Published May 24, 2026 | Version v1
Preprint Open

Protocol Pivoting: Cross-Protocol Attack Escalation in Agentic AI Systems

Authors/Creators

Description

Modern agentic AI deployments run several agent communication protocols in parallel: the Model Context Protocol (MCP) for tool access, Google's Agent-to-Agent (A2A) protocol for inter-agent delegation, and emerging standards such as the Agent Network Protocol (ANP). Each was designed independently, with a security model that assumes it operates alone. We identify and formalize a new attack class we term Protocol Pivoting—a multi-step attack in which an adversary gains initial access through one protocol, exploits trust assumptions between protocols, and escalates to capabilities only accessible via a different protocol. We present three concrete Protocol Pivoting scenarios: MCP to A2A privilege escalation via implicit trust delegation, A2A to MCP capability injection via malicious agent impersonation, and cross-protocol prompt injection chains where context from one protocol influences behavior in another. We analyze why existing defenses fail against Protocol Pivoting, and propose a unified cross-protocol security framework including a formal trust boundary model and three protocol-agnostic mitigations.

Files

paper3_protocol_pivoting.pdf

md5:c239cb7d1fab545e997a08a22eebe690
189.2 kB