Beyond Reactive Defense: Introducing SFAMDF

A Framework for Proactive, Federated Agentic Security

*January 2026

Open Research Initiative*

The Problem: Reactive Security Can’t Keep Pace

The Model Context Protocol (MCP) has rapidly become the standard for connecting AI agents to enterprise tools and data. With 10,000+ community servers and adoption by Anthropic, Microsoft, OpenAI, Google, AWS, and Salesforce, MCP is powering a new generation of autonomous AI systems.

But there’s a growing gap between MCP’s adoption curve and its security maturity.

Current security guidance focuses on reactive patterns:

Sanitize tool outputs against known injection patterns
Validate schemas against expected structures
Enforce allowlists of permitted tools
Isolate data flows between trust tiers

These controls are necessary. They are also insufficient.

Why Reactive Falls Short

1. Adversaries adapt faster than pattern libraries.

When you block injection pattern #47, attackers use pattern #48. The reactive model assumes we can enumerate all possible attacks. We cannot.

2. Attacks coordinate across boundaries.

A shadow tool registered in Organization A. A data flow anomaly in Organization B. Individually, each looks benign. Together, they form a coordinated exfiltration campaign. Reactive defenses operating in isolation cannot see the full picture.

3. Novel combinations evade individual controls.

Each tool call is legitimate. Each data access is authorized. But the sequence—the cumulative intent—achieves something no single call would allow. Pattern matching at the individual request level cannot detect emergent malicious behavior.

4. Human oversight becomes a bottleneck, not an advantage.

When every suspicious pattern requires human approval, attackers simply increase volume. The reactive model treats humans as approval queues rather than expert judgment sources.

The Vision: Proactive Federated Defense

SFAMDF—the Secure, Federated, Adaptable Multi-Agent Defense Framework—proposes a different approach:

Defense agents that observe, correlate, and adapt—not just defense rules that match and block.

Core Principles

1. Behavioral Detection Over Pattern Matching

Instead of maintaining exhaustive attack pattern libraries, SFAMDF defense agents establish behavioral baselines and detect anomalies:

REACTIVE:  if output matches pattern -> block
PROACTIVE: if behavior deviates from baseline -> investigate

This catches novel attacks that evade pattern libraries while reducing false positives through contextual analysis.

2. Federated Intelligence Across Trust Boundaries

Organizations can’t share raw security data. But they can share anonymized threat signals. SFAMDF’s federated model enables:

Cross-boundary correlation: Detect attacks that manifest partially across multiple organizations
Swarm detection: Identify coordinated campaigns targeting multiple endpoints
Sovereignty preservation: Local policies always override federated recommendations

3. Predictable Delegation Through Governance Contracts

Defense agents must operate with predictable, auditable behavior. SFAMDF introduces governance contracts that specify:

What resources and operations an agent can access
When and how tasks can be delegated
Conditions requiring escalation

# Defense Operator Contract Example
agentType: DefenseOperator
capabilities:
  - monitor
  - isolate
  - alert
escalation:
  confidenceThreshold: 0.85
  criticalPatterns: [coordinated_exfiltration]

This isn’t just documentation—it’s runtime enforcement. The AgentBox execution environment ensures agents cannot exceed their declared capabilities.

4. Expert-in-the-Loop at Decision Points

SFAMDF reframes human involvement from “approval bottleneck” to “expert judgment where it matters”:

Decision Type	Expert Involvement
Routine monitoring	Automated
Anomaly investigation	Async review
Attribution assessment	Sync approval
Active response	Expert panel

Experts focus on decisions requiring judgment. Routine operations proceed without delay.

5. Adaptive Response to Emerging Patterns

SFAMDF defense agents don’t just respond—they adapt:

Partial pattern orchestration: Begin defensive posture when attack fragments emerge
Graduated response: Escalate from observation to isolation to active defense
Learning loops: Successful defenses update baselines; failures trigger review

The Architecture

SFAMDF implements defense-in-depth through multiple complementary layers:

+-------------------------------------------------------------+
|                    FEDERATED TRUST LAYER                     |
|   Cross-organization threat correlation & intelligence       |
+-------------------------------------------------------------+
                              |
+-------------------------------------------------------------+
|                   ORCHESTRATION LAYER                        |
|   Strategic coordination, governance enforcement, EITL       |
+-------------------------------------------------------------+
                              |
+-------------------------------------------------------------+
|                     GATEWAY LAYER                            |
|   Policy enforcement, behavioral monitoring, sanitization    |
+-------------------------------------------------------------+
                              |
+-------------------------------------------------------------+
|                    OPERATOR LAYER                            |
|   Bounded execution within AgentBox sandboxes                |
+-------------------------------------------------------------+
                              |
+-------------------------------------------------------------+
|                   MCP SERVER LAYER                           |
|   Hardened servers with capability-controlled interfaces     |
+-------------------------------------------------------------+

The Orchestrator-Operator Model

SFAMDF distinguishes two agent roles with clear behavioral definitions:

Orchestrator Agents operate at the strategic layer:

Decompose complex defense objectives into delegable tasks
Select appropriate operators based on capabilities and trust
Monitor progress and trigger escalation procedures
Enforce governance contracts

Operator Agents execute specific tasks within bounded domains:

Operate within AgentBox sandboxes enforcing capability limits
Cannot exceed permissions declared in their AgentManifest
Report results through structured channels
Support both deterministic and adaptive reasoning

Comparison: Reactive vs. Proactive

Dimension	Reactive Model	SFAMDF Proactive Model
Detection	Pattern matching	Behavioral anomaly + pattern
Novel attacks	Missed until pattern added	Detected via baseline deviation
Coordinated attacks	Each boundary defends alone	Federated correlation
Partial patterns	Not detected	Triggers graduated response
Human role	Approval queue	Expert at decision points
Adaptation	Manual rule updates	Automated baseline evolution
Trust model	Implicit	Explicit governance contracts
Execution bounds	Code-level	System-level (AgentBox)

Detailed Comparison

Security Maturity Model

Level	Name	Characteristics
0	Chaos	No controls, hoping for the best
1	Awareness	Basic allowlists, some logging
2	Foundation	Gateway + behavioral baselines
3	Defense-in-Depth	Layered controls, anomaly detection, EITL
4	Continuous	Active testing, policy monitoring
5	Adaptive	Federated defense, automated response

Why This Matters Now

MCP is at an inflection point. The patterns established now will shape the ecosystem for years.

Reactive security got us here. But as agentic AI moves from experiments to enterprise-critical deployments, reactive patterns create an ever-widening gap between security maturity and threat sophistication.

SFAMDF proposes that the same agentic capabilities that create new attack surfaces can power proactive defense—if we architect for it deliberately.

The framework is open. The whitepaper is in progress. Reference implementations are planned.

We invite the MCP community to explore, critique, and build upon these patterns.

Resources

Architecture Diagrams - Visual reference
Reactive vs Proactive - Detailed comparison
OSINT Agent Pattern - Implementation example

About the Initiative

SFAMDF (Secure, Federated, Adaptable Multi-Agent Defense Framework) is an open research initiative developing proactive defense patterns for MCP-based agentic AI systems.

GraphSentinel is an open-source initiative applying Graph Neural Networks to security analytics, including threat correlation and anomaly detection.

Both initiatives welcome collaboration from the security and MCP communities.

Back to Home

Version 1.0 | January 2026 License: CC BY 4.0 (Documentation) | Apache 2.0 (Code)