You shouldn't deploy MCP in production without a plan. 43% of public MCP servers have command injection vulnerabilities, and most enterprises are connecting them to live data warehouses. Safe deployment requires isolation at three points: the network, the application, and the runtime. Strake provides this by default, using Firecracker MicroVMs to house execution so a malicious prompt can't touch your host system.
The danger isn't just a "bad" agent; it's what an agent can do once it has warehouse access. SQL exfiltration and session poisoning aren't theoretical — they are the default state of insecure MCP implementations.
A clever prompt can still "dump" tables if your engine doesn't enforce read-only boundaries.
Agents are surprisingly good at crafting queries that exfiltrate data to external endpoints.
Data from one user can leak into another user's agent session when the two sessions share resources.
Air-gap the sandbox. Isolation isn't enough; the environment where code runs should have zero outbound internet access unless you've explicitly whitelisted it.
Don't trust the prompt. Every query needs inspection for PII and injection patterns at the engine layer before it ever reaches execution.
Containers are not a security boundary. Firecracker MicroVMs provide hardware-level isolation, ensuring a script can't escape to the host even if it cracks the sandbox.