Skip to main content
TopAIThreats home TOP AI THREATS
AI Capability

Model Context Protocol

An open protocol, developed by Anthropic, that standardises how AI applications connect to external data sources and tools. MCP provides a universal interface for language models to access databases, APIs, file systems, and other services through a client-server architecture, replacing fragmented custom integrations.

Agentic Systems Security & Cyber

Definition

The Model Context Protocol (MCP) is an open standard that defines how AI applications (clients) communicate with external tools and data sources (servers). Announced by Anthropic in late 2024, MCP provides a structured protocol for AI models to discover available tools, understand their capabilities through schema descriptions, invoke them with parameters, and receive results. MCP replaces the ad-hoc, platform-specific integrations that previously connected AI models to external services. The protocol follows a client-server architecture: an MCP client (embedded in an AI application) connects to one or more MCP servers, each of which exposes a set of tools, resources, or prompts. This standardisation enables AI applications to connect to any MCP-compatible service without custom integration code.

How It Relates to AI Threats

MCP introduces significant security considerations within the Agentic and Autonomous Threats and Security and Cyber Threats domains. Each MCP server connection expands the AI system’s attack surface by granting access to additional tools and data sources. MCP server poisoning — where a malicious or compromised server provides tool descriptions containing injected instructions — is an emerging threat vector. Cross-tool escalation, where a compromised tool’s output influences the AI model’s use of other tools, creates privilege escalation risks. The protocol’s power in enabling agentic AI capabilities is matched by the security challenges of managing trust boundaries across multiple external services.

Why It Occurs

  • AI applications need structured access to external tools, databases, and APIs to perform useful agentic tasks
  • Custom integrations for each tool-service combination created unsustainable maintenance burdens
  • Standardisation enables an ecosystem of tool providers and AI applications to interoperate without bilateral agreements
  • The protocol model (describe tools → invoke with parameters → return results) mirrors existing patterns in API design and function calling
  • Open-source availability encourages adoption and community-driven MCP server development

Real-World Context

MCP has been adopted by multiple AI development platforms and integrated into coding assistants, enterprise AI applications, and agentic frameworks. The protocol’s security implications have been the subject of active research, with demonstrations of MCP server poisoning attacks, tool description injection, and cross-server escalation. Security best practices for MCP include server authentication, tool-scope restriction, output validation, and the principle of least privilege applied to which servers an AI application connects to. The protocol continues to evolve with security-focused additions to the specification.

Related Threat Patterns

Prompt Injection Attack Security & Cyber AI Supply Chain Attack Security & Cyber

Related Terms

Function Calling Agent Framework Attack Surface Least Privilege
← Back to Glossary → Taxonomy → All Domains

Last updated: 2026-04-03