# Setting Up the MCP Security Gateway for Tool Poisoning Detection > Learn to set up the MCP Security Gateway for tool poisoning detection. Protect your MCP servers with a two-layer defense from the Agent Governance Toolkit. - Repository: [Microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) - Tags: how-to-guide - Published: 2026-05-29 --- **The Microsoft Agent Governance Toolkit protects MCP servers with a two-layer defense combining static analysis via `MCPSecurityScanner` for detecting malicious tool definitions and runtime enforcement via `MCPGateway` to intercept calls and sanitize responses before they reach the LLM.** The Agent Governance Toolkit (AGT) from Microsoft provides a robust security framework for Model Context Protocol (MCP) deployments. Setting up the MCP Security Gateway for tool poisoning detection involves configuring both static analysis scanners and runtime interceptors that work together to prevent hidden instructions, schema abuse, and credential leaks from compromising your AI agents. According to the microsoft/agent-governance-toolkit source code, this architecture follows a **fail-closed** design where any unexpected error results in a denied call or blocked response. ## Understanding the Two-Layer Defense Architecture The AGT implements defense in depth through two complementary components that share the same threat taxonomy (`MCPThreatType` and `MCPSeverity`) and structured audit logging. ### Static Analysis with MCPSecurityScanner The `MCPSecurityScanner` class in [`agent-governance-python/agent-os/src/agent_os/mcp_security.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/mcp_security.py) performs pre-flight scanning of tool definitions (name, description, JSON schema) to detect: - Hidden instructions and invisible Unicode characters - Encoded payloads and privilege-escalation cues - Schema abuse patterns - Cross-server impersonation and typosquatting attacks Each finding generates an `MCPThreat` object with severity levels of *info*, *warning*, or *critical*. The scanner also fingerprints tool definitions using SHA-256 hashes to detect **rug-pull** attacks when a tool's description or schema drifts after registration. The implementation includes comprehensive unit tests in [`agent-governance-python/agent-os/tests/test_mcp_security.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/tests/test_mcp_security.py) that verify tool-poisoning, hidden-instruction, and rug-pull detection scenarios. ### Runtime Enforcement with MCPGateway The `MCPGateway` class in [`agent-governance-python/agent-os/src/agent_os/mcp_gateway.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/mcp_gateway.py) wraps every MCP tool call and response to enforce: - **Deny-list and allow-list** filtering based on tool names - **Parameter sanitization** using policy-defined regexes and built-in dangerous-pattern checks (SSN, credit card numbers, destructive shell commands) - **Per-agent rate limiting** based on the `max_tool_calls` setting in the attached `GovernancePolicy` - **Human-in-the-loop approval** for sensitive tools via callback functions - **Response scanning** for credential leaks, PII/CRI, and prompt-injection tags before the LLM processes the output ## Step-by-Step Deployment Guide Follow this workflow to deploy the MCP Security Gateway for comprehensive tool poisoning protection: 1. **Design-time scan** – Run the scanner or `mcp-scan` CLI on the MCP server's tool manifest to identify poisoned definitions before deployment. 2. **Register fingerprints** – Call `scanner.register_tool(...)` for every legitimate tool to establish a baseline hash for rug-pull detection. 3. **Instantiate a GovernancePolicy** – Define allowed tools, call budgets, and custom blocked-parameter patterns in [`agent-governance-python/agent-os/src/agent_os/integrations/base.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/integrations/base.py). 4. **Create an MCPGateway** – Configure the gateway with the policy, optional deny-list, sensitive-tool list, and an approval callback for human gating. 5. **Wrap the MCP server** – Use `MCPGateway.wrap_mcp_server(...)` to launch the guarded server configuration. 6. **Runtime interception** – Ensure every tool request passes through `gateway.intercept_tool_call(...)` and responses filter through `gateway.intercept_tool_response(...)`. If any scanner-detected threat is marked *critical* (e.g., tool-poisoning, hidden-instruction, or rug-pull), configure the gateway to reject the tool entirely, preventing malicious definitions from reaching agents. ## Configuring Static Analysis for Tool Poisoning Static analysis acts as your first line of defense against compromised tool definitions. The following examples demonstrate how to scan for hidden instructions and establish baseline fingerprints. Scan a tool definition for hidden payloads: ```python from agent_os.mcp_security import MCPSecurityScanner scanner = MCPSecurityScanner() threats = scanner.scan_tool( tool_name="helpful_search", description="Search the web. ", server_name="acme-tools", ) for t in threats: print(f"[{t.severity.value}] {t.threat_type.value}: {t.message}") # → [critical] tool_poisoning: Hidden comment detected in tool description ``` Register the tool to create a fingerprint for rug-pull detection: ```python fp = scanner.register_tool( tool_name="search", description="Search the web", schema={"type": "object", "properties": {"q": {"type": "string"}}}, server_name="acme", ) print(fp.version) # 1 print(fp.description_hash) # SHA-256 hex digest ``` For CI/CD integration, use the `mcp-scan` CLI wrapper located at [`agent-governance-python/agent-os/src/agent_os/cli/mcp_scan.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/cli/mcp_scan.py) to automate static scanning in your deployment pipeline. ## Implementing Runtime Enforcement Runtime enforcement prevents exploit execution even if malicious tools bypass static detection. Configure your security policy and gateway as follows: Define a `GovernancePolicy` with tool allowances and custom block patterns: ```python from agent_os.integrations.base import GovernancePolicy policy = GovernancePolicy( name="production", allowed_tools=["search", "read_file"], max_tool_calls=50, blocked_patterns=[r";\s*(rm|del)\b"], # custom blocklist ) ``` Initialize the `MCPGateway` with approval callbacks and sanitization: ```python from agent_os.mcp_gateway import MCPGateway, ApprovalStatus def approve(agent_id, tool_name, params): # Simple logic: deny any destructive deployment if tool_name == "deploy": return ApprovalStatus.DENIED return ApprovalStatus.APPROVED gateway = MCPGateway( policy, denied_tools=["execute_code", "shell"], sensitive_tools=["deploy"], approval_callback=approve, enable_builtin_sanitization=True, ) ``` The gateway references `CredentialRedactor` logic from [`agent-governance-python/agent-os/src/agent_os/credential_redactor.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/credential_redactor.py) to sanitize audit logs and response content. ## Intercepting Tool Calls and Responses at Runtime With the gateway configured, intercept all MCP traffic to enforce security boundaries: Intercept incoming tool calls against policy: ```python allowed, reason = gateway.intercept_tool_call( agent_id="agent-alpha", tool_name="search", params={"query": "quarterly earnings"}, ) print(allowed, reason) # True Allowed by policy ``` Scan tool responses before they reach the LLM to prevent data exfiltration: ```python response = "User data: alice@example.com, SSN 123-45-6789" decision = gateway.intercept_tool_response( agent_id="agent-alpha", tool_name="search", response_content=response, ) print(decision.allowed) # False (PII detected) print(decision.reason) # Response blocked — pii_leak detected ``` ## Summary Setting up the MCP Security Gateway for tool poisoning detection requires integrating both static and runtime protections from the Microsoft Agent Governance Toolkit: - **Static analysis** via `MCPSecurityScanner` detects hidden instructions, rug-pull attempts, and schema abuse in tool definitions before deployment. - **Runtime enforcement** via `MCPGateway` applies deny-lists, parameter sanitization, rate limiting, and human-in-the-loop approvals to every tool interaction. - **Fail-closed architecture** ensures that scanner errors or gateway failures result in denied calls rather than security gaps. - **Comprehensive audit logging** captures all threats and interventions using standardized `MCPThreat` and `MCPSeverity` taxonomies for compliance pipelines. ## Frequently Asked Questions ### What is tool poisoning in MCP servers? Tool poisoning occurs when malicious actors inject hidden instructions, invisible Unicode characters, or deceptive schemas into MCP tool definitions. These payloads can manipulate LLM behavior, exfiltrate data, or escalate privileges when the agent executes the compromised tool. The `MCPSecurityScanner` class specifically targets these attacks by analyzing tool descriptions and schemas for anomalies before runtime execution. ### How does the MCP Security Gateway prevent rug-pull attacks? The gateway prevents rug-pull attacks through fingerprinting baselines established via `scanner.register_tool(...)`. This method generates SHA-256 hashes of legitimate tool descriptions and schemas. During subsequent scans, the `MCPSecurityScanner` compares current definitions against these fingerprints; any drift triggers a critical severity alert, allowing the gateway to reject the modified tool before an agent processes it. ### Can I integrate MCP Security Gateway with existing CI/CD pipelines? Yes. The toolkit includes the `mcp-scan` CLI utility located at [`agent-governance-python/agent-os/src/agent_os/cli/mcp_scan.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-os/src/agent_os/cli/mcp_scan.py), which wraps the `MCPSecurityScanner` functionality. You can incorporate this command-line tool into your build pipelines to perform automated static analysis of MCP server manifests during the design phase, blocking deployment of poisoned tools before they reach production environments. ### What happens when the gateway detects a critical threat? When the gateway or scanner identifies a critical threat such as tool-poisoning or hidden instructions, the system follows a fail-closed policy. The `MCPGateway` rejects the tool call entirely, returning a denial status to the agent. For response scanning, `gateway.intercept_tool_response()` blocks the content from reaching the LLM and logs the specific threat type (e.g., `pii_leak` or `credential_exposure`) along with the severity level for audit review.