What Is MCP? The New Protocol Reshaping AI Agent Security – Source: securityboulevard.com

We’ve talked a lot about the rise of agentic AI, and we’re now seeing it move from concept to infrastructure. Today, it’s starting to show up in real workflows and real user interactions. From shopping carts to support chats, AI agents are now browsing, transacting, and making decisions on behalf of humans. And as they become more capable, the line between human and machine behavior keeps getting harder to draw.

That shift poses serious challenges for security teams. Most existing frameworks still rely on a simple binary: bot or not. But semi-autonomous agents acting with good intentions on behalf of a user don’t fit neatly into that model. And as adoption grows, so do the risks: impersonation, hijacking, misuse, and fraud.

The Model Context Protocol (MCP) is one proposed answer. It gives AI agents a standardized way to carry context—who they are, what they’re allowed to do, and what they’re doing it for. In practice, it works like a digital passport for AI.

It’s a promising idea. But if agentic AI is going to play a lasting role in how people interact with the web, we’ll need to get serious about how we secure it.

The rise of AI agents

Agentic AI is changing the shape of the internet. Gartner predicts that by 2028, 33% of enterprise software will include agentic AI, and 20% of digital interactions could be handled entirely by machines acting on behalf of humans.

That’s great for productivity, but high risk for fraud. These AI agents don’t use browsers, follow UX paths, or respect robots.txt. They don’t always identify themselves. And just because something looks human (or even helpful) doesn’t mean it has good intentions.

In general, AI traffic across the web is surging. Every month, DataDome observes upwards of: 

• 180+ million requests from LLM crawlers
• 10+ million specifically from ChatGPT

These interactions aren’t malicious by default. But they can contribute to content theft and unwanted scraping, and AI agents introduce a new slew of potential misuse.

MCP: what it is and why it matters

MCP is designed to add structure to agentic AI use. At its best, it gives AI agents a way to carry metadata—like model version, permissions, origin, and context—across systems. Done right, it could help:

• Enforce usage policies in real time
• Detect unauthorized or rogue agents
• Improve auditability and forensics
• Support secure, composable workflows between agents
  

But beyond metadata, the real breakthrough lies in how MCP enables AI agents to engage in continuous, dynamic interaction—not just fire off one-time commands.

Unlike standard tool-calling systems where an AI sends a single request and receives a static response, MCP introduces a bidirectional communication channel. Using a feature called Sampling, MCP allows the server to pause mid-operation and prompt the AI for further guidance based on results gathered so far. This allows for adaptive workflows, where decisions are made iteratively with live context.

That’s what makes MCP different: it empowers agents to handle more complex, multi-step tasks by continuously exchanging state and context with the systems they’re interfacing with. In this sense, MCP doesn’t just structure AI behavior—it enables a new class of interactions altogether.

And while this interactivity unlocks more powerful agentic capabilities, it also introduces a broader and more dynamic attack surface. That’s why secure implementation, complete with validation, permissions scoping, and behavioral monitoring, will be critical as MCP adoption grows.

Identity & intent: the real battlefront

Historically, security focused on identity. Is this a human? Is it a bot? But that binary is outdated, and identity is fungible. Not all bots are bad, and not all humans are good. Today, it’s about intent.

At DataDome, we see both attackers and defenders using AI. And what matters most isn’t who is making a request—it’s what they’re trying to do.

That’s why our platform is built to analyze:

• Behavioral signals
• Navigation patterns
• Frequency and velocity of requests
• Context and session logic

We don’t just ask, “Is this a bot?” We ask, “Is this behavior consistent with legitimate intent?”

The risks of a poorly implemented MCP

As Multi-Agent Collaboration Protocols (MCPs) gain traction, their design choices will shape the future of digital security. But if these systems scale without built-in protections, we could see critical vulnerabilities emerge as early as H2 2025.

Several risk areas stand out.

First, identity management must be airtight. If MCP tokens aren’t cryptographically signed, attackers could spoof agents or issue unauthorized commands—similar to past exploits involving weak JWT signatures. Compounding this is the risk of over-trusting context metadata. If shared context isn’t verified, malicious agents can manipulate it to hijack decisions or inject false data, as we’ve already seen with prompt injection attacks.

There’s also the issue of agent isolation. When agents operate without proper sandboxing or scoped access, a single compromised agent can interfere with others—leaking data or escalating privileges across the ecosystem. And even well-meaning agents can become a threat if they’re granted excessive permissions. Without tight scoping, a single compromise could expose APIs, memory, or entire systems.

Parsing and validation also matter. Inconsistent logic for reading tokens or context payloads can lead to policy bypasses—a common root cause in high-profile breaches. And as natural language becomes the medium for agent behavior, the threat of prompt injection grows. Without sanitization, attackers can subtly manipulate how agents behave.

A newer, MCP-specific concern is server-side tool poisoning. Because MCP servers expose tools and often rely on prompt templates to guide AI behavior, a compromised or poorly secured server could act as a vector for injection or misuse. Unless companies deploying MCP servers build in integrity checks and safeguards, they risk leaking sensitive data or handing control to malicious actors mid-operation.

In short: MCP is powerful—but without strong safeguards, it risks becoming a high-value attack surface. Identity, intent, and execution all need to be secured in real time to prevent impersonation, escalation, or misuse at scale.

How DataDome’s AI helps secure agentic AI

Our platform processes over 5 trillion signals daily to deliver real-time protection against bots and fraud, whether the source is a script, a browser, or an AI agent.

Here’s how we do it:

• Accuracy: Hundreds of AI models assess every request in real time, across industries and traffic types. Our false positive rate is just 0.01%.
• Speed: We make decisions in <2ms, blocking threats before they can cause harm.
• Adaptivity: Our AI evolves in real time to detect and respond to new threats.

We’re not just identifying bots. We’re fingerprinting every LLM and agent, monitoring intent and behavior, and giving customers full visibility into this traffic.

Want to block malicious AI agents? Go for it. Want to monetize legitimate AI traffic? We’ll help you do that too—with insight, control, and flexibility.

A multi-layered approach to securing Agentic AI 

MCP is a powerful step toward making AI agents more secure and transparent. Giving agents a structured way to communicate their identity, intent, and permissions could unlock safer collaboration across systems—and help security teams regain some control in an increasingly autonomous digital world.

But no single protocol, no matter how well designed, is enough on its own.

Just like traditional APIs, browsers, and mobile apps, AI agents will be targeted by attackers looking for gaps in implementation, scope, or enforcement. A secure MCP still needs protection from spoofing, misuse, and abuse in the wild. And that means layering detection, enforcement, and monitoring around it.

That’s where DataDome comes in.

As MCP adoption grows, DataDome serves as a complementary layer of protection—an AI-powered detection engine that monitors agent behavior in real time, flags anomalies, and blocks misuse before it becomes a breach. Whether agents are misrepresenting themselves, scraping content, or attempting unauthorized actions, we see the signals and respond instantly.

If agentic AI is the future of the web, security must evolve alongside it. Protocols like MCP are foundational. Want to see how DataDome can help your organization understand, control, monetize, and protect how AI agents interact with your business? Schedule a demo now.