So, the future of application security isn’t just about protecting your website, your APIs, or even your cloud infrastructure. The new frontier is something far stranger – and far riskier. It’s called the Model Context Protocol, or MCP. And it may be the most important, least understood security challenge we face as AI agents become part of everyday software. Now, about this…

Let’s start simple. Think of the history of apps like a family tree. We began with websites. Then came APIs. Then LLM APIs – those interfaces to big language models like ChatGPT or Claude. And now, MCP, which was built and provided by Anthropic.

MCP and MCP Servers are, in a sense, the “new APIs”. But instead of a developer calling an endpoint with clear rules, MCP lets an AI agent crawl your app, infer what to do, and act on its own reasoning. It’s not just “send data, get data.” It’s more like, “figure out what needs to be done, and go do it”.

This is powerful – but it’s also deeply unpredictable. Because when machines reason for themselves, they don’t always behave in ways their creators expect. So, MCP marks the shift from deterministic software to probabilistic, autonomous systems. That’s not just a technical leap – it’s a cultural one. We’re handing software a steering wheel and hoping it doesn’t crash the car.

Now here’s where it gets messy. MCP is being adopted at wild speed. Think of it as a “wild west” moment: everyone wants in, everyone’s experimenting, and security is usually an afterthought – just as it was during the startup bubble.

Research shows the risk of a single MCP server might be manageable – say 9 percent. But chain a few of them together, and the risk explodes. With three MCP servers working in tandem, you’re already at over 50 percent risk. Add more than five, and you’re looking at a 70 percent chance of failure or exploitation. Why? Glad you asked! Because when multiple autonomous systems talk to each other, their reasoning compounds. It’s like putting a group of improvisational actors on stage: brilliant things can happen, but chaos is far more likely.

So security isn’t additive here, it’s exponential.

Consider this example. You connect Claude, the AI model, to Gmail and to a code-execution MCP server. An attacker then uses something called emotional prompting – persuading the model that it is on the attacker’s “team.”

What can happen? Claude happily writes a phishing email, executes code, and even congratulates itself on the success – bypassing its own built-in safeguards.

These attacks aren’t just technical in the old sense: they are psychological manipulation of an AI system. Yes, the attack surface now includes persuasion.

Here’s your headache now: most companies don’t even know which MCP servers are running across their systems. Developers might pull them in. Finance teams might install them. Even your CFO could be running one soon enough on his Windows 11 laptop.

Without visibility, you can’t secure them. And because innovation is the priority, security gets bypassed. How often do you click “never ask me again” on a security prompt? Exactly.

The deeper conflict is this: AI agents are valuable because they’re autonomous. But security requires guardrails, monitoring, and limits. It’s the same thing we see with self-driving cars. Full autonomy sounds exciting — but in practice, we stick to semi-autonomous systems with a lot of safety nets.
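The “semi-autonomous with safety nets” idea above, and the Gmail-plus-code-execution scenario earlier, can be made concrete as a policy gate that sits between the agent and its MCP servers. This is an added example, not code from the original post or from any MCP implementation; the server names, tool names, risk list and the three-server cap are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed policy for this example: tools with outward-facing, hard-to-undo
# effects (sending mail, running code) need explicit human approval per task.
HIGH_RISK_TOOLS = {("gmail", "send_email"), ("exec", "run_code")}
MAX_SERVERS_PER_TASK = 3  # illustrative cap on how many MCP servers one task may chain


@dataclass(frozen=True)
class ToolCall:
    server: str  # MCP server the agent wants to use, e.g. "gmail" (assumed name)
    tool: str    # tool exposed by that server, e.g. "send_email" (assumed name)


@dataclass(frozen=True)
class Decision:
    call: ToolCall
    allowed: bool
    reason: str


def gate_plan(plan, approvals=frozenset()):
    """Evaluate an agent's planned chain of tool calls, in order, fail-closed.

    The agent's own reasoning is not trusted: the decision depends only on the
    (server, tool) pair, how many distinct servers the task has already touched,
    and whether a human approved that pair. The first denial halts the chain;
    every later step is marked blocked without running.
    """
    decisions, servers_seen, halted = [], set(), False
    for call in plan:
        if halted:
            decisions.append(Decision(call, False, "blocked: earlier step denied"))
            continue
        servers_seen.add(call.server)
        key = (call.server, call.tool)
        if len(servers_seen) > MAX_SERVERS_PER_TASK:
            decisions.append(Decision(call, False, f"chain would span more than {MAX_SERVERS_PER_TASK} servers"))
            halted = True
        elif key in HIGH_RISK_TOOLS and key not in approvals:
            decisions.append(Decision(call, False, f"{call.server}.{call.tool} requires human approval"))
            halted = True
        else:
            decisions.append(Decision(call, True, "allowed"))
    return decisions


# Constructed plan mirroring the scenario in the text: read mail, draft a message,
# run code, then send the message. No human approval has been given.
PLAN = [
    ToolCall("gmail", "search_messages"),
    ToolCall("gmail", "create_draft"),
    ToolCall("exec", "run_code"),
    ToolCall("gmail", "send_email"),
]

if __name__ == "__main__":
    for d in gate_plan(PLAN):
        print("ALLOW" if d.allowed else "DENY ", d.call.server, d.call.tool, "-", d.reason)
```

Whatever the model has been talked into, the gate never sees the conversation, only the planned calls, so a persuaded agent still cannot run code or send mail without a human approving that specific pair.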

So, if we zoom out, we see where this is heading. AI isn’t a feature anymore. It’s becoming infrastructure, like electricity. And in that world, the adversarial race accelerates: defenders build new tools, attackers exploit them faster. Deepfakes, malicious MCP servers, rogue agents – all part of the same landscape.

We should be starting to talk about AI-assisted security. That means using AI in targeted ways: analysing traffic, generating contextual attacks, automating remediation. Always with human oversight. The crucial word is context. Security without context is just noise. If an AI can tell you not just that an API is vulnerable, but how that vulnerability threatens your actual business logic – say, your shopping cart or your payments flow – then you have something actionable.

Bottom line: we’re entering a security era where software isn’t just executing code – it’s making decisions. That means the battlefield is shifting. Attacks will be conversational, manipulative, even emotional. Defences will need to be contextual, adaptive, and deeply human-aware. And like with electricity, once AI becomes infrastructure, we won’t get to opt out. The question isn’t whether MCP and MCP Servers, which power autonomous agents, will shape the application landscape. It’s whether we’ll build the guardrails in time to keep the lights on. See you on the next episode!
