Model Context Protocol allows AI agents to connect to data sources but the first iteration of this standard lacked serious security. Over the past few months, a multitude of vendors appeared to help solve the problem. Is the technology now ready for prime-time, or is it still too early to put into production?
Some progress has been made on the core protocol side. In March, support was added for OAuth authentication, and in June, the protocol added support for third-party authentication servers such as Auth0, Okta, or a company’s own identity management system.
The MCP standards body also launched an official MCP registry in September, in order to address the problem of malicious MCP servers masquerading as legitimate ones.
But significant security gaps remain. For example, authentication is optional, and the systems are vulnerable to prompt injections, tool poisoning, token theft, cross-server attacks, message tampering and more.
Companies looking to get ahead of the competition when it comes to building agentic AI systems have to do a lot of security heavy lifting to keep these tools from exposing all their corporate secrets and sensitive data.
And, over the past few months, vendors have been stepping up. Today, the major AI platforms have added security infrastructure, as have core technology providers, existing cybersecurity vendors, and a fleet of emerging players.
Challenges of different uses of MCP servers
There are three main types of MCP server deployments, and each one has their own security challenges.
When a company sets up an internal MCP server, on infrastructure they control, to access internal data or tools, to be used by AI agents that they also control. First, a low-risk use of this might be to allow employees to use AI agents to search through non-sensitive documents or databases, such as product descriptions. A higher-risk use case might be to allow access to customer data.
Second, a company might allow their AI agents to access external data sources or tools via MCP servers. Here, one concern might be that the information the AI agents get back might include malicious instructions because either the server or the data source is compromised by an attacker.
The third deployment type is that of an internal MCP server exposing a company’s data or tools to the outside world. Again, this could be a low-risk use case if the MCP server provides access to product descriptions or user manuals. But it could also be extremely risky if MCP servers that allow external partners to connect in and place orders, submit invoices, and change their payment addresses.
There are ways to ease into MCP deployments, says Anh Hatzopoulos, co-founder and CEO at PepperMill, a no-code AI platform. For example, an MCP server that goes and gets public LinkedIn information is going to be safer than one that handles financial transactions, she says. “With moving money, I’m surprised that people are going hard at it right now, given the security problems with MCPs. But someone has to do it — and someone will discover those security problems.”
In fact, for many tech companies, especially SaaS vendors, MCP servers are already a must-have. “They can’t wait,” says Peter Nebel, chief strategy officer at cloud consultancy AllCloud. “If they wait, their competition will be there before them and have the MCP advantage.”
Companies that have already released official MCP servers for public use include PayPal, Notion, HubSpot, CloudFlare, Atlassian, Slack, and GitHub. There are also third-party providers building MCP servers. Zapier, for example, currently offers MCP connections to 8,000 different apps.
If a vendor doesn’t offer their own, official MCP server, someone else might set up unofficial ones that use the vendor’s APIs. For example, there are already MCP servers out there for LinkedIn, Spotify, eBay, YouTube, AWS, Zillow, and many other platforms, some more trustworthy than others. Developers and power users are downloading them and using them to give their AI agents access to those platforms, but it’s not always obvious where some of these less-than-official MCP servers are coming from, who’s maintaining them, and what else they do under the covers.
Pulse MCP lists over 6,000 servers. MCP marketplace MCP.so currently lists more than 16,000. And a GitHub search for “MCP server” produces more than 45,000 results.
What to look for in an MCP security platform
Whether a company connects their own agents to third-party MCP servers, their own MCP servers to third-party agents, or their own servers to their own agents, there’s going to be the potential for data leakage, prompt injections and other security threats.
That means companies will need to check for authorizations and permissions, implement fine-grained access controls, and log everything, says AllCloud’s Nevel.
Here are some other MCP security tools that vendors are offering today:
MCP server detection: It’s easy for company employees to download and run their own MCP servers. These servers could boost their productivity or they could be a new attack vector. Some MCP security vendors are offering scanning services to help companies find all instances of shadow MCP servers in their environments.
Runtime protection: AI agents communicate with MCP servers in plain English. That creates the potential for prompt injections, data leaks and other security issues. Many MCP security vendors offer tools to monitor all communications for these and similar problems.
Authentication and access controls: The core MCP protocol now supports OAuth, but that’s just the start. For additional security, vendors offer zero trust and least privilege control frameworks.
Logging and observability: Vendors can provide platforms to collect MCP logs, alert security teams about security events or policy violations, collect compliance data, or feed logs into existing security infrastructure.
Vedors offering MCP security tools
Below, we divide in three sections the list of vendors offering MCP security tools.
Hyperscalers
For companies all-in on a particular cloud platform, going with the MCP tools provided by that particular hyperscaler can be an easy way to get started.
AWS launched its own agentic AI platform in July. Amazon Bedrock AgentCore includes a gateway that supports multiple protocols, including MCP, an identity management system and observability. In October, AWS followed this up with a set of guidelines for securing MCP servers with zero trust best practices.
Microsoft announced a basic Azure MCP server in April, added support for the Azure Key Vault in May, announced MCP support in the Azure AI Foundry Agent Service in June, and announced Azure API Management support in August. Azure API Management means that MCP servers can have secure and governed access to resources, with observability and control.
In October, Microsoft announced the Microsoft Agent Framework, which includes support for both MCP and the Agent2Agent protocol, protection against prompt injection, PII detection, and multi-agent observability to ensure that the systems are doing what they’re supposed to be doing.
Google Cloud announced its MCP Toolbox for Databases in April with authentication and observability built in. In September, it released a reference architecture for securing MCP servers on the Google Cloud Platform, based around a centralized MCP proxy architecture. It uses the Google Identity Platform to validate identities and issue OAuth tokens, uses Model Armor to check messages for prompt injections, jailbreaks, or sensitive data, and a Secret Manager to store API keys, credentials, and sensitive configuration values. Its Artifact Registry can store MCP server images and scan them for vulnerabilities before they are deployed.
Google also recommends using network-level security controls to isolate MCP servers and reduce the risk of lateral movement. Finally, Google’s Security Command Center can identify unauthorized access and data exfiltration attempts.
Major technology providers
Cloudflare: Cloudflare announced MCP Server Portals, which enable enterprises to centralize, secure, and observe every MCP connection. This feature is part of Cloudflare One, the company’s secure access service edge (SASE) platform.
Palo Alto Networks: The company launched the Prisma AIRS MCP Server in June. It sits between the AI agent and the MCP server and detects malicious content in data, helping protect against prompt injection attacks, as well as web and DNS attacks. Another tool, MCP Security in Cortex Cloud WAAS, sits at the network boundary, and inspects MCP communications for malicious activity.
SentinelOne: SentinelOne Singularity Platform offers visibility into the MCP interaction chain, as well as alerts and automated incident response, for both local and remote MCP servers.
VMware: In August, parent company Broadcom announced that VMware Cloud Foundation will offer more security for agentic workflows, including MCP servers.
Startups
Acuvity: Acuvity secures MCP servers by hardening them with least-privilege execution, immutable runtimes, continuous vulnerability scanning, authentication, and threat detection.
Akto: API security company Akto launched an MCP security solution in June, claiming to be the first dedicated security solution specifically built to protect MCP servers. It includes a discovery tool for finding the MCP servers deployed in corporate environments, security testing tools, and monitoring and threat detection.
Invariant Labs: Their MCP-Scan is an open-source scanner that performs static analysis of MCP servers and does real-time monitoring to detect tool poisoning attacks, rug pulls, and prompt injection attacks. A commercial product, Invariant Guardrails, is a proxy that sits between AI agents and MCP servers and protects against project injections and other MCP security threats, and allows companies to impose rules such as prohibiting PII from going to external email addresses.
Javelin: The company’s AI Security Fabric platform includes MCP security, such as functionality to scan for risky servers, or to block or require review of agent tools or data requests. In addition, MCP guardrails stop unsafe calls and poisoned inputs in real-time and prevent prompt injections and data leakage.
Lasso Security: Open source MCP gateway that allows configuration and lifecycle management of MCP servers and sanitizes sensitive information in MCP messages.
MCPTotal: Offers a hub to manage, run and monitor MCP servers in a secure, sandboxed environment, as well as a gateway to protect AI workflows interacting with both internal and external MCP servers, and a governance tool to monitor and enforce AI tool use policies.
Noma: Recently launched AI Agent Security solution offers support for discovery of MCP connections, vulnerability scanning, access policy enforcement, real-time prompt guardrails, and audit trails.
Obot: The Obot MCP gateway is an open-source platform to manage MCP servers, define security access policies, and track usage and compliance.
Operant: Operant MCP Gateway automatically catalogs MCP tools, discovers AI agents, and tracks traffic between agents and servers to eliminate MCP blind spots. It can also identify threat vectors such as tool poisoning, jailbreaks and unauthorized access, prevent data leaks, and establish a centralized governance framework for agents and tools across the enterprise.
Solo: The company’s Agent Gateway was overhauled in August to support MCP and A2A protocols and protects against malicious prompts and data leaks, enforces strong authentication, and centralizes logging and tracing for every interaction.
Teleport: Its Secure MCP tool for its Infrastructure Identity Platform allows companies to unify how they govern human, machine, workload, device, and AI identities. MCP Security provides identity, access control, governance, and audit tools in a zero trust and least privilege environment.
No Responses