SAFE-MCP

Security Analysis Framework for Evaluation of MCP

80+ Security Techniques
14 Tactic Categories

SAFE-MCP is a specification for MCP attack vectors and mitigation techniques, initiated by astha.ai and now part of the OpenID and Linux Foundations, driven by community collaboration.

SAFE-MCP is part of the Linux Foundation and OpenID Foundation

Initiated by Astha.ai

We're actively evolving — join us as we build the future of MCP security together.

What is SAFE-MCP?

MITRE ATT&CK Adaptation

SAFE-MCP adapts the MITRE ATT&CK methodology specifically for MCP environments, providing a structured catalog of adversarial tactics, techniques, and procedures (TTPs) tuned for agent-tool orchestration.
Framework Coverage

The framework currently defines 14 tactic categories that mirror the MITRE ATT&CK axes and supports 80+ techniques across those tactics (e.g. SAFE-T1001 Tool Poisoning, SAFE-T1102 Prompt Injection).
Guidance & Mappings

Every technique in SAFE-MCP includes mitigation and detection guidance, along with mappings to existing MITRE ATT&CK techniques when applicable.

Why It Matters

Security Engineers & Red Teams

Understand what attacks are possible in MCP architectures; plan threat modeling and pentesting.

Developers / System Architects

Identify which techniques apply to your MCP servers or tool pipelines, and embed mitigations early.

Auditors & Researchers

Map SAFE-MCP across existing security frameworks and evaluate MCP system maturity.

SAFE-MCP Team

Led by industry experts in cloud-native security, Zero Trust, and software supply chain defense

Frederick Kautz

SAFE-MCP Specification Lead

Frederick Kautz is a distinguished leader in open-source and cloud-native communities, with over 10 years of Kubernetes and Docker experience, and extensive expertise in software supply chain security, Zero Trust, and networking.

Key Achievements

  • Co-authored NIST Special Publication 800-204D, defining strategies for software supply chain security in DevSecOps CI/CD pipelines, which significantly influenced the Department of Defense's Enterprise DevSecOps Fundamentals v2.5
  • Created in-toto Archivista, an open-source graph and storage service for in-toto attestations, enabling secure discovery and retrieval of software artifact attestations
  • Lead Architect at Elevance Health for the Sydney Health app, collaborating with the CISO to define Zero Trust strategy and GCP onboarding
  • Emeritus Co-Chair of KubeCon + CloudNativeCon, leading the global cloud-native community through and beyond the COVID phase

Current Leadership Roles

  • SPIFFE Steering Committee Member – Driving standards in workload identity and Zero Trust
  • OmniBOR and ProtoBOM Co-Creator – Advancing transparency in binary provenance and SBOM practices
  • Network Service Mesh Co-Founder – Modernizing network infrastructure for secure, cloud-native networking
  • CNCF TAG Security Contributor – Co-author of the Cloud Native Security White Paper

Innovation & Standards

  • Defined the CNF (Cloud Native Network Function), transforming network service provider architectures for Kubernetes
  • Developed one of the first federated learning platforms for healthcare in 2019, enabling collaborative research while preserving patient privacy
  • Founded Red Hat Container Storage Engine, providing storage solutions for containers
  • Architected WorkOS at Elevance Health, an enterprise platform streamlining operations with advanced security measures

Community Involvement: Former Program Committee Member for KubeCon EU & NA, Open Networking Summit, Edge Computing World, and former LFPH Technical Advisory Committee Member. Active contributor to CNCF TAG Security, NTIA SBOM Working Group, and various cloud-native initiatives.