Your AI agent just found a tool on the internet and used it.
Did it verify the source? No.
Did it check the signature? There wasn't one.
Did it confirm the data wasn't tampered? It can't.
This is the state of the agent internet in 2026. AI agents are discovering tools, invoking APIs, making payments, and querying institutional financial data -- all without any mechanism to verify that what they found is legitimate.
We decided to measure the problem. Then we built the fix.
We Indexed 1,906 MCP Servers
The Model Context Protocol has 57 million weekly SDK downloads. Stripe, PayPal, FactSet, Moody's, GitHub, Coinbase, Adyen -- all have MCP servers. AI agents are already using them.
We crawled the entire MCP ecosystem from awesome-mcp-servers and indexed every source we could find.
The results:
| Metric | Count |
|---|---|
| Total sources indexed | 1,906 |
| Cryptographically signed | 11 |
| Unsigned | 1,895 |
| Percentage with any trust verification | 0.6% |
99.4% of the MCP ecosystem has no cryptographic identity, no message signing, and no way for a consuming agent to verify that a response is genuine.
An agent searching for "payment processing tool" today has no way to distinguish between Stripe's official MCP server and a malicious impersonator. Both return JSON. Neither is signed.
What AgenticSearch Does Differently
AgenticSearch is not a traditional search engine. It doesn't index web pages. It doesn't rank by links. It indexes capabilities -- what agents can do, not what humans can read -- and ranks by cryptographic trust.
Trust Scoring (not PageRank)
Every indexed source receives a composite trust score based on:
- Cryptographic identity -- does the source have a verifiable identity?
- Message signing -- does it sign responses with ECDSA?
- Historical reliability -- uptime, response consistency, error rates
- Compliance status -- SOC 2, PCI DSS, ISO 27001, OWASP
- Community attestation -- trust signals from other verified agents
Sources without cryptographic identity score L0. Sources with verified identity and signed responses can reach L4. There is no way to game this -- you can't fake a cryptographic signature.
Dual-Signed Results
Every search result carries two signatures:
- Source signature -- the originating server's cryptographic signature (if it signs responses)
- Search engine signature -- our ECDSA P-256 attestation that we verified the source and faithfully transmitted the result
Consuming agents can verify results through either signature. Full zero-trust -- you don't even have to trust us.
Capability Indexing
Traditional search indexes text. AgenticSearch indexes capabilities:
{
"name": "Stripe MCP Server",
"trustLevel": "L4",
"trustScore": 0.95,
"capabilities": ["create_payment", "list_customers", "create_invoice"],
"protocol": "mcp",
"compliance": ["PCI DSS", "SOC 2"],
"signed": true,
"verified": true
}
An agent doesn't need to read a web page and figure out what an API does. It searches for a capability ("payment processing, PCI compliant, trust L3+") and gets structured, actionable, signed results.
The Clean Index
Google indexes everything -- including phishing sites, malware distributors, and SEO spam. They detect and filter after the fact.
AgenticSearch only indexes sources that meet minimum verification criteria. Unsigned sources are flagged. Unverified sources are marked. Blocked sources are excluded entirely.
The result: a search engine where every result is a source you can actually trust. No spam. No phishing. No SEO gaming. The ranking algorithm doesn't care about your meta tags -- it cares about your cryptographic signature.
The Agent Search API
Any MCP-capable agent can search through standard tool calls:
curl -X POST https://agentsearch.cybersecai.co.uk/api/search \
-H "Content-Type: application/json" \
-d '{
"query": "payment processing PCI compliant",
"minTrust": 0.8,
"protocol": "mcp",
"maxResults": 5
}'
Response:
{
"results": [
{
"name": "Stripe MCP Server",
"trustScore": 0.95,
"trustLevel": "L4",
"signed": true,
"verified": true,
"capabilities": ["create_payment", "list_customers"],
"compliance": ["PCI DSS", "SOC 2"],
"resultSignature": "<ECDSA P-256>"
}
],
"searchTime": "3ms",
"signature": "<search engine attestation>"
}
The search engine itself is exposed as an MCP server at /mcp/tools/list -- so agents can discover AgenticSearch the same way they discover everything else.
Why This Matters Now
The agent ecosystem is at the same inflection point the human web was in 1998. Millions of resources, no trust infrastructure. Google solved discovery for humans with PageRank. Agent discovery needs something fundamentally different because agents don't have judgement -- they act on whatever they receive.
When a human gets a dodgy search result, they might notice the URL looks wrong. When an agent gets a dodgy search result, it executes the tool and sends the payment.
The stakes are higher. The trust bar needs to be higher too.
What we found in the data
After indexing 1,906 sources:
- Zero use per-message cryptographic signing
- Zero provide independently verifiable response integrity
- Zero carry trust scores or compliance attestation
- The entire ecosystem relies on transport-layer security (TLS) and nothing else
- An agent connecting to any MCP server today is trusting the network, not the source
This is not a theoretical risk. We filed 6 CVEs against the MCP ecosystem this week -- including both official Anthropic SDKs (TypeScript and Python, 57M combined weekly downloads) -- for unbounded resource allocation vulnerabilities that exist precisely because there's no message-level validation.
The Protocol Stack
AgenticSearch doesn't exist in isolation. It's part of a security stack we've built for the agent ecosystem:
-
MCPS -- per-message ECDSA signing for MCP (
npm: mcp-secure) - AgentPass -- graduated trust scoring (L0-L4) with AML sanctions screening
- AgenticWeb -- ephemeral signed websites created by agents on demand
- AgenticSearch -- trust-scored search for agent capability discovery
One cryptographic stack (ECDSA P-256 + SHA-256). Zero dependencies. Every component is open source under BSL 1.1.
Google indexed the human web. This is the agent web.
The agent internet needs what the human internet never had -- a search engine that only shows you what you can trust.
IETF supported. Patent supported.
Try It
- AgenticSearch: agentsearch.cybersecai.co.uk
- AgenticWeb: agenticweb.fly.dev
- MCPS Playground: playground.cybersecai.co.uk
-
npm:
mcp-secure(signing),model-secure(model files),stripe-mcps(Stripe + trust),agentsign(identity) - IETF: draft-sharif-agent-payment-trust
- Paper: doi.org/10.5281/zenodo.19409366
- OWASP: MCP Security Cheat Sheet
-
API:
POST /api/searchorGET /api/search?q=payment
1,906 sources indexed. 11 signed. The rest are flying blind.
Not ranked by links. Ranked by trust.
Raza Sharif, CEO, CyberSecAI Ltd
London, UK
contact@agentsign.dev | cybersecai.co.uk
Top comments (0)