MCP Servers: The Essential Security Guide for CISOs

Your developers are installing MCP servers in minutes, from a copy-paste command. Your security team probably has no inventory of them. That needs to change.

What Is an MCP Server — and Why It’s Different

MCP (Model Context Protocol) is the USB-C of AI agents. It’s a standard that lets language models — Claude, GPT, Gemini, or whatever runs inside your data center — connect to tools and data sources without writing custom integration code for each one.

The most common systems MCP servers connect to: source code repositories (GitHub, GitLab), databases (Postgres, MySQL, Snowflake), cloud providers (AWS, Azure, GCP), ticketing systems (Jira, Linear), observability platforms (Grafana, Datadog), payment processing (Stripe), and internal file systems. A single MCP server can bridge several of these simultaneously.

What makes it different from every SaaS vendor you’ve reviewed before: an MCP server is an action surface, not a passive data source. When a developer installs one, they’re giving a language model a live hand inside a system — one that can read, write, call APIs, and chain actions together without confirming with the user at every step.

Three properties make this uniquely risky:

• Direct system access. MCP servers run with the identity and credentials of the user who launched them — often a developer with broad production access. No intermediary, no rate limiter, no human approver by default.
• Dynamic tool definitions. Capabilities can change after installation. A tool that looked safe on Day 1 can quietly add a send_email function on Day 7. Your quarterly vendor assessments won’t catch this.
• LLM-mediated execution. The model decides when and how to invoke each tool based on natural-language instructions — some of which may come from untrusted documents. Tool descriptions are visible to the model but invisible to the end user, which makes them a natural hiding place for prompt-injection attacks.

Three Risks Worth Presenting to the Board

Data exfiltration. An AI agent can be instructed — by a document it reads, a ticket it processes, a repository it indexes — to quietly copy data somewhere it shouldn’t. In May 2025, Invariant Labs documented a GitHub MCP prompt-injection attack where malicious content in a public issue convinced an agent to leak private repository contents (including salary data) into a new public pull request. Impact: High. Detection: Hard.

Supply chain substitution. You approved a tool on Monday. On Friday it silently changed what it does — and nobody on your team was notified. Knostic researchers found 1,862 MCP servers exposed on the public internet with zero authentication in late 2025. Astrix Security reported that 43% of open-source MCP servers contain command-injection vulnerabilities. CVE-2025-6514 alone affected more than 437,000 developer environments.

Regulatory exposure. DORA, NIS2, and the EU AI Act all require demonstrating control over third-party tooling connected to critical business processes. An unmanaged MCP server is an unmanaged ICT third-party — a finding no auditor will miss. IBM’s 2025 Cost of a Data Breach Report puts the “shadow AI” premium at $670,000 above a standard breach. Only 17% of organizations currently monitor agent-to-agent interactions.

The pattern across all three: the attacker doesn’t need to breach your perimeter. Malicious instructions arrive as ordinary content through legitimate channels and get executed by tools your organization voluntarily installed. The blast radius is defined entirely by the privileges you granted.

What to Ask Before Approving Any MCP Server

Your third-party risk program assumes a SaaS vendor, a contract, and a quarterly review cycle. MCP breaks all three assumptions. Here’s what actually matters — grouped by what you’re trying to establish:

Provenance & supply chain

• Who maintains this, and is every release pinned to a cryptographic hash?
• Has it been independently analyzed — SAST, taint analysis, supply-chain scanning?
• What’s the vulnerability disclosure policy and patch SLA?

Access & permissions

• Which systems can it reach? Enumerate them. “Depends on configuration” is not an acceptable answer.
• Does it require persistent credentials, or can it use short-lived scoped tokens?
• Can access be restricted per user or per session?

Runtime behavior

• Can tool definitions change after installation? If yes, is there automatic drift detection?
• Does it make outbound network calls, and to which specific endpoints?
• Can it initiate write or destructive actions without explicit user confirmation?

Governance & compliance

• Does it generate structured audit logs suitable for DORA reporting?
• Is data residency documented for any EU data flows?
• Is there a named security contact with a public security.txt?

A server that can’t answer all of this should not be approved for any system handling regulated data, production credentials, or customer communications. And this checklist doesn’t expire — re-run it on every material version update.

A 90-Day Program to Get From Zero to Defensible

Only 38% of organizations currently monitor AI traffic end-to-end. Here’s a concrete program to get control.

Days 1–30 — Discovery. Issue a written policy: no new MCP servers connected to production during this phase. Survey developer tooling (Cursor, Claude Desktop, VS Code Copilot, Cline, custom agents). Add MCP servers to your CMDB as a new asset class, linked to the installing user and the business process. Correlate against network egress logs to surface unregistered servers. Deliverable: a signed-off inventory with owner, publisher, version, and data-classification tag per entry.

Days 31–60 — Analysis. Run a certification pipeline against every server in inventory: SAST, taint, supply-chain, secrets scanning. Score each one. Classify by blast radius — Tier 1 (production + regulated data), Tier 2 (production), Tier 3 (sandbox only). Deliverable: a risk-scored catalog with a remediation plan for anything below a basic security certification.

Days 61–90 — Enforcement. Deploy an execution layer that validates cryptographic hashes and certification level before any tool is exposed to a model. Wire execution events into your SIEM for DORA-compliant incident reporting. Define alert thresholds for new endpoints, new tool definitions, and data-egress volume anomalies. Deliverable: policy document + runtime enforcement + 90-day board report demonstrating control coverage.

Key Takeaways

The center of gravity for MCP risk is not network security — it’s least-privilege enforcement, provenance, and runtime attestation. An organization that gets those three right will handle the rest. One that ignores any of them will have a hard time explaining to a regulator why they didn’t know what their AI agents were doing.