MCP is enabling agentic AI, but how secure is it?

MCP is becoming the plug-and-play standard for agentic AI apps to pull in data in real time from multiple sources. The Pulse MCP server directory currently lists more than 4,300 active MCP servers that let LLMs connect to data feeds ranging from Spotify and YouTube to Salesforce and GitHub. The momentum behind the protocol will likely accelerate adoption as developers coalesce around a common standard and alternatives struggle to gain traction.

However, this also makes it more attractive for malicious actors looking to exploit weaknesses in how MCP has been deployed. This is especially relevant where MCP is being used to access external third-party data sources. Although not related to this particular technology, the recent cyber attack on UK retailer Marks & Spencer was due to a weakness in one of its suppliers' IT systems. The incident wiped nearly a billion dollars (£750 million) off the company's market capitalization, and is expected to knock nearly half a billion off operating profits this year.

A question of security

So what are some of the key vulnerabilities that MCP presents, and how might they be addressed? MCP is designed to operate in a more dynamic way than traditional APIs, where manual oversight in setting up data feeds is more the norm. For agentic AI to truly benefit from the advantages of MCP, dynamic discovery of data sources and real-time access will often be required. Unfortunately, in its current form, MCP doesn't have sufficient security capabilities baked in for enterprises to deploy it without taking additional precautions.
