Model Context Protocol (MCP)

Model Context Protocol (MCP) is the open standard — created by Anthropic and now stewarded by the Linux Foundation — that lets AI agents connect to any external tool, data source, or service through a single consistent interface. It has become the connective tissue of the AI tool ecosystem.

What Problem It Solves

Before MCP, every AI agent needed custom integration code for every external service. A coding agent that needed to query a database, call a REST API, read a file, and search internal docs required four separate, bespoke integrations — multiplied across every agent framework you used.

MCP solves this by defining a standard client-server protocol:

• A tool or service exposes itself as an MCP server (write once)
• Any AI agent or assistant connects to it as an MCP client (works everywhere)

The analogy: USB-C for AI tools. One interface standard, works with everything.

Why It's in Adopt

The speed of ecosystem adoption has been remarkable. As of early 2026, MCP has first-party server implementations from:

And MCP client support is now standard in every major AI tool:

• Claude Code, Cursor, Windsurf, Cline, Goose, OpenCode
• OpenAI Agents SDK, Claude API (tool use)
• Gemini CLI (via MCP tool integration)

The Linux Foundation AAIF (Agentic AI Foundation) was formed in December 2025 with MCP as a founding contribution alongside Block's Goose and OpenAI's AGENTS.md.

What This Means for Engineering Teams

For teams building products on top of AI agents: Your internal services, databases, and tools should have MCP servers. When you expose your service as an MCP server, every AI agent your team uses can immediately work with it — no custom glue code per agent.

For teams adopting AI tools: Choose tools that support MCP. When your IDE, your CLI agent, and your orchestration framework all speak MCP, your internal MCP servers work across all of them for free.

Building an MCP Server (it's simple)

from mcp.server.fastmcp import FastMCP

mcp = FastMCP("My Service")

@mcp.tool()
def get_order_status(order_id: str) -> dict:
    """Look up the current status of an order."""
    return orders_db.get(order_id)

@mcp.resource("docs://runbook/{service}")
def get_runbook(service: str) -> str:
    """Retrieve the runbook for a service."""
    return runbooks.get(service, "No runbook found")

mcp.run()

Any MCP-compatible agent can now call get_order_status and read runbooks, with no further integration work.

Security Considerations

MCP is a rapidly growing attack surface. A scan of 1,808 public MCP servers found 66% had security findings, and 30 CVEs were reported in the first 60 days of 2026 alone. Key threats:

• Tool poisoning — malicious tool definitions injected into agent contexts (flagged as "alarmingly common" by the MCPTox benchmark)
• Prompt injection via MCP data — hidden instructions in data returned by tools trigger unauthorized agent actions
• Token theft — MCP servers that store auth tokens for multiple services become a single point of breach
• Confused deputy attacks — MCP proxy servers exploited to obtain authorization codes without user consent

Real-world incidents include a cross-org data contamination flaw affecting ~1,000 Asana enterprise customers (May 2025), a WordPress AI plugin privilege escalation affecting 100K+ sites, and a Supabase Cursor agent exploit via SQL embedded in support tickets.

Best practices: use scoped tokens (RFC 8707 Resource Indicators), require mTLS or JWT, validate all inputs, sandbox local MCP servers, and never hard-code secrets. See MCP Security Best Practices on the Security radar for the full checklist.

Key Characteristics