- What: A security checklist for securing AI agent tool infrastructure
- Impact: Provides guidance for securing AI-related systems
Quick Start: Top 10 Controls

01. Never expose MCP over the public internet without mTLS or equivalent.
02. Scope every tool to the minimum necessary permissions.
03. Validate and sanitize all inputs before they reach tool execution.
04. Log every tool invocation with the originating session context.
05. Set rate limits on both the MCP server and any downstream APIs it calls.
06. Treat agent sessions as untrusted by default — validate intent, not just tokens.
07. Separate read and write tools; require explicit approval for write ops in sensitive contexts.
08. Rotate credentials used by MCP servers on a defined schedule.
09. Monitor for behavioral anomalies: unusual tool chains, high-frequency calls, off-hours access.
10. Conduct a tool inventory review before every production deployment.
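As an added example, not part of the original checklist, the following Python policy layer applies controls 02, 04, 05, 07 and 10 to every tool call before it reaches execution. The tool inventory, the `Session` model and the `ToolGateway` class are constructed for illustration and are not an MCP SDK API; the clock is injectable so the rate window can be tested deterministically.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed tool inventory (control 10): each tool declares whether it reads
# or writes and the single permission a session must hold to call it.
TOOLS = {
    "search_docs": {"kind": "read", "perm": "docs:read"},
    "delete_record": {"kind": "write", "perm": "records:write"},
}

@dataclass
class Session:
    session_id: str
    perms: frozenset              # least-privilege grant for this session (control 02)
    sensitive: bool = False       # e.g. production tenant: writes need approval (control 07)
    approved_writes: set = field(default_factory=set)

class ToolGateway:
    """Hypothetical policy layer between the MCP server and tool execution."""
    def __init__(self, max_calls, window_s, clock=time.monotonic):
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self.attempts = defaultdict(deque)   # session_id -> timestamps of every attempt
        self.audit_log = []                  # control 04: every invocation with session context

    def _decide(self, session, tool, decision):
        self.audit_log.append({"ts": self.clock(), "session": session.session_id,
                               "tool": tool, "decision": decision})
        return decision

    def invoke(self, session, tool, run):
        """Return (decision, result); result is None unless the call was allowed."""
        q, now = self.attempts[session.session_id], self.clock()
        while q and now - q[0] > self.window_s:   # drop attempts outside the window
            q.popleft()
        q.append(now)                        # denied attempts count too: bursts are a signal (09)
        if len(q) > self.max_calls:          # control 05: per-session rate limit
            return self._decide(session, tool, "deny:rate_limit"), None
        spec = TOOLS.get(tool)
        if spec is None:                     # not in the inventory: never executed
            return self._decide(session, tool, "deny:unknown_tool"), None
        if spec["perm"] not in session.perms:
            return self._decide(session, tool, "deny:permission"), None
        if spec["kind"] == "write" and session.sensitive and tool not in session.approved_writes:
            return self._decide(session, tool, "deny:approval_required"), None
        return self._decide(session, tool, "allow"), run()
```

Every decision, allowed or denied, lands in `audit_log` keyed by session, which is what the anomaly monitoring in control 09 consumes.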