SAFE-MCP

Security Analysis Framework for Evaluation of MCP

80+ Security Techniques
14 Tactic Categories

SAFE-MCP is a specification for MCP attack vectors and mitigation techniques, initiated by astha.ai and now part of the OpenID and Linux Foundations, driven by community collaboration.

Part of the Linux Foundation and the OpenID Foundation. Initiated by Astha.ai.

We're actively evolving — join us as we build the future of MCP security together.

What is SAFE-MCP?

MITRE ATT&CK Adaptation

SAFE-MCP adapts the MITRE ATT&CK methodology specifically for MCP environments, providing a structured catalog of adversarial tactics, techniques, and procedures (TTPs) tuned for agent-tool orchestration.

Framework Coverage

The framework currently defines 14 tactic categories that mirror the MITRE ATT&CK axes, and supports 80+ techniques across those tactics (e.g. SAFE-T1001 Tool Poisoning, SAFE-T1102 Prompt Injection).

Guidance & Mappings

Every technique in SAFE-MCP includes mitigation and detection guidance, along with mappings to existing MITRE ATT&CK techniques when applicable.

Why It Matters

Security Engineers & Red Teams

Understand what attacks are possible in MCP architectures; plan threat modeling and pentesting.

Developers / System Architects

Identify which techniques apply to your MCP servers or tool pipelines, and embed mitigations early.

Auditors & Researchers

Map SAFE-MCP across existing security frameworks and evaluate MCP system maturity.

SAFE-MCP Team

Led by industry experts in cloud-native security, Zero Trust, and software supply chain defense

Frederick Kautz

SAFE-MCP Specification Lead

Frederick Kautz is a distinguished leader in open-source and cloud-native communities, with over 10 years of Kubernetes and Docker experience, and extensive expertise in software supply chain security, Zero Trust, and networking.

Key Achievements

  • Co-authored NIST Special Publication 800-204D, defining strategies for software supply chain security in DevSecOps CI/CD pipelines, which significantly influenced the Department of Defense's Enterprise DevSecOps Fundamentals v2.5
  • Created in-toto Archivista, an open-source graph and storage service for in-toto attestations, enabling secure discovery and retrieval of software artifact attestations
  • Lead Architect at Elevance Health for the Sydney Health app, collaborating with the CISO to define Zero Trust strategy and GCP onboarding
  • Emeritus Co-Chair of KubeCon + CloudNativeCon, leading the global cloud-native community through and beyond the COVID phase

Current Leadership Roles

  • SPIFFE Steering Committee Member – Driving standards in workload identity and Zero Trust
  • OmniBOR and ProtoBOM Co-Creator – Advancing transparency in binary provenance and SBOM practices
  • Network Service Mesh Co-Founder – Modernizing network infrastructure for secure, cloud-native networking
  • CNCF TAG Security Contributor – Co-author of the Cloud Native Security White Paper

Innovation & Standards

  • Defined the CNF: Cloud Native Network Function, transforming network service provider architectures for Kubernetes
  • Developed one of the first federated learning platforms for healthcare in 2019, enabling collaborative research while preserving patient privacy
  • Founded Red Hat Container Storage Engine, providing storage solutions for containers
  • Architected WorkOS at Elevance Health, an enterprise platform streamlining operations with advanced security measures

Community Involvement: Former Program Committee Member for KubeCon EU & NA, Open Networking Summit, Edge Computing World, and former LFPH Technical Advisory Committee Member. Active contributor to CNCF TAG Security, NTIA SBOM Working Group, and various cloud-native initiatives.