8,000 Exposed MCP Servers — Why Audit Logs Aren't Enough

Security researchers just disclosed: over 8,000 MCP servers are exposed on public networks without authentication. Exposed to anyone who knows where to look.

MCP servers are the bridge between AI agents and external tools — they give agents access to APIs, databases, file systems, and custom business logic. An exposed MCP server is a direct line from an AI agent to your infrastructure.

The immediate response is correct: implement authentication, RBAC, rate limiting. Close the exposure.

But that's only half the security problem.

The Gap That Remains Even With Auth

Authentication and RBAC prevent unauthorized access to MCP servers. An attacker without credentials can't reach them.

But what about an authorized user's agent?

A legitimate agent logs into an MCP server using valid credentials. The agent is authorized. The session is authenticated. Everything looks correct.

Then the agent's behavior changes.

Maybe:

• A prompt injection attack redirected it mid-session
• The agent encountered unexpected content and deviated from its intended task
• A man-in-the-middle modified the MCP server's responses
• The agent was compromised by malicious content on a web page it was visiting

In any of these scenarios, your audit log will show:

• Session authenticated ✅
• Actions authorized ✅
• Requests valid ✅
• Session completed successfully ✅

All true. All useless for detecting compromise.

The log shows what the agent claimed to do. It doesn't show what the agent actually saw. It doesn't show whether the MCP server's responses were legitimate or hijacked. It doesn't show whether the agent encountered malicious content that redirected its behavior.

Text audit logs are designed to show intent. They miss reality.

Why This Matters for MCP Security

Model Context Protocol is designed for high-autonomy interactions. An agent connects to an MCP server, accesses tools and resources, and executes actions with minimal human oversight. That's the value proposition.

It's also the risk.

If an agent is compromised — prompt injection, hijacked browser session, man-in-the-middle attack on the MCP connection — the agent will use its legitimate credentials to execute unintended actions. The text audit log will record those actions as authorized and successful.

You won't know you were attacked until the damage surfaces.

Visual Session Replay: The Evidence Layer

Frame-by-frame video replay of an agent's MCP session shows what actually happened:

• You see the MCP server's actual responses — whether they were legitimate or injected
• You see the agent's decision-making context — what the agent encountered before acting
• You see unexpected behavior immediately — deviation from the expected path is visually obvious
• You have forensic evidence — for post-incident investigation, compliance review, or audit follow-up

When your compliance team asks "was that session compromised?", a video replay gives you an answer. A text log gives you a guess.

Implementing Visual Audit Trails for MCP Sessions

Add visual capture at the MCP client level. Record the agent's session state before and after each MCP server interaction:

import mcp.client
import pagebolt

class AuditedMCPClient(mcp.client.MCPClient):
    def __init__(self, server_uri, audit_enabled=True):
        super().__init__(server_uri)
        self.audit_enabled = audit_enabled
        self.session_id = generate_session_id()

    def call_tool(self, tool_name, arguments):
        """Execute tool and capture visual proof."""

        # Capture state before action
        if self.audit_enabled:
            before = pagebolt.capture_state(
                session_id=self.session_id,
                context="before_action",
                tool_name=tool_name,
                arguments=arguments
            )

        # Execute the tool
        result = super().call_tool(tool_name, arguments)

        # Capture state after action
        if self.audit_enabled:
            after = pagebolt.capture_state(
                session_id=self.session_id,
                context="after_action",
                tool_name=tool_name,
                result=result
            )

        return result, (before, after) if self.audit_enabled else None

Every MCP call is now backed by visual evidence of pre- and post-state. If an agent's behavior deviates, the video shows exactly where and why.

The Timeline for Enforcement

Enterprises are already asking for this. The CISO asks the agent platform team: "If an agent is compromised, how do you prove what happened?"

The answer from most agent frameworks right now: "We have text audit logs."

That answer is increasingly insufficient for:

• Financial services (regulatory audit trails required)
• Healthcare (HIPAA compliance)
• Government/defense (audit evidence mandated)
• Any high-stakes automation

Within 6 months, the expectation will be: visual session replay is part of the baseline security posture for autonomous agents.

MCP servers are the infrastructure layer. Securing the infrastructure (auth, RBAC, firewalls) is table stakes. Proving agent behavior when things go wrong (visual replay) is the next table.

Getting Started

1. Identify which MCP servers handle sensitive operations
2. Add visual capture to the agent's MCP client
3. Store session videos with metadata (agent ID, MCP server, timestamp, outcome)
4. Test with a compromised agent — verify the video shows the deviation

8,000 exposed servers is a wake-up call. The real work is detecting compromise when it happens, and that requires seeing what the agent actually encountered and did.

Text logs alone aren't enough. You need the video.

[Get started at pagebolt.dev — free tier, 100 captures/month, no credit card.]

---

MCP (Model Context Protocol) is an open standard maintained by Anthropic.