Research | Apr 2, 2026 | Abcas Security Research

19 Attack Patterns, How Many Were Actually Detected: Threat Matching Results Across 2,863 Servers

We ran threat matching for 19 attack patterns against 2,863 unique MCP servers (normalized from 3,601 scans). Shell RCE (187), Path Traversal (162), and SSRF (146) top the list, with 484 servers (16.9%) showing specific threat pattern matches. Vulnerability analysis series, part 2.

Terminology

| Term | Meaning |
|---|---|
| Threat matching | The process of comparing MCP server scan results against predefined attack patterns to identify applicable threats |
| Unique server | A deduplicated unit (ServerIdentity) after normalizing multiple scans of the same MCP server |
| Detection rate | The percentage of unique servers where a specific threat pattern was detected |
| Severity | Threat severity level: LOW / MEDIUM / HIGH / CRITICAL |

Introduction

In Part 1, we organized MCP server threats into 19 attack patterns and 12 server function categories, providing a structural overview. However, what we presented was a theoretical mapping of "what threats could exist" — the quantitative data on "how often they are actually detected" was deferred to this installment.

This is that installment.

We report the results of threat matching 19 attack patterns against 2,863 unique MCP servers, normalized from 3,601 scan records. Which attacks are detected most frequently? Which ones are rarely found? How prevalent are threats that were theoretically classified as "dangerous"? The data provides the answers.

Key Findings

  1. 72.4% of servers received WARN or BLOCK verdicts. Of 2,863 unique servers, only 785 (27.4%) were judged PASS.
  2. Shell RCE ranks #1 in detections (187, 6.5%). Code execution threats are the most prevalent. Path Traversal (162) and SSRF (146) follow.
  3. MCP-specific attacks cluster from 4th place onward. Prompt Injection, PleaseFix Attack, and Function Hijacking each appear in 134 servers. These are undetectable by conventional security tools.
  4. 484 servers (16.9%) show specific threat pattern matches. The remaining WARN/BLOCK servers are flagged for risk factors beyond threat patterns (excessive permission requests, opaque provenance, etc.).
  5. 16 of 19 patterns were actually detected. Tool Name Collision, Supply Chain, and Rug Pull show 0 detections — but this does not mean these threats are absent.
  6. Among servers with detections, HIGH severity dominates at 392 (81.0%). No CRITICAL verdicts at this time.

Methodology

Dataset

| Item | Value |
|---|---|
| Total scans performed | 3,601 |
| Unique servers after normalization | 2,863 |
| Threat patterns evaluated | 19 |
| Analysis date | April 2026 |

The 3,601 scan records include multiple scans of the same server. This analysis uses the latest scan result per unique server (ServerIdentity), eliminating duplicates.

How threat matching works

Threat matching compares the operational characteristics detected during a scan against predefined attack patterns. Specifically, it identifies the types of operations a server actually performs (file read/write, network communication, command execution, etc.) and maps them to related threat patterns.

An important caveat: threat matching detects "the existence of conditions under which an attack could succeed," not "the attack was executed." Detections are indicators of potential risk, not evidence of actual exploitation.
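
The normalization and matching steps described above, sketched as an added example (not the scanner's own code). The rule table, operation names, and scan records are constructed assumptions; the point is that matching runs on the latest scan per ServerIdentity and that patterns sharing the same preconditions always produce identical counts.

```python
from collections import Counter

# Hypothetical rule table (an assumption, not the scanner's real rules):
# a pattern matches when all of its required operation types were observed.
RULES = {
    "Shell RCE": {"command_exec"},
    "Path Traversal": {"file_read"},
    "SSRF": {"outbound_http"},
    "MITM": {"outbound_http", "tls_verify_disabled"},
    "DNS Rebinding": {"outbound_http", "tls_verify_disabled"},
}

# Constructed scan records: (ServerIdentity, scan time, observed operations).
SCANS = [
    ("github.com/example/fs-server", "2026-03-01T10:00:00Z", {"file_read", "command_exec"}),
    ("github.com/example/fs-server", "2026-03-20T10:00:00Z", {"file_read"}),
    ("npm:example-fetch", "2026-03-05T08:00:00Z", {"outbound_http", "tls_verify_disabled"}),
    ("npm:example-notes", "2026-03-07T08:00:00Z", set()),
]

def latest_per_server(scans):
    """Keep only the most recent scan for each ServerIdentity."""
    latest = {}
    for identity, ts, ops in scans:
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        if identity not in latest or ts > latest[identity][0]:
            latest[identity] = (ts, ops)
    return {identity: ops for identity, (ts, ops) in latest.items()}

def match_threats(ops):
    """Return the patterns whose preconditions are all present."""
    return sorted(name for name, needed in RULES.items() if needed <= ops)

def detection_counts(scans):
    """Return (unique servers, servers with any match, per-pattern server counts)."""
    servers = latest_per_server(scans)
    counts = Counter()
    matched = 0
    for ops in servers.values():
        hits = match_threats(ops)
        counts.update(hits)
        matched += bool(hits)
    return len(servers), matched, dict(counts)
```

In the sample data the older fs-server scan would have matched Shell RCE, but only the later scan is counted, so that pattern does not appear in the result.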

Overall scan results

The scan verdict distribution across 2,863 unique servers:

| Verdict | Count | Percentage | Meaning |
|---|---|---|---|
| WARN | 1,811 | 63.2% | Potential risks detected |
| PASS | 785 | 27.4% | No critical issues detected |
| BLOCK | 263 | 9.2% | Critical risks detected; use not recommended |
| OTHER | 8 | 0.3% | Scan errors, etc. |

The "70% receive warnings or higher" figure from our previous report is confirmed at 72.4% (WARN + BLOCK) in this analysis.

The weight of BLOCK verdicts

The 263 BLOCK verdicts represent 9.2% of the total. This means roughly 1 in 10 MCP servers has issues severe enough to be flagged as unsuitable for use at the inspection stage. BLOCK-classified servers typically show multiple critical vulnerability patterns (Shell RCE, Data Exfiltration, etc.) detected simultaneously.

Detection distribution by attack pattern

The following table shows the actual number of unique servers where each of the 19 attack patterns was detected.

| Rank | Attack Pattern | Category | Servers Detected | Detection Rate |
|---|---|---|---|---|
| 1 | Shell RCE | A: Code Execution | 187 | 6.5% |
| 2 | Path Traversal | A: Code Execution | 162 | 5.7% |
| 3 | SSRF | B: Data Theft | 146 | 5.1% |
| 4 | Insecure Plugin Design | D: Permission Abuse | 137 | 4.8% |
| 5 | Prompt Injection | C: MCP-Specific | 134 | 4.7% |
| 5 | PleaseFix Attack | C: MCP-Specific | 134 | 4.7% |
| 5 | Function Hijacking | C: MCP-Specific | 134 | 4.7% |
| 8 | Data Exfiltration | B: Data Theft | 115 | 4.0% |
| 9 | Indirect Theft | C: MCP-Specific | 114 | 4.0% |
| 10 | MITM | B: Data Theft | 72 | 2.5% |
| 10 | DNS Rebinding | B: Data Theft | 72 | 2.5% |
| 12 | Argument Injection | A: Code Execution | 62 | 2.2% |
| 13 | Clawdrain | D: Permission Abuse | 16 | 0.6% |
| 14 | OAuth Scope Abuse | D: Permission Abuse | 4 | 0.1% |
| 15 | Unicode Injection | E: Supply Chain | 2 | 0.1% |
| 15 | Tool Poisoning | C: MCP-Specific | 2 | 0.1% |
| - | Tool Name Collision | C: MCP-Specific | 0 | 0.0% |
| - | Supply Chain | E: Supply Chain | 0 | 0.0% |
| - | Rug Pull | E: Supply Chain | 0 | 0.0% |

Total: 16 patterns detected. 484 unique servers produced 13,479 cumulative threat matches — an average of 27.8 matches per affected server.

Category-level trend analysis

Category A: Code Execution — Dominating the top ranks

| Pattern | Count |
|---|---|
| Shell RCE | 187 |
| Path Traversal | 162 |
| Argument Injection | 62 |
| Subtotal | 411 |

The three code execution patterns account for 411 detections, roughly 30% of all matches. Shell RCE leads because a large proportion of MCP servers provide command execution functionality.

The dominance of Shell RCE and Path Traversal reflects a fundamental design pattern in MCP servers: many exist specifically to provide file system operations and process execution to AI agents. These capabilities are inherently adjacent to Shell RCE and Path Traversal risks.

Category B: Data Theft & Communication Interception — The ubiquity of network communication

| Pattern | Count |
|---|---|
| SSRF | 146 |
| Data Exfiltration | 115 |
| MITM | 72 |
| DNS Rebinding | 72 |
| Subtotal | 405 |

Nearly equal to Category A at 405 detections, reflecting the prevalence of network-communicating MCP servers.

SSRF ranking 3rd overall is notable. When an MCP server calls external APIs, the server itself can become a stepping stone into internal networks. In cloud environments, access to metadata endpoints (169.254.169.254) can directly lead to credential theft.

MITM and DNS Rebinding share the same count (72) because both depend on the same foundation: network communication security. Servers that disable TLS verification are simultaneously exposed to both threats.
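
A destination check of the kind that addresses the SSRF and DNS rebinding conditions described above, as an added example (not code from the scanner or from any scanned server). The https-only policy, the function names, and the injectable `resolver` parameter are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve(host):
    """Default resolver: every address the name currently maps to (needs DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_destination(url, resolver=resolve):
    """Return the vetted IPs for an outbound request, or raise ValueError.

    The caller should connect to one of the returned IPs rather than resolve
    the name again, so a later DNS answer cannot swap in an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":          # assumed policy: TLS only
        raise ValueError("only https destinations are allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]    # literal IP in the URL
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:             # private, loopback, link-local, CGNAT, ...
            raise ValueError(f"{host} maps to non-public address {ip}")
    return addrs

def is_allowed(url, resolver=resolve):
    """Boolean wrapper around check_destination."""
    try:
        check_destination(url, resolver)
        return True
    except (ValueError, OSError):
        return False
```

Rejecting a name when any one of its addresses is non-public is deliberate: a mixed answer is the shape a rebinding setup produces, and the metadata address 169.254.169.254 falls in the link-local range that `is_global` excludes.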

Category C: MCP-Specific Attacks — New threats are real

| Pattern | Count |
|---|---|
| Prompt Injection | 134 |
| PleaseFix Attack | 134 |
| Function Hijacking | 134 |
| Indirect Theft | 114 |
| Tool Poisoning | 2 |
| Tool Name Collision | 0 |
| Subtotal | 518 |

Category C's total of 518 is the largest across all categories. This demonstrates that MCP-specific threats are not theoretical concepts but detectable realities present in numerous servers.

The identical count (134) for Prompt Injection, PleaseFix Attack, and Function Hijacking suggests these threats share common preconditions. Specifically, servers that provide conversational interfaces with AI agents tend to be simultaneously exposed to all three.

Tool Poisoning's low detection count (2) reflects the fact that exploiting it requires intentional tampering with tool definitions — it does not occur accidentally. However, low detection does not imply low risk. A single successful Tool Poisoning attack can be as impactful as, or more impactful than, Shell RCE.

Category D: Permission & Resource Abuse

| Pattern | Count |
|---|---|
| Insecure Plugin Design | 137 |
| Clawdrain | 16 |
| OAuth Scope Abuse | 4 |
| Subtotal | 157 |

Insecure Plugin Design ranks 4th overall at 137 detections, indicating that weak permission boundaries in plugin-enabled servers are widespread.

Clawdrain (resource exhaustion) appears in only 16 servers, but in AI agent loop-execution environments, a single Clawdrain instance can trigger massive cost explosions. The low count reflects the specialized detection conditions (unlimited API calls, explicit loop structures).

Category E: Supply Chain & Persistence — The temporal barrier

| Pattern | Count |
|---|---|
| Unicode Injection | 2 |
| Supply Chain | 0 |
| Rug Pull | 0 |
| Subtotal | 2 |

The extremely low detection count for Category E has a clear explanation. Supply Chain and Rug Pull are threat patterns that detect changes over time, making them structurally undetectable in a single-point-in-time scan.

Supply Chain detection requires differential analysis against historical versions of dependency packages. Rug Pull detection requires tracking source code hash changes over time. Both become detectable only through periodic rescanning and change monitoring.

Zero detections do not mean "this threat does not exist." They indicate the structural limitations of point-in-time analysis.
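
Why these two patterns need history, shown as an added example (not the scanner's implementation): each scan is reduced to per-file SHA-256 hashes plus pinned dependency versions, and changes become visible only when a previous snapshot exists. File names, package names, and contents are constructed.

```python
import hashlib

def snapshot(files, deps):
    """Reduce one scan to comparable state: file hashes and dependency pins."""
    return {
        "files": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()},
        "deps": dict(deps),
    }

def drift(previous, current):
    """Changes between two snapshots of one server; None when there is no history."""
    if previous is None:
        return None  # first scan: nothing to compare against
    pf, cf = previous["files"], current["files"]
    pd, cd = previous["deps"], current["deps"]
    return {
        "files_changed": sorted(p for p in pf.keys() & cf.keys() if pf[p] != cf[p]),
        "files_added": sorted(cf.keys() - pf.keys()),
        "files_removed": sorted(pf.keys() - cf.keys()),
        # (name, old version, new version); None marks "not present".
        "deps_changed": sorted(
            (n, pd.get(n), cd.get(n)) for n in pd.keys() | cd.keys() if pd.get(n) != cd.get(n)
        ),
    }

# Constructed snapshots of the same hypothetical server, one month apart.
SCAN_MARCH = snapshot(
    {"server.py": b"def read_note(i): ...\n",
     "tools.json": b'{"tools": ["read_note"]}'},
    {"example-http": "1.4.0"},
)
SCAN_APRIL = snapshot(
    {"server.py": b"def read_note(i): ...\n",
     "tools.json": b'{"tools": ["read_note", "export_notes"]}',
     "sync.py": b"def export_notes(): ...\n"},
    {"example-http": "1.4.0", "example-telemetry": "0.1.0"},
)
```

`drift(None, SCAN_MARCH)` returns `None`, which is the single-scan situation behind the zero counts; `drift(SCAN_MARCH, SCAN_APRIL)` reports the changed tool list, the new file, and the new dependency for review.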

Severity distribution

For the 484 servers with at least one threat match, the distribution of each server's highest severity:

| Severity | Count | Percentage |
|---|---|---|
| HIGH | 392 | 81.0% |
| MEDIUM | 92 | 19.0% |

81% of servers with detected threats receive a HIGH severity rating. This reflects that most detected patterns — Shell RCE, Data Exfiltration, etc. — carry significant impact if exploited.

The absence of CRITICAL verdicts is consistent with the fact that detections represent "conditions under which an attack could succeed" rather than "confirmed exploitation." CRITICAL classification is reserved for cases where actual exploitation is confirmed.

The gap between WARN/BLOCK and threat matching

A structurally significant finding emerges from this analysis:

  • Servers with WARN or BLOCK: 2,074 (72.4%)
  • Servers with 1+ threat pattern match: 484 (16.9%)
  • Gap: 1,590 (55.5%)

This gap means WARN/BLOCK verdicts are based on a broader set of risk factors beyond specific threat pattern matching:

  • Excessive permission requests: Designs requesting unnecessarily broad permissions for their functionality
  • Opaque provenance: Missing source URLs, inconsistencies with package registries
  • Declaration-implementation gaps: Mismatches between tool definitions and actual operations
  • Security practice deficiencies: Missing TLS, lack of input validation

In other words, a vast number of servers are problematic from a security perspective even without matching a specific attack pattern. Threat matching reveals the tip of the iceberg; beneath it lies a much broader landscape of risk factors.

Series structure

| Part | Theme | Status |
|---|---|---|
| 1 | Overview: Threat structure × server function taxonomy | Published |
| 2 | Detection distribution by attack pattern (this article) | This article |
| 3 | Risk profiles by server function category | Next |
| 4 | Deep dive into code execution servers | Planned |
| 5 | The frontline of AI/MCP-specific attacks | Planned |

Next: Part 3 will analyze threat detection trends by server function category (file operations, API integration, code execution, etc.). We will quantitatively demonstrate which function categories carry the highest risk and how function combinations affect risk profiles.

Limitations

  1. This analysis covers 2,863 unique servers (normalized from 3,601 scans) and does not comprehensively represent the entire MCP ecosystem.
  2. Threat matching detects "the existence of conditions under which an attack could succeed," not evidence of actual exploitation.
  3. The zero detections for Supply Chain and Rug Pull reflect the structural limitations of point-in-time scanning, not the absence of these threats.
  4. Detection rates depend on the comprehensiveness of inspection rules. Patterns outside the inspection scope are not detected.
  5. Detailed cross-analysis with server function categories will be reported in Part 3.

Conclusion

Threat matching against 2,863 unique MCP servers detected 16 of 19 attack patterns. Shell RCE (187), Path Traversal (162), and SSRF (146) occupy the top three positions, confirming that traditional security threats related to code execution and network communication are the most prevalent.

At the same time, MCP-specific threat categories (Prompt Injection, PleaseFix Attack, Function Hijacking, Indirect Theft) total 518 detections — the highest among all categories — demonstrating that AI/MCP protocol-specific threats are detectable realities, not theoretical concerns.

While 72.4% of servers receive WARN or higher verdicts, specific threat pattern matches occur in only 16.9%. This gap indicates that MCP server risk arises not only from specific attack patterns but from a wide range of design, implementation, and operational issues.


MCP Guard monitors 19 attack patterns with over 176 inspection items, providing multi-faceted security evaluation for MCP servers.