Model Context Protocol (MCP) was created in late 2024 by OpenAI’s top competitor Anthropic. It was so good as a means for providing a standardized way to connect AI models to various data sources and tools that OpenAI adopted it as a standard, as have most other big AI players and all three hyperscalers.
In just a few months, MCP has caught fire, with several thousand MCP servers now available from a wide range of vendors enabling AI assistants to connect to their data and services. And with agentic AI increasingly seen as the future of IT, MCP — and related protocols ACP and Agent2Agent — will only grow in use in the enterprise.
But as organizations rushing into AI are beginning to find out, innovations like MCP also come with significant risks.
In May, work management vendor Asana released an MCP server to allow AI assistants to access the Asana Work Graph. Though the server, AI assistants could access an organization’s Asana data, generate reports, and create and manage tasks, for example. One month later, security researchers found a bug that could have allowed users to see data belonging to other users. That same month, Atlassian also released an MCP server. Security researchers found a vulnerability allowing attackers to submit malicious support tickets and gain privileged access.
The risk is so big that OWASP launched its MCP Top 10 project the same day as the Atlassian attack report was published, though, as of this writing, the OWASP list is still empty.
On that same week, an update to MCP was released, addressing some of the vulnerabilities that security experts have been worrying about.
Here is an in-depth look at MCP and what CISOs should know about its risks, mitigations, and emerging solutions for better securing the MCP servers on which their organization’s AI agents increasingly depend.
What is model context protocol (MCP)?
MCP is a kind of API, but instead of allowing one computer program to talk to another computer program in a standardized way, it allows an AI agent or chatbot to talk to databases, tools, and other resources.
In the past, a company that wanted to pass data into an LLM would turn that data into a vector database and pass relevant context to the AI by adding the information to a prompt. This was called RAG, or retrieval augmented generation, and required a vector database, and then a custom integration into the application’s business logic.
MCP servers turned this on its head.
Instead of doing multiple integrations, a developer can just put an MCP server in front of the database, and an AI agent can just pull whatever data it needs, when it needs it, no additional programming necessary. Anthropic has already announced pre-built MCP servers for Atlassian, Cloudflare, Intercom, Linear, PayPal, Plaid, Sentry, Square, Wokato, Zapier, and Invideo. And that’s for the consumer-friendly version of Claude. Developers using Claude Code can access any MCP server anywhere.
OpenAI announced support for MCP server connections to Cloudflare, HubSpot, Intercom, PayPal, Plaid, Shopify, Stripe, Square, Twilio, Zapier, and more in late May. But developers can connect OpenAI’s models to any MCP server anywhere by using OpenAI’s Responses API.
Companies can use MCP servers to expose their own data to their own AI processes, to expose their own data to external users, or to connect to public sources of information or functionality.
All these carry significant risks to all parties involved, but the technology is so useful that many companies are moving ahead anyway.
And it’s not just tech firms. Yageo Group, a manufacturing company, is already looking at deploying the technology. Some of that is being done by recently acquired subsidiaries. “And the parent company I’m working at right now is looking at expanding governance around it,” says Terrick Taylor, information security operations manager at Yageo.
But he’s worried about security implications, including data leakage, and with so many applications being built at so many different sites, it’s hard to keep up. “Pretty soon my hair is going to turn gray.”
Mitigating MCP server risks
When it comes to using MCP servers there’s a big difference between developers using it for personal productivity and enterprises putting them into production use cases.
Derek Ashmore, application transformation principal at Asperitas Consulting, suggests that corporate customers don’t rush on MCP adoption until the technology is safer and more of the major AI vendors support MCP for their production-level environments.
One problem is that while MCP risks can be eliminated or mitigated by deploying MCP servers in a secure manner, others are built into the MCP protocol itself. According to Equixly, the MCP protocol specification mandates session identifiers in URLs, which violates security best practices. MCP also lacks required message signing or verification mechanisms, which allows for message tampering.
“MCP servers are still catching up in this security maturity cycle, making them particularly vulnerable during this adoption phase,” states Equixly CTO Alessio Della Piazza in a blog.
Some of these protocol issues were addressed in the latest MCP protocol update.
MCP servers are now classified as OAuth resource servers, addressing some of the authentication issues that Equixly identified. There is also a new resource indicator requirement, which could prevent attackers from obtaining access’ tokens.
The protocol has now mandatory protocol version headers, which will help reduce confusion about which version of which MCP server is running.
These changes don’t fix all the problems that security researchers have identified, nor do they instantly fix all the MCP servers already deployed, but they’re a sign that the community is moving in the right direction.
And, for enterprises deploying MCP servers and implementing authorization flows, there’s now a new set of MCP security best practices.
If those aren’t enough, Anthropic has also added a page about MCP server best practices to its own support portal, for organizations building new MCP servers.
And, for organizations deploying third-party MCP servers, CyberArk has some advice:
Before using a new MCP server, verify if it is part of the official servers published on the MCP GitHub; if not, try using it in a sandbox environment first.
Make sure to include MCP in your threat modeling, penetration tests, and red-team exercises.
When you install a local MCP server, perform a manual code review for anomalies or backdoors. Supplement this by submitting the codebase to a large-language model or automated analysis tool to highlight any hidden malicious patterns.
Use an MCP client whose default is to show you every tool call and its input before approving it.
Understanding MCP security is going to be key for enterprises going forward, especially if they are deploying AI agents in any significant way.
According to Gartner, MCP is emerging as the AI integration standard predicting that by 2026, 75% of API gateway vendors and 50% of iPaaS vendors will have MCP features.
Organizations need to be careful about the expanded attack surface and about new supply chain risks from third-party MCP servers. That can sound familiar to cybersecurity managers. These are all issues that the industry has had to deal with before. But MCP servers are more than just a new version of APIs, warns Lori MacVittie, distinguished engineer and chief evangelist in F5 Networks’ Office of the CTO. It’s a fundamental paradigm shift, she says, similar in impact to the move from perimeter security to application security.
“MCP is breaking everything,” she says. “It’s breaking core security assumptions that we’ve held for a long time.”
The reason? Most of the functionality of MPC lies within the context window where the MCP server communicates in plain language with AI agents. That means that there’s potential for deceit and manipulation. “Someone can say, ‘I am the CEO,’. How do you prevent that?”
The system can’t be trusted to work as intended because core components — AI agents and LLM — are not deterministic. “I don’t think anyone’s got how to do it right yet,” MacVittie says.
MCP security vendors
That’s not to say that there aren’t already vendors out there trying to sell MCP security. Here are a few:
BackSlash Security: Searchable database of thousands of MCP servers with risk ratings, free MCP risk self-assessment tool, and commercial services to manage MCP risks.
Lasso Security: Open-source MCP gateway that allows configuration and lifecycle management of MCP servers and sanitizes sensitive information in MCP messages.
Invariant Labs: Their MCP-Scan is an open-source scanner that performs static analysis of MCP servers and does real-time monitoring to detect tool poisoning attacks, rug pulls, and prompt injection attacks.
Pillar Security: MCP server protection services including automated discovery, red teaming assessments and runtime protection.
Palo Alto Networks: Their Cortex Cloud WAAS tool offers MCP protocol validation and detects API-layer attacks against MCP endpoints.
No Responses