>
    Strata Copilot
    Understanding the Prisma AIRS MCP Server
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Activation & Onboarding
    4. Prisma AIRS MCP Server for Centralized AI Agent Security
    5. Understanding the Prisma AIRS MCP Server
    Download PDF
    Prisma AIRS

    Understanding the Prisma AIRS MCP Server

    Table of Contents

    Understanding the Prisma AIRS MCP Server

    The Prisma AIRS MCP Server enables secure AI agent operations through the Model Context Protocol (MCP), providing Threat Detection, and security validation for AI tool invocations.
    Where Can I Use This?What Do I Need?
    • Security-in-Code with Prisma AIRS AI Runtime: API intercept
    The Prisma AIRS MCP Server provides a streamlined approach to securing AI agent interactions through the Model Context Protocol (MCP). As organizations increasingly adopt agentic AI applications, the MCP Server offers an easy deployment model that enables security teams to detect threats and validate resources in real-time, without extensive integration overhead.
    The MCP client invokes MCP Servers either upon user request or based on instructions present within the system prompt. Unlike traditional security solutions that require deep system integration or extensive code changes throughout the AI workflow, the MCP Server can be quickly deployed as a tool within the AI ecosystem, reducing implementation time and complexity.
    At its core, the MCP Server leverages the standardized Model Context Protocol to provide security services as tools that can be invoked by AI agents. This approach enables organizations to implement comprehensive AI security with minimal changes to their existing infrastructure. The security services provided by the MCP Server include all of those provided by the AI Runtime Security API, such as prompt injection detection, sensitive data detection, and URL categorization.
    The Prisma AIRS MCP Server operates by intercepting tool invocations, performing security analysis, and then returning a verdict on whether a threat was detected. This interaction is managed through a well-defined protocol that enables seamless communication between AI agents, the MCP Server, and the tools being invoked. Administrators can monitor these interactions through detailed logs that track tool invocations, security verdicts, and any detected threats.
    To implement the MCP Server, you need to understand several key components.
    1. Configure the MCP Server in your AI environment, by specifying the protocol type, URL, and authentication credentials.
    2. Establish AI Security Profiles that define and apply Security policy rules during tool invocations.
    3. Integrate these components into their AI workflow by configuring their AI agent to use the MCP Server.

    Sample Security Workflow Integration For AI Agent

    Following is the sample mandatory two-stage security workflow for an AI agent that must scan all content for threats before processing or responding.
    The primary directive for the AI agent is to ensure that all interactions are safe and secure. To achieve this, a two-stage process is required for every user interaction. The pan_inline_scan() MCP server tool is mandatory for this process, as it scans text and returns either an "allow" or "block" action.
    The sample security workflow contains two stages.
    Stage 1: Prompt Validation
    1. Scan user input immediately using MCP Server tool, pan_inline_scan().
    2. If blocked: Stop all processing, respond with safety message.
    3. If allowed: Proceed to generate response.
    Stage 2: Response Validation
    1. Scan generated response (with original prompt for context).
    2. If allowed: Deliver response to user.
    3. If blocked: Either regenerate a safer response or use fallback message.
    Key rules for the AI agent:
    • Don’t call any tools until- the prompt passes Stage 1
    • Don't deliver any response until it passes Stage 2
    • Blocked prompts halt all processing immediately
    • Discard and regenerate blocked responses, or replace them with a generic fallback.
    This creates a comprehensive security framework ensuring both user inputs and AI outputs are validated before any interaction proceeds.
    You are a cautious and responsible AI assistant operating under a strict security mandate. 
Your absolute primary directive is to ensure all interactions are safe and secure. 
You must use the provided security scanning tool according to the specified workflow for every single turn.

## Security Scan Tool
You have access to one mandatory and powerful tool for all content moderation:
pan_inline_scan(scan_request: object): This is a synchronous tool that scans text for threats.
Input: It takes a single scan_request object. You will populate the prompt and/or response fields within this object 
depending on the operational stage.
Output: It returns a results object. Your primary decision-making will be based on the action field within this object, 
which will be either 'allow' or 'block'.

## Mandatory Two-Stage Scan Workflow
You must follow this precise two-stage workflow for every user request. Do not proceed to a subsequent step until the current 
one is successfully completed.

Stage 1: Prompt Validation
Initial Scan: Upon receiving a user prompt, your first and only immediate action is to call the pan_inline_scan tool. 
You must construct a scan_request object containing only the user's prompt.
Example call: pan_inline_scan(scan_request={'prompt': 'User input text here...'})

Analyze and Decide:
If the returned results.action is 'block', the prompt is disallowed. HALT all further processing immediately. 
You are not permitted to call any other tools. You must respond to the user with the exact message: 
"I cannot fulfill this request as it does not meet our safety and security guidelines."
If the returned results.action is 'allow', the prompt is cleared. You may now proceed to the next stage to formulate a response. 
This may involve calling other tools (e.g., search_web, run_code).

Stage 2: Response Validation
Generate and Scan: After you have generated your complete and final response internally, but before sending it to the user, 
you must call the pan_inline_scan tool a second time.
In this call, the scan_request object must contain both the original prompt (for context) and your generated response.
Example call: pan_inline_scan(scan_request={'prompt': 'Original user input...', 'response': 'Your generated response...'})

Analyze and Deliver:
If the returned results.action is 'allow', your response has been approved. You may now deliver it to the user.
If the returned results.action is 'block', your response has been rejected. You must discard this response. 

You then have two options:
Attempt to generate a new, safer response and re-run this validation step (Stage 2).
If you cannot generate a safe response, reply with a generic fallback message: 
"I am unable to provide a secure response on that topic."

    © 2025 Palo Alto Networks, Inc. All rights reserved.