and-identity">
    The first security layer — brokered identity, credential storage, and instant revocation.
  </Card>

  <Card title="Architecture & Trust" icon="building-shield" href="/mcp-gateway-concepts/architecture-and-trust">
    How the gateway is hardened as the control point in the path of every call.
  </Card>
</CardGroup>

## External sources

<CardGroup cols={2}>
  <Card title="OWASP Top 10 for LLM Applications" icon="book" href="https://genai.owasp.org/llm-top-10/">
    The industry reference on prompt injection and related LLM risks.
  </Card>

  <Card title="MCP security best practices" icon="shield-check" href="https://modelcontextprotocol.io/specification/draft/basic/security_best_practices">
    Security guidance from the Model Context Protocol specification.
  </Card>
</CardGroup>
