MCP Security Demo: Agentic Guardrails with Daxa | Nico Popp posted on the topic | LinkedIn

LinkedIn respects your privacy

LinkedIn and 3rd parties use essential and non-essential cookies to provide, secure, analyze and improve our Services, and to show you relevant ads (including professional and job ads) on and off LinkedIn. Learn more in our Cookie Policy.

Select Accept to consent or Reject to decline non-essential cookies for this use. You can update your choices at any time in your settings.

1w Edited

MCP Security + Guardian Agent Demo This demo showcases MCP Security Guardrails using Daxa, Inc MCP gateway— the foundation of agentic security. A few key concepts to watch for: 🔐 1. Security guardrails = static layer + agentic layer MCP security policy is the combination of traditional static controls and a new dynamic, agentic layer. Static Layer (Traditional Guardrails) These look familiar — identity, posture, and content-based controls — but rebuilt for AI agents and MCP workflows. 🧬 Identity-Based Guardrails Enforce authentication Ensure RBAC authorization flows down through MCP to the APIs the agent calls. OAuth will likely become the norm Validate whether the agent should have write/delete permissions. NB: developers are not security people — RBAC will often be missing, incomplete, or overly permissive. 👉 This is where a new compensating access controls come in (enter the Guardian Agent i.e. agentic IAM/PAM). 🛡️ Posture-Based Guardrails Zero-trust logic applied to AI agents: Should this agent be allowed to update HR policy? Is the agent running with known critical or high vulnerabilities? Are compensating security controls enabled on the host? Yes — the usual ZTNA mambo-jumbo, but for agents instead of humans. 📦 Content-Based Guardrails Where the MCP security agent / eBPF / gateway / SSE components matter: Inspect data returned to the agent Detect prompt injection attempts in queries and responses Classic DLP and threat-detection territory 🔮 2. The Agentic Layer — Enter the Guardian Agent This is the exciting part. In the demo, this is represented by Daxa’s concept of the Guardian Agent — (and honestly, don’t we all need a guardian agent?) Why this matters: MCP security itself becomes agentic — because only AI can watch AI. Think of it as a modern UEBA: not rules and time series, but generative-AI-powered behavioral reasoning across identity, posture, content, and context (with state and continuous learning). This dual-layer pattern — static guardrails + agentic behavioral oversight — is something we will likely see across the entire security stack. It’s essentially the natural evolution of everything detection & response: 👉 AI-Detection Response (AIDR) for acronym lovers. Enjoy the demo! Let me know what I missed and resonates. #aisecurity #agentsecurity #mcpsecurity #mcp #daxa #pebble #guardianagen

5 Comments

Transcript

All right. Let me start by few words of introduction. What you're going to see in this demo, which is about MCP security, so agentic workflow security. Is I think a general construct that we're going to find again and again across all the control points. And it's really this dual idea of, you know, we're going to have more traditional static guardrail, right? Very much like like we have today in cyber. But then we're going to have also a more intelligent secondary layer that will do the detection response. That layer will leverage AI, AI protecting AI. That's a general idea here, and they will work and in hands, right, They'll complement each other. So we're going to sit here for the MCP gateway, but I would suspect we're going to see it in in other domains of cyber security. Right. And in fact, if you think about it, it's not that different than what we're seeing in India Today or endpoint security. You have static antivirus rule heuristics, right signatures and then you have dynamic ideology is more MBAs and tomorrow it's going to be a base for the detection. OK, all right, let's go and no further due. Let's move forward with the demo. Alright, let me start by describing the setup I have. I'm going to use Cloud as the agent. So Cloud is in agentic mode and you can see in the settings the connectors have a couple MCP services set up. And one is for application and it's protected by Pablo. So I'm forcing the the traffic TMCP traffic through the gateway. And then the other one is for Notion. And if I go to these two sets application, this is, uh, Atlassian Confluence, you can see he has some hour policy, something with Notion. It's a repro for files and there's a bunch of, you know. We'll see, partly retirement, all these good things. OK, so let's go now. On the protection side, I'm in the Pablo Admin console. And I want to show you the policies right the the safeguard policies. And this idea of static policies that are applied across all the agents and all the MCP services, things like do not delete, right? We're gonna stop all delete attempt via AMCP. We can do access control, right? Basic restriction. The one that I really want to show you is this disallow MCP right action. So we basically blocking update and I will show you that in the in the demo, right? So it's just a static guard. Well, pretty straightforward. I'm going back to cloud and asking, hey, can you retrieve the parental leave policy from Confluence? So it's a search, so read should be allowed. And sure enough, here's the policy, right? It's been retrieved. Pretty cool now. Let's do something more gutsy. We're gonna update the policy or at least attempt update it to one year vacation if you're French, because we French love our vacation. So you go and MCP column authorizing the MCP, right? But of course, the gateway is looking at that and it has a global setting, a global Gabriel to diesel, right? So it should block and show it as right. I encounter an error. Trying to update the page, this could be a permissioning issue and it is so here you go right there. The gateway did the work, but let's let's make sure that it did actually it was actually the gateway in action. So if I go now to the. Back to Pueblo. And I go to the violation pane and you can see, right, we have a, an alert, right? We've basically an event evaluation. And you can see that is exactly right. It's the block that you the safe agent rule, we disable the MCP right through for adulation. Influence. OK, uh, and that's, that's simple. OK, so now let's talk about dynamic policies and the Guardian agent, right? That's the. Coolest part of the demo. So to show the guardian agent, I'm first gonna enable right MCP, right for the Notion MCP service. So what I'm doing here is I'm adding Notion. MCP to the exceptionalist for the global Galleria for the static. Gabriel OK, doesn't mean that we left without protection. Of course not right. So if I go to the HR chat boat policing, you can see that there is a tab about the guardian agent. And so the guardian agent, right is your monitoring kind of think of it as the detection response right on top of the the gallery on the protection. OK, so it's done on. There's no alert. Now I'm going to do the same thing again. I'm going to retrieve the parental leave policy from Notion via the MCP service through cloud. And it's working beautifully. Here's the paternity leave. You can see it's 16 weeks paid. So I'm going to change that paternity leave policy from 16 to 20 weeks. So I'm doing an MCP right through cloud, through MCP. Two notion to the falling notion and now it works right because I disabled the guardrail for MCP notion. OK, now I'm going to add a outrageous outrageous clothes for French dad. They get a 52 weeks paid leave and they get a 50K bonus. And since we're at it. Let's throw in a business class ticket to France. And, uh, you know. Being older now, you know we gotta take care of the grandpa as well. And so we'll give Grandpa 10K to to help with the the parental leave that's obviously a religious and you can see it's a bunch of right now that Claude is doing so and it seems to be working. And so we've really created. That. Superb. Parental leave for French people. The agent did what we wanted it to do. Now let's see if the Guardian agent was able to catch that. So if I go to the console again and I look under the Guardian agent section, you can see now that we have a bunch of adults and they're each outlet correspond to the MCP, right? As you can see, here is the 50K bonus for the French employee, but all the other clauses in the attempted updates are here. So we get our. Monitoring agent or Gallian agent the. The AI watching the eye is working beautifully.

Avivah Litan, graphic

5d

Nico Popp thanks for adding life to the guardian agent concept. The demo was really informative. quick question" Guardian agents can only 'guard' registered agents (at least for now). How do you see guardian agents guarding unregistered agents (that are nonetheless detected? And are you still classifying runtime data that hasn't been classified at rest, and if yes, how do you manage the permissions for access of runtime-classified data that has no permissions yet associated?

Marcos Santos, graphic

1w

Great demo—love the two-layer guardrails concept. For API security, how is end-to-end identity and authorization enforced as agents call multiple MCP services? Do you rely on OAuth/OIDC tokens, and is mTLS used between microservices to enforce least privilege when RBAC is imperfect at design time? On the Guardian Agent, what signals drive its behavior, and how do you prevent policy drift or overreach? For content guards, how quickly can you detect prompt injection and data leakage across chained calls, and how is that logged for forensics? Would also love to see a concrete API-centric threat model and playbook to accompany this. #aisecurity #agentsecurity #mcpsecurity #mcp #daxa #guardianagen

See more comments

To view or add a comment, sign in

Nico Popp

11,669 followers

View Profile Follow

More from this author

Explore content categories