The Model Context Protocol (MCP) has, in just a few months, become the standard “glue” for connecting AI agents with real-world data and tools: code repositories, internal databases, IDEs, browsers, or file systems. In most organizations it is being deployed with an almost exclusive focus on functionality, pushing security architecture into the background. The result: thousands of exposed MCP servers, default configurations, lack of strong authentication, and an explosive mix of classical vulnerabilities (RCE, path traversal, lack of isolation) with vectors specific to the LLM world (prompt injection, tool poisoning, tool shadowing, abuse of persistent context). In this talk, we will present the state of the art in MCP security, including results from enumerating Internet-accessible servers and common exposure patterns in corporate environments. From there, we propose a reference architecture to “tame” MCP in the enterprise, focused on how to systematically standardize and test MCP deployments. We will introduce a lightweight “MCP Security Baseline” framework with maturity levels, as well as an open-source tool that can discover/monitor MCP servers, inventory exposed tools, and run non-destructive tests to validate minimum requirements (auth, encryption, restrictions around dangerous tools, context limits, etc.). We will close with an actionable checklist and lessons learned for security teams that need to decide, with sound criteria, when an MCP is ready for production and when it is just a pretty PoC about to get pwned.
Speakers: