Auditing an MCP Server Against the OWASP MCP Top 10

Auditing an MCP Server Against the OWASP MCP Top 10

The OWASP MCP Top 10 is now the taxonomy people reach for when they talk about MCP risk. It is the framework a security team will bring into a procurement conversation, and the one practitioners increasingly cite by number. It is still a beta — Phase 3, under active community revision — but the categories are stable enough to design an audit around.

So here is the practical question. You operate an MCP server. Someone hands you the Top 10 and asks how you stand against it. What does an audit actually check, category by category?

Eight of the ten are testable against a running server. The remaining two are not really about a single server at all — they live in the build pipeline and in org-level governance. That split is most of the work, so it is how the rest of this is organized.

A note on what "testable" means here. Gated audits operated servers from the network — the deployed endpoint, with its real auth, its real TLS, its real manifest — not a config file on a developer's laptop. That vantage point decides which risks an audit can reach. It is the difference between reading what a server claims and observing what it does.