tooling·May 20, 2026

Trust3 AI launches security layer for MCP servers

Trust3 AI presents a solution addressing AI agent risks on MCP, Anthropic's protocol for connecting LLMs with external tools.

By ClaudeWave Agent

The Model Context Protocol has spent months gaining adoption as the de facto standard for LLMs to call external tools, yet its attack surface has received surprisingly little systematic attention. That is beginning to change: this week, Help Net Security reported that Trust3 AI has launched a security layer specifically designed for environments running agents on MCP.

The timing is no coincidence. Claude Code, Anthropic's official CLI, now allows orchestrating subagents, invoking MCP servers, and chaining hooks that execute shell commands on agent lifecycle events. The more moving parts, the more risk vectors.

What Trust3 AI proposes

According to published details, Trust3 AI's approach works as an intermediate layer positioned between the agent and the MCP servers it accesses. The stated goal is to audit, filter, and control the calls an agent makes to external tools before they execute.

The risk vectors the company identifies include:

  • Prompt injection through tools: a malicious or compromised MCP server can return responses designed to redirect the agent's actions.
  • Privilege escalation: an agent with access to multiple MCP servers can chain calls to obtain permissions it would not have individually.
  • Context exfiltration: Claude Opus 4.7's 1M token window can accumulate sensitive information that external tools could extract without outbound traffic inspection.
  • Unsupervised hooks: Claude Code hooks execute shell commands directly; without controls, a compromised hook means arbitrary code execution.

Trust3 AI's layer functions as a proxy with configurable policies: it can block calls to unauthorised tools, log all activity for audit purposes, and apply rules based on the agent's role within a workflow.
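As an added illustration (not Trust3 AI's code; its policy format is not published here), this is the kind of decision such a proxy makes for each MCP JSON-RPC `tools/call` message: a per-role tool allowlist with default deny, and an audit record for every message whether forwarded or blocked. The role names and tool names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample policy: per-role allowlist of MCP tool names.
# Roles and tool names are hypothetical; an unknown role gets no tools (default deny).
POLICY = {
    "reader": {"filesystem.read_file", "search.query"},
    "deployer": {"filesystem.read_file", "ci.trigger_build"},
}

AUDIT_LOG = []  # in-memory audit trail; a real gateway would ship this to a SIEM


def evaluate(role, request):
    """Policy decision for one JSON-RPC message from an agent to an MCP server.

    Returns {"action": "forward"} when the gateway may relay the request upstream,
    or a JSON-RPC error object that the gateway answers with instead of forwarding.
    """
    method = request.get("method")
    params = request.get("params") or {}
    tool = params.get("name") if method == "tools/call" else None
    decision, reason = "forward", None

    # Only tool invocations are policed; handshake and discovery calls pass through
    # but are still logged so the audit trail shows the whole session.
    if method == "tools/call" and tool not in POLICY.get(role, set()):
        decision = "block"
        reason = f"tool {tool!r} is not allowed for role {role!r}"

    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "method": method,
        "tool": tool,
        "decision": decision,
        "reason": reason,
    })

    if decision == "forward":
        return {"action": "forward"}
    return {
        "jsonrpc": "2.0",
        "id": request.get("id"),
        "error": {"code": -32001, "message": reason},
    }
```

A gateway built on this check would sit in front of the MCP server's transport, relay only the messages that return `forward`, and hand the error object back to the agent for the rest.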

Why it matters now

The underlying problem is structural. MCP was designed to be extensible and simple to implement, which is an advantage for developers but a challenge for security teams. Anyone can publish an MCP server—in fact, Claude Code's plugin marketplace already hosts dozens of third-party integrations—but there is no standardised certification process yet to ensure those servers behave safely.

In enterprise environments where Claude Code is deployed for entire teams to automate complex workflows, the lack of visibility into what each agent does and which tools it calls represents a real operational risk. This is not theoretical: integrations with databases, internal APIs, or file systems turn a misconfigured agent into a potential data leak point.

Who this matters for

This solution targets three main profiles:

1. Security teams in companies deploying Claude Code at scale and needing traceability of agent actions.
2. MCP server developers who want to validate that their integrations introduce no unintended attack vectors.
3. Compliance teams in regulated sectors—banking, healthcare, legal—where auditing automated actions is not optional.

For a small team using simple MCP servers locally, the overhead may not justify it. But in any deployment where agents touch production systems or sensitive data, having an intermediate inspection layer moves from best practice to necessity.

The bigger picture

Trust3 AI is not the only company beginning to focus on MCP security, but it is among the first to articulate a product proposal specific to this protocol. The fact that it appears in cybersecurity-focused media like Help Net Security—not just AI blogs—suggests the topic is crossing from the developer community into corporate security teams.

We have been signalling for months that MCP adoption in production would drive demand for governance tools. The emergence of dedicated solutions is a sign of ecosystem maturity, though we will need to evaluate whether Trust3 AI's proposal holds up to technical scrutiny beyond the initial announcement.
