RL Blog
MCP security tracks API's playbook — we know how that ends<br>The standard connecting AI agents to tools and data leaves security to others. Make it a do-over.
John P. Mello Jr., freelance technology writer
Application programming interfaces arrived with enormous promise — and minimal security standards. They were widely adopted nonetheless, and only after a decade of painful breaches did API security become a real discipline.

The AI analog of APIs is the Model Context Protocol (MCP), and it is following the same pattern. But a compromised MCP integration can wreak havoc faster and more broadly than a compromised API, and it can be harder to trace.

Here's what your security team needs to know about the risks of MCP, and how to keep them from exposing your software supply chain.

Déjà vu all over again

MCP is an open standard that lets AI applications connect to external tools, data sources, and workflows. Its goal is compelling: eliminate the need for a custom integration for every AI app or model. The security model around it, however, leaves a lot to be desired.

The MCP specification makes authorization optional (it describes an OAuth-based flow for HTTP transports but does not require one, and servers on the stdio transport are expected to pick up credentials from their environment instead) and leaves authentication, input validation, and sandboxing to whoever deploys the server. That is a defensible decision, but delegating security to implementers has repeatedly turned out to be a "kick the can down the road" problem, said Dan Moore, director of customer identity and access management strategy at FusionAuth.

"MCP explicitly doesn't enforce security at the protocol level. That's not a criticism of the spec authors. It's a difficult problem, and they made a deliberate choice to let implementers handle it. But in practice, 'left to the implementer' has historically meant 'skipped until a breach scares everyone and forces re-evaluation.'"
—Dan Moore

In fact, the MCP ecosystem is looking like a replay of the early API era: rapid adoption; authentication and authorization patterns that are optional or inconsistently implemented; transport security treated as an afterthought; and a collective assumption that security controls will materialize eventually.

This time the stakes are higher

Compared to APIs, though, the risks from MCP are greatly magnified. When a traditional API is called, the caller is deterministic: a specific application or piece of code, written by a developer, with predictable behavior that can be modeled, tested, and governed. MCP-connected agents operate differently.

With a large language model (LLM) in the loop, the caller is no longer predictable. The model selects tools and decides what actions to take on its own, and its decisions can shift with the context, the incoming prompt, or manipulated upstream data (a poisoned document or web page it was asked to read, for instance). Its behavior is therefore neither repeatable nor bounded in the way traditional API calls are, so testing a fixed set of request paths no longer covers what the agent can actually do.

Jim Wojno, director of product management for integrations at ReversingLabs (RL), said organizations are rushing to adopt agentic AI in cybersecurity operations for the obvious benefits. In that scenario, however, the AI becomes the most privileged and the most manipulable component at the same time.

"An attacker who compromises the AI layer — through MCP server tampering for example — doesn't need to touch a single endpoint. They can use the organization's own automation to suppress detections, whitelist malware, and execute commands across the environment. That's not a breach. That's a rootkit."
—Jim Wojno

The consequences of compromise scale accordingly, said Gianpietro Cutolo, cloud threat researcher at Netskope Threat Labs.

"A compromised API leaks information. A compromised MCP integration can send emails, move money, or pivot across every other tool the agent is connected to — at machine speed, with a user's credentials, and with a plausible audit trail."
—Gianpietro Cutolo

Researchers at Carnegie Mellon University's Software Engineering Institute note that MCP's risks extend well beyond the traditional confidentiality, integrity, and availability concerns. Because MCP is deeply integrated with LLMs and agentic workflows, vulnerabilities can also compromise privacy, safety, and system reliability, areas where AI-driven systems can autonomously execute high-stakes actions without human review at each step.

The attack surfaces AppSec isn't testing for

MCP's permissive security model creates threat categories that most application security (AppSec) programs are not designed to detect. Tool poisoning embeds malicious...
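The two points made earlier, that the specification leaves authentication, authorization, argument validation and sandboxing to the server implementer, and that the caller is a model whose tool choices cannot be trusted and which acts with the user's credentials and leaves a plausible audit trail, are easiest to see side by side in code. The following Python sketch is an added example written for this article; it is not code from the article, from ReversingLabs, or from the MCP SDK. It handles only the JSON-RPC `tools/call` shape that MCP clients send and makes no use of the SDK. The tool catalogue, the session and scope model, the bearer tokens, the approval gate, and the error codes chosen from JSON-RPC's server-defined range (-32000 to -32099) are all assumptions constructed for the illustration, and the sample requests in the usage are constructed, not captured traffic.

```python
import json
from dataclasses import dataclass, field

# Tool catalogue, constructed for this example. Each tool declares the scope a
# session must hold, whether it is high impact (irreversible or done in the
# user's name) and a tiny JSON-Schema-like description of its arguments.
TOOLS = {
    "search_docs": {"scope": "docs:read", "high_impact": False,
                    "schema": {"query": {"type": str, "max_len": 200}}},
    "send_email": {"scope": "mail:send", "high_impact": True,
                   "schema": {"to": {"type": str, "suffix": "@example.com"},
                              "body": {"type": str, "max_len": 2000}}},
    "transfer_funds": {"scope": "payments:write", "high_impact": True,
                       "schema": {"account": {"type": str, "max_len": 34},
                                  "amount": {"type": (int, float), "max": 1000}}},
}

@dataclass
class Session:
    user: str          # human whose credentials the agent is acting with
    agent: str         # the agent deployment actually making the call
    scopes: frozenset  # what this session may do (narrower than what the user may do)
    approved: set = field(default_factory=set)  # (tool, canonical args) the user signed off

# Bearer tokens as the transport would present them (constructed for the example).
SESSIONS = {"tok-alice-helpdesk": Session("alice", "helpdesk-agent",
                                          frozenset({"docs:read", "mail:send"}))}

def call(name, arguments, rid=1):
    # Build a tools/call request in the JSON-RPC shape MCP clients send.
    return {"jsonrpc": "2.0", "id": rid, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def canonical(args):
    return json.dumps(args, sort_keys=True, separators=(",", ":"))

def execute(name, args):
    # Stand-in for the real tool; it only reports what would have happened.
    return f"{name} executed with {canonical(args)}"

def validate_args(schema, args):
    """Return the list of problems with `args`; an empty list means they conform."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    problems = [f"unexpected argument {k!r}" for k in args if k not in schema]
    for key, rule in schema.items():
        val = args.get(key)
        if key not in args or isinstance(val, bool) or not isinstance(val, rule["type"]):
            problems.append(f"{key!r} missing or of the wrong type")
        elif "max_len" in rule and len(val) > rule["max_len"]:
            problems.append(f"{key!r} is too long")
        elif "suffix" in rule and not val.endswith(rule["suffix"]):
            problems.append(f"{key!r} is outside the allowed domain")
        elif "max" in rule and val > rule["max"]:
            problems.append(f"{key!r} exceeds {rule['max']}")
    return problems

def _error(request, code, message):  # -32000..-32099 is JSON-RPC's server-defined range
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": code, "message": message}}

def _result(request, text, is_error=False):
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"content": [{"type": "text", "text": text}], "isError": is_error}}

def naive_dispatch(request):
    """What 'left to the implementer' often turns into: run whatever the model asked for."""
    params = request["params"]
    return _result(request, execute(params["name"], params.get("arguments", {})))

def approve(token, name, args):
    """Record the user's explicit approval of one high-impact call: tool plus exact args."""
    SESSIONS[token].approved.add((name, canonical(args)))

def gated_dispatch(request, token, audit):
    """tools/call with the controls the spec leaves to the server: authentication, per-tool
    authorization, argument validation and an approval gate for high-impact tools.
    Every decision is appended to `audit`, naming both the user and the agent."""
    session = SESSIONS.get(token)
    params = request.get("params") if isinstance(request.get("params"), dict) else {}
    name, args = params.get("name"), params.get("arguments") or {}
    entry = {"user": getattr(session, "user", None), "agent": getattr(session, "agent", None),
             "tool": name, "decision": None}
    audit.append(entry)
    if session is None:
        entry["decision"] = "unauthenticated"
        return _error(request, -32001, "authentication required")
    tool = TOOLS.get(name) if isinstance(name, str) else None
    if tool is None:
        entry["decision"] = "unknown tool"
        return _error(request, -32602, f"unknown tool {name!r}")
    if tool["scope"] not in session.scopes:
        entry["decision"] = "forbidden"
        return _error(request, -32003, f"session lacks scope {tool['scope']}")
    problems = validate_args(tool["schema"], args)
    if problems:
        entry["decision"] = "invalid arguments"
        return _error(request, -32602, "; ".join(problems))
    if tool["high_impact"] and (name, canonical(args)) not in session.approved:
        entry["decision"] = "awaiting approval"
        return _result(request, f"{name} needs the user's approval for exactly these arguments",
                       is_error=True)
    entry["decision"], entry["args"] = "executed", args
    return _result(request, execute(name, args))
```

Three design choices carry the argument of the article. Scopes belong to the session (the agent acting for Alice), not to Alice, so a helpdesk agent never holds `payments:write` even though Alice might. Approval for a high-impact tool is bound to the canonical form of the exact arguments, so a model that obtained approval to e-mail `bob@example.com` cannot reuse it for a different recipient, and the argument check runs before the approval check so the user is only ever asked to approve well-formed calls. Finally, every decision, including refusals, is written to the audit list with both the user and the agent named, which is what turns the "plausible audit trail" Cutolo describes into one that an incident responder can actually separate into human-initiated and agent-initiated actions.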