fatcousin
// case type

MCP server compromise

the MCP (Model Context Protocol) server itself is the failure locus — leaked server credentials, impersonated server identity, server-side tool-definition tampering, or permission escalation in the server's tool-grant ledger. evidence is the server audit log, the client-invocation trail showing what the LLM thinks it called vs what the server actually executed, the tool-call attribution graph, and the OAuth scope grant ledger. distinct from ai-agent-runaway (agent did this with a benign server) and llm-prompt-injection (input bent the model · server was clean). a compromised server can fool both honest models and honest agents.

tools
15
priority
H
processing
local · in browser
// start here

entry point: mcp model context protocol server audit log forensic analyzer. work the primary tools top-down — all local, no upload.

run this kit →

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. mcp model context protocol server audit log forensic analyzerdrop mcp server audit log · parse tool calls + resource accesses + auth · runs locally
  2. mcp client invocation log forensic analyzerdrop mcp client invocation log · parse server calls + arguments + responses · runs locally
  3. mcp server permission escalation detectordrop mcp server audit log · detect over-permissioned tool exposure · runs locally
  4. mcp tool call graph reconstructordrop mcp client + server log set · reconstruct tool-call dependency graph · runs locally
  5. mcp prompt injection via tool result detectordrop mcp server tool result log · detect injection payloads in tool responses · runs locally
  6. anthropic mcp claude tool call attribution tooldrop claude tool call log · attribute each tool call to model decision · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ai agent tool call execution trace reconstructordrop agent run log · reconstruct tool-call sequence + state mutations · runs locally
  2. ai agent prompt vs action divergence detectordrop agent run log · detect actions taken inconsistent with prompt · runs locally
  3. ai agent credential handling auditdrop agent run log · audit credential usage + leakage risk · runs locally
  4. llm tool call injection forensic analyzerdrop agent tool call log export · parse injected args + unauthorized tool invocations · runs locally
  5. casb oauth token abuse detectordrop casb oauth grant export · detect excessive scope grants · runs locally
  6. saas overprivileged oauth scope detectordrop saas oauth grant export · detect excessive oauth scopes · runs locally
  7. api key leakage into prompt detectordrop prompt corpus · detect api keys / secrets leaked into prompts · runs locally
  8. fatcousin multi tool super timeline correlatordrop any fatcousin findings csv/json · unified timestamp-sorted timeline · runs locally
  9. fatcousin cross export ioc hash correlatordrop hash/ioc csv from any fatcousin tool · shared indicator intersection report · runs locally
// reference

proof & methodology

synthetic reference investigations and investigation playbooks for this case type — fixture-locked goldens, local binders, evidence order, and tool paths.

investigation guide: MCP server compromise — methodology

side-by-side: compare case types →

run as a case-kit pipeline

no curated stack for this case type yet. tracked in the forensics rollout — pipelines roll out one case type at a time.

ready