AI Summary
This work addresses the structural security blind spots in the Model Context Protocol (MCP), which arise from its multi-party architecture and distributed trust boundaries, leading to a lack of systematic delineation of defensive responsibilities. To tackle this issue, the paper proposes a layered security analysis framework oriented toward defense deployment and introduces, for the first time, an MCP-specific security taxonomy centered on defense placement. Existing security measures are mapped onto a six-layer architecture to evaluate their coverage comprehensively. The analysis reveals that current defenses are overly concentrated at the tool layer, while significant gaps persist in orchestration, transmission, and supply chain layers. These findings indicate that vulnerabilities stem from architectural misalignment rather than isolated implementation flaws, thereby providing a theoretical foundation for designing coordinated, defense-in-depth strategies at the protocol's weakest points.
Abstract
The Model Context Protocol (MCP) enables large language models (LLMs) to dynamically discover and invoke third-party tools, significantly expanding agent capabilities while introducing a distinct security landscape. Unlike prompt-only interactions, MCP exposes pre-execution artifacts, shared context, multi-turn workflows, and third-party supply chains to adversarial influence across independently operated components. While recent work has identified MCP-specific attacks and evaluated defenses, existing studies are largely attack-centric or benchmark-driven, providing limited guidance on where mitigation responsibility should reside within the MCP architecture. This is problematic given MCP's multi-party design and distributed trust boundaries. We present a defense-placement-oriented security analysis of MCP, introducing a layer-aligned taxonomy that organizes attacks by the architectural component responsible for enforcement. Threats are mapped across six MCP layers, and primary and secondary defense points are identified to support principled defense-in-depth reasoning under adversaries controlling tools, servers, or ecosystem components. A structured mapping of existing academic and industry defenses onto this framework reveals uneven and predominantly tool-centric protection, with persistent gaps at the host orchestration, transport, and supply-chain layers. These findings suggest that many MCP security weaknesses stem from architectural misalignment rather than isolated implementation flaws.