What is an MCP server?‍

MCP (Model Context Protocol) is the open protocol for connecting AI agents to external tools, data sources, and systems. An MCP server is a piece of software that exposes capabilities to AI agents.

• Provides tools the AI agent can call (file access, API queries, system commands)
• Runs locally on the developer’s endpoint, with the developer’s privileges
• Connects to Cursor, Claude Code, GitHub Copilot, Antigravity, and other AI coding tools
• Can be third-party (npm registry, GitHub) or built in-house

Why are MCPs a security risk?

MCPs run with the developer’s privileges and have direct access to source code, secrets, internal systems, and APIs. Most MCPs are installed without security review.

• Malicious MCPs can exfiltrate source, secrets, and customer data
• Compromised MCPs can escalate privileges or pivot laterally
• Copycat MCPs typosquat popular names to trick developers
• EDR cannot see inside the AI coding harness where MCPs execute
  

How does Backslash discover MCPs across our fleet?

‍The Guardian agent runs on every developer endpoint and continuously inventories installed MCP servers. Discovery requires no manual configuration.

• Malicious MCPs can exfiltrate source, secrets, and customer data
• Detects MCPs across Cursor, Claude Code, GitHub Copilot, Antigravity, Windsurf, Gemini Code Assist
• Captures source, version, permissions, and install path
• Surfaces shadow MCPs invisible to gateways and EDR
• Treats internal MCPs as first-class citizens

Can Backslash block MCPs before they are installed?

Yes. Backslash enforces an allowlist policy at the endpoint before MCPs run.

• Approved MCPs run with their permissions monitored in real time
• Pending MCPs run in restricted mode while awaiting review
• Blocked MCPs are prevented from running at all
• Policy enforced uniformly across every IDE and agent harness

How does this work with Cursor, Claude Code, and GitHub Copilot?

‍Backslash covers every major AI coding tool that uses MCPs. The platform sees MCP invocations from inside each agent harness, regardless of which tool initiated the call.

• One policy applies uniformly across all AI coding tools
• Per-tool inventory and per-tool drill-downs
• No proxy, no gateway, no IDE-specific plugin required
• Designed to coexist with existing developer workflows

What is the difference between a malicious MCP and a vulnerable one?

‍Malicious MCPs are built with intent to harm. Vulnerable MCPs are built in good faith but have security flaws an attacker can exploit. Backslash identifies both.

• One policy applies uniformly across all AI coding tools
• Malicious: detected through behavior, reputation, and copycat patterns
• Vulnerable: detected through static analysis of the MCP source and dependencies
• Compromised: detected when a previously trusted MCP starts behaving differently
• All three categories trigger the same enforcement and audit response

How does Backslash handle internal MCPs we built in-house?

‍Internal MCPs are first-class citizens. Add them to your allowlist, and Backslash monitors their behavior the same as any third-party MCP.

• Drift in permissions or tool surface surfaces automatically
• Behavior anomalies flagged even for trusted internal MCPs
• Useful for the team building the MCP and for security audit
• Internal-MCP risk reports available on demand