SecurityTraining · Part 9/20

MCP Runtime Protection: Panguard, ATR Rules, and Agentic Threat Mitigation

Module 9 of 20 · Agentic AI Security Curriculum · May 2026

How to use this module

Use it as self-paced study or as instructor-led training. YAML, commands, and policy excerpts are illustrative; map them to your cloud, mesh, identity provider, and agent runtime—substitute your own names, namespaces, and tools while preserving the control intent.

Estimated time: ~35 minutes reading; add time for linked standards and team discussion.

Learning objectives

By the end of this module, you should be able to:

  1. Explain synchronous policy enforcement for tool and API calls in agent architectures.
  2. Relate session-scoped authorization to OAuth-style claims and API gateways.
  3. Identify abuse cases specific to multi-step agent workflows.

Prerequisites

Suggested discussion / lab: Pick one diagram in your environment (build, deploy, runtime) and mark where this module’s controls apply; note gaps versus the checklist in the body.


The MCP interface is the highest-risk attack surface in any agentic platform. Agents interact with tools, memory, documents, and external systems through natural language, making traditional prompt-based defenses insufficient. This module details how to protect the MCP runtime using Panguard, ATR scoping, and layered governance.

Panguard AI as the Synchronous Chokepoint

Panguard sits directly in front of the intelligent MCP gateway (clawql-api) and acts as the primary real-time intercept layer.

Key Capabilities:

  - Sub-50ms latency per tool call
  - Real-time ATR (Agent Task Request) rule evaluation
  - Blocking of malicious or out-of-scope requests
  - Coverage of OWASP Agentic Top 10 risks
  - Full session auditing

All clawql_execute calls, native vertical tools, and proxy plugin dispatches flow through Panguard before any downstream execution.

ATR Rules and Explicit Tool Scoping

Instead of relying on fragile prompt filtering, teams often use structured ATR claims attached to JWT session tokens:

  - Each tool call is validated against the user’s role, vertical permissions, and current task scope.
  - Agents cannot self-escalate privileges.
  - Cross-vertical actions (e.g., lending fraud patterns applied to insurance) require explicit elevated claims.
  - Sandbox execution and dangerous operations are tightly gated.

Panguard rejects any call that violates these rules and returns a clear error to the agent.
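As an added illustration that is not the curriculum's own code or Panguard's implementation, here is a minimal Python evaluator that reads ATR-style claims from a signed session token and checks a tool call against task scope, vertical permissions, elevated claims, and a gate on dangerous operations. The claim names, the tool-to-vertical table, and the HS256 minting helper are assumptions constructed for this example; only claims that survive signature and expiry checks reach the policy, which is what stops an agent from asserting its own elevation.

```python
import base64, hashlib, hmac, json, time
# Illustrative ATR claim layout (an assumption, not Panguard's real schema):
#   role, verticals (the session may act in), task_scope (tools the current
#   task may call), elevated (verticals granted by an explicit elevated claim),
#   grants (extra gates such as dangerous_ops), exp (expiry).
TOOL_VERTICALS = {  # constructed table: tool name -> vertical it belongs to
    "lending.score_applicant": "lending",
    "insurance.flag_claim": "insurance",
    "sandbox.exec": "sandbox",
}
DANGEROUS = {"sandbox.exec"}  # operations that need the dangerous_ops grant as well

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims, key):
    """Stand-in for the identity provider that issues the session token."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token, key, now=None):
    """Return the claims only if the signature and expiry check out."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")  # claims edited by the agent fail here
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def evaluate(claims, tool):
    """Return (allowed, reason); the reason is the decision metadata for the audit log."""
    vertical = TOOL_VERTICALS.get(tool)
    if vertical is None:
        return False, f"unknown tool {tool}"
    if tool not in claims.get("task_scope", []):
        return False, f"{tool} outside current task scope"
    if vertical not in claims.get("verticals", []):
        if vertical in claims.get("elevated", []):
            return True, f"cross-vertical {vertical} allowed by elevated claim"
        return False, f"cross-vertical {vertical} requires explicit elevated claim"
    if tool in DANGEROUS and "dangerous_ops" not in claims.get("grants", []):
        return False, f"{tool} gated: missing dangerous_ops grant"
    return True, f"{tool} within {claims.get('role')} scope"
```

The reason string is what a chokepoint would return to the agent and write alongside the call in the audit log.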

Microsoft Agent Governance Toolkit as Deterministic Overlay

Panguard is complemented by the Microsoft Agent Governance Toolkit running as a sidecar. While Panguard provides fast, AI-augmented protection, the Toolkit adds deterministic, rule-based governance with different failure modes. Together they create defense-in-depth at the MCP layer.

Prompt and Response Logging with Redaction

Every MCP interaction is logged with:

  - Full context (redacted via Presidio in the Fluent Bit pipeline)
  - Tool parameters and results
  - Decision metadata (why a call was allowed or blocked)

Logs are written to WORM storage with Merkle roots for tamper evidence.

Key Takeaways

  - The MCP interface must be treated as the primary attack surface and protected with synchronous, low-latency interception.
  - ATR-based capability scoping is far more effective than defenses that rely on filtering prompts for injection.
  - Layered protection (Panguard + Microsoft Toolkit) provides resilience through diverse failure modes.
  - Comprehensive auditing and redaction ensure forensic readiness without exposing sensitive data.

Strong MCP runtime protection builds directly on the sandboxing and network controls from previous modules and enables safe agentic operation at scale.

Next module: Data Classification and PII Redaction – Never Let Sensitive Data Hit Logs.

Further reading (vendor-neutral)

These resources are independent of any single product; use them to deepen the topic for audits, architecture reviews, or procurement discussions.

Commercial training use

You may reuse this curriculum internally or in paid consulting / training engagements. Keep examples aligned to the customer’s actual stack; substitute your own runbooks, tool names, and compliance frameworks (SOC 2, ISO 27001, sector regulators) where cited examples use a reference architecture only.