Cogny first-party MCP stack · security-reviewed

    Vendor-built MCPs. Not strangers from the internet.

    Every MCP server on Cogny is built, hosted, and patched by our team. OAuth-scoped per integration, audited per call, wrapped by Cogny Shield on the way out. The alternative — pulling a random MCP from a public registry — is the pattern the NSA warned the industry about in May 2026.

    ❯ see the integrationscogny shield →

    cogny --first-party

    THE STACK

    Each of these MCP servers ships from our repo, with one team responsible end to end

    Ad platformsGoogle Ads, Meta Ads, TikTok Ads, X Ads, LinkedIn Ads. Read campaigns, adjust budgets, manage audiences — through our servers, not a stranger’s.
    Analytics & searchGA4, Google Search Console, Bing Webmaster Tools. Realtime reports and indexing data, OAuth-scoped per warehouse.
    Tag & data infrastructureGoogle Tag Manager, BigQuery, Supabase. Schema inspection, SQL execution, container audits — all gated by your row-level policies.
    Commerce & billingStripe, Shopify, RevenueCat. Subscription state, refunds, customer lookups — never proxied through a third-party MCP.
    Email, CRM & communityMailchimp, Get-a-Newsletter, HubSpot, Discord. Send, segment, and report from a vendor we control.
    Creative & contentCogny image-gen, web search, web fetch. Generation and retrieval that fits inside your warehouse’s trust boundary.

    cogny --why-trust-matters

    THE PROBLEM

    Four failure modes the NSA flagged in real-world MCP deployments

    Tool poisoningThe NSA describes a malicious MCP server quietly switching from a benign tool description to a malicious one after install — agents started exfiltrating WhatsApp messages with no user notice. The same pattern works against any MCP your agent has trusted.
    Naming collisionsPublic MCP registries let two servers ship tools with the same name. The agent resolves to whichever one wins the race — often the malicious one. Cited in the NSA report as "parasitic toolchain attacks."
    Blanket scopesThe GitHub MCP server, when installed, can read every private repo and write to public ones on your behalf — no per-repo or per-action consent. The NSA flagged it by name. Most third-party MCPs follow the same all-or-nothing pattern.
    Supply-chain rot"The MCP project documentation has identified that many popular servers are no longer actively maintained." Orphaned servers don’t get patched. CVE-2025-49596 (RCE in MCP-Inspector) is what that looks like in practice.

    cogny --vs-wild

    SIDE BY SIDE

    A Cogny first-party MCP next to a random one pulled from a public registry

    dimensioncogny first-partyrandom mcp
    Built byCogny engineers, in our repo, code-reviewed before every merge.Anonymous maintainers. Often archived. No SLA.
    HostingManaged in the EU, alongside your warehouse.Wherever the maintainer chose — often anywhere in the world.
    AuthenticationOAuth 2.1 with per-tool scope review. Token vault, rotation, revocation.Often blanket account access (NSA flagged GitHub MCP by name).
    Tool definitionsVersion-pinned, change-gated, surfaced in your audit log.Can silently change between calls (NSA flagged WhatsApp MCP by name).
    Output handlingCogny Shield wraps PII; injection scanning strips embedded instructions before they reach the model.Whatever bytes the server returns flow straight into your model’s context.
    Vulnerability responsePatched once. Every customer covered. CVEs tracked in our advisory feed.You upgrade. Or you don’t.
    AuditEvery tool call logged with caller, parameters, result, and shield disclosure.Whatever the server chose to log — often nothing.

    cogny --shield-mcp-hardening

    ROADMAP

    Cogny Shield is extending to cover the NSA-flagged MCP risks. Per-warehouse feature flags, so you can adopt independently of PII masking.

    01
    Cross-server injection scanning
    Every MCP tool result passes through a scanner that detects text shaped like LLM instructions ("ignore previous instructions", embedded system prompts, hidden tool-call markup) and quarantines it before the response reaches the frontier model. Defends against the tool-poisoning pattern the NSA cited.
    02
    Cryptographically signed responses
    First-party Cogny MCP servers sign tool results with a Cogny-issued key. The client verifies the signature before forwarding to the model. A parasitic server connected to the same agent cannot forge a Cogny signature, so it cannot impersonate a trusted tool.

    cogny --source

    PRIMARY SOURCE

    We're not the first to flag this. The NSA published an advisory on MCP security in May 2026.

    “MCP's rapid proliferation has outpaced the development of its security model. Much like early web protocols, MCP was released with a flexible and underspecified design, allowing implementers freedom of design but also introducing ambiguity for safe usage.”

    citation
    NSA Cybersecurity, Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation, May 2026 (U/OO/6030316-26, PP-26-1834, v1.0).
    read the full advisory (PDF) ↗

    cogny --related

    SEE ALSO
    Cogny ShieldThe EU-hosted PII layer that already wraps every tool result. MCP hardening ships as part of the same per-warehouse toggle.explore →
    Security at CognyRLS, OAuth vault, GDPR webhooks, incident response. The plumbing under the marketing copy.explore →
    MCP MarketingWhat MCP is and why it matters. The protocol underneath everything on this page.explore →

    trust the stack you connect

    Connect with confidence. Or roll your own.