Talk to an expert Get started

Blog

Research, TTPs, and engineering-grade writeups.

Published by operators, not marketing. Deep-dives on exploits we've shipped, methodology we've tuned, and compliance patterns that actually scale.

Featured · AI Security9 min read

MCP servers are the new vendor risk: auditing the agent toolbox

Every MCP server you plug into your agent is a trust boundary. Here's how to audit them like the supply-chain risk they are.

Apr 21, 2026 · PentStark AI Research

$ head -8 mcp-servers-are-the-new-vendor-risk.md

The Model Context Protocol (MCP) has become the plug-and-play interface between LLMs and the tools they need — filesystems, databases, Jira, GitHub, your CRM. In six months it went from "interesting spec" to "how every agent framework ships tools." It also went from "clean abstraction" to the largest underappreciated supply-chain surface in your stack. Every MCP server your agent connects to is a trust boundary crossing. Most of them came from a third party's GitHub. Most of them run with the agent's full credentials. Very few of them have been audited. ## The trust model you didn't write When an agent connects to an MCP server, it: - Trusts the server's **capability declaration** (what tools it says it provides). - Trusts the **tool output** returned to the model — that content re-enters the agent's context as authoritative. - Shares **credentials or session state** with the server, either explicitly (API keys) or implicitly (workspace access, network reachability). Any of those trust edges, violated, breaks the agent.

All posts

Active Directory AI Security AppSec Red Team Compliance Product Security Identity Cloud Security

Passkeys in the enterprise: 18 months in, here's what breaks

Five recurring attack paths we've found in enterprise passkey rollouts since they became table stakes.

PentStark Red Team

EU AI Act red teaming: what a pentester actually delivers

Article 15 and 54a say you need cybersecurity and adversarial testing. Here's the engagement shape the first audit cycle accepted.

PentStark Compliance

Active Directory

AD CS ESC1 in the wild: the certificate template you forgot about

How a single ManageCA + supplied-subject template got us to domain admin in 22 minutes.

PentStark Red Team

Your Kubernetes ingress is the new DMZ

Ingress controllers parse untrusted input, reach every service, and run privileged. They are a DMZ, not a detail.

PentStark Cloud

LLM tool-use escalation: from prompt injection to arbitrary code

A case study on bridging a benign prompt-injection primitive into full agent compromise.

PentStark AI Research

DORA ICT third-party testing: lessons from the first audit cycle

What we learned running threat-led penetration tests under DORA Articles 26–27 across the first wave of 2026 audits.

PentStark Compliance

BOLA across microservices: when authorization is someone else's job

Why BOLA is the most under-tested flaw class in modern SaaS — and how we find it.

PentStark PTaaS

Lockfile injection: the npm supply-chain attack your SCA missed

Pinning your lockfile is necessary but not sufficient. Here's the pattern attackers are using to slip past SCA tools.

PentStark Product Security

Ransomware-ready posture: the assume-breach scenario every board should fund

A red-team scoping guide for boards asking 'are we ransomware-ready?'

PentStark Red Team

SOC 2 without slowing down your release train

Patterns for embedding evidence collection into your engineering workflow.

PentStark Compliance

Product Security

Shift-left that actually ships: patterns from ten SSDLC rollouts

The three patterns that make product-security programs work — and the three that quietly kill them.

PentStark Product Security

Get our research in your inbox

One monthly digest of TTPs, published advisories, and engineering-grade deep-dives. No marketing fluff. Or grab the RSS feed.

Talk to an operator

Your next finding is one scoping call away.

Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.

hello@pentstark.com

Talk to an expertBook a demo

● Responses in < 1 business day