Securing the Model Context Protocol (MCP): A Deep Dive into Emerging AI Risks

In 2025, the rise of autonomous agents and developer-integrated copilots has introduced an exciting new interface paradigm: the Model Context Protocol (MCP). Originally proposed by Anthropic, MCP has quickly become the de facto open standard for allowing language models to securely interact with external tools, APIs, databases, and services.

But as enterprise adoption surges, so do the risks - both novel and unanticipated.

In this post, we’ll break down what MCP is, how it works, and the urgent security gaps CISOs, red teams, and platform architects must address.

What Is the Model Context Protocol (MCP)?

MCP is an open, composable protocol that enables large language models (LLMs) to:

• Dynamically invoke external tools
• Fetch contextual information from APIs or knowledge sources
• Operate across disconnected domains without retraining

Instead of hardcoding logic into a model, MCP provides an interface between the model and its runtime environment.

Think of it as the API gateway between a model and the world.

A model doesn’t know how to update a Jira ticket. An MCP server tells it how.

Core Concepts of MCP (Based on Anthropic's Official Specification)

MCP is built around the concept of structured, dynamic interaction between models and external systems. The main components include:

1. MCP Host

The application or agent environment in which the LLM operates. This is where the user interacts with the model, and where tool invocations and responses are surfaced.

In practice, the Host (IDE, web app, copilot tool) embeds the Client, which connects to the Server and invokes Tools using Prompts.

4. MCP Client

A runtime interface—often part of a larger agentic system—that communicates with MCP servers. It manages connections, authentication, and translation between user intent and tool invocation.

Examples include:

• Claude Desktop Agent
• Azure AI Studio workflows
• VSCode AI tool integrations

2. MCP Server

A remote or local service that exposes structured capabilities (called tools), resources, and contextual information via a defined API surface. MCP servers can wrap internal APIs, SaaS products, or custom tools.

Key characteristics:

• Implements the JSON-RPC 2.0 protocol
• Lists its available capabilities and prompts through a discovery endpoint
• Includes metadata such as version, heartbeat timestamp, and status
• Uses authentication methods like API keys, OAuth, or mTLS

2. Tools

Functional units that the model can invoke (e.g., create_ticket, fetch_data). Each tool has:

• A unique name
• Input and output schemas
• Execution endpoint
• Metadata (description, categories, access restrictions)

These tools act as extensions of the model's functionality.

3. Prompts

Predefined, structured prompt templates that assist the model in using specific tools or interacting with certain data contexts. Prompts help standardize high-quality input generation for tools.

How MCP Works

1. Discovery: The model queries a server to retrieve available tools and prompts.
2. Selection: Based on intent and context, the model chooses a tool.
3. Invocation: It sends a JSON-RPC request with input parameters.
4. Execution: The server processes the call and returns results for model use.

Why MCP Matters

By decoupling model logic from tool-specific implementations, MCP unlocks:

• Faster development of AI-driven workflows
• Improved generalization across domains
• Greater contextual relevance for agent outputs

But these benefits come with new risk.

Where the Security Risks Lie

This is way beyond a theoretical discussion—there are already real-world exploits. For example:

• GitHub MCP Leak: A misconfigured server allowed unauthorized access to private vulnerability reports.
• WhatsApp MCP Abuse: A rogue tool exposed message histories via indirect prompt injection.

More examples and technical details are available at vulnerablemcp.info.

As powerful as MCP is, it also introduces new security dimensions:

With LLMs increasingly acting as semi-autonomous decision-makers, these vulnerabilities carry real-world consequences — from data exfiltration to insider threat amplification.

Real-World Use Cases: Where MCP Is Used

Why This Matters to Security Teams

1. Exploding Adoption

Over 13,000 MCP servers launched on GitHub in 2025 alone. Devs are integrating them faster than security teams can catalog them.

2. No Native Guardrails

MCP spec doesn’t enforce audit, sandboxing, or verification. It’s up to the enterprise to manage trust.

3. Attack Surface Expansion

Each server is a potential gateway to SaaS sprawl, misconfigured tools, or credential leaks, data exfiltration routes.

Zenity's approach to securing MCP

At Zenity, we believe securing MCP is essential to securing modern AI workflows.

• Discovery: Automatic inventory of MCPs (cloud & endpoint)

This means remote MCPs in the wild, on your cloud and even local MCPs.

• Risk Assessment: Continuous scanning of MCP config, prompts, and tools

• Policy: Customers can allow/block vetted servers

Allow vetted MCPs to be used across the business while continuing to monitor and assess them to avoid rug pull scenarios.

• Runtime Enforcement: Endpoint agent detects and blocks risky calls

In-line control to analyze and prevent malicious activity

• Automated Remediation: Automated playbooks to stop abuse and notify users
• Observability: Full visibility into agent-to-MCP server interactions

Securing MCP Starts with Awareness

The Model Context Protocol is a major unlock for the future of AI-driven software. But like any powerful abstraction, it introduces complexity and risk.

Security leaders must get ahead of the curve by understanding how MCP works, where vulnerabilities exist, and how to implement controls before incidents happen.

Zenity’s mission is to make that possible—before attackers exploit the gap.

📎 Explore Further:

• Anthropic MCP Spec
• Zenity Platform Overview
• Examples of MCP Exploits