DEV Community

razashariff

MCP Is Dead. Long Live MCPS.

The Problem Nobody Wants to Talk About

MCP (Model Context Protocol) is now the standard for connecting AI agents to tools. It has been adopted by Anthropic, OpenAI, Google, Microsoft, and AWS, and every major framework supports it.

But MCP was built for functionality, not security.

The numbers speak for themselves:

  • 30 CVEs filed in 60 days
  • 38% of MCP servers have zero authentication (TapAuth scan of 518 servers)
  • 33% have critical vulnerabilities (Enkrypt AI scan of 1,000+ servers)
  • Messages travel unsigned between agent and server
  • No replay protection -- captured requests can be re-sent
  • Tool definitions can silently change after approval
  • Agents have no verifiable identity

"But We Have TLS"

TLS terminates at every hop. Corporate proxies from Zscaler, Palo Alto, and Fortinet routinely decrypt, inspect, and re-encrypt traffic. After termination, your messages are plaintext.

TLS protects the pipe. It doesn't protect the message.

"But We Have OAuth"

OAuth proves who you are. It doesn't protect what you send.

A valid OAuth token with a modified message body? Accepted without question. No message signing. No payload integrity.

OAuth is authentication. MCP needs message-level security.

The HTTP vs HTTPS Moment

This is the same pattern we've seen before:

  • HTTP -> HTTPS
  • Telnet -> SSH
  • FTP -> SFTP
  • WS -> WSS

MCP -> MCPS

The S stands for Secure.

What MCPS Adds

MCPS (IETF Internet-Draft: draft-sharif-mcps-secure-mcp) adds four capabilities that MCP is missing:

1. Message Signing
Every JSON-RPC message is signed. If anything is modified in transit -- by proxies, middleware, or compromised dependencies -- it's detected and rejected.

2. Replay Protection
Every request gets a unique nonce, so a captured message cannot be re-sent. Nonces are tracked centrally and expire automatically.

3. Tool Integrity
Tool definitions are fingerprinted at discovery. If a server silently changes a tool after approval (rug pull), the call is blocked before execution.

4. Agent Identity
Every agent gets a verifiable passport with trust levels L0-L4. Servers set minimum trust requirements. No more anonymous tool calls.
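As an added illustration (not the draft's wire format, which this post does not show), here is how the first three capabilities fit together: a nonce and timestamp are bound into a signature over the canonical JSON-RPC body, the verifier rejects tampered, stale or replayed messages and expires old nonces, and a tool definition is fingerprinted at discovery so a silent change is caught before the call runs. The shared HMAC secret, field names and sample messages are constructed assumptions; a real deployment would use per-agent asymmetric keys so the signature also carries agent identity.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the demo; the draft's real key management is not on the page.
KEY = b"demo-shared-secret"

def canonical(obj):
    """Canonical JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(msg, key=KEY):
    """Add a fresh nonce and timestamp, then an HMAC over the whole canonical body."""
    body = dict(msg, nonce=secrets.token_hex(16), ts=int(time.time()))
    return dict(body, sig=hmac.new(key, canonical(body), hashlib.sha256).hexdigest())

class Verifier:
    """Checks the signature, then rejects stale timestamps and replayed nonces."""
    def __init__(self, key=KEY, ttl=300):
        self.key, self.ttl, self.seen = key, ttl, {}  # seen: nonce -> timestamp

    def verify(self, signed, now=None):
        now = time.time() if now is None else now
        body = {k: v for k, v in signed.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("sig", "")):
            return "rejected: bad signature"
        if abs(now - body["ts"]) > self.ttl:
            return "rejected: stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.ttl}  # expire
        if body["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[body["nonce"]] = body["ts"]
        return "ok"

def tool_fingerprint(tool):
    """Hash the tool definition at discovery; recompute before each call to catch a rug pull."""
    return hashlib.sha256(canonical(tool)).hexdigest()

# Constructed sample JSON-RPC tool call and tool definition.
CALL = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
        "params": {"name": "read_file", "arguments": {"path": "notes.txt"}}}
TOOL = {"name": "read_file", "description": "Read a text file",
        "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}}

if __name__ == "__main__":
    v, s = Verifier(), sign(CALL)
    print(v.verify(s), "/", v.verify(s), "/", tool_fingerprint(TOOL) != tool_fingerprint(dict(TOOL, description="changed")))
```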

MCPSaaS: One URL Change

We built MCPSaaS -- a managed proxy that adds MCPS security to any MCP server with zero code changes.

// Before (no security)
endpoint: "https://your-mcp-server.com/mcp"

// After (signed, verified, audited)
endpoint: "https://mcpsaas.co.uk/proxy?target=https://your-mcp-server.com/mcp"

That's it. Your MCP server doesn't even know we exist.

What you get:

  • Every message signed and verified
  • Replay attacks blocked
  • Tool definition mutations detected
  • Agent identity verification
  • Full audit trail (JSON + RFC 5424 syslog)
  • Heuristic threat detection (SQL injection, command injection, prompt injection, path traversal)
  • Dashboard with real-time monitoring

Standards-Backed

This isn't a weekend project. MCPS is backed by:

The Bottom Line

MCP got agents talking. MCPS keeps them safe.

If you're running AI agents in production -- Cursor, Gemini CLI, Claude, LangChain, CrewAI, AutoGen -- your tool calls are travelling unsigned, unverified, and unaudited.

One URL change fixes that.

mcpsaas.co.uk


Previously: We submitted MCPS to the IETF