A model context protocol (MCP) tool can claim to execute a benign task such as “validate email addresses,” but if the tool is compromised, it can be redirected to fulfill ulterior motives, such as exfiltrating your entire address book to an external server. Traditional security scanners could flag suspicious network calls or dangerous functions and pattern-based detection could identify known threats, but neither capability can connect a semantic and behavioral mismatch between what a tool claims to do (email validation) and what it actually does (exfiltrate data).
Introducing behavioral code scanning: where security analysis meets AI
Addressing this gap requires rethinking how security analysis works. For years, static application security testing (SAST) tools have excelled at finding patterns, tracing dataflows, and identifying known threat signatures, but they’ve always struggled with context. Answering questions like, “Is a network call malicious or expected?” and “Is this file access a threat or a feature?” requires semantic understanding that rule-based systems can’t provide. While large language models (LLMs) bring powerful reasoning capabilities, they lack the precision of formal program analysis. This means they can miss subtle dataflow paths, struggle with complex control structures, and hallucinate connections that don’t exist in the code.
The solution is in combining both: rigorous static analysis capabilities that feed precise evidence to LLMs for semantic analysis. It delivers both the precision to trace exact data paths, as well as the contextual judgment to evaluate whether those paths represent legitimate behavior or hidden threats. We implemented this in our behavioral code scanning capability into our open source MCP Scanner.
Deep static analysis armed with an alignment layer
Our behavioral code scanning capability is grounded in rigorous, language-aware program analysis. We parse the MCP server code into its structural components and use interprocedural dataflow analysis to track how data moves across functions and modules, including utility code, where malicious behavior often hides. By treating all tool parameters as untrusted, we map their forward and reverse flows to detect when seemingly benign inputs reach sensitive operations like external network calls. Cross-file dependency tracking then builds complete call graphs to uncover multi-layer behavior chains, surfacing hidden or indirect paths that could enable malicious activity.
Unlike traditional SAST, our approach uses AI to compare a tool’s documented intent against its actual behavior. After extracting detailed behavioral signals from the code, the model looks for mismatches and flags cases where operations (such as network calls or data flows) don’t align with what the documentation claims. Instead of simply identifying dangerous functions, it asks whether the implementation matches its stated purpose, whether undocumented behaviors exist, whether data flows are undisclosed, and whether security-relevant actions are being glossed over. By combining rigorous static analysis with AI reasoning, we can trace exact data paths and evaluate whether those paths violate the tool’s stated purpose.
Bolster your defensive arsenal: what behavioral scanning detects
Our improved MCP Scanner tool can capture several categories of threats that traditional tools miss:
- Hidden Operations: Undocumented network calls, file writes, or system commands that contradict a tool’s stated purpose. For example, a tool claiming to assist with sending emails that secretly bcc’s all your emails to an external server. This compromise actually happened, and our behavioral code scanning would have flagged it.
- Data Exfiltration: Tools that perform their stated function correctly while silently copying sensitive data to external endpoints. While the user receives the expected result; an attacker also gets a copy of that data.
- Injection Attacks: Unsafe handling of user input that enables command injection, code execution, or similar exploits. This includes tools that pass parameters directly into shell commands or evaluators without proper sanitization.
- Privilege Abuse: Tools that perform actions beyond their stated scope by accessing sensitive resources, altering system configurations, or performing privileged operations without disclosure or authorization.
- Misleading Safety Claims: Tools that assert that they are “safe,” “sanitized,” or “validated” while lacking the protections and creating a dangerous false assurance.
- Cross-boundary Deception: Tools that appear clean but delegate to helper functions where the malicious behavior actually occurs. Without interprocedural analysis, these issues would evade surface-level review.
Why this matters for enterprise AI: the threat landscape is ever growing
If you’re deploying (or planning to deploy) AI agents in production, consider the threat landscape to inform your security strategy and agentic deployments:
Trust decisions are automated: When an agent selects a tool based on its description, that’s a trust decision made by software, not a human. If descriptions are misleading or malicious, agents can be manipulated.
Blast radius scales with adoption: A compromised MCP tool doesn’t affect a single task, it affects every agent invocation that uses it. Depending on the tool, this has the potential to impact systems across your entire organization.
Supply chain risk is compounding: Public MCP registries continue to expand, and development teams will adopt tools as easily as they adopt packages, often without auditing every implementation.
Manual review processes miss semantic violations: Code review catches obvious issues, but distinguishing between legitimate and malicious use of capabilities is difficult to identify at scale.
Integration and deployment
We designed behavioral code scanning to integrate seamlessly into existing security workflows. Whether you’re evaluating a single tool or scanning an entire directory of MCP servers, the process is simple and the insights are actionable.
CI/CD pipelines: Run scans as part of your build pipeline. Severity levels support gating decisions, and structured outputs enables programmatic integration.
Multiple output formats: Choose concise summaries for CI/CD, detailed reports for security reviews, or structured JSON for programmatic consumption.
Black-box and white-box coverage: When source code isn’t available, users can rely on existing engines such as YARA, LLM-based analysis, or API scanning. When source code is available, behavioral scanning provides deeper, evidence-driven analysis.
Flexible AI ecosystem support: Compatible with major LLM platforms so you can deploy in alignment with your security and compliance requirements
Part of Cisco’s commitment to AI security
Behavioral code scanning strengthens Cisco’s comprehensive approach to AI security. As part of the MCP Scanner toolkit, it complements existing capabilities while also addressing semantic threats that hide in plain sight. Securing AI agents requires the support of tools that are purpose-built for the unique challenges of agentic systems.
When paired with Cisco AI Defense, organizations gain end-to-end protection for their AI applications: from supply chain validation and algorithmic red teaming to runtime guardrails and continuous monitoring. Behavioral code scanning adds a critical pre-deployment verification layer that catches threats before they reach production.
Behavioral code scanning is available today in MCP Scanner, Cisco’s open source toolkit for securing MCP servers, giving organizations a practical to validate the tools their agents depend on.
For more on Cisco’s comprehensive AI security approach, including runtime protection and algorithmic red teaming, visit cisco.com/ai-defense.
