A Defense-in-Depth Playbook for the Model Context Protocol (MCP)
The Shift We Need to Be Talking About
MCP gives AI agents hands.
Those hands can read files, execute commands, call APIs, and move data across systems.
Right now, most teams are connecting those hands directly to production environments with minimal controls.
That is not an AI problem. That is a security architecture problem.
Abstract
The Model Context Protocol (MCP) has emerged as a standard for connecting AI agents to external tools across platforms such as Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), and Microsoft (Copilot).
Recent ecosystem scans indicate that a large proportion of MCP servers contain security vulnerabilities, including command injection risks, authentication weaknesses, and excessive system access. Real-world supply chain attacks have already been observed.
This paper evaluates the MCP ecosystem against established research (Li & Gao, 2025) and proposes a defense-in-depth model spanning pre-deployment scanning, runtime enforcement, continuous monitoring, and ecosystem governance.
1. Introduction
MCP servers sit between trusted AI agents and highly privileged systems.
They have access to:
- credentials
- cloud tokens
- local filesystems
- APIs and internal services
A compromised MCP server can:
- execute arbitrary commands
- exfiltrate sensitive data
- manipulate AI behavior
This expands the attack surface beyond traditional application boundaries.
The current MCP specification emphasizes recommended (SHOULD) security practices rather than enforceable (MUST) controls. This creates a gap between specification intent and implementation reality.
That gap is where attackers operate.
2. Ecosystem Risk: What the Data Shows
Security weaknesses in the MCP ecosystem are no longer hypothetical. Both independent research and internal analysis point to a consistent pattern of systemic risk.
Public research has already identified critical vulnerability classes across MCP servers. For example, studies report that up to 43% of servers contain command injection vulnerabilities, while approximately 30–33% allow unrestricted network access, enabling potential data exfiltration and remote execution pathways (Docker, 2025; Ultra Security, 2025).
In addition, risks such as unintended file access, path traversal, and weak authentication controls are widely documented across MCP implementations (DataDome, 2025).
Building on these findings, our internal scan of 1,808 publicly available MCP servers (early 2026) indicates that the problem is broader than previously reported:
- 66% of servers had at least one security finding
- 43% exhibited command injection risks
- 33% allowed unrestricted network access
- 22% exposed unintended file system access
The convergence between independent studies and internal findings suggests that these issues are not isolated misconfigurations, but structural weaknesses in how MCP servers are designed, deployed, and trusted.
3. The Core Problem
The industry is solving for access. The problem that follows is control.
AI can now query databases, call tools, and automate workflows. Without guardrails, that capability simply means faster access to incorrect, unsafe, or exploitable outcomes.
4. Defense-in-Depth for MCP (The Missing Model)
Security for MCP cannot rely on a single layer.
It must be designed as a system.
Layer 1: Pre-Deployment Scanning
- Static analysis of MCP servers
- Detect injection, auth issues, supply chain risks
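As an added illustration of what Layer 1 looks like in practice (example code written for this article, not the mcp-audit tool or any project's code), the following Python script parses an MCP server's source with the standard ast module and reports calls that hand a non-literal string to a shell or interpreter. The sample server it scans, including its FastMCP tool handlers, is constructed for the example.

```python
"""Layer 1 static check: find command-injection sinks in a Python MCP server.
Added example for this article, not code from the mcp-audit project;
the sample server below is constructed and not from any real package."""
import ast
from dataclasses import dataclass

# Constructed sample of the kind of tool handler found in a naive MCP server.
SAMPLE_SERVER = '''
import os, subprocess
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("demo")

@mcp.tool()
def ping(host: str) -> str:
    return subprocess.run(f"ping -c 1 {host}", shell=True, capture_output=True, text=True).stdout

@mcp.tool()
def disk_usage(path: str) -> str:
    return os.popen("du -sh " + path).read()

@mcp.tool()
def safe_ping(host: str) -> str:
    return subprocess.run(["ping", "-c", "1", host], capture_output=True, text=True).stdout
'''


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


# Sinks that always pass their first argument through a shell.
SHELL_SINKS = {"os.system", "os.popen", "subprocess.getoutput", "subprocess.getstatusoutput"}
# Sinks that only become shell sinks when called with shell=True.
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output"}
INTERPRETER_SINKS = {"eval", "exec"}


def _dotted_name(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic(node: ast.AST) -> bool:
    """True unless the expression is a plain string literal; f-strings, concatenation and names may carry tool input."""
    return not (isinstance(node, ast.Constant) and isinstance(node.value, str))


def scan_source(source: str) -> list[Finding]:
    """Walk every call in the module and report shell/interpreter sinks fed a non-literal command."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        first = node.args[0]
        if name in SHELL_SINKS and _is_dynamic(first):
            findings.append(Finding(node.lineno, name, "dynamic string passed to a shell sink"))
        elif name in SUBPROCESS_FUNCS:
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                        for kw in node.keywords)
            if shell and _is_dynamic(first):
                findings.append(Finding(node.lineno, name, "shell=True with a non-literal command"))
        elif name in INTERPRETER_SINKS and _is_dynamic(first):
            findings.append(Finding(node.lineno, name, "dynamic code passed to the interpreter"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SERVER):
        print(f"line {f.line}: {f.sink} -- {f.reason}")
```

The check is deliberately narrow: it flags shell=True, os.system, os.popen, eval and exec only when the first argument is not a string literal, so the subprocess.run call with an argument list passes while the f-string and string-concatenation handlers are reported. A production scanner would additionally trace whether that argument derives from a tool parameter, and would cover the file-access and network categories the scan data above reports.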
Layer 2: Runtime Enforcement
- Sandbox execution
- Capability-based permissions
- Block undeclared actions
Layer 3: Continuous Monitoring
- Track behavior over time
- Detect drift and anomalies
Layer 4: Ecosystem Governance
- Registry controls
- Package signing
- Standardized security scoring
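To make Layers 2 and 3 concrete, here is an added example written for this article (not part of the mcp-audit project or of the MCP specification): a capability manifest in a constructed JSON format, a guard that rejects any tool action the manifest does not declare, and a drift check that flags tools exercising capabilities they never used during a trusted baseline window. The manifest schema, tool names and call sequence are assumptions made for the example.

```python
"""Layers 2 and 3: capability-manifest enforcement plus per-tool drift detection.
Added example for this article; the manifest format, tool names and call
records are constructed assumptions, not an MCP or mcp-audit artefact."""
import fnmatch
import json
import os
from collections import defaultdict
from urllib.parse import urlparse

# Constructed capability manifest: what the server declares it needs, nothing more.
MANIFEST = json.loads("""
{
  "server": "repo-helper",
  "capabilities": {
    "fs.read":     ["/workspace/*"],
    "fs.write":    ["/workspace/out/*"],
    "net.connect": ["api.github.com:443"],
    "exec":        []
  }
}
""")


class CapabilityDenied(PermissionError):
    """Raised when a tool attempts an action the manifest does not declare."""


def _normalise(capability: str, target: str) -> str:
    """Reduce a raw target to the form the manifest patterns are written against."""
    if capability.startswith("fs."):
        # Collapse '..' so '/workspace/../etc/passwd' is matched as '/etc/passwd'.
        # normpath does not resolve symlinks; a deployment would also need realpath.
        return os.path.normpath(os.path.join("/", target))
    if capability == "net.connect":
        u = urlparse(target)
        port = u.port or (443 if u.scheme == "https" else 80)
        return f"{u.hostname}:{port}"
    return target


class CapabilityGuard:
    """Layer 2: allow only declared capabilities; every decision is appended to an audit log."""

    def __init__(self, manifest: dict):
        self.caps = manifest["capabilities"]
        self.audit: list[dict] = []

    def check(self, tool: str, capability: str, target: str) -> bool:
        norm = _normalise(capability, target)
        allowed = any(fnmatch.fnmatch(norm, pat) for pat in self.caps.get(capability, []))
        self.audit.append({"tool": tool, "capability": capability, "target": norm, "allowed": allowed})
        if not allowed:
            raise CapabilityDenied(f"{tool}: {capability} on {norm!r} is not declared in the manifest")
        return True


def baseline(records: list[dict]) -> dict[str, set[str]]:
    """Layer 3: record which capabilities each tool used during a trusted window."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r["allowed"]:
            seen[r["tool"]].add(r["capability"])
    return dict(seen)


def detect_drift(base: dict[str, set[str]], records: list[dict]) -> list[dict]:
    """Flag allowed calls where a tool exercises a capability it never used in the baseline."""
    return [r for r in records if r["allowed"] and r["capability"] not in base.get(r["tool"], set())]


def demo() -> tuple[int, int]:
    """Run a constructed sequence of tool calls; return (denied count, drift count)."""
    guard = CapabilityGuard(MANIFEST)
    calls = [  # (tool, capability, raw target) as a server might attempt them
        ("read_file", "fs.read", "/workspace/README.md"),
        ("fetch_issue", "net.connect", "https://api.github.com/repos/x/y/issues/1"),
        ("read_file", "fs.read", "/workspace/../etc/passwd"),                        # traversal: denied
        ("fetch_issue", "net.connect", "http://169.254.169.254/latest/meta-data/"),  # metadata IP: denied
        ("run_tests", "exec", "pytest"),                                              # exec undeclared: denied
    ]
    denied = 0
    for tool, cap, target in calls:
        try:
            guard.check(tool, cap, target)
        except CapabilityDenied:
            denied += 1
    base = baseline(guard.audit)  # trusted window ends here

    later = [
        ("read_file", "fs.read", "/workspace/src/app.py"),  # same capability as baseline: fine
        ("read_file", "fs.write", "/workspace/out/a.txt"),  # declared, but new behaviour for this tool
    ]
    start = len(guard.audit)
    for tool, cap, target in later:
        guard.check(tool, cap, target)
    return denied, len(detect_drift(base, guard.audit[start:]))


if __name__ == "__main__":
    print("denied=%d drift=%d" % demo())
```

Two details carry the security weight. Targets are normalised before matching, so /workspace/../etc/passwd is compared as /etc/passwd and a URL is reduced to host:port, which is what blocks the traversal and the cloud-metadata request in the demo (normpath alone does not defeat symlinks, so a real deployment would resolve with realpath against the actual filesystem). Second, the manifest is server-wide while the drift baseline is per tool, so a tool that starts writing files is flagged even though writing is declared for the server as a whole.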
Visual Model: MCP Defense Layers
+-------------------------------+
|     Ecosystem Governance      |
|     (Standards, Registry)     |
+-------------------------------+
|     Continuous Monitoring     |
|      (Drift, Telemetry)       |
+-------------------------------+
|      Runtime Enforcement      |
|     (Sandbox, Permissions)    |
+-------------------------------+
|    Pre-Deployment Scanning    |
|       (Static Analysis)       |
+-------------------------------+
5. What Needs to Change
For the Ecosystem
- Move sandboxing from optional to mandatory
- Introduce capability manifests
- Standardize security enforcement
For Product Teams
- Stop treating MCP servers as trusted
- Enforce least privilege
- Track what tools actually do
For Developers
- Ship source, not just bundles
- Declare capabilities clearly
- Avoid implicit permissions
6. Where This Is Going
The MCP layer will become the new control plane for AI systems.
Just like cloud introduced IAM, VPCs, and zero trust,
MCP will require:
- permission systems
- audit trails
- runtime isolation
Teams that treat MCP like plugins will get burned.
Teams that treat MCP like infrastructure will win.
7. Contribution
To address the security and compliance gaps identified in this paper, I developed mcp-audit (https://github.com/michaelterungwamzer-sys/MCP-sec-scanner-cli), an open-source static analysis tool for MCP servers designed with ISO 27001 (2013 Annex A) governance requirements in mind.
The tool provides:
- Vulnerability detection across 12 threat categories derived from recent MCP security research
- Quantitative security scoring to enable risk-based prioritization (ISO 27001 A.8.2 - Information Classification)
- Auditable findings with evidence trails for compliance demonstration (ISO 27001 A.12.4 - Logging and Monitoring)
- CI/CD integration for continuous security assurance (ISO 27001 A.14.2 - Security in Development)
When paired with Notion MCP, the tool extends into a full governance system: asset inventory (A.8.1), scan history as audit logs (A.12.4), and automated recurring assessments (A.18.2).
This is step one.
The goal is larger:
Make MCP security a default, not an afterthought.
8. Final Thought
The bottleneck is no longer access to data or tools. The bottleneck is trust.
If MCP is the interface layer for AI systems, then security at that layer determines everything.
References
Anthropic. (2025). Claude Code sandboxing. https://www.anthropic.com/engineering/claude-code-sandboxing
Cloud Security Alliance. (2025). MCP security resource center. https://modelcontextprotocol-security.io
DataDome. (2025). MCP security and agent trust management.
Docker. (2025). MCP security issues threatening AI infrastructure.
Li, X., & Gao, Y. (2025). Security analysis of the MCP ecosystem. arXiv.
Linux Foundation. (2025). Formation of the Agentic AI Foundation. https://www.linuxfoundation.org
Ultra Security. (2025). Command injection in MCP servers.