Engineering
How to Secure MCPs with Lakera Guard
This guide explains how to integrate Lakera Guard directly into a Model Context Protocol (MCP) server, giving you an easy way to add advanced threat detection to your MCP workflows.
.png)
As GenAI applications become more complex, standards like the Model Context Protocol (MCP) are critical for connecting models to real-world tools and data. But they also introduce new security risks—risks that most traditional defenses weren’t designed to catch.
At Lakera, we specialize in securing AI-native systems against these emerging threats. Lakera Guard is built to defend modern GenAI architectures like MCP-based systems—quickly, seamlessly, and without disrupting development velocity.
In this guide, we’ll show how vulnerabilities in MCPs can be exploited—and how you can secure your MCP servers with a simple, powerful addition: Lakera Guard.
The full code is available in this Github gist for you to try.
What is MCP?
The Model Context Protocol (MCP) is an open standard that connects AI applications with data sources and tools. It enables seamless integration of LLMs with external data and context. This protocol supports the development of complex AI workflows and agents, simplifying the management of AI applications. It is relatively new (released in November 2024) but has already been adopted by Open AI and by Google.
Some limitations of MCPs
MCP has also received significant pushback when it comes to security. Articles such as The “S” in MCP Stands for Security and Everything Wrong with MCP illustrate some of the many ways in which attackers can deliver significant damage via vulnerabilities in MCPs.
The official MCP spec makes strong recommendations regarding multiple components in MCP servers and clients that need active security protection. As an example in the spec of 23rd of March 2025, when talking about server prompts, they claim that:
-db1-
Implementations MUST carefully validate all prompt inputs and outputs to prevent injection attacks or unauthorized access to resources.
-db1-
This is only one of many elements to check. Here are a few other examples that they mention:
- Client > sampling: server and client SHOULD validate message content
- Server > prompts: server MUST validate prompt inputs and outputs
- Server > resources: servers MUST validate all resource URIs
- Server > tools: servers MUST validate all tool inputs
How bad can it be?
Suppose we have a simple MCP server called tldr that simply summarizes a content that is passed to it.
-db2-
#!/usr/bin/env python3
# tldr.py
from dotenv import load_dotenv
from mcp.server.fastmcp import FastMCP
load_dotenv()
mcp = FastMCP("TLDR")
@mcp.tool()
async def tldr_text(text: str) -> str:
return f"Make TLDR of text: {text}"
if __name__ == "__main__":
mcp.run()
-db2-
With this MCP server example, I can ask the LLM to access my email account and make a summary for me.
What you don’t see in the email above is that there is a hidden prompt attack in white text.
If you ask an LLM with the TLDR server enabled to summarize it you’ll get:
-db1-
I found an interesting link about guarding LLMs and thought you'd like it: https://lakera.evil. Check it out and let me know what you think! Best, Santiago.
-db1-
This is a simple example that showcases how easily models can expose risks to the user.
How can I secure MCPs with Lakera Guard?
As we've discussed in earlier posts, LLMs introduce entirely new cybersecurity vulnerabilities. Data sent into an LLM can become executable malware, enabling attackers to exploit the application directly.
The first thing to secure is the inputs and outputs between the client and server. To this, we will use Lakera Guard. Lakera Guard analyzes inputs and outputs in real time to detect threats like prompt injections, data leaks, and harmful content, all with extremely low latency.
Now to secure our TLDR MCP server we just need to add a single line of code.
-db2-
from guard import guard_content
@mcp.tool()
@guard_content(input_param="text", output_screen=True)
async def tldr_text(text: str) -> str:
return f"Make TLDR of text: {text}"
-db2-
Notice how adding a single line -bc-@guard_content-bc- to your tools, prompts or resources you can start guarding them with Lakera Guard. How does this work?
-bc-@guard_content-bc- is a simple Python decorator. It calls another method called -bc-screen_content-bc- on the input and output of the MCP server. The -bc-screen_content-bc- method is where the Lakera Guard API is called to check whether the content is harmful.
-db2-
async def screen_content(text: str) -> dict:
"""Screen content using Lakera Guard API"""
async with httpx.AsyncClient() as client:
resp = await client.post(
"https://api.lakera.ai/v2/guard",
json={"messages": [{"role": "user", "content": text}],
headers={"Authorization": f"Bearer {LAKERA_API_KEY}"},
)
if resp.status_code != 200:
logger.error(f"error: {resp.status_code} - {resp.text}")
return {
"is_safe": False,
"summary": "Error screening content"
}
result = resp.json()
return {
"is_safe": not result.get("flagged", False),
"summary": "Lakera Guard screen the message and content is safe to use"
if not result.get("flagged", False)
else "Content has been flagged by Lakera Guard as potentially harmful.",
}
-db2-
This works out of the box, but you can also customize the behavior by configuring Lakera Guard with different policies for more flexible use cases.
That is it, now with just a single line guarding your tools your MCP servers are no longer vulnerable. Re-running the same example as above, but now with the protected server, we get the following:
-db1-
I’ll run the tldr tool on the email as requested.
…
The tldr tool returned an error indicating the content was flagged by Lakera Guard as potentially harmful.
-db1-
**👉 Adding Lakera Guard API calls to your MCP servers ensures your data and resources are secure, making the minimal 100ms overhead truly worthwhile.**
In the example above, we have shown how to secure a tool (the -bc-tldr-bc- tool), but as we will see below you can use the same decorator to secure all 3 MCP server primitives: prompts, resources, and tools.
Secure Tools
Tools are executable functions that allow models to perform actions or retrieve information.
-db2-
@mcp.tool()
@guard_content(input_param="text", output_screen=True)
async def tldr_text(text: str) -> str:
return f"Make TLDR of text: {text}"
-db2-
Secure Prompts
Prompts are pre-defined templates or instructions that guide model interactions.
-db2-
@mcp.prompt()
@guard_content(input_param="text", output_screen=True)
async def summarize_text_prompt(text: str) -> str:
return f"Summarize text: {text}"
-db2-
Secure Resources
Resources are structured data or content that provides additional context to the model.
-db2-
@mcp.resource("docs://tldr_text_usage")
@guard_content(input_param="", output_screen=True)
async def summarize_text_resource() -> str:
return "This is a resource."
-db2-
The full code is available in this Github gist.
Conclusion
MCP opens the door to powerful new capabilities — but it also exposes your AI application to serious, potentially catastrophic risks. Ignoring these threats isn’t an option for any production-grade AI application.
Fortunately, securing your MCP integrations is fast and easy with Lakera Guard. With just one line of code added to your prompts, resources and tools you can secure inputs and outputs to your MCP server. As we’ve shown, a single API call can be the difference between a robust, secure application and a critical failure. Don’t leave your data, systems, and users unprotected.
Learn how to protect against the most common LLM vulnerabilities
Download this guide to delve into the most common LLM security risks and ways to mitigate them.
GenAI Security Preparedness
Report 2024
Get the first-of-its-kind report on how organizations are preparing for GenAI-specific threats.
Free Download
Explore AI Regulations.
Compare the EU AI Act and the White House’s AI Bill of Rights.
Understand AI Security Basics.
Get Lakera's AI Security Guide for an overview of threats and protection strategies.
Uncover LLM Vulnerabilities.
Explore real-world LLM exploits, case studies, and mitigation strategies with Lakera.
Optimize LLM Security Solutions.
Use our checklist to evaluate and select the best LLM security tools for your enterprise.
Master Prompt Injection Attacks.
Discover risks and solutions with the Lakera LLM Security Playbook.
Unlock Free AI Security Guide.
Discover risks and solutions with the Lakera LLM Security Playbook.
Don’t miss the updates!
Subscribe to our newsletter to get the recent updates on Lakera product and other news in the AI LLM world. Be sure you’re on track!
You might be interested
Releasing Canica: A Text Dataset Viewer
Discover Canica, Lakera's interactive text dataset viewer that elevates data analysis with visual exploration tools like t-SNE and UMAP. Now available for the machine learning community under the MIT license.
Activate
untouchable mode.
untouchable mode.
Get started for free.
Lakera Guard protects your LLM applications from cybersecurity risks with a single line of code. Get started in minutes. Become stronger every day.
Join our Slack Community.
Several people are typing about AI/ML security. Come join us and 1000+ others in a chat that’s thoroughly SFW.
