Blog posts
The protocol that became a default integration layer. Here's what enterprises need to know to secure themselves.
The protocol that quietly became the default integration layer for enterprise AI agents also created an attack surface most security teams aren't equipped to see. Here's what you need to know — with real CVEs, confirmed incidents, and controls that actually work.
In November 2024, Anthropic published a technical specification called the Model Context Protocol. Most enterprise security teams didn't notice. By March 2026, MCP had 97 million monthly SDK downloads, was supported by every major AI provider — OpenAI, Google, Microsoft, AWS — and had become the default architecture for connecting AI agents to enterprise systems. The Vulnerable MCP Project, run by researchers from SentinelOne, Snyk, Trail of Bits, and CyberArk, now tracks 50 known vulnerabilities across the ecosystem. Thirteen of them are classified critical.
If your organization is deploying AI agents — and statistically, it is — you are almost certainly running MCP. This article explains what it is, what attack surface it creates, what real-world incidents have already happened, and what controls actually close the gaps.
Before MCP, connecting an AI agent to enterprise tools was a bespoke engineering problem. Every integration required custom API code. Connecting an agent to Salesforce, Slack, GitHub, and a PostgreSQL database meant building and maintaining four separate integrations — and rebuilding them every time a provider changed their API. The technical term for this is the N×M problem: N agents multiplied by M tools equals an unmanageable number of custom connections.
MCP solves this by standardizing the interface. An MCP server exposes any tool, database, or service through a uniform protocol. Any MCP-compatible AI agent can connect to any MCP server without custom integration code. The math shifts from multiplicative to additive.
MCP defines three types of primitives: Tools (executable functions — read a file, send an email, run a query), Resources (data the agent can read), and Prompts (templated instructions the server can inject into the agent's context). Each primitive creates a different attack surface.
MCP was introduced by Anthropic in November 2024 and donated to the Linux Foundation's Agentic AI Foundation in December 2025. As of March 2026, it is supported by every major AI provider and has 5,800+ published servers with 97 million monthly SDK downloads.
Eighteen months from initial release to 97 million monthly downloads. Security frameworks, by contrast, move on a timescale measured in years. That gap between how fast MCP was adopted and how slowly security controls developed is precisely where the current incident wave is coming from.
"Adoption outpaced hardening. The CVEs and disclosures stacking up in public databases reflect that gap, and the defense market is still sorting itself into camps."
— PipeLab: State of MCP Security 2026, April 2026These are confirmed or researcher-demonstrated attacks on production-realistic configurations. They happened because security architectures were not designed for agentic AI.
An attacker embeds malicious instructions inside content the agent processes — a support ticket, a GitHub Issue, a document. When the agent retrieves this via MCP, it executes the embedded instructions against real systems. The critical difference from chatbot jailbreaking: agents take actions, not just produce text.
Real incidents: GitHub MCP · Supabase Cursor (2025)A malicious or compromised MCP server presents as legitimate but returns manipulated responses designed to alter agent behavior or exfiltrate data. Real-world benchmarks report tool poisoning success rates exceeding 60% against major LLM agents — 72% against some models.
Source: MCPTox / arXiv benchmarks, 2026The Supabase research scenario was possible because the agent had full service-role database access — bypassing all Row-Level Security — for a task requiring only read access to support ticket text. AI-related access configurations with excess permissions jumped from 12% to 39% of deployments between 2024 and 2026.
Source: Microsoft 2026 Data Security IndexAPI keys and service tokens stored as plaintext in MCP server config files. Tool poisoning attacks can force clients to read and return these files. Local servers executing OS commands can further escalate by reading SSH keys and cloud provider credentials from the host environment.
Datadog audit: 12,000+ credentials exposed (2026)Malicious content injected into an agent's context across multiple interactions gradually shifts its behavior — with no single interaction looking suspicious. Corrupts long-term memory or RAG knowledge bases incrementally, persisting across sessions and evading single-event monitoring.
Source: TrueFoundry MCP Security Research, 2026CVE-2025-49596 (CVSS 9.4) exploits a missing authentication layer between the MCP Inspector client and its proxy. The attack is browser-based: a malicious website uses DNS rebinding to connect to the Inspector running on localhost and execute arbitrary OS commands. No direct network exposure required — a developer simply visiting a malicious site while running Inspector is enough. Patched in v0.14.1; the broader OX Security research identified ~200,000 vulnerable instances across the MCP ecosystem.
CVE-2025-49596 · CVSS 9.4 · OX Security, 2026Standard enterprise security — SIEM, WAF, DLP, endpoint detection — was designed for a world where humans initiate actions and systems execute them. MCP creates a different model: an AI agent autonomously initiates tool calls, processes responses, and takes subsequent actions with no human in the loop for individual decisions.
| Control | Attack Vector Addressed | Implementation Note | Effectiveness |
|---|---|---|---|
| MCP Gateway with I/O Inspection | Prompt injection, tool poisoning | Proxy all agent-to-server traffic through an inspection layer evaluating both tool call inputs and server responses before the agent acts | High |
| Least Privilege Agent Permissions | Privilege escalation, excessive access | Scope each agent's MCP tool access to the minimum required. Service-role access for a read-only task is a configuration error. | High |
| MCP Server Verification and Pinning | Tool poisoning, supply chain attacks | Hash-pin MCP server versions. Verify server identity before connection. Alert on unexpected version changes. | High |
| Secrets Management Integration | Credential exposure in config files | No plaintext credentials in MCP server config. Use a secrets manager (Vault, AWS Secrets Manager) and inject credentials at runtime. | High |
| Agent Activity Audit Logging | All vectors — detection and forensics | Log every tool call, every resource access, every prompt received. Structured logs with session IDs allowing full decision-chain reconstruction. | Medium (detection) |
| Network Auth on All MCP Instances | Unauthenticated inspector exposure | Every MCP instance — including dev tools — requires authentication. CVE-2025-49596 exploited a missing auth layer via browser-based DNS rebinding, not direct network access. Bind proxy servers to 127.0.0.1 only and upgrade to Inspector v0.14.1+. | High |
The most common objection to adding an inspection layer between agents and MCP servers is latency. If inspection adds 500ms to every tool call, agentic workflows become unusable. Effective MCP security requires sub-100ms enforcement — achievable with purpose-built Small Language Models running locally on CPU, rather than routing traffic through external cloud inspection services.
MCP is not going away. Neither is the attack surface it creates. Three actions that materially reduce your MCP risk exposure immediately:
1. Inventory every MCP server your agents connect to. You cannot secure what you cannot see. Complete list, who deployed each server, what permissions it runs with, and whether any instance is running without authentication.
2. Audit agent permission scopes against least privilege. If any agent has write access or service-role credentials for a task that only requires reading data — that misconfiguration needs immediate correction.
3. Establish an inspection point between agents and MCP servers. This is the control that would have prevented every attack in this article. It has to exist.
88% of organizations reported confirmed or suspected AI agent security incidents in the past year (Gravitee, survey of 900+ executives and practitioners). In healthcare, that number is 92.7%. These are not organizations that ignored security. They are organizations whose existing architectures were not designed for the layer where MCP attacks occur.
Sub-100ms inspection of every MCP tool call and server response — on-premise, CPU-only, zero data leaves your network.
Request a Demo →Polygraf AI's Behavioral Control Plane intercepts and controls every AI interaction inline — enforcing organizational policy on input and output, across user-facing and agentic AI, with zero data leaving your environment. Runs on existing infrastructure at sub-100ms latency. No GPU required.
Read the latest breakdown on Cybersecurity Insiders by Yagub Rahimov, Founder and CEO of Polygraf AI, on how AI meeting assistants are embedding themselves into enterprise workflows, silently capturing and
SAN FRANCISCO–(BUSINESS WIRE)–Polygraf AI, the company redefining AI security for critical operations, today announced a major milestone in its mission to secure the enterprise AI frontier. During the RSA Conference
At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.
© 2026 Polygraf AI. All rights reserved.
Our Solutions 
Regulations Your download will start now.
Please provide information below and we will send you a link to download the white paper.
Data Privacy 
Data Provenance 
Content Generation