How We Selected These Tools
Selection criteria: active development (commits in last 90 days), documented security architecture, community adoption or production deployments, and compatibility with MCP-based agent systems.
Category 1: MCP & Agent Scanners
1. Shodan + Custom MCP Queries
What it does: Internet-wide scanning to find your own exposed instances. Security researchers used this to discover 8,000+ exposed MCP servers.
Why it matters: You should Shodan your own IP before attackers do. Combine with custom queries for MCP-specific ports (8080, 3000, 8000).
Cost: Free tier available, $59/mo for API access.
2. Augustus (Open Source)
What it does: Open-source LLM prompt injection testing tool. Featured on r/netsec with 36 upvotes.
Why it matters: Automated prompt injection testing against your own agents before attackers find weaknesses.
Cost: Free and open-source.
3. CaMeL Framework (Google DeepMind)
What it does: Causal verification of agent actions — tracks whether agent behavior is caused by user instructions vs. injected content.
Why it matters: Simon Willison called it "a promising new direction" for mitigating prompt injection. Based on a Google DeepMind paper.
Cost: Open-source research tool.
Category 2: Prompt Injection Firewalls
4. CommandSans
What it does: Surgical-precision prompt sanitization. Strips injection payloads while preserving legitimate content.
Why it matters: Based on the research paper "CommandSans: Securing AI Agents with Surgical Precision".
5. CausalArmor
What it does: Efficient indirect prompt injection guardrails using causal attribution.
Why it matters: Specifically targets indirect injection — the stealthiest and most dangerous variant. See arXiv paper.
6. BrowseSafe
What it does: Protects AI browser agents from prompt injection in web content.
Why it matters: As demonstrated on r/netsec, AI browsers are vulnerable to "unseeable" prompt injections hidden in screenshots. See the BrowseSafe paper.
Category 3: Agent Monitoring & Observability
7. ASTRIDE
What it does: Security threat modeling platform specifically for agentic AI applications.
Why it matters: Systematic threat identification (not ad-hoc). See research paper.
8. AARM (Autonomous Action Runtime Management)
What it does: Runtime security for AI-driven actions. Monitors tool execution in real-time.
Why it matters: Traditional log-and-review is too slow for autonomous agents. The AARM specification shifts security enforcement to runtime.
Category 4: Governance & Policy
9. AgenTRIM
What it does: Tool risk mitigation for agentic AI. Automatically classifies tool risk levels and enforces policies.
Why it matters: Principle of least privilege applied systematically. See paper.
10. Sentinel Agents Framework
What it does: Deploys dedicated security agents that monitor other agents in multi-agent systems.
Why it matters: "Who watches the watchmen?" architecture. See Sentinel Agents paper.
Quick Comparison Table
| Tool | Type | Open Source | Production Ready | MCP Compatible |
|---|---|---|---|---|
| Shodan | Scanner | No | Yes | Yes (queries) |
| Augustus | Injection tester | Yes | Beta | Yes |
| CaMeL | Causal verification | Yes | Research | Adaptable |
| CommandSans | Sanitization | Yes | Research | Yes |
| CausalArmor | Guardrail | Yes | Research | Yes |
| BrowseSafe | Browser guard | Yes | Research | Partial |
| ASTRIDE | Threat modeling | Yes | Beta | Yes |
| AARM | Runtime monitor | Spec only | Spec | Yes |
| AgenTRIM | Tool governance | Yes | Research | Yes |
| Sentinel | Multi-agent guard | Yes | Research | Yes |
Bottom line: Start with Shodan (scan yourself), Augustus (test your own agents), and the hardening checklist. Add research tools as they mature to production-grade.