MCPSaaS -- MCPS as a Service


[Diagram: agents (Cursor, Gemini, a custom bot and a bad agent) connect through MCPSaaS, which signs, scans and blocks traffic on its way to protected database and API MCP servers; AgentSign issues passports, signed agents pass at trust level L3, and the unsigned bad agent is blocked.]

Now in Public Beta

Secure MCP. Zero Trust for AI Agents. End-to-End Security.

Zero trust identity for autonomous AI agents. Every action signed. Every tool gated. Every agent verified. No identity, no trust.

Message integrity verification, replay protection, tool definition monitoring, and agent identity -- all with one URL change.

Standards-Backed Security

MCPSaaS implements the MCPS protocol, submitted as an IETF Internet-Draft and aligned with OWASP MCP Top 10 controls.

What MCPSaaS does

🔒

Message Integrity

Every message is verified end-to-end. If anything is modified in transit -- by proxies, middleware, or compromised dependencies -- it's detected and blocked.

🔄

Replay Protection

Every request is unique. Captured messages cannot be re-sent. Centralised tracking across all your agents with automatic expiry.

🛡

Tool Integrity

Tool definitions are fingerprinted at discovery. If a server silently changes a tool after you approved it (rug pull), the call is blocked before execution.

🎯

Agent Identity

Every agent gets a verifiable identity with trust levels L0-L4. Servers set minimum trust requirements. No more anonymous tool calls.

📄

Audit Trail

Full structured logging in JSON and syslog (RFC 5424). Feed directly into Cribl, Splunk, Datadog, or any SIEM. Complete non-repudiation.

Zero Friction

Change one URL in your MCP config. No SDK, no library, no key management on your side. Your MCP server needs no changes and sees ordinary MCP traffic arriving from the proxy; servers that implement MCPS themselves can additionally verify the signatures and enforce a minimum trust level.

The MCP Security Problem

MCP (Model Context Protocol) is the standard for connecting AI agents to external tools. Adopted by Anthropic, OpenAI, Google, Microsoft, and AWS. But it was built for functionality, not security. Here's what's missing.

No Message Integrity

Every JSON-RPC message between agent and tool server travels without application-layer integrity protection. TLS covers only each hop, so any intermediary that terminates it (corporate proxies, CDN workers, compromised dependencies) can modify parameters without detection.

No Replay Protection

Captured MCP messages can be re-sent by an attacker to repeat sensitive operations. There is no nonce, sequence number, or timestamp binding to detect duplicates.

No Tool Verification

Tool definitions can change after initial approval. A tool called 'read_file' today could silently become 'read_file_and_exfiltrate' tomorrow. No hash-pinning, no mutation detection.

No Agent Identity

Agents authenticate with bearer tokens or API keys. A stolen token means full impersonation. There is no way to verify which specific agent made a request.

TLS Is Not Enough

Transport security terminates at every hop. Corporate HTTPS inspection proxies (Zscaler, Palo Alto, Fortinet) routinely decrypt, inspect, and re-encrypt traffic. After termination, messages are plaintext.

OAuth Doesn't Cover It

OAuth establishes which client a token was issued to and which scopes it holds, but a bearer token is not bound to the request body. A valid OAuth token presented with a modified message is accepted without question: no message signing, no payload integrity.

30 CVEs in 60 Days

MCP has the fastest-growing attack surface in AI infrastructure. Critical vulnerabilities including RCE (CVE-2025-6514, CVSS 9.6), authentication bypass, and unauthenticated API exposure.

38% Have No Auth

Industry scans of 500+ MCP servers found that 38% lack any form of authentication. Anyone who can reach the endpoint can invoke any tool.

MCPSaaS closes every one of these gaps. One URL change. Zero code modifications.


How MCPSaaS Works


Get started in 30 seconds

Change your MCP endpoint URL. That's it.

// Before (no security)
endpoint: "https://your-mcp-server.com/mcp"

// After (fully signed, verified, audited)
endpoint: "https://mcpsaas.co.uk/proxy?target=https://your-mcp-server.com/mcp"

Proxies you register through the API are addressed by ID instead, as https://mcpsaas.co.uk/proxy/PROXY_ID (see Quick Start below).

Why MCPSaaS?

Existing security standards leave critical gaps in agent communication. MCPSaaS closes all of them.

Requirement | TLS | OAuth | JWT | JWS | DPoP | mTLS | MCPS
Identity | Server only | Yes | Yes | No | Key bind | Both | Passport (L0-L4)
Message Integrity | No | No | Token only | Yes | No | No | Every message
Replay Protection | No | No | Expiry | No | Partial | No | Nonce + timestamp
Tool Integrity | No | No | No | No | No | No | SHA-256 hash-pin
Trust Levels | No | No | No | No | No | No | L0-L4 hierarchy
Revocation | CRL | Expiry | Expiry | No | No | CRL | Real-time
Non-repudiation | No | No | No | Yes | No | No | Yes

The TLS and mTLS columns describe what survives a TLS-terminating hop, not what the transport guarantees inside a single connection: within one connection TLS does protect integrity and ordering, but that protection ends at every proxy that decrypts.

Test Results

180 security tests across 19 attack categories
21 attack surfaces identified in standard MCP
0 unsigned messages when MCPSaaS is enabled
100% of replay attacks blocked

Real-World Threats Blocked

🚫

Corporate Proxy MITM

TLS-terminating proxies can modify messages after decryption.

CDN/Edge Worker Injection

Cloudflare Workers or CDN scripts can intercept and modify MCP traffic.

📦

Supply Chain Compromise

Compromised npm dependencies can intercept from inside your MCP server.

🔄

Replay Attacks

Captured requests can be re-sent to repeat sensitive operations.

🛠

Tool Rug Pulls

MCP servers can silently change tool definitions after approval.

🌐

DNS Hijacking

Fake servers at hijacked domains proxy traffic while modifying it.

Ready to secure your MCP connections?

Start free. No credit card required.


OWASP MCP Top 10 Compliance

How MCPSaaS maps to each OWASP MCP risk control.

Risk | OWASP MCP Control | MCPSaaS | How
MCP-01 | Tool Poisoning: malicious instructions in tool descriptions | Covered | Tool definitions hash-pinned at discovery. Any mutation detected and blocked before execution.
MCP-02 | Excessive Agency: agent performs unintended actions | Partial | Audit trail logs every tool call with full parameters. Anomaly detection via dashboard.
MCP-03 | Data Exfiltration: sensitive data sent via tool calls | Partial | Full audit of all parameters in transit. Syslog integration for SIEM alerting.
MCP-04 | Tool Rug Pulls: tool definitions changed post-approval | Covered | SHA-256 hash-pinning. Tool definition verified against pinned hash before every execution.
MCP-05 | Prompt Injection via Tools: injected instructions in tool responses | Partial | Response integrity verification. Signed responses from MCPS-enabled servers.
MCP-06 | Cross-Server Shadowing: tool name collisions across servers | Partial | Per-server tool pinning with server-specific hashes. Namespace isolation via proxy.
MCP-07 | Insufficient Auth: weak identity verification | Covered | Agent passports with trust levels L0-L4. Servers set minimum trust requirements.
MCP-08 | No Message Integrity: unsigned messages in transit | Covered | Every message signed with ECDSA P-256 via MCPS. Tampered messages rejected.
MCP-09 | Supply Chain Risks: compromised MCP packages | Partial | Tool integrity monitoring detects post-install mutations. Zero dependency signing chain.
MCP-10 | Logging Gaps: no audit trail for agent actions | Covered | Full structured audit in JSON + RFC 5424 syslog. Every request/response logged with non-repudiation.

5 of 10 risks fully covered (MCP-01, 04, 07, 08, 10). 5 partially covered with detection and monitoring (MCP-02, 03, 05, 06, 09). Note that a hash pin catches a tool description that changes after approval; a description that is malicious from the start is pinned as-is, so MCP-01 still depends on reviewing the definitions at first approval.

MCPSaaS is the only managed service that maps directly to the OWASP MCP Top 10. View the full OWASP MCP Top 10.

Key Management

Signing Key Infrastructure

MCPSaaS supports local key generation and GCP Cloud KMS for enterprise key management. In both tiers the signing key is held by MCPSaaS and signs on the agent's behalf, so what a downstream verifier checks is MCPSaaS's attestation about the agent (tied to your API key), not a key the agent itself holds. Protect the API key accordingly and rotate it with POST /api/keys/rotate.

Feature | Local (Free) | GCP KMS (Pro/Enterprise)
Key Generation | ECDSA P-256 on server | ECDSA P-256 in Cloud KMS
Key Storage | Encrypted volume | Google-managed, never exported
Key Rotation | Manual via API | Automatic with grace period
Audit | MCPSaaS audit log | MCPSaaS + Cloud Audit Logs
Compliance | SOC2 | SOC2 + FIPS 140-2 Level 1
BYOK | N/A | Bring Your Own Key supported

Documentation

Everything you need to secure your MCP connections.

Quick Start

# 1. Sign up and get your API key
curl -X POST https://mcpsaas.co.uk/api/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"you@company.com","password":"Secure123!","confirmPassword":"Secure123!"}'

# 2. Add a proxy endpoint
curl -X POST https://mcpsaas.co.uk/api/proxies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"My MCP Server","target":"https://mcp-server.com/mcp"}'

# 3. Use the proxy URL in your MCP config
endpoint: "https://mcpsaas.co.uk/proxy/PROXY_ID"

API Reference

Method | Endpoint | Description
POST | /api/signup | Create account
POST | /api/login | Get API key
GET | /api/dashboard | Dashboard stats
POST | /api/proxies | Create proxy endpoint
GET | /api/proxies | List proxy endpoints
GET | /api/audit | Audit log (JSON)
GET | /api/audit/syslog | Audit log (RFC 5424 syslog)
POST | /api/keys/rotate | Rotate API key
GET | /proxy/:id | Proxy endpoint (use in MCP config)

Security Model

MCPSaaS implements the MCPS protocol as defined in IETF Internet-Draft draft-sharif-mcps-secure-mcp.

Layer | Control | Standard
Message Signing | ECDSA P-256 per-message signatures | NIST FIPS 186-5
Canonicalization | Deterministic JSON serialization | RFC 8785 (JCS)
Replay Protection | Nonce + timestamp window | MCPS SEP-2395
Tool Integrity | SHA-256 hash-pinning | MCPS SEP-2395
Agent Identity | Cryptographic passports (L0-L4) | MCPS SEP-2395
Audit Output | Structured JSON + syslog | RFC 5424

Simple, transparent pricing

Start free. Scale as you grow.

Free

$0

Forever free

5 agents
1,000 signed requests/mo
7-day audit retention
Community support
1 proxy endpoint



Pro

$29/mo

For growing teams

50 agents
100,000 signed requests/mo
90-day audit retention
Email support
10 proxy endpoints
Custom trust levels


Enterprise

$299/mo

For security teams

Unlimited agents
Unlimited requests
1-year audit retention
Priority support + SLA
Unlimited proxy endpoints
Custom trust authority
SIEM integration
SSO / SAML


Enterprise Security

MCP Security for SOC Teams

Get AI agent security alerts in the tools you already use. MCPSaaS integrates with Microsoft Defender for Cloud, Microsoft Sentinel (formerly Azure Sentinel), and any SIEM via syslog.

Microsoft Defender for Cloud

Real-time alerts via Graph Security API


When MCPSaaS detects a threat in MCP traffic -- command injection, credential access, SQL injection, prompt injection -- it pushes a security alert directly to Microsoft Defender via the Graph Security API. Alerts appear in your Defender console with MITRE ATT&CK categories.

Setup

1. Register an app in Azure AD (now Microsoft Entra ID) with the SecurityAlert.ReadWrite.All application permission and grant admin consent for it
2. Note your tenantId, clientId, and clientSecret. The secret is stored by MCPSaaS, so give the app registration this permission only and rotate the secret on your normal credential schedule
3. Configure via API:

curl -X POST https://mcpsaas.co.uk/api/defender/config \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenantId": "YOUR_AZURE_TENANT_ID",
    "clientId": "YOUR_APP_CLIENT_ID",
    "clientSecret": "YOUR_APP_CLIENT_SECRET"
  }'

Test: POST /api/defender/test sends a simulated alert to verify the connection.

Microsoft Sentinel / Log Analytics

Structured logs for KQL queries and playbooks


Every security event -- threat detections, replay blocks, unsigned request blocks, agent blocks -- is pushed to your Azure Log Analytics workspace as custom logs (MCPSaaS_CL). Query with KQL, build workbooks, trigger automated playbooks via Logic Apps.

Setup

1. Get your Log Analytics Workspace ID and Primary Key from Azure Portal > Log Analytics > Agents. These credentials authenticate the HTTP Data Collector API, which is what creates the _CL custom table; Microsoft has deprecated that API in favour of the Logs Ingestion API (data collection rules), so check its retirement date before building a long-term pipeline on it
2. Add to your Defender config:

curl -X POST https://mcpsaas.co.uk/api/defender/config \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenantId": "YOUR_AZURE_TENANT_ID",
    "clientId": "YOUR_APP_CLIENT_ID",
    "clientSecret": "YOUR_APP_CLIENT_SECRET",
    "sentinelWorkspace": "YOUR_WORKSPACE_ID",
    "sentinelSharedKey": "YOUR_PRIMARY_KEY"
  }'

Test: POST /api/sentinel/test pushes a test log entry. Query it in Sentinel with:

MCPSaaS_CL | where ThreatType_s != ""

Example KQL Queries

// All MCP threats in last 24 hours
MCPSaaS_CL
| where TimeGenerated > ago(24h)
| where EventType_s == "threat_detected"
| project TimeGenerated, ThreatType_s, Severity_s, AgentName_s, Detail_s

// Command injection attempts by agent
MCPSaaS_CL
| where ThreatType_s == "COMMAND_INJECTION"
| summarize count() by AgentName_s
| order by count_ desc

// MITRE ATT&CK heatmap
MCPSaaS_CL
| where MITRECategory_s != ""
| summarize count() by MITRECategory_s
| render piechart

Syslog / Any SIEM

RFC 5424 format for Splunk, Datadog, Elastic, CloudWatch


Export your full audit trail as RFC 5424 syslog. Feed it into Splunk HEC, Datadog log intake, Elastic Filebeat, AWS CloudWatch, or any syslog-compatible collector.

Endpoints

# JSON audit log
curl https://mcpsaas.co.uk/api/audit \
  -H "Authorization: Bearer YOUR_API_KEY"

# RFC 5424 syslog format
curl https://mcpsaas.co.uk/api/audit/syslog \
  -H "Authorization: Bearer YOUR_API_KEY"

How it works

Agent calls MCP tool -> MCPSaaS signs + scans -> MCP Server executes tool

Threat detected? The event fans out to:
Defender: real-time alert
Sentinel: KQL + playbooks
Syslog: Splunk / Elastic / etc

How MCPSaaS Works

MCPSaaS sits between your AI agents and the MCP servers they call. Zero code changes. One URL swap.

1

Point your agent at MCPSaaS

Replace your MCP server URL with your MCPSaaS proxy endpoint. Your agent connects to us instead of directly to the MCP server. No SDK, no library, no code change.

2

Every call is signed

MCPSaaS cryptographically signs every MCP message passing through the proxy. Tool definitions are pinned on first contact. If a tool schema changes unexpectedly, execution is blocked.

3

Traffic is scanned in real time

A heuristic engine inspects every tool call for known attack patterns -- injection, credential theft, traversal, prompt manipulation. Critical threats are blocked before they reach the MCP server.

4

Alerts flow to your SOC

Blocked threats and security events are pushed to Microsoft Defender, logged to Azure Sentinel, and exported via syslog -- all in real time. Your SOC sees MCP threats alongside everything else they monitor.

Like Cloudflare, but for MCP

MCPSaaS is a transparent security proxy. It does not host your tools or store your data. Traffic passes through, gets signed and scanned, then forwards to your MCP server. If MCPSaaS is unreachable, agents fall back to direct connections. Note that this is fail-open: during such an outage none of the signing, scanning, blocking or audit described above applies, so decide whether your agents should be allowed to bypass the proxy at all, and alert on direct traffic reaching the MCP server. We secure MCP; we don't replace it.

Threats detected

🛡

Command Injection
MITRE: Command & Control

🔑

Credential Access
MITRE: Credential Access

💾

SQL Injection
MITRE: Initial Access

🧠

Prompt Injection
MITRE: Execution

📁

Path Traversal
MITRE: Collection

🔄

Replay Attacks
Nonce-based rejection

Dashboard

Real-time overview of your MCP security posture.

Trust Levels:
L0 Unsigned
L1 Identified
L2 Verified
L3 Scanned
L4 Audited
No passport = L0. AgentSign issues L1-L4.

Panels: Request Volume (24h), Security Posture, Agent Trust Levels, Activity Timeline (7 days), Recent Activity. Configure a proxy endpoint to start populating them.

Proxy Endpoints

Each proxy wraps one MCP server with full MCPS security. Columns: Name, Target, Proxy URL, Status, Requests.

Agents

AI agents that have connected through your proxies. Columns: Agent, Trust, Last Seen, Requests, Status / Actions.

Audit Log

Cryptographically verifiable record of all MCP traffic. Columns: Time, Method, Tool, Agent, Direction, Signed, Session.

Attacks Blocked

Replay attacks, tool mutations, and signature failures caught by MCPS.

API Keys

Manage your API keys for programmatic access.

Settings

Account and security configuration, including password changes.