
MCP Confused-Deputy Visualizer

A confused deputy is a program with legitimate authority that a less-privileged party tricks into misusing it. Pick an attack, then switch controls on to see exactly where each one gets stopped.

Source alignment: Built on Andrew's work as Principal Co-author of the CIS Controls v8.1 MCP Companion Guide. Simplified for education; not an official CIS product or assessment.

What is a confused deputy in MCP?

An AI agent often holds broad authority: credentials to call tools, read data, and act on a user's behalf. A confused-deputy attack happens when a less-privileged party (untrusted content like a retrieved document or tool output, or a lower-privilege user) gets the agent to use its authority to do something the attacker could never do directly.

The root cause is ambient authority: the agent acts with its own privileges instead of the requesting user's. The fix is layered, and no single control stops every variant. Toggle the controls below and watch where each attack breaks down.

Step 1: Choose an attack

[Attack picker: a table of scenarios with columns "Source" and "Injected Goal".]

Step 2: Toggle controls & watch the request flow

Every control starts off, so the attack succeeds. Click a gate to switch that control on and re-run the request.

[Request flow diagram: Untrusted Source → The Deputy (AI Agent) → Control Gates → Protocol (MCP Tool) → Target (External System).]

Control analysis for this attack

Defense in depth: notice that no single control stops all three attacks. Per-user authorization is the core fix for ambient authority, but it does nothing against a destructive action an admin is allowed to take. Layered controls, not a silver bullet, are what contain a confused deputy.
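As an added example (not part of the visualizer or the CIS guides), the three gates below model the page's argument in Python: an ambient-authority gate that waves every call through, a per-user authorization gate that fixes that, and a layered gate that also catches the admin-permitted destructive action the per-user check alone cannot. The ACL, user names, tool names and the human-confirmation gate are assumptions made for illustration; the page names no specific control set.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACL (hypothetical): (tool, target) pairs each user may invoke.
PERMISSIONS = {
    "alice": {("read_file", "reports/q3.txt")},
    "admin": {("read_file", "reports/q3.txt"), ("delete_repo", "prod-api")},
}

@dataclass
class ToolCall:
    tool: str
    target: str
    requested_by: str        # user whose session the agent is acting in
    origin: str = "user"     # "user" or "untrusted_content" (retrieved doc, tool output)

@dataclass
class Decision:
    allowed: bool
    blocked_by: Optional[str] = None

def ambient_gate(call: ToolCall) -> Decision:
    """Weak setting: the deputy acts with its own service credentials, so every
    call it is talked into goes through. Nothing is checked against the user."""
    return Decision(allowed=True)

def per_user_gate(call: ToolCall) -> Decision:
    """Core fix for ambient authority: authorize the call against the permissions
    of the user the agent is acting for, not against the agent's own."""
    if (call.tool, call.target) not in PERMISSIONS.get(call.requested_by, set()):
        return Decision(False, "per_user_authorization")
    return Decision(True)

DESTRUCTIVE_TOOLS = frozenset({"delete_repo"})  # assumed classification

def layered_gate(call: ToolCall) -> Decision:
    """Per-user authorization plus a second gate (assumed here, not named on the
    page): a destructive tool invoked on the strength of untrusted content needs
    explicit human confirmation, even when the user would be allowed to run it."""
    decision = per_user_gate(call)
    if not decision.allowed:
        return decision
    if call.tool in DESTRUCTIVE_TOOLS and call.origin == "untrusted_content":
        return Decision(False, "human_confirmation_required")
    return decision
```

Run the same injected `delete_repo` call as alice and as admin through each gate: only the layered gate stops both, which is the page's defense-in-depth point.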

Sources & Inspiration

  • CIS Controls v8.1 Model Context Protocol (MCP) Companion Guide (Principal Co-author)
  • CIS Controls v8.1 AI and LLM Companion Guide (Collaborator)
  • CIS Controls v8.1 AI Agents Companion Guide (Collaborator)
Personal educational tool: This visualizer is a simplified educational model on Andrew Dannenberger's personal website. Real systems vary, and the outcomes shown are illustrative, not a security guarantee. It is not an official CIS assessment, audit, certification, or product.