Working repository for the OWASP MCP Verification Standard. Will transfer to github.com/OWASP/mcpvs once the project is accepted. OWASP service desk ticket: PPS-86 (submitted 8 April 2026).
MCPVS is the verification-standard companion to the existing OWASP MCP Top 10 catalogue, the same way OWASP ASVS sits next to the OWASP Top 10 and OWASP MASVS sits next to the Mobile Top 10.
It defines a tiered set of verification requirements for implementations of the Model Context Protocol (MCP) — the de-facto integration layer between LLM agents and external tools, data, and systems.
As of April 2026: 97M+ official SDK downloads, 13,000+ public MCP servers, and zero verification standard for MCP implementations. Independent security research published in early 2026 has identified systemic resource-allocation gaps in MCP implementations that motivate this verification work.

| | |
|---|---|
| OWASP submission | PPS-86 (8 April 2026) |
| Tier requested | Incubator |
| Co-leads | Raza Sharif (CyberSecAI Ltd), Aaron Zamora (Cribl, creator of ELIDA) |
| License | CC BY-SA 4.0 (documentation only — no source code shipped from this project) |
| Working repo | github.com/razashariff/mcpvs (this repo) |
| Target repo on acceptance | github.com/OWASP/mcpvs |

| Concern | Owner |
|---|---|
| MCP transport, framing, resource bounds | MCPVS |
| Tool definition integrity, tool poisoning | MCPVS |
| MCP-specific agent identity & signing | MCPVS |
| Audit trail of MCP traffic | MCPVS |
| AI system architecture, model governance | AISVS |
| LLM prompt-injection at the model layer | LLMVS |
| Underlying HTTP/TLS hygiene of MCP-over-HTTP | ASVS |
| Risk catalogue for MCP | MCP Top 10 (catalogue ↔ MCPVS verification) |
MCPVS does not subsume any sister project. It defers up the stack for non-protocol concerns and is deferred to by ASVS / AISVS / LLMVS for MCP-specific protocol verification. Same pattern as MASVS ↔ ASVS.
- MCPVS-L1 — Baseline — required for any production MCP server or client. Covers the foundational hygiene controls (resource bounds, input validation, transport hardening).
- MCPVS-L2 — Standard — for MCP servers handling sensitive data, business workflows, or untrusted tool sources. Adds agent identity verification, signed tool calls, audit logging.
- MCPVS-L3 — Advanced — for MCP servers in regulated, financial, or safety-critical contexts. Adds formal trust levels, cryptographic chain of custody, sender-constrained tokens, full forensic audit.
See controls/README.md for the v0.1 outline.
- V1 — Architecture, Design & Threat Modelling for MCP
- V2 — Transport & Framing Security
- V3 — Tool Definition Integrity
- V4 — Tool Invocation & Result Handling
- V5 — Resource Exposure & Access Control
- V6 — Agent Identity & Authentication
- V7 — HTTP Message Signatures (RFC 9421) Profile for MCP
- V8 — Audit, Logging & Forensics
- V9 — Supply Chain & Package Verification
- V10 — Client-Side Verification
This is the working repository for MCPVS. Once the project is accepted by OWASP and moves to github.com/OWASP/mcpvs:
- Issues and PRs welcome under standard OWASP project governance
- All contributions under CC BY-SA 4.0 + DCO sign-off
- Discussion will move to OWASP Slack #project-mcpvs
Until then, contact the co-leads directly.
- Raza Sharif — raza@cybersecai.co.uk — CyberSecAI Ltd — FBCS, CISSP, CSSLP
- Aaron Zamora — zamora.aaron2@gmail.com — Cribl (Principal TME), creator of ELIDA
Documentation in this repository is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).
Drafted by Raza Sharif and Aaron Zamora · April 2026 · CyberSecAI Ltd