
Golf Firewall: enterprise security layer for MCP providers


Wojciech Blaszak

11/6/25

Introducing Golf Firewall: Enterprise Security for MCP Servers

Every security leader knows the pattern: a new protocol emerges, organizations rush to adopt it, and security becomes an afterthought. We've seen it with REST APIs, GraphQL, and WebSockets. Now it's happening with the Model Context Protocol.

As enterprises race to ship MCP servers as product features - giving AI agents direct access to customer data, internal systems, and business logic - they're discovering that traditional security tools weren't built for this new paradigm. Client-side protections leave server operators blind. API gateways don't understand MCP's unique attack surface. And marking tool outputs as "untrusted" shifts the burden to every downstream consumer.

Today, we're launching Golf Firewall: the first security layer purpose-built for MCP server providers.

The MCP Security Gap

The Model Context Protocol is fundamentally different from REST. It's not just another API standard - it's a protocol designed for AI agents to query, retrieve, and manipulate data through natural language interfaces. This creates an entirely new class of security challenges that existing tools simply can't address.

Traditional approaches to securing MCP deployments fall into two categories, both insufficient:

Client-side protection leaves server operators completely blind. You have no visibility into what's being requested, no control over access patterns, and no ability to detect threats targeting your infrastructure. When a customer's agent is compromised or manipulated, you're the last to know - often after data has already leaked.

Existing API security tools treat MCP like any other HTTP endpoint. They can't parse MCP-specific payloads, don't understand tool invocation patterns, and miss the protocol's unique attack vectors. Rate limiting designed for REST breaks down when a single MCP request can trigger dozens of tool calls. Authentication checks don't account for context windows that persist across sessions.

The result? Enterprises deploying MCP servers face an impossible choice: ship without adequate security controls, or build complex custom solutions that duplicate functionality across every server they deploy.

A Firewall Built for MCP

Golf Firewall solves this by sitting directly in your infrastructure, in front of your MCP servers, providing a security layer that understands the protocol natively.

We deploy in your cloud environment or on-premises - wherever your MCP servers live. All MCP traffic routes through Golf Firewall before reaching your servers, giving you complete visibility and control without sending sensitive data to third parties. Your customer data stays in your infrastructure.

Here's what Golf Firewall provides:

Prompt injection detection analyzes MCP requests in real time, identifying indirect prompt injections embedded in tool calls or lurking in data stored on your platform. These attacks - where malicious instructions hide in customer data and manipulate AI agents during retrieval - are nearly impossible to catch with traditional security tools.

MCP-aware rate limiting understands the protocol's request patterns. Unlike generic API rate limiters, we track tool invocation sequences, context window usage, and session patterns specific to how agents interact with MCP servers.
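To make the point from the two rate-limiting passages above concrete (a generic HTTP counter sees one request where an MCP-aware layer sees dozens of tool calls), here is an added illustration that is not Golf Firewall's code. It assumes MCP's JSON-RPC 2.0 message format, a JSON-RPC batch carried in one HTTP POST (as permitted by the 2025-03-26 MCP spec revision), and a session key taken from the Mcp-Session-Id header; the traffic is constructed for the example.

```python
"""Added example (not Golf Firewall's code): an MCP-aware tool-call budget
compared with a naive HTTP request counter over constructed JSON-RPC traffic."""
import json
from collections import defaultdict

# Constructed sample: POST 1 carries a JSON-RPC batch (allowed by the
# 2025-03-26 MCP spec revision) with 25 tools/call items; POST 2 carries a
# single tools/list call. "session" stands in for the Mcp-Session-Id header.
SAMPLE_POSTS = [
    {"session": "sess-A", "body": json.dumps([
        {"jsonrpc": "2.0", "id": i, "method": "tools/call",
         "params": {"name": "query_records", "arguments": {"page": i}}}
        for i in range(25)])},
    {"session": "sess-A", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 99, "method": "tools/list"})},
]

def http_request_count(posts):
    """What a generic API rate limiter sees: one unit per HTTP request."""
    counts = defaultdict(int)
    for p in posts:
        counts[p["session"]] += 1
    return dict(counts)

def mcp_tool_calls(body):
    """Parse a JSON-RPC body (single object or batch); yield each tool name."""
    msgs = json.loads(body)
    if not isinstance(msgs, list):
        msgs = [msgs]
    for m in msgs:
        if m.get("jsonrpc") == "2.0" and m.get("method") == "tools/call":
            yield m.get("params", {}).get("name", "<unnamed>")

def mcp_tool_call_count(posts):
    """Protocol-aware view: one unit per tools/call, however it is batched."""
    counts = defaultdict(int)
    for p in posts:
        for _ in mcp_tool_calls(p["body"]):
            counts[p["session"]] += 1
    return dict(counts)

def enforce_budget(posts, max_tool_calls_per_session):
    """Per POST: 'allow' and charge the session's budget, or 'block' the whole
    POST (nothing is forwarded to the MCP server) when it would exceed it."""
    used = defaultdict(int)
    decisions = []
    for p in posts:
        n = sum(1 for _ in mcp_tool_calls(p["body"]))
        if used[p["session"]] + n > max_tool_calls_per_session:
            decisions.append("block")
        else:
            used[p["session"]] += n
            decisions.append("allow")
    return decisions
```

On the sample traffic the HTTP view counts 2 units for the session while the MCP view counts 25, which is why a per-request limit tuned for REST never fires here.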

Authentication validation integrates with your existing identity infrastructure - Okta, Auth0, Entra ID - to verify JWTs and validate user context without becoming your identity provider. We extract user information from tokens and enforce access policies based on your existing auth setup.

Session replay detection identifies when agents attempt to reuse or manipulate session contexts in ways that bypass your intended access controls.

Full audit logging captures complete data flows through your MCP servers. Every tool call, every response, every context window update - logged with the granularity security and compliance teams need. Logs export to Elasticsearch and Datadog, integrating with your existing observability stack.

Who Needs This

Golf Firewall is built for enterprises deploying MCP servers as part of their product offering. There are three categories where server-side security becomes critical:

Data platforms exposing MCP as a product feature. When you give customers' AI agents direct access to query and retrieve data through MCP, you need granular control over what each agent can access. Multi-tenant isolation becomes critical - one customer's agent shouldn't be able to pivot to another's data. Golf Firewall enforces these boundaries and provides the audit trail that enterprise customers expect.

SaaS platforms adding MCP for agentic workflows. Whether it's customer records, financial data, or business intelligence, exposing your platform's capabilities through MCP means agents can read, write, and manipulate information at scale. The challenge isn't just authentication - it's detecting when agents are being manipulated by malicious instructions hidden in your platform's own data, and preventing unauthorized access patterns that bypass your intended controls.

Developer tools integrating with coding agents. When agents need access to code repositories, deployment logs, or infrastructure data, the stakes are high. A single misconfigured access policy or successful prompt injection could expose proprietary code, customer data, or production secrets. Golf Firewall provides the visibility and control needed to safely enable these integrations.

In each case, the core risk is the same: a customer's agent gets hijacked by malicious instructions embedded in your platform's data. The agent exfiltrates information, manipulates records, or escalates privileges - all while appearing to make legitimate MCP requests.

Why Server-Side Protection Matters

You might ask: why not rely on client-side security?

Because this is your product for agents. The same way you secure products built for humans - with authentication, authorization, audit logs, and threat detection - you need the same controls for products built for AI agents. Client-side controls can't give you visibility into access patterns, can't enforce your access policies, and can't detect threats targeting your infrastructure.

Traditional API gateways and observability platforms weren't built for MCP's unique characteristics. They can't parse tool invocation sequences, don't understand context window manipulation, and miss protocol-specific attack vectors like indirect prompt injections disguised as legitimate data retrieval.

Golf Firewall gives you what API gateways give REST APIs: full visibility and protection of your new product line, with controls designed specifically for how MCP actually works.

Built for Enterprise Requirements

We designed Golf Firewall for security-conscious organizations with real compliance requirements:

Deployment flexibility: We run in your infrastructure - your cloud, your datacenter, your network. Customer data never leaves your control.

Enterprise integrations: Native support for Okta, Auth0, Entra ID for authentication validation. Export logs to Elasticsearch and Datadog for centralized observability.

Security posture: Even when building in a new protocol space, enterprises can't compromise on security fundamentals. Golf Firewall ensures your MCP deployments meet the same security standards as the rest of your infrastructure.

What's Next

We're launching Golf Firewall on November 6th, 2025. This is the foundation of our vision for agentic security - protecting the infrastructure that AI agents interact with, starting with MCP.

On our roadmap: AI-powered analytics that don't just record logs but extract insights about agent behavior patterns, anomalies, and emerging threats. As MCP adoption grows, so will the sophistication of attacks. We're building the security layer that evolves with the threat landscape.

If you're deploying MCP servers as part of your product, or planning to, we'd love to talk. Book a call to discuss how Golf Firewall can secure your deployment.


Wojciech Blaszak is CEO & Co-founder of Golf.dev, which provides a firewall for MCP servers.
