What is the Model Context Protocol (MCP)?

The Model Context Protocol (MCP) is an open standard developed by Anthropic that defines how AI models connect to external tools, APIs, and data sources. It creates a common language so any AI client (like Claude, GPT-based tools, or custom agents) can communicate with any MCP-compatible server without custom integration code.

What problem does MCP solve?

Before MCP, every AI integration was custom-built. If you wanted an AI assistant to read your files, call your API, or query your database, you had to write bespoke glue code for each combination of model and tool. MCP standardises this: build one MCP server and any MCP-compatible AI client can use it immediately.

How is MCP different from a REST API?

REST APIs are stateless request-response interfaces designed for human developers. MCP is designed for AI models: it supports bidirectional communication, dynamic tool discovery (the AI can ask what tools are available), schema negotiation, and streaming responses. MCP servers self-describe their capabilities so AI clients can adapt without manual documentation.

Is MCP secure by default?

No. MCP itself is a protocol specification, not a security guarantee. MCP servers can be deployed with or without authentication, over HTTP or HTTPS, with or without rate limiting. The security posture depends entirely on how the server is implemented and configured. AgentGrade grades MCP servers on 14 observable security checks to help users assess real-world security.

What are the main security risks of MCP?

The primary risks include: unauthenticated tool execution (anyone can call your tools), data exfiltration through tool responses, prompt injection via malicious tool outputs, credential exposure in responses, and overly permissive CORS policies that allow cross-site requests. These risks are magnified because MCP tools often have elevated access to databases, file systems, and APIs.

How does AgentGrade help with MCP security?

AgentGrade automatically scans publicly-accessible MCP servers and grades them A–F on 14 passive security checks including HTTPS enforcement, authentication, credential exposure, CORS policies, security headers, and more. Grades are updated regularly so you can track improvement over time.

What is MCP? Model Context Protocol Explained

The Model Context Protocol (MCP) is an open standard that lets AI models connect to external tools, APIs, and data sources through a common interface. Think of it as USB-C for AI — one standard plug that works with any device, instead of a different cable for every combination.

Section 1: What is MCP?

Before MCP, connecting an AI assistant to your tools was bespoke work. Want Claude to read your files? Write a custom integration. Want GPT-4 to call your internal API? Write another custom integration. Every new model meant rewriting the glue layer from scratch.

MCP solves this by defining a standard protocol for the conversation between an AI model (the client) and an external capability (the server). Build one MCP server, and any MCP-compatible AI client can use it — no additional integration code required.

MCP was developed by Anthropic and released as an open standard in late 2024. It has since been adopted across the AI ecosystem, with hundreds of MCP servers now publicly available.

What can an MCP server expose?

Tools: Callable functions the AI can invoke (e.g., search_database, send_email, run_query)
Resources: Data the AI can read (e.g., files, database rows, API responses)
Prompts: Pre-built prompt templates the AI can use for common tasks

Section 2: How MCP Works

MCP uses a client-server architecture where the AI model acts as the client and the tool provider acts as the server.

Connection: The AI client connects to an MCP server, either over HTTP (remote servers) or via stdio (local processes).
Discovery: The client sends a tools/list request. The server responds with a list of available tools, each with a name, description, and JSON Schema describing its parameters.
Invocation: When the AI decides a tool is useful, it sends a tools/call request with the tool name and arguments. The server executes the tool and returns the result.
Response: The result — text, structured data, or binary content — flows back to the AI model, which incorporates it into its response.

This bidirectional design means the AI can iteratively call tools, inspect results, and decide whether to call more tools — all within a single user request.

Section 3: MCP vs REST APIs

Both MCP and REST APIs expose functionality over HTTP, but they serve different consumers and have different design goals:

Feature	REST API	MCP Server
Primary consumer	Human developers	AI models / agents
Communication style	Stateless request-response	Bidirectional, session-aware
Tool discovery	Manual (read the docs)	Dynamic (`tools/list` at runtime)
Schema negotiation	Fixed (OpenAPI spec)	Self-describing per connection
Streaming support	Optional (SSE/WebSockets)	Native via SSE
Error semantics	HTTP status codes	Structured JSON-RPC errors

In short: REST APIs are designed to be called by code written by humans. MCP is designed to be called by AI models that discover and invoke tools autonomously at runtime.

Section 4: MCP Security Risks

Because MCP servers often have elevated access to databases, file systems, internal APIs, and sensitive data, their security posture matters more than a typical public API. The key risks:

Unauthenticated Tool Execution

An MCP server with no authentication allows any client to invoke its tools. This means anyone on the internet can call run_query, send_email, or whatever your server exposes — without any credentials. This is the most common critical failure AgentGrade detects.

Data Exfiltration via Tool Responses

If a malicious actor can invoke your tools, they can extract data through the tool response. An MCP server connected to a database could leak entire tables through repeated tool calls.

Prompt Injection via Tool Outputs

If a tool returns data from an untrusted source (e.g., user-controlled content, web pages, external APIs), that content may contain instructions that hijack the AI model's behavior. For example, a malicious web page returned by a fetch_url tool might instruct the AI to ignore previous instructions and exfiltrate conversation history.

Credential Exposure

Some MCP servers inadvertently return API keys, tokens, or configuration data in tool responses. These are immediately usable by attackers.

Overly Permissive CORS

MCP servers with Access-Control-Allow-Origin: * can be called by any browser-based application, enabling cross-site attacks where a malicious web page calls your MCP server on behalf of a visiting user.

For a full breakdown of observable security checks, see our methodology page.

Section 5: How AgentGrade Helps

AgentGrade continuously scans publicly-accessible MCP servers and grades them on 14 security checks — from HTTPS enforcement and authentication to credential exposure and security headers. Grades range from A (strong posture) to F (critical failures).

Grades are updated automatically as servers change, so you can track whether a server's security is improving or declining over time. If you build or use MCP servers, AgentGrade gives you an independent, objective view of observable security posture — no manual testing required.

Browse MCP server security grades →