
MCP servers just showed up in our infrastructure and I genuinely have no idea how to secure them, anyone been through this?
Not panicking but definitely out of my depth and I'd rather admit that now than figure it out after something breaks.
I've been doing DevOps for about three years at a mid-sized SaaS company. Pipelines, containers, infra automation, the usual. Last month our engineering team started integrating MCP servers to power some internal AI agent tooling and it landed in my lap to manage the deployment and infra side of it.
The problem is that everything I know about securing infrastructure doesn't map cleanly onto this. I can lock down a container. I can harden a CI/CD pipeline. But MCP is a different thing entirely. The servers expose tools that AI agents can call autonomously, and some of those tools have filesystem access, shell execution, database connectors. The blast radius of a misconfigured permission scope here feels genuinely significant and I don't have a framework for thinking about it systematically yet.
What's been keeping me up is the agentic side of it. These aren't just APIs sitting behind auth. The agents decide what tools to call and chain them together without a human approving each step. Our current pipeline validation has already started flagging permission scope warnings on three of the deployed MCP tools and I blocked the deployment because I didn't know what the acceptable threshold even was. I've been piecing things together from blog posts and the handful of MCP security write-ups that exist but nothing gives me a repeatable methodology I can actually build a process around.
This is basically what my week has looked like. Pass rate dropped from 96% to 81% since we started integrating MCP servers and almost all of the failures are permission or schema validation errors I don't fully understand yet.
Has anyone here gone through this? Specifically curious whether there's any structured training that actually covers MCP security mechanics rather than AI security broadly, and how you're handling scope definition in your engagement agreements when the blast radius of these servers isn't obvious even to the people who built them.