MCP Security: Understanding Risks, Threats, and Best Practices

MCP (Model Context Protocol) is a powerful and popular solution for connecting LLM-based applications and services to other AI models, tools, and data. But it can pose significant security risks. In this article, we explain the security challenges linked to MCP, outline real-world AI threat scenarios, and share best practices to help organizations take advantage of MCP while keeping it from becoming the weakest link in their cybersecurity strategy.

The Cloud Native Experts
September 14, 2025

What is MCP, and why is it popular?

MCP is a standardized framework for connecting large language models (LLMs) to other models, as well as to external tools and data sources. Introduced in November 2024 by engineers at Anthropic, MCP aims to serve as a sort of “USB C” for AI, meaning it can connect virtually any AI model to any relevant resource.

Because of this capability, MCP has become popular as a framework for creating AI agents, meaning software programs that can carry out actions autonomously under the guidance of an AI model. By creating an MCP server (which provides access to software utilities, APIs and/or data sources) that supports an intended use case, developers can build AI agents capable of completing virtually any type of operation in response to a user prompt, from searching or deleting messages in an email account, to creating posts on a social media platform, to restructuring a database, to installing software updates on a server, to name just a handful of MCP use cases.

MCP isn’t the only agentic AI framework in existence. However, it has gained widespread popularity as a result of its focus on providing an agnostic, standards-based interface. Although it was created by Anthropic, it can work with virtually any LLM, tool, or data source, not just those in the Anthropic ecosystem, which is why Gartner is now calling MCP an AI integration standard.

The need for MCP security

While MCP is a powerful and versatile agentic AI framework, it’s also one that, like virtually all technologies in the rapidly evolving realm of agentic AI, may pose significant AI security risks.

Some of these risks are similar to those that can impact any type of application or service. For example, the use of insecure dependencies when creating an MCP server could lead to software supply chain attacks.

But MCP may also be subject to particular kinds of risks and threats that extend beyond those of conventional applications (which we detail later in this article). What’s more, MCP itself lacks rigorous native security controls. The protocol is designed to make it fast and easy to build a wide variety of AI integrations or agents, but it places much less emphasis on security. Thus, anticipating and mitigating the AI security challenges posed by MCP is a task that users must handle on their own.

Indeed, in many ways, the state of MCP security today resembles that of container security about a decade ago, when technologies like Docker and Kubernetes were still new. At the time, these solutions were rapidly growing in popularity, but many developers and businesses struggled to deploy them securely. MCP is in a similar state today as a new technology that offers great promise, but also creates great challenges from a security perspective.

Gartner

“MCP initially does not include native authorization between the MCP client and MCP server, and this is arguably the biggest security gap.”

Gartner: AI Security Trends and Developments

Key MCP security risks

The exact security risks that impact an MCP-based application or service can vary depending on factors such as which model and tools it uses. But in general, most MCP deployments are subject to risks like the following:

No native authorization

Authorization (which makes it possible to control who can do what within an MCP server or service) was introduced only in March 2025. MCP servers created before that time may have no way to distinguish between authorized and non-authorized users, opening the door to attack.

Expanded attack surface

Every MCP server an organization adds widens its exposure to potential security risks.

Prompt injection and tool poisoning

Malicious prompts to LLMs that connect to MCP servers could lead to attacks like data deletion or exposure.

Rogue or malicious servers

MCP servers are easy to deploy, and they can run both locally and on remote hosts. As a result, it can be tough for IT departments to prevent the deployment of “rogue” or “shadow” servers that are not properly secured. Worse, attackers or malicious insiders could plant servers that are designed to cause harm to an organization.

Legacy MCP implementations

MCP continues to evolve rapidly, but developers don’t always update MCP servers to keep up with the latest versions of MCP. This may lead to the operation of legacy servers that lack the latest security enhancements.

Threat scenarios in practice

Those are the main agentic AI security risks that may arise when using MCP. To provide a sense of what these types of issues may mean in practice, let’s look at some common AI security threat scenarios involving MCP.

Malicious servers manipulating LLM behavior

Imagine that an MCP server contains malicious code, either because of insecure components within its supply chain, or because threat actors managed to plant malicious software directly inside the MCP server. Using this code, attackers could cause the server to manipulate the way an LLM operates. For instance, they could potentially instruct an LLM to reveal sensitive data, thereby bypassing the LLM’s security and data privacy controls.

Man-in-the-middle attacks on MCP traffic

Attackers who are able to intercept network traffic flowing between MCP servers and AI models could potentially modify the packets, especially if they are unencrypted. In this way, they could manipulate the API calls or commands that an MCP server executes and cause it to carry out malicious activity, like deleting important data or sending sensitive information to a remote server.

Supply chain attacks via third-party servers

Similar to container images hosted on public registries like Docker Hub, thousands of third-party MCP servers are available for free download. If an organization runs third-party servers, it may expose itself to supply chain attacks, in the event that the servers contain malicious code.

Insider misuse of MCP-enabled access

Malicious insiders could potentially abuse MCP servers by issuing prompts designed to cause them to harm the organization or exfiltrate sensitive data. What’s more, because MCP servers may have permissions that a human user lacks, insiders can, in some scenarios, use MCP as a way of bypassing the access controls that are supposed to restrict what they can do with the organization’s IT resources.

Cross-server chaining and lateral movement

In addition to interacting with LLMs, MCP servers can also interact with each other. This creates the potential for cross-server chaining attacks or lateral movement scenarios in which threat actors compromise one server, then use it as a beachhead for taking control of or abusing other servers connected to it.

Best practices for securing MCP

As with any complex technology, there is no “one simple trick” that can prevent all types of MCP and LLM security risks. But there are a variety of practices organizations can adopt to help mitigate the chances of experiencing a breach due to MCP, including:

  • Choose the right deployment type (local vs. remote): MCP servers can operate locally, interacting with resources hosted on the same device as the server. They can also run on remote hosts, in which case they function more or less like API endpoints. In general, remote MCP servers are more difficult to secure because they are directly exposed to the Internet, although they can also make it easier to centralize agentic AI operations across multiple hosts. Thus, it’s important to balance security with operational needs when deciding which type of MCP deployment model to use.
  • Secure deployments: Keep MCP servers secure by ensuring that all servers running within your organization are up-to-date. Requiring encryption for network traffic can also help to secure deployments and prevent man-in-the-middle attacks.
  • Require authorization: As noted above, MCP now offers native authorization features, which should be enabled to prevent unapproved users from accessing resources via MCP.
  • Restrict permissions: Least privilege principles apply to MCP as to many other technologies. The permissions granted to each MCP server should be restricted to the minimum necessary to support an intended use case.
  • Apply a zero trust policy: Similarly, organizations should apply a zero trust policy, preventing MCP servers and connected LLMs from accessing resources until they have determined them to be secure.
  • Monitor and audit: Monitoring MCP server activity and creating audit logs provides visibility into which resources the servers are accessing. This can help teams to flag malicious activity.
  • Require manual approval: Keeping a human in the loop by requiring manual approval of high-risk activity (like access to highly sensitive data) can help to prevent malicious behavior by an MCP server or LLM.
  • Maintain an inventory: Maintaining an inventory of active MCP servers within the organization can help IT departments detect shadow MCP deployments, as well as determine whether they have any outdated servers in operation.
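Several of these practices (least privilege, human approval for high-risk actions, audit logging, and an inventory that rejects unknown servers) can be enforced at a single choke point between the LLM client and its MCP servers. The following is an added example written for this article; it is not code from the article, from Aqua, or from any MCP SDK. It models the JSON-RPC 2.0 `tools/call` request that MCP clients send to servers, which is the protocol's real method name; the server names, tool names, policy format and the `demo_reviewer` approval callback are constructed for illustration.

```python
"""Policy gate in front of MCP tool calls.

Added example, not code from the article or from any MCP SDK. It enforces
a per-server least-privilege allowlist of tools, human approval for
high-risk tools, and an audit log of every decision. The request shape
follows MCP's JSON-RPC 2.0 ``tools/call`` method; server names, tool names,
the policy format and the reviewer callback are constructed.
"""
from dataclasses import dataclass, field
import json
import time
from typing import Callable


@dataclass(frozen=True)
class ServerPolicy:
    allowed_tools: frozenset                    # least privilege: anything else is denied
    approval_required: frozenset = frozenset()  # subset that needs a human decision


@dataclass
class ToolGate:
    policies: dict                              # server name -> ServerPolicy (the inventory)
    approve: Callable[[str, str, dict], bool]   # human-in-the-loop decision
    audit_log: list = field(default_factory=list)

    def _record(self, server, tool, decision, reason):
        entry = {"ts": time.time(), "server": server, "tool": tool,
                 "decision": decision, "reason": reason}
        self.audit_log.append(entry)
        return entry

    def check(self, server: str, request: dict) -> dict:
        """Decide one tools/call request and return its audit entry."""
        params = request.get("params") or {}
        tool = params.get("name")
        if (request.get("jsonrpc") != "2.0" or request.get("method") != "tools/call"
                or not isinstance(tool, str)):
            return self._record(server, tool, "deny", "malformed tools/call request")
        policy = self.policies.get(server)
        if policy is None:
            # Not in the inventory: treat it as a shadow deployment.
            return self._record(server, tool, "deny", "server not in inventory")
        if tool not in policy.allowed_tools:
            return self._record(server, tool, "deny", "tool outside allowlist")
        if tool in policy.approval_required:
            if not self.approve(server, tool, params.get("arguments") or {}):
                return self._record(server, tool, "deny", "human approval withheld")
            return self._record(server, tool, "allow", "approved by reviewer")
        return self._record(server, tool, "allow", "within allowlist")

    def audit_jsonl(self) -> str:
        """Audit trail as JSON lines, one entry per decision."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


# Constructed policy: the mail server may search and delete, nothing else,
# and every deletion needs a human decision.
DEMO_POLICIES = {
    "mail-server": ServerPolicy(
        allowed_tools=frozenset({"search_messages", "delete_messages"}),
        approval_required=frozenset({"delete_messages"}),
    ),
}


def _call(server, req_id, name, arguments):
    """Build a constructed JSON-RPC tools/call request."""
    return server, {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
                    "params": {"name": name, "arguments": arguments}}


# Constructed sample traffic, shaped as an MCP client would send it.
SAMPLE_REQUESTS = [
    _call("mail-server", 1, "search_messages", {"query": "invoice"}),
    _call("mail-server", 2, "delete_messages", {"ids": ["m1", "m2"]}),
    _call("mail-server", 3, "delete_messages", {"ids": [f"m{i}" for i in range(50)]}),
    _call("mail-server", 4, "export_mailbox", {"target": "https://example.invalid"}),
    _call("shadow-server", 5, "search_messages", {"query": "*"}),
]


def demo_reviewer(server, tool, arguments):
    """Stand-in for the human approver: only small deletions are approved."""
    return tool == "delete_messages" and len(arguments.get("ids", [])) <= 5


def run_demo():
    gate = ToolGate(policies=DEMO_POLICIES, approve=demo_reviewer)
    decisions = [gate.check(server, req)["decision"] for server, req in SAMPLE_REQUESTS]
    return decisions, gate.audit_jsonl()


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)   # ['allow', 'allow', 'deny', 'deny', 'deny']
    print(log)
```

The gate denies by default: a server missing from the inventory, a tool missing from the allowlist, or a malformed request all fail closed, and every decision, allowed or not, lands in the audit trail so reviewers can see which tools each server actually reached for. In production the `approve` callback would block on a real reviewer rather than the constructed `demo_reviewer`.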

Organizations should deploy these practices alongside other strategies for mitigating generative AI security risks in general, such as the OWASP top 10 recommendations.

Balancing MCP opportunities with security risks

MCP is powerful, but it lacks many key security features. The good news is that, with the right tools and processes, organizations can effectively secure MCP servers and protect against LLM security and AI agent security risks. Indeed, now is the time to get ahead of this challenge, before MCP becomes even more widespread within business environments.

Aqua’s AI security solutions can help.

Gartner

“It is reasonable to anticipate it will take time for MCP to evolve into such an enterprise-grade security state, if it ever gets there.”

Gartner: AI Security Trends and Developments

The Cloud Native Experts
"The Cloud Native Experts" at Aqua Security specialize in cloud technology and cybersecurity. They focus on advancing cloud-native applications, offering insights into containers, Kubernetes, and cloud infrastructure. Their work revolves around enhancing security in cloud environments and developing solutions to new challenges.