The Protocol That Could Change Everything

I used to think the only challenge in cybersecurity was preventing attacks. That was until I realized the greatest threat wasn’t always a hacker in a hoodie. It was context. Or more specifically, the lack of it.

A decade ago, I sat across from a young analyst on my team. He was sharp, fresh out of school, and eager to prove himself. We had flagged a login attempt from a foreign IP address tied to an executive account. Alarms were going off. The executive was already on the phone.

The analyst had the logs. He had the timestamps. He had the IP data. What he didn’t have was context.

Who was traveling? Was this expected? Had this happened before? Was the executive using a new device? The analyst bounced from dashboard to dashboard, trying to piece together a story that made sense.

There was no breach, but the fallout in trust and confidence lingered. It was a wake-up call. Not just about access or alerts, but about clarity. That was the moment I started thinking less about raw defense and more about understanding the full picture.

Enter the Model Context Protocol (MCP)

Today, we are standing at the edge of a new era. Large language models are beginning to transform how we work. They can accelerate research, streamline workflows, and power decision-making. But there is a critical weakness baked into how most people use them.

Without context, even the smartest AI sounds generic. It may hallucinate. It may mislead. And in high-stakes environments, guesswork is dangerous!

This is where the MCP comes in.

MCP is an open standard that gives AI access to the information it needs in a controlled, structured, and theoretically secure way. It connects language models to real data sources, real systems, and real-time insight. And it does all of this without forcing you to re-architect your stack.

It is not just a technical tool. It is a strategic shift.

Before MCP, Integration Was a Mess

Most organizations that want AI to help with internal systems are left with three options.

First, they manually copy and paste data into the chat. Second, they stitch together fragile plugins and APIs. Third, they don’t even try.

That leaves you with generic responses. It leaves developers jumping between tabs. It leaves security teams out of the loop. And most of all, it leaves value on the table.

MCP changes that.

It creates a unified way to expose the right information to your model, at the right time, with full control over what is shared. The model becomes less of a question-answering tool and more of a teammate who actually understands the business.

A Glimpse Into the Future: The Context-Aware Developer

Picture this.

It’s a Monday morning. A developer logs into their IDE and begins reviewing a recent pull request. Instead of opening five tabs and hunting for information, they simply ask their assistant:

"Why did Alice and Bob change the login flow last week?"

Thanks to MCP, the model accesses the commit message, links it to a Jira ticket, pulls up relevant discussions from Slack, and summarizes the context in plain English.

No digging. No delays. Just answers.

That is what happens when an AI model has real context. It can see the story behind the change. And it can help you write the next chapter.

This Isn’t About Efficiency Alone

At first glance, MCP might seem like a productivity tool. But the more you look at it, the more you realize it is about trust, security, and precision.

If done right CISOs no longer need to choose between enabling innovation and protecting data. Product teams can move fast without breaking the systems they rely on. Support staff can get real answers without waiting on someone else to find them.

The AI becomes a bridge, not a bottleneck.

More importantly, MCP can run entirely inside your environment. You decide what is visible. You set the guardrails. Your data stays your data.

This is not a compromise. It is an evolution.

The Hidden Costs of Context: Security and Risk in MCP

Power without precision is a liability. And in the case of MCP, that liability lives in how context is stored, shared, and interpreted.

Giving an AI model rich access to files, repositories, emails, and databases is like handing a new hire the master key to your office. If you trust that key to do the right thing every time, you’d better be confident in the lock.

Let’s talk about the security side of the Model Context Protocol…the side that doesn’t get enough attention.

A Growing Concern in the Security Community

Across the cybersecurity world, experts are ringing the alarm on MCP. From startups to large enterprises, the emerging consensus is clear: the convenience MCP offers must be counterbalanced with defensive design.

The team at Pillar Security warns that MCP servers create single points of failure. If compromised, these servers can grant attackers access to multiple services using stored tokens leading to email, drive, calendars, even internal systems. Worse, these breaches are often invisible to users because actions occur through standard APIs and never trigger login alerts.

Equixly takes it a step further, calling poorly configured MCP servers “a nightmare scenario in the making.” From command injection to insecure defaults, they break down how a server spun up without proper restrictions can be used to exfiltrate data silently, escalate privileges, or impersonate users.

Other shines light on subtle but powerful threats like prompt injection and context poisoning. The community explores how attackers might use well-crafted natural language inputs to manipulate models into executing commands or leaking data, often without detection.

Top Security Risks of MCP

1. Token Theft and Silent Takeover
   If a token stored in an MCP server is stolen, it can be used to impersonate the user across connected services. These actions fly under the radar because they use legitimate APIs and don’t prompt login alerts. Nothing we haven’t seen before.

2. Prompt Injection Attacks
   A user receives an email saying, "Please review this contract." Hidden in the metadata? A malicious prompt instructing the AI assistant to forward files, delete records, or exfiltrate data.

3. Over-Scoped Permissions
   Many early MCP implementations request full read-write access to services like Gmail or Slack. If that access is exploited, attackers gain operational control, not just visibility. Nothing surprising here, either.

4. Command Injection and Misconfigured Servers
   A vulnerable MCP server may allow arbitrary command execution if input validation is not handled correctly. This can happen during file parsing, shell calls, or poorly isolated plugin logic. Are you seeing a theme here?

5. Context Memory Leakage
   Sessions that persist context across time can inadvertently expose sensitive information from prior queries. If one session is hijacked or poisoned, all that memory becomes fair game.

6. Correlation and Aggregation Risks
   The more services your MCP server connects to, the more useful it becomes for attackers. Token correlation can enable inference attacks and mapping of internal processes.

Defensive Measures and Mitigations

If you are serious about using MCP, you must be serious about securing it!

Here’s what we recommend, to name a few:

• Token Hygiene
  Use short-lived, scoped tokens. Never store them unencrypted. Rotate frequently. Assume every token will eventually be targeted.

• Zero Trust Design
  Don’t trust the MCP server itself. Use layers of access control, network segmentation, and audit trails to prevent lateral movement.

• Session Expiry and Memory Isolation
  Automatically expire context after short intervals. Separate sessions per user and per thread. Never allow memory bleed across contexts.

• Prompt Sanitization and Input Validation
  Sanitize all incoming prompts. Treat natural language as untrusted input. Use allow-lists, deny-lists, and filters.

• Granular Scoping of Permissions
  Don’t request full access when read-only will do. Tailor access to function, not convenience.

• Logging and Monitoring
  Log every prompt, every action, every session. Use anomaly detection to flag unusual access patterns or prompt behavior.

• User Awareness
  Train users to treat AI assistants like command-line interfaces. They should be skeptical, alert, and cautious with what they share.

Security is Not a Feature. It’s the Foundation.

MCP is a major leap forward in making AI useful, relevant, and embedded into real work. But it is also a gateway. And like any gateway, it must be guarded.

There are many traditional things we can do to better secure it, like we mentioned above. But there is also a great deal we have yet to uncover. Only time will tell how these systems evolve under real-world conditions. Implementing programs like a Bug Bounty can go a long way in discovering the unknowns and strengthening the protocol's resilience from the ground up.

The future of AI will be shaped not only by what we connect, but by how we protect it.

If you’re thinking about building with MCP and want to ensure your implementation is secure by design and secure by default, I can help.

I am currently accepting a limited number of consulting engagements. To inquire about availability or schedule a consultation, please visit eliandrett.com.

Subscribe today for my next insight about the Agent2Agent Protocol (A2A) that compliments the MCP.