* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Cloud Security](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/)
* [AI Security](https://origin-researchcenter.paloaltonetworks.com/blog/category/ai-security/)
* Model Context Protocol (M...

# Model Context Protocol (MCP): A Security Overview

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fmodel-context-protocol-mcp-a-security-overview%2F)  
[](https://twitter.com/share?text=Model+Context+Protocol+%28MCP%29%3A+A+Security+Overview&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fmodel-context-protocol-mcp-a-security-overview%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fmodel-context-protocol-mcp-a-security-overview%2F&title=Model+Context+Protocol+%28MCP%29%3A+A+Security+Overview&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/model-context-protocol-mcp-a-security-overview/&ts=markdown)  
\[\](mailto:?subject=Model Context Protocol (MCP): A Security Overview)  
Link copied  
By [Sharon Farber](https://www.paloaltonetworks.com/blog/author/sharon-farber/?ts=markdown "Posts by Sharon Farber")  
Jun 06, 2025  
6 minutes  
[AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown)  
[AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown)  
[DSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/dspm/?ts=markdown)  
[Model Context Protocol](https://www.paloaltonetworks.com/blog/tag/model-context-protocol/?ts=markdown)

The Model Context Protocol (MCP), introduced by Anthropic in November 2024 to connect AI models to data, has taken off in recent months. Countless companies have announced new integrations based on this protocol, culminating in OpenAI's March announcement that it too will adopt MCP. For organizations struggling to keep up with the protocol's security implications, here's a concise overview of what you need to know.

## MCP --- the Simple-as-Possible Explanation

For many newer AI implementations (such as agentic AI), MCP enables the AI system to interact with external systems, such as databases, files, web services and development tools. We would typically refer to this as tool use, functions or something similar. MCP is meant to standardize communication between the AI system and these external systems.

For example, let's think of an AI support agent for a financial institution. To answer a customer's query, such as "What is my current account balance?", the agent might be instructed to ask for more details, fetch the balance from a database or notify a human agent in the company's customer support platform. Afterward, the agent will log the conversation in the company's CRM. The last three actions in this example require interaction with an external system, and that's where MCP comes into play.
![How MCP enables an AI support agent to interact with external systems like databases, web services, and CRM to respond to a user's query](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340393-1.png)
Figure 1: How MCP enables an AI support agent to interact with external systems like databases, web services, and CRM to respond to a user's query

As depicted in figure 1, the MCP connection defines how data is retrieved from the database containing the account balance and sets expectations for the format in which the data arrives. The MCP server might also contain a repository of prompts that would add context and guardrails to the model responses. When a specific action is required, MCP would translate agent requests such as "check balance" into API calls executed against the external system via an MCP server.

As long as the underlying AI model (e.g., Anthropic's Claude) supports the MCP standard, anyone can develop an MCP server, since communication with external systems is still handled via "traditional" APIs such as HTTP. In the example above, it could also be via the chatbot developer who builds the MCP server.

In practice, however, many companies now offer their own MCP server to more readily integrate their systems into AI-powered workflows. In fact, hundreds of MCP servers are available via [GitHub](https://github.com/modelcontextprotocol/servers) or [mcp.so](https://mcp.so/), with new ones added daily.

Given the purpose of this article, we'll suffice with the above overview of how MCP works rather than delve into various MCP concepts.

## What Are the Security Risks Associated with MCP?

Since the MCP standard is new, Palo Alto Networks Unit 42 (and undoubtedly other security research teams) is still probing its full security ramifications. With that said, several risks are immediately evident.

### 1/ Prompt Injection

MCP servers contain prompt repositories used to augment instructions given to AI agents. While these data assets are meant to improve or contextualize model behavior, they could be misused to cause an AI actor to behave in undesired, unexpected or malicious ways.

For example, an MCP server could contain prompts that instruct a coding agent to write insecure code or to ignore certain types of user requests. Alternatively, an MCP prompt could instruct the agent to perform actions such as modifying database records without the user's permission.
![A prompt injection risk involving a compromised MCP server that could lead an AI agent to generate unsafe code or introduce vulnerabilities during a refactoring task](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340393-2.png)
Figure 2: A prompt injection risk involving a compromised MCP server that could lead an AI agent to generate unsafe code or introduce vulnerabilities during a refactoring task

### 2/ Credentials Exposure

As mentioned, an MCP server's main purpose is to facilitate connections with external systems. These connections require credentials such as API keys. While the MCP's current implementation requires servers to run locally, this setup still represents another instance of credential storage that can lead to exposure.

What's more, an MCP server will often request broad permission scopes to provide flexible functionality, while the same server might require permissions to multiple external services. Centralized storage of multiple sensitive credentials should remain of interest to security teams.

### 3/ Unverified Third-Party Tools

With hundreds of MCP servers available from the internet, any developer can download one from their CLI. Doing so, however, will enable bad actors to attack the supply chain. The inherent design of MCP servers to transmit data to external services makes the situation risky, particularly in conjunction with "set it and forget it" workflows explicitly encouraged by developers of agentic AI tools.

An MCP server could, for example, impersonate an official integration with a cloud database via typosquatting to exfiltrate the organization's data and send it to the attacker. The attack could also be achieved through more complex, harder-to-detect methods, perhaps involving multiple tool calls chained together, with each tool receiving instructions the user might not see or grasp. Interesting research about this attack vector has been [published by Invariant Labs](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks?utm_source=chatgpt.com).

## Best Practices You Should Implement

**Log All Application Prompts**

Implement comprehensive logging for all prompts sent to MCP-enabled AI systems. The record will allow security teams to audit interactions, detect potential prompt injection attempts and establish baseline behaviors.

**Establish Governance Procedures for New MCP Servers**

* Create a formal approval process for adding new MCP servers to your environment, including security reviews, source verification and documentation.
* Maintain an inventory of approved servers.
* Consider establishing an internal repository of vetted MCP servers rather than allowing direct installation from public sources.

**Monitor Exposed API Keys in MCP Configuration Files**

* Use secret scanning tools to identify potential leaks in configuration files.
* Use environment variables or dedicated secret management solutions instead of hard-coded credentials when possible.
* Ensure that keys have the minimum necessary permissions to reduce the impact of potential exposure.

## Stay Tuned

Today's overview describes the state of affairs as of June 2025. But, as with everything related to AI, the technology is radidly evolving, making security a moving target. As more integrations and MCP implementations appear in the wild, the risk landscape is likely to change. For the time, your best bet is to stay informed and ensure you have a [holistic view of cloud and AI security](https://www.paloaltonetworks.com/cortex/cloud).

*** ** * ** ***

## Related Blogs

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [ASPM](https://www.paloaltonetworks.com/blog/cloud-security/category/aspm/?ts=markdown), [CIEM](https://www.paloaltonetworks.com/blog/cloud-security/category/ciem/?ts=markdown), [DSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/dspm/?ts=markdown)

[#### AI-SPM Update: 3 New Capabilities for Model Activity, Agentic AI and Software Supply Chain Risks](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/aispm-capabilities-enhanced-security/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [CSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/cspm/?ts=markdown), [DSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/dspm/?ts=markdown)

[#### Deploying Secure LLM and RAG Applications with Amazon Bedrock and Prisma Cloud](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/deploy-secure-llm-rag-applications/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown)

[#### Don't Let Inactive AI Models Linger: Reduce Risk and Cost with Cortex Cloud](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/cloud-security-inactive-ai-model-risk/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown)

[#### Implementing AI Security with Cortex Cloud AI-SPM](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/implementing-ai-security-with-cortex-cloud-ai-spm/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown)

[#### The New AI Attack Surface --- How Cortex Cloud Secures MCP](https://origin-researchcenter.paloaltonetworks.com/blog/2025/06/cloud-security-model-context-protocol-mcp-security/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [Artificial Intelligence](https://www.paloaltonetworks.com/blog/cloud-security/category/artificial-intelligence/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [CSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/cspm/?ts=markdown)

[#### The Rise of AI-Powered IDEs: What the Windsurf Acquisition News Mean for Security Teams](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/windsurf-openai-acquisition/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language