MCP: securing the backbone of Agentic AI

The model context protocol (MCP) was only introduced at the end of 2024, but the technological consequences are already clearly noticeable in many architectures. MCP provides a standardized “language” for LLM agents so that developers do not have to laboriously program every interface by hand. This allows them to flexibly compile and use tools, databases and SaaS services like building blocks.

One example of the use of MCP in cyber security is the automatic analysis of security incidents, where an AI agent checks suspicious IP addresses in a system, evaluates log data and, if necessary, isolates an affected device via another interface — all through the coordinated use of multiple security tools via MCP.

I remember 2015, when a typo by a colleague in the Python playbook for a firewall API interface led to half the company network being paralyzed. That was annoying, but at least it was deterministic and traceable. MCP, on the other hand, follows a probabilistic logic: an agent evaluates context, makes a probability decision and executes it. If you leave this to an agent with far-reaching rights, damage can occur in milliseconds that makes the system failure caused by a typo seem trivial. For this reason, MCP security is not just an IT issue, but relevant across the entire company.

From a clear trail to digital fog

With classic REST APIs, security is tangible: every call, every authentication and every input/output pair ends up in the audit log, so that processes can be deterministically traced. MCP-based agents, on the other hand, only present the end result; why, on whose prompt or with which tool chain they got there remains hidden. This blind spot between intention and execution undermines any reliable threat model.

Truly secure agentic workflows require telemetry, prompt history, context injections, tool selection and agent memory linked in real time. Without this deep insight, we are merely chasing the shadow of an autonomous decision engine. The question is not whether we need to create this visibility, but how quickly. Only then will MCP turn from a risk into a controllable advantage.
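What "linked in real time" means in practice is that every component in the agent pipeline emits an event carrying a shared trace id, so a tool execution can be joined back to the prompt that caused it, the context that was injected, and the tool the model selected. The following is an added example (mine, not code from the article or from any MCP implementation) that reconstructs that chain from constructed telemetry and flags executions that cannot be explained. Event kinds, field names and the sample events are assumptions.

```python
"""Added example: rebuild the decision chain behind an agent's tool call from
linked telemetry events, and find executions that have no traceable origin.

Assumed (not from the article): each pipeline component emits a JSON event
with a shared `trace_id` and a `seq` ordering; event kinds and fields are
constructed for illustration.
"""
import json

# Constructed sample telemetry. Trace t-1 is fully explained; trace t-2 shows
# a tool execution with no recorded prompt or tool selection, i.e. the "fog".
SAMPLE_EVENTS = [
    {"trace_id": "t-1", "seq": 1, "kind": "prompt", "actor": "alice",
     "text": "Check 203.0.113.7 in the SIEM"},
    {"trace_id": "t-1", "seq": 2, "kind": "context_injection",
     "source": "ticket-4711", "chars": 812},
    {"trace_id": "t-1", "seq": 3, "kind": "tool_selection",
     "tool": "siem.search", "args": {"ip": "203.0.113.7"}},
    {"trace_id": "t-1", "seq": 4, "kind": "tool_execution",
     "tool": "siem.search", "status": "ok"},
    {"trace_id": "t-2", "seq": 1, "kind": "tool_execution",
     "tool": "edr.isolate_host", "status": "ok"},
]

# Steps that must be present before an execution counts as explainable.
REQUIRED_STEPS = ("prompt", "tool_selection", "tool_execution")


def group_by_trace(events):
    """Return {trace_id: [events sorted by seq]}."""
    traces = {}
    for ev in events:
        traces.setdefault(ev["trace_id"], []).append(ev)
    for evs in traces.values():
        evs.sort(key=lambda e: e["seq"])
    return traces


def explain_execution(events, trace_id):
    """Rebuild who asked for what, which context was injected and which tools
    ran. `complete` is False when any required step is missing from the trace."""
    evs = group_by_trace(events).get(trace_id, [])
    kinds = {e["kind"] for e in evs}
    missing = [k for k in REQUIRED_STEPS if k not in kinds]
    return {
        "trace_id": trace_id,
        "actor": next((e["actor"] for e in evs if e["kind"] == "prompt"), None),
        "prompt": next((e["text"] for e in evs if e["kind"] == "prompt"), None),
        "injected_context": [e["source"] for e in evs if e["kind"] == "context_injection"],
        "tools_run": [e["tool"] for e in evs if e["kind"] == "tool_execution"],
        "missing_steps": missing,
        "complete": not missing,
    }


def find_untraceable_executions(events):
    """Trace ids whose tool executions cannot be tied back to a prompt and a
    recorded tool selection: the actions a reviewer cannot explain."""
    return sorted(
        tid for tid, evs in group_by_trace(events).items()
        if any(e["kind"] == "tool_execution" for e in evs)
        and not explain_execution(events, tid)["complete"]
    )


if __name__ == "__main__":
    print(json.dumps(explain_execution(SAMPLE_EVENTS, "t-1"), indent=2))
    print("untraceable:", find_untraceable_executions(SAMPLE_EVENTS))
```

The useful output is the second one: a list of tool executions with no recorded prompt or selection step is exactly the blind spot between intention and execution, and a monitoring pipeline can alert on it as soon as the execution event arrives rather than during a later investigation.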

CISOs must become aware of the threat situation, as current incidents show how diverse the attack surfaces of MCP are: in the “Toxic Agent Flow”, a prepared GitHub issue was enough to get an agent to copy confidential code from private repositories to public ones via indirect prompt injection, completely undetected.

At the same time, researchers found hundreds of freely accessible MCP servers that allowed arbitrary shell commands; a single network connection was enough to take over production systems and hijack agent identities. There are also supply chain risks: typosquatted or subsequently manipulated MCP packages secretly connect agents to hostile infrastructure, opening the door to data leakage or remote control. Even seemingly harmless prompt or tool libraries have already been modified in such a way that agents leak credentials or delete data. In short, the attack no longer just manipulates the LLM agent, but the entire ecosystem.

Four cornerstones for securing MCP servers

CISOs can largely rely on the proven basic principles of cyber security for MCP; they just need to adapt them in a few places. Pure checklists fall short here. Instead, a clear, principles-based approach is required. Four central pillars have proven themselves in practice:

  1. Strong authentication and clean credential management. Static tokens and unregulated session management open the door to attackers. Short-lived, rotating credentials and multi-factor authentication (MFA) should therefore be used. Continuous monitoring of token usage and the automated blocking of compromised keys limit the damage if a token is stolen. Once it has been clarified who has access, it must be defined what this access is allowed to do.
  2. Robust input controls and protection against prompt injection. Prompt injection is a real, often successfully used method of attack. Every input should therefore be strictly validated and sanitized. Allow/deny lists and the monitoring of conspicuous prompt patterns are valuable here. In some environments, requests are routed through a GenAI firewall/proxy to filter out known attacks before they reach the MCP server. This prevents data leakage and tampering that could lead to customer loss, legal consequences or reputational damage.
  3. Fine-grained authorization and context isolation. Excessively broad authorizations and inadequate client separation significantly increase the potential for damage, and MCP systems have already shown weaknesses here. Before sensitive databases are connected, a robust authorization solution should therefore be implemented: the principle of least privilege, role-based rights and strict isolation of contexts and clients. In this way, an incident remains limited to a single workflow or user instead of affecting the entire company.
  4. Continuous monitoring and building AI expertise. Static controls fall short. Real-time monitoring of all MCP interactions, regular red team tests and training for all specialist departments on the opportunities and risks of MCP-supported AI should be standard practice. Today, an AI-competent workforce — from product management to the supervisory board — forms a fundamental line of defense. The result: faster detection and resolution of incidents and a demonstrably strong security posture, which increasingly serves as a competitive advantage in tenders because robust evidence of AI supply chain security is increasingly required.
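The four pillars fit together in a single enforcement point in front of the MCP server. The following is an added example (mine, not code from the article or from any MCP server or SDK) of such a policy gateway: it mints short-lived, revocable tokens bound to one session (pillar 1), screens the prompt and the tool arguments against deny and allow lists (pillar 2), restricts each role to an explicit set of tools and rejects cross-session use (pillar 3), and writes one audit record per decision (pillar 4). The token format, the role-to-tool mapping, the tool names, the argument schemas and the deny patterns are all assumptions constructed for illustration.

```python
"""Added example: a minimal policy gateway applying the four pillars to one
MCP tool call. Token format, roles, tools, schemas and patterns are assumed."""
import base64, hashlib, hmac, json, re, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # per-server signing key (constructed)
TOKEN_TTL = 300                        # pillar 1: tokens live five minutes
REVOKED = set()                        # pillar 1: blocked token ids (jti)
AUDIT = []                             # pillar 4: one record per decision

# pillar 3: role-based allow list; a tool not listed for a role is denied
ROLE_TOOLS = {
    "analyst":   {"siem.search"},
    "responder": {"siem.search", "edr.isolate_host"},
}
# pillar 2: allow-list schema for each tool's arguments (constructed)
ARG_SCHEMA = {
    "siem.search":      {"ip":   re.compile(r"\d{1,3}(\.\d{1,3}){3}")},
    "edr.isolate_host": {"host": re.compile(r"[a-z0-9-]{1,63}")},
}
# pillar 2: conspicuous prompt patterns that are logged and rejected (constructed)
DENY_PATTERNS = [re.compile(p, re.I) for p in (
    r"ignore (all )?(previous|prior) instructions",
    r"you are now",
    r"system prompt",
)]


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, role, session, now=None):
    """Mint an HMAC-signed, short-lived token bound to one session."""
    now = time.time() if now is None else now
    body = {"jti": secrets.token_hex(8), "sub": subject, "role": role,
            "session": session, "exp": now + TOKEN_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims, or None if signature, expiry or revocation fails."""
    now = time.time() if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except Exception:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now or claims["jti"] in REVOKED:
        return None
    return claims


def revoke(token):
    """Block a token id so it is rejected before it expires (e.g. after theft)."""
    REVOKED.add(json.loads(_unb64(token.split(".")[0]))["jti"])


def _audit(claims, session, tool, decision, reason):
    rec = {"ts": time.time(), "sub": claims["sub"] if claims else None,
           "session": session, "tool": tool, "decision": decision, "reason": reason}
    AUDIT.append(rec)
    return rec


def authorize_call(token, session, tool, args, prompt, now=None):
    """Decide whether one tool call may proceed; returns the audit record."""
    claims = verify_token(token, now)
    if claims is None:
        return _audit(None, session, tool, "deny", "bad_or_expired_token")
    if claims["session"] != session:                     # context isolation
        return _audit(claims, session, tool, "deny", "cross_session_use")
    if tool not in ROLE_TOOLS.get(claims["role"], set()):  # least privilege
        return _audit(claims, session, tool, "deny", "tool_not_allowed_for_role")
    for pat in DENY_PATTERNS:                             # prompt screening
        if pat.search(prompt):
            return _audit(claims, session, tool, "deny", "suspicious_prompt")
    schema = ARG_SCHEMA[tool]                             # argument allow list
    if set(args) != set(schema) or not all(
            schema[k].fullmatch(str(v)) for k, v in args.items()):
        return _audit(claims, session, tool, "deny", "argument_schema_violation")
    return _audit(claims, session, tool, "allow", "policy_passed")


if __name__ == "__main__":
    tok = issue_token("alice", "analyst", "sess-1")
    print(authorize_call(tok, "sess-1", "siem.search", {"ip": "203.0.113.7"},
                         "check this address"))
    print(authorize_call(tok, "sess-1", "edr.isolate_host", {"host": "ws-42"},
                         "isolate it"))
```

Two design points matter more than the individual checks. The token carries the session it was issued for, so a token lifted from one agent context cannot be replayed in another, which is what "context isolation" buys in concrete terms. And every branch, allow or deny, ends in the same audit record with the caller, tool and reason, so the monitoring in pillar 4 sees each decision rather than only the successful calls. The deny patterns are heuristics that catch known phrasings only; they are one layer alongside the argument allow lists and, where present, the GenAI firewall/proxy the text mentions.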

MCP security is essential in the age of AI

The first security incidents surrounding MCP are not an aberration, but a warning for CISOs. If autonomous AI agents soon become an integral part of many business processes, securing MCP will become a touchstone for trust in a company. Executives and C-level management who do not dismiss this as a purely technical problem, but instead proactively invest in securing MCP, will not only protect their company but also pave the way for continuous innovation in the AI age.