Automating SQL injection over MCP
Join us for our first Tactics release, where we go over performing SQL injection over the Model Context Protocol (MCP), an emerging protocol central to modern AI systems and a fresh, critical attack surface for security professionals.
Published on February 3, 2026

TL;DR
We released a full walkthrough and a free hands-on exercise lab on “Automating SQL Injection over MCP,” packaged as a “ThreatSims Tactics” workshop. All you need to follow along is a browser and an SSH client to connect to the exercise lab. If you just want to read the write-up, it’s directly accessible here: Automating SQL Injection Over MCP.
What is a tactic?
A tactic in offensive security is a specific technique or approach used to test, exploit, or analyze the security of a system. Tactics can range from reconnaissance methods and social engineering to vulnerability exploitation and privilege escalation. Mastering different tactics equips you with a diverse toolkit for real-world offensive security assessments.
ThreatSims Tactics is a free, continuous workshop focused on helping you master offensive security, one tactic at a time. Each tactic offers a practical, hands-on approach, making it easy for anyone to learn, apply, and stay on top of the evolving security landscape.
What you get in this free workshop:
A byte-sized offensive security lesson: Gain focused insights on a new tactic through a concise, practical walkthrough.
A hands-on lab: Immediately put theory into practice with an included free hands-on lab.
How ThreatSims Tactics works:
We will regularly release new Tactics chapters available for a limited time, each introducing a fresh offensive security technique.
Older chapters are retired to make room for the latest releases, giving you access to the most current tactics.
Enroll to stay engaged, up to date, and informed about new tactics and updates to our content.
Stay tuned to unlock the latest offensive strategies, sharpen your hands-on skills, and always have something new to learn.
Current Tactics Release
Automating SQL injection over MCP: Join us for our first Tactics release, where we go over performing SQL injection over the Model Context Protocol (MCP), an emerging protocol central to modern AI systems and a fresh, critical attack surface for security professionals. We will script and automate exploitation over MCP, with a hands-on exercise lab where you can try out the attack yourself. If you want to learn more about MCP, check out our Model Context Protocol (MCP) Attacks workshop.
Prerequisites & Assumptions
Because this module focuses on automation, we assume you are already familiar with the fundamentals. To get the most out of this lab, you should have:
Basic MCP Knowledge: A high-level understanding of how the Model Context Protocol uses JSON-RPC messages to communicate between clients and servers.
SQL Injection Fundamentals: An understanding of the theory behind SQLi (how inputs can manipulate queries).
Python Basics: We will be using Python scripts to interface with the MCP server.
Ready to Master this Tactic?
Don't let the shift in technology outpace your security toolkit. This is your opportunity to get hands-on experience with an emerging attack vector, completely free.
Happy Hacking, The ThreatSims Team

