TrapDefense
MCP Protection Pack

Protect MCP tool handlers with a practical runtime bundle.

This pack is built for teams connecting agents to email, databases, file tools, Slack, Notion, Jira, and internal APIs. Start with the mcp-server preset, add regional PII profiles, and roll out in shadow before you enforce, then use the preset and PII catalogs to tune the runtime layer.

Threat model

What this pack is designed to stop

Risk: Data exfiltration
  Example: Forwarding DB results to an external URL or email address
  Impact: Customer or internal data leaves the approved environment

Risk: Unsafe tool use
  Example: drop_table, delete_database, shell_exec
  Impact: Destructive agent actions run with production privileges

Risk: PII exposure
  Example: Returned search results include emails, phone numbers, or national IDs
  Impact: Sensitive data enters the model context or an external tool

Risk: Hidden payloads
  Example: Prompt injection hidden in HTML, CSS, markdown, or encoded content
  Impact: The agent is manipulated into actions you did not intend

Recommended bundle

Start with the preset and profiles below

Policy preset: mcp-server for tool blocklists, egress checks, and capability policies.
PII profiles: usually global-core plus a regional profile like kr, jp, or payment.
API usage: call /v1/decide before tool execution and /v1/redact after tool execution.
Rollout: start in shadow, review what would have been blocked, then move to warn or enforce.

Preset

mcp-server

Blocks high-risk tools, restricts egress to approved domains, and applies capability-based fallback decisions to tool calls.

Profiles

Choose only the PII you need

Start small to reduce false positives. Use global-core for broad coverage, then add regional or payment profiles as needed.

Patterns

Focus on runtime-relevant detections

TrapDefense focuses on unsafe tool use, data exfiltration, and hidden payloads rather than trying to cover every generic AppSec signature.

Rollout

Use shadow, warn, then enforce

Shadow: allow all traffic, record the original decision, and tune allowlists without breaking workflows.
Warn: downgrade blocks to warnings so your team can review policy violations while tools still run.
Enforce: apply real blocks once the preset, allowlist, and capability policies are stable.
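The three rollout stages above, applied to a decision returned by /v1/decide, as an added example rather than TrapDefense's own code. The decision body is assumed to carry an "action" of allow, warn or block plus "tool_name" and "reason"; those field names are assumptions, the real ones come from the HTTP API preview.

```python
import logging
from dataclasses import dataclass
from typing import Any, Callable, Dict

log = logging.getLogger("trapdefense")

# Rollout stages from the pack: shadow records, warn downgrades, enforce blocks.
SHADOW, WARN, ENFORCE = "shadow", "warn", "enforce"


class ToolBlocked(Exception):
    """Raised when the rollout stage does not let the tool run."""


@dataclass
class Outcome:
    ran: bool       # whether the wrapped tool handler was allowed to execute
    original: str   # the action /v1/decide returned, kept for shadow review
    effective: str  # what this stage actually did: allow, warn or block


def apply_decision(decision: Dict[str, Any], mode: str) -> Outcome:
    # ASSUMPTION: the decision body carries "action" (allow/warn/block),
    # "tool_name" and "reason"; check the HTTP API preview for the real names.
    original = decision.get("action", "allow")
    tool, reason = decision.get("tool_name"), decision.get("reason")
    if mode == SHADOW:
        # Allow everything, but record what would have happened for review.
        log.info("shadow: %s would have been %s (%s)", tool, original, reason)
        return Outcome(ran=True, original=original, effective="allow")
    if mode == WARN:
        # Blocks become warnings so the team can review while tools keep running.
        effective = "warn" if original == "block" else original
        if effective == "warn":
            log.warning("policy violation on %s: %s", tool, reason)
        return Outcome(ran=True, original=original, effective=effective)
    if mode == ENFORCE:
        # Real blocks, for use once allowlists and capability policies are stable.
        return Outcome(ran=original != "block", original=original, effective=original)
    raise ValueError(f"unknown rollout mode: {mode}")


def run_guarded(decision: Dict[str, Any], mode: str, tool: Callable[[], Any]) -> Any:
    """Run the tool only if the current rollout stage permits it."""
    outcome = apply_decision(decision, mode)
    if not outcome.ran:
        raise ToolBlocked(f"{decision.get('tool_name')}: {decision.get('reason')}")
    return tool()


# Constructed sample decision (not real API output) for a send_email call.
SAMPLE_DECISION = {"tool_name": "send_email", "action": "block",
                   "reason": "egress to a domain outside domain_allowlist"}
```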

Example

Call decide before a tool runs

curl -X POST https://trapdefense.com/api/v1/decide \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tool_name": "send_email",
    "args": {"to": "external@gmail.com", "body": "quarterly revenue report"},
    "capabilities": ["email_send"],
    "policy_preset": "mcp-server"
  }'

Integration

Python MCP handler example

import os

import httpx

TRAPDEFENSE_KEY = os.environ["TRAPDEFENSE_KEY"]
client = httpx.AsyncClient(timeout=10.0)


async def check_tool(tool_name, args, capabilities):
    # Ask /v1/decide before the tool executes; the response is the policy decision.
    resp = await client.post(
        "https://trapdefense.com/api/v1/decide",
        headers={"Authorization": f"Bearer {TRAPDEFENSE_KEY}"},
        json={
            "tool_name": tool_name,
            "args": args,
            "capabilities": capabilities,
            "policy_preset": "mcp-server",
        },
    )
    resp.raise_for_status()
    return resp.json()


async def send_email_handler(to, subject, body):
    # Gate the MCP tool handler on the decision before any email is sent.
    decision = await check_tool(
        "send_email",
        {"to": to, "subject": subject, "body": body},
        ["email_send", "network_send"],
    )
    # Act on the decision according to your rollout stage, then run the tool.
    return decision

False positives

How to tune safely

Normal tool call blocked: add the domain to domain_allowlist or pass a custom policy.
Needed capability blocked: move the capability from block to warn during rollout.
Too much PII masking: specify only the profiles you actually need instead of scanning every type.
Need a special workflow: pass a custom policy object for that route or tool.

Status

Hosted API access is still in preparation.

The fastest way to evaluate this pack is to review the HTTP API preview, then plug /v1/decide and /v1/redact into one MCP tool handler in shadow mode when you are ready. Public API key issuance is not open yet.