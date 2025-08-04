BOSTON, Aug. 04, 2025 (GLOBE NEWSWIRE) -- Snyk , the leader in secure AI software development, today announced the immediate availability of Secure At Inception , which consists of three new innovations focused on Model Context Protocol (MCP) technology.

Anchored in MCP, the de facto framework for how AI agents communicate with tools and models, the three innovations are purpose-built to deliver security at first prompt for AI coding assistants and introduce these new capabilities:

Deeply-integrated and real-time security scanning that runs at the point of code generation or execution;

Visibility into generative AI, agentic and MCP components in enterprise software, and;

A new, experimental scanner for detecting AI-specific MCP vulnerabilities.



Secure At Inception marks a software development security first as AI-agentic coding shifts to so called ‘vibe coding’ - where developers orchestrate AI agents with high-level prompts instead of traditional code. Importantly, it has been integrated into the AI Trust Platform cementing Snyk’s leadership in delivering a complete solution now including the critical domain of MCP security.

Why Secure At Inception, Why Now

With the software development world rapidly shifting the way code is constructed, legacy security tools are no longer sufficient. In vibe coding, AI agents interact intensely with external tools, data and models, all of which dramatically expands the risk surface. The result is that the underlying security model must change to meet the accompanying increases in vulnerabilities.



“If anyone or any enterprise is vibe coding, we believe Secure At Inception is mandatory because it shifts security to the very first prompt, enabling developers to build intelligent, trustworthy software right from the start,” said Peter McKay, CEO of Snyk. “Snyk pioneered ‘shift left’ coding security, an innovation that became an industry standard. We’re now moving beyond ‘shift left’ to deliver security that is invisible, automatic and designed for how AI-native software is built.”



Embedding Security Natively into Agentic Workflows with Snyk’s MCP Server

Now available in early access, Snyk’s MCP Server allows AI agents to securely invoke Snyk’s full suite of scanning engines – including static analysis, open source dependency analysis and newly available support for Snyk Container and Snyk Infrastructure as Code (IaC) directly within agentic workflows. This means developers working inside AI-powered environments, like Cursor or Claude Desktop, can programmatically run security scans at the point of code generation or execution, without leaving their flow.



Designed for speed, trust and integration, the MCP Server makes "secure at inception" a reality, embedding security into the foundation of AI-native development rather than bolting it on after the fact.



"With the software development lifecycle collapsing due to AI, it's now more important than ever that we understand that application security is critical,” said Janet Worthington, analyst at Forrester Research. “The idea should be for any organization to treat all code—regardless of who writes it—as potentially vulnerable, because ultimately you, as the organization, are responsible for what goes into it."1



Bringing governance to MCP with Snyk’s AI-BOM

Snyk is expanding its AI-Bill of Materials (AI-BOM) to include visibility into MCP components, delivering the first governance tool purpose-built for the AI-native supply chain. Within the new paradigm of vibe coding, traditional notions of software composition are rapidly breaking down. AI agents are dynamically assembling applications from tools, prompts and data in real time, making it nearly impossible to track what’s being built.

Snyk’s enhanced AI-BOM restores visibility in this new world, giving security and engineering leaders a complete, actionable inventory of MCP-connected tools, data sources and instructions. It also empowers CISOs and AppSec leaders to define policies, enforce compliance and manage risk across unpredictable, agentic workflows. Available now for everyone, the AI-BOM lays the foundation for governing the next era of software development, where the “code” is a conversation, and visibility is everything.

Powering Proactive Agentic Security with Snyk’s Toxic Flow Analysis (TFA)

Snyk’s June acquisition of Invariant Labs, a leading AI security research firm, significantly strengthens its capabilities around MCP and agentic threat defense. Snyk is advancing threat detection for AI-native systems with the preview release of its Toxic Flow Analysis (TFA) framework, now integrated into its MCP Security Scanner. TFA identifies complex, multi-step vulnerabilities unique to agentic environments, such as indirect prompt injection, tool poisoning and runtime exfiltration paths. By analyzing how untrusted instructions, sensitive data and external tools intersect inside an MCP system, TFA equips AppSec teams with the foresight to mitigate toxic flows before they can be exploited. This marks a major leap forward in reducing the agent-based attack surface and protecting AI-powered applications long before runtime.



Invariant Labs also brings cutting-edge expertise in identifying zero-day risks specific to MCP systems, including emerging exploit classes like "tool poisoning" and "MCP rug pulls." Now fully integrated into Snyk’s research arm, the team is contributing to innovations like TFA and the broader MCP security framework. This strategic acquisition not only reinforces Snyk’s leadership in AI-native security but also positions the company at the forefront of defending against tomorrow’s most sophisticated AI threats.

