Recognition: unknown
MCPThreatHive: Automated Threat Intelligence for Model Context Protocol Ecosystems
Pith reviewed 2026-05-10 12:32 UTC · model grok-4.3
The pith
MCPThreatHive automates continuous threat intelligence collection and classification for Model Context Protocol agentic systems.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
MCPThreatHive operationalizes the MCP-38 threat taxonomy, a curated set of 38 MCP-specific threat patterns mapped to STRIDE, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications. Through a comparative analysis of representative existing MCP security tools, it identifies three critical coverage gaps that MCPThreatHive addresses: incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification.
What carries the argument
The MCPThreatHive platform that automates end-to-end threat intelligence via continuous multi-source collection, AI extraction and classification, structured knowledge graph storage, interactive visualization, and composite risk scoring, while operationalizing the MCP-38 taxonomy.
If this is right
- Threats receive quantitative prioritization through the composite risk scoring model.
- Threat patterns receive consistent classification across STRIDE and the two OWASP lists simultaneously.
- New threats can be incorporated through ongoing data collection rather than periodic manual updates.
- Interactive visualization supports exploration of threat relationships stored in the knowledge graph.
Where Pith is reading between the lines
- Widespread use could encourage a shared reference taxonomy for MCP security across different agent frameworks.
- The knowledge graph structure might allow queries that reveal emerging patterns across multiple data sources.
- Integration with live monitoring of deployed agents would test whether the automation scales to production environments.
Load-bearing premise
The MCP-38 taxonomy is comprehensive enough to cover the relevant threats, and the AI-driven extraction and classification components identify them reliably, without many false positives or misses.
What would settle it
A test set of real or simulated MCP attacks where multiple patterns are either undetected by the platform or assigned risk scores that do not match observed impact.
Original abstract
The rapid proliferation of Model Context Protocol (MCP)-based agentic systems has introduced a new category of security threats that existing frameworks are inadequately equipped to address. We present MCPThreatHive, an open-source platform that automates the end-to-end lifecycle of MCP threat intelligence: from continuous, multi-source data collection through AI-driven threat extraction and classification, to structured knowledge graph storage and interactive visualization. The platform operationalizes the MCP-38 threat taxonomy, a curated set of 38 MCP-specific threat patterns mapped to STRIDE, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications. A composite risk scoring model provides quantitative prioritization. Through a comparative analysis of representative existing MCP security tools, we identify three critical coverage gaps that MCPThreatHive addresses: incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents MCPThreatHive, an open-source platform that automates the end-to-end lifecycle of threat intelligence for Model Context Protocol (MCP) ecosystems. It includes continuous multi-source data collection, AI-driven threat extraction and classification, structured knowledge graph storage, and interactive visualization. The platform operationalizes the MCP-38 threat taxonomy (38 MCP-specific patterns mapped to STRIDE, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications) and includes a composite risk scoring model. Through comparative analysis of existing MCP security tools, the authors identify and claim to address three gaps: incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification.
Significance. If the AI-driven components and taxonomy prove reliable, the open-source release of MCPThreatHive could offer a practical contribution to securing emerging MCP-based agentic systems by enabling continuous, automated, and unified threat intelligence. The curation of the MCP-38 taxonomy and the platform's modular architecture represent strengths that could facilitate community use and extension, particularly in a rapidly evolving area where standardized tools are lacking.
major comments (2)
- [Abstract] The central claim that MCPThreatHive addresses the three identified gaps (incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification) rests on the reliability of the AI-driven extraction and classification pipeline, yet the manuscript provides no quantitative evaluation, benchmark results, false-positive rates, coverage analysis, or validation of these components.
- [MCP-38 taxonomy description] The assertion that the curated MCP-38 taxonomy enables unified multi-framework classification is load-bearing for the gap-closing claim, but no details are supplied on the curation methodology, completeness verification, or how mappings to STRIDE/OWASP are performed without introducing inconsistencies or omissions.
minor comments (2)
- The manuscript would benefit from a table explicitly showing the MCP-38 patterns and their mappings to the three reference frameworks to improve transparency and verifiability.
- Include at least high-level pseudocode or data-flow diagrams for the AI extraction and classification steps to aid reproducibility, even in the absence of full implementation details.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback, which identifies key areas where additional rigor would strengthen the manuscript's claims regarding MCPThreatHive's ability to address the identified gaps. We address each major comment below and will incorporate the suggested enhancements in the revised version.
Point-by-point responses
- Referee: [Abstract] The central claim that MCPThreatHive addresses the three identified gaps (incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification) rests on the reliability of the AI-driven extraction and classification pipeline, yet the manuscript provides no quantitative evaluation, benchmark results, false-positive rates, coverage analysis, or validation of these components.
  Authors: We agree that the absence of quantitative validation for the AI-driven pipeline limits the strength of the gap-closing claims. The current manuscript emphasizes the platform architecture, taxonomy operationalization, and comparative gap analysis as a systems contribution. In the revision, we will add a dedicated evaluation section reporting benchmark results on threat extraction (e.g., precision, recall, and F1 on a labeled corpus of MCP-related reports), false-positive rates from the classification stage, and coverage metrics for the MCP-38 taxonomy. This will provide empirical grounding for how the components address incomplete compositional modeling, continuous intelligence, and unified classification.
  Revision: yes
- Referee: [MCP-38 taxonomy description] The assertion that the curated MCP-38 taxonomy enables unified multi-framework classification is load-bearing for the gap-closing claim, but no details are supplied on the curation methodology, completeness verification, or how mappings to STRIDE/OWASP are performed without introducing inconsistencies or omissions.
  Authors: We acknowledge that the manuscript describes the MCP-38 taxonomy at a summary level without sufficient methodological detail. In the revised manuscript, we will expand the taxonomy section to include: the curation process (systematic review of MCP documentation, CVE entries, and agentic-system incident reports); the explicit mapping procedure to STRIDE, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications, with worked examples; and verification steps such as inter-rater agreement checks and gap analysis to confirm completeness and minimize inconsistencies or omissions. These additions will allow readers to evaluate the taxonomy's robustness independently.
  Revision: yes
Circularity Check
No circularity: descriptive system paper with no derivations or self-referential claims
Full rationale
The manuscript is a system-description paper that presents MCPThreatHive, operationalizes a pre-curated MCP-38 taxonomy, and performs a comparative gap analysis against existing tools. No equations, fitted parameters, predictions, or derivation chains appear in the provided text. The three coverage gaps are identified via external comparison rather than internal construction. The AI extraction/classification components are described but not validated quantitatively within the paper; this is a validation gap, not a circularity issue. No self-citations are invoked as load-bearing uniqueness theorems or ansatzes. The work is self-contained against external benchmarks and contains no steps that reduce by construction to their own inputs.
Axiom & Free-Parameter Ledger
invented entities (1)
- MCP-38 threat taxonomy: no independent evidence