Instruction smuggling
The attacker hides a new instruction inside content the model treats as relevant.
Independent field guide Deep guide June 6, 2026
Defense guide
How to defend MCP systems against prompt injection without overcomplicating the stack
Prompt injection becomes dangerous when untrusted text can influence a tool call. This guide focuses on how to test for that risk, reduce the damage radius, and make the system safer without turning every workflow into a manual approval bottleneck.
MCP Security
Know the patterns before you test them
Prompt injection often looks obvious in hindsight and subtle in production. The dangerous version is usually embedded in content the model is already allowed to read, such as a document, web page, ticket, or chat message.
Authority abuse
The injected content pretends to carry more weight than it should.
Action steering
The injected text nudges the agent toward a tool call that changes state.
Data exfiltration
The attacker tries to redirect a response or tool call toward sensitive information.
MCP Security
Controls should reduce privilege and ambiguity
Good defenses do not rely on one magical prompt or classifier. They reduce the size of the decision surface, make the tools specific, and insert policy between the model's intent and the side effect.
Reduce tool power
Do not let one tool read, write, and execute everything.
Validate arguments
Reject arguments that do not fit the allowed pattern, even if the model sounds confident.
Gate sensitive actions
Require extra review for credential use, external sends, or production mutations.
Log policy outcomes
Without logs, the team cannot tell which defense actually worked.
MCP Security
Test the system, not the demo
A demo usually behaves well because the inputs are clean. A real test uses adversarial content, odd sequencing, and repeated attempts to escape the expected path.
Inject malicious instructions into the content the model can read, then see whether the agent changes its tool choice or argument values.
Repeat the same test after changing the tool surface, because a new tool often opens a path the first test did not cover.
Next step
Add policy at the tool boundary
McpVanguard helps convert prompt-injection defense from advice into something the system can actually enforce in production.
Sources
References and further reading
OWASP GenAI Security
Primary guidance on prompt injection and related risks.
Official MCP docs
Useful for understanding the tool boundary.
Anthropic MCP overview
Helpful background on the protocol.