mcp-warden is the supply-chain security lockfile and CI gate that DSE authored for Model Context Protocol servers. It pins a server's tool surface, fails the build on drift, and inspects tool results at runtime, so the dependency surface around your AI agents gets the same scrutiny you already apply to application code.
It is public, MIT-licensed, and the same IP we run on client systems during an AI security engagement.
repo: github.com/ernestprovo23/mcp-warden · install: pip install mcp-warden-cli
Model Context Protocol is how AI agents reach external tools and data. That power is also an attack surface, and most teams have no way to tell when it changes underneath them.
An MCP server advertises a set of tools an AI agent can call. Today that surface is trusted on faith: a server can add a tool, change a tool's behavior, or alter what a tool returns, and nothing in a typical pipeline notices. That is the same class of risk the software world solved years ago for dependencies with a lockfile, and mcp-warden brings the pattern to MCP.
mcp-warden pins the tool surface of an MCP server into a signed lockfile, hashing a JCS-canonicalized (RFC 8785) JSON representation of the surface with SHA-256 as the integrity value, then fails fast when the live surface drifts from what was pinned. Run it as a CI gate and an unreviewed change to a tool definition stops the build instead of shipping silently. Run its runtime inspection and the results a tool returns get checked, not just the schema it declares. It ships with default-block hardening and a self-signing release flow, and the project carries 164 tests of its own.
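A minimal version of the pin-and-verify step described above, added here as illustration and not mcp-warden's own code: the tool-surface layout, the lock layout and the simplified JCS canonicalization are assumptions of this example.

```python
import copy
import hashlib
import json

# Constructed sample tool surface, shaped like the tool list an MCP server
# advertises (name, description, inputSchema). Not mcp-warden's own data.
REVIEWED_SURFACE = {"tools": [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "search", "description": "Full-text search over indexed docs.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
]}

# Same surface after two unreviewed changes: a redefined description and a new tool.
DRIFTED_SURFACE = copy.deepcopy(REVIEWED_SURFACE)
DRIFTED_SURFACE["tools"][0]["description"] = "Read any file on the host."
DRIFTED_SURFACE["tools"].append(
    {"name": "send_email", "description": "Send mail.", "inputSchema": {"type": "object"}})

def canonicalize(obj) -> bytes:
    """Simplified JCS (RFC 8785) form: sorted keys, no whitespace, raw UTF-8.
    Matches full JCS for strings, integers, bools and nesting; float formatting
    is not implemented here (an assumption of this example)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def surface_digest(obj) -> str:
    """Integrity hash over the canonical bytes; the prefix names the algorithm."""
    return "sha256-" + hashlib.sha256(canonicalize(obj)).hexdigest()

def make_lock(surface: dict) -> dict:
    """Lock = whole-surface digest plus per-tool digests so drift can be named."""
    return {"surface": surface_digest(surface),
            "tools": {t["name"]: surface_digest(t) for t in surface["tools"]}}

def check_drift(lock: dict, live: dict) -> list:
    """Return drift findings ('added:', 'removed:', 'redefined:'); [] means the
    live surface matches the lock and the build may proceed."""
    if surface_digest(live) == lock["surface"]:
        return []
    live_tools = {t["name"]: t for t in live["tools"]}
    pinned, seen = set(lock["tools"]), set(live_tools)
    findings = [f"removed: {n}" for n in sorted(pinned - seen)]
    findings += [f"added: {n}" for n in sorted(seen - pinned)]
    findings += [f"redefined: {n}" for n in sorted(pinned & seen)
                 if surface_digest(live_tools[n]) != lock["tools"][n]]
    return findings
```

In a CI job the lock is committed alongside the pipeline and a non-empty findings list is what turns into a failed build.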
Three failure modes in the MCP supply chain that a lockfile and a runtime inspector are built to surface before they reach production.
A server adds, removes, or redefines a tool after you last vetted it. mcp-warden pins the reviewed surface and fails the build the moment the live surface no longer matches the lock.
A poisoned tool description or schema can smuggle instructions into the agent's context. Pinning and reviewing the tool surface means a change to that metadata is caught and gated, not absorbed.
The risk is not only the declared schema but the payload a tool actually returns. mcp-warden inspects tool results at runtime so prompt-injection content arriving through a tool channel does not pass unexamined.
mcp-warden is not a marketing artifact. It is the test harness DSE runs during the MCP review portion of every AI red teaming and LLM security engagement.
We inventory the MCP servers your agents depend on and pin each tool surface into a signed lockfile, establishing the reviewed baseline the rest of the assessment measures against.
We add mcp-warden as a CI check so any future drift in a tool definition fails the build and lands in review, rather than reaching production unnoticed after we leave.
We run its runtime inspection against live tool calls, looking for prompt-injection and data-leakage pathways that arrive through tool results, mapped to OWASP LLM Top 10 and MITRE ATLAS.
The lockfile, the CI configuration, and the findings ship with the engagement. Your team owns a working integrity gate on the MCP surface after the assessment closes.
A small firm of senior practitioners, established 2026, that ships the open-source tooling it brings to client work.
The fastest way to judge a security firm is to ask what it has actually built. mcp-warden is a direct answer: authored open-source IP, public on GitHub under an MIT license, with signed releases and its own test suite. When we review a bank or fintech's AI vendor surface, the MCP integrity check we apply is the same one we ship to the community, not a slide about a capability we do not have.
If your AI use sits inside a regulated environment, this testing pairs directly with our AI governance readiness engagement for banks, which turns the findings into audit-ready evidence, and with AI governance for banks and fintechs more broadly. The same depth backs the full AI security assessment.
mcp-warden is free to read and use. When you want it run against your own AI stack as part of a senior-led assessment, that is a scoped engagement.
mcp-warden is open-source software DSE authored and maintains. Using it, or having DSE run it, is security testing and readiness work. It does not certify that an MCP server, an AI system, or an organization is secure or compliant, and DSE is not an accredited certification body.
We cannot guarantee that a system is free of vulnerabilities or that an assessment prevents every attack, and we do not provide legal advice. We work alongside your counsel and your security team. All paid engagements are governed by a signed SOW / MSA that includes a limitation of liability.