Navigating the API Security Risks of MCP in the Age of Agentic AI
As AI agents begin making real-world decisions and executing complex tasks, a silent risk is growing beneath the surface—your APIs. In this APIsec|CON 2025 session, veteran tech journalist Bill Doerrfeld unveils how the emerging Model Context Protocol (MCP) is revolutionizing agentic AI—and why its rapid adoption could expose your systems to tool poisoning, supply chain attacks, and remote code execution. If you're in AppSec or DevSecOps, this is the wake-up call you didn't know you needed.

Navigating the API Security Risks of MCP in the Age of Agentic AI
By Bill Doerrfeld, Editor-in-Chief, Nordic APIs
As presented at APIsec|CON 2025
Introduction: From API Sprawl to AI Security
At APIsec|CON 2025, Bill Doerrfeld, veteran tech journalist and Editor-in-Chief of Nordic APIs, returned to explore an urgent new frontier: the security implications of Model Context Protocol (MCP)—an emerging standard at the intersection of APIs and agentic AI. Following his 2024 talk on API sprawl, Doerrfeld dives into how AI agents are increasingly using APIs to interact with real-world tools and data, and why this next wave of automation demands a renewed focus on security.
What Is MCP and Why Should You Care?
Model Context Protocol (MCP) is an open-source framework developed by Anthropic that enables AI agents to interact with APIs, services, and tools in a structured, active manner—not just reading data, but also performing write operations. Think of it as the "USB-C for AI"—a standard that lets agents connect to services in a predictable way.
Major players like OpenAI and Google have already embraced MCP, and developers are rapidly deploying thousands of MCP servers to power autonomous agents that drive customer service, backend automation, DevOps, and more.
🔎 But here's the rub: MCP may accelerate innovation—but it also dramatically expands the attack surface.
The Rise of Agentic AI: From Chatbots to Action-Oriented Agents
Doerrfeld highlights that agentic AI is evolving beyond static chatbots. With tools like MCP, AI agents can now:
- Chain together API calls
- Automate complex workflows
- Interact with other agents and services
- Execute real-world actions—not just return answers
Enterprises are already deploying AI agents at scale. According to Doerrfeld's research, leaders at companies like ServiceNow are “infusing AI agents everywhere to reimagine how we work.” Salesforce predicts 1 billion agents in production by the end of next year.
But as AI agents take action, they must do so securely—especially when APIs are involved.
MCP Security Risks: Tool Poisoning, Rug Pulls, and RCE
Despite its promise, MCP carries serious risks. Here are four major vulnerabilities identified by researchers:
- Tool Poisoning
Untrusted MCP servers can inject malicious instructions into tool descriptions, enabling indirect prompt injections and stealthy data exfiltration. - Rug Pulls
Trusted tools can turn malicious after being integrated—classic supply chain attack territory. - Tool Shadowing
Malicious tools can masquerade as trusted ones, redirecting requests and causing unexpected interactions or even man-in-the-middle attacks. - Remote Command Execution (RCE)
Shockingly, 43% of MCP servers tested allowed command injection. This opens the door to arbitrary code execution on live systems.
These vulnerabilities are exacerbated by the lack of default authentication in many MCP servers.
Security Best Practices for MCP and Agentic AI
Doerrfeld outlines a growing consensus among security professionals:
Don’t Connect AI Agents Directly to Production APIs
- Use API gateways to enforce access control and rate limiting.
- Introduce abstraction layers to decouple LLMs from critical systems.
Scan and Verify MCP Servers
- Use open-source tools like MCPScan to audit third-party MCP servers.
- Avoid unvetted packages and watch out for typo-squatting and supply chain abuse.
Apply API Security Fundamentals
- Follow the OWASP API Security Top 10 to enforce:
- Strong authentication and authorization
- Principle of least privilege
- Monitoring and logging
- Treat MCP servers as OAuth resource servers, not identity providers.
The Path Forward: Secure by Design
While some argue the vulnerabilities lie more in the AI model behavior than MCP itself, Doerrfeld emphasizes that secure deployment is key. Anthropic has signaled future improvements, including:
- Standardized registries for MCP tools
- Version control best practices
- Authentication plug-ins
- Community contributions via open source
For API-first organizations already following security best practices, the message is clear: you’re better prepared than most.
Final Thoughts: APIs Are the Key to Unlocking—and Securing—Agentic AI
MCP may become the backbone of the AI-native internet, but it must be secured from the ground up. As AI agents proliferate, API security is no longer optional—it’s existential.
"The future of agentic AI depends on secure, structured, API-first architectures."
AppSec and DevSecOps teams must stay ahead of this rapidly evolving threat landscape—because what’s empowering automation today may expose your systems tomorrow.
📥 Resources
- 🎥 Watch the full session on YouTube
- 📄 Read the original research by Invariant Labs
- 🛠️ Explore the MCPScan tool on GitHub
- 📚 Subscribe to Nordic APIs
About the Speaker
Bill Doerrfeld is a veteran tech journalist and Editor-in-Chief of Nordic APIs, the #1 API blog according to Feedspot. He contributes to InfoWorld, The New Stack, CIO.com, and more. Follow him on LinkedIn and Feld.io for future insights on API security, developer strategy, and AI.
Latest Articles
Earn your APIsec University Certificate
Earn an APIsec University certificate and badge for completing any of our courses.
Post your badge on LinkedIn and share your accomplishments. You can even receive CPE credits for taking these courses.
