Cisco Report: MCP Security Risks in the Agentic AI Era

A New Attack Surface Is Emerging

The rapid adoption of agentic AI has created a new category of cybersecurity risk that most organizations are not prepared to address. Cisco's 2026 State of AI Security report, published in February 2026, provides the most comprehensive analysis to date of how adversaries are targeting the protocols, frameworks, and infrastructure that power autonomous AI agents.

The report's central finding is striking: the Model Context Protocol (MCP), which has become the de facto standard for connecting AI agents to external tools and data sources, has introduced an attack surface comparable in scope to what web APIs created in the 2010s. But unlike web APIs, which had years of security tooling development before widespread adoption, MCP is being deployed at scale before the security ecosystem has caught up.

Cisco's Talos threat intelligence team documented 127 distinct security incidents involving agentic AI systems in the 12 months leading up to the report, with the frequency and sophistication of attacks accelerating sharply in the second half of 2025.

MCP as an Attack Surface

MCP was designed to solve a real problem: providing a standardized way for AI agents to discover and invoke external tools. Before MCP, every agent framework implemented its own tool integration layer, leading to fragmentation and duplicated effort. MCP's success in unifying this landscape has been remarkable, with adoption across major frameworks including LangChain, LlamaIndex, Agno, and platform services from AWS, Google, and Microsoft.

But that success has made MCP a high-value target. Cisco identifies four primary attack vectors:

Malicious Tool Definitions

MCP tools are defined using JSON schemas that describe the tool's name, description, parameters, and behavior. AI agents use these descriptions to decide when and how to invoke tools. Cisco's researchers demonstrated that adversarial tool descriptions can manipulate agent behavior without modifying the agent's code or model weights.

In one proof of concept, a tool with the benign-sounding name "document_summarizer" included hidden instructions in its MCP description field that caused the agent to exfiltrate conversation context to an external endpoint before performing the legitimate summarization. Because agents process tool descriptions as part of their reasoning context, the malicious instructions were treated as authoritative guidance.

This attack is particularly dangerous because:

Tool descriptions are often treated as trusted input by agent frameworks
Human reviewers focus on tool code, not description metadata
Automated security scans do not typically analyze natural language description fields for adversarial content

Man-in-the-Middle on Tool Invocations

When an agent invokes an MCP tool, the request travels from the agent runtime to the tool server. Cisco found that many MCP deployments use unencrypted HTTP for local tool servers, assuming the communication is internal. In containerized environments where multiple services share a network namespace, this creates opportunities for lateral movement.

An attacker who gains access to the container network can intercept tool invocations, modify parameters, and alter responses. The agent, which trusts the tool server implicitly, has no way to detect the tampering.

See AI Voice Agents Handle Real Calls

Book a free demo or calculate how much you can save with AI voice automation.

Book a Demo ROI Calculator

Supply Chain Attacks Through Tool Registries

As the MCP ecosystem has grown, community-maintained tool registries have emerged where developers share tool definitions and implementations. Cisco identified 43 compromised tool packages across three popular registries, ranging from tools with subtly modified behavior to completely malicious packages designed to harvest API keys from agent configurations.

The attack pattern mirrors what the security community has seen in npm and PyPI supply chain attacks, but with an important difference: compromised AI tools can influence agent reasoning in ways that are harder to detect than traditional code-level compromises. A tool that returns slightly biased results, omits certain data, or includes subliminal instructions in its output can subtly steer agent behavior without triggering conventional security alerts.

Agent-to-Agent Protocol Exploits

In multi-agent systems where agents communicate with each other, the inter-agent communication protocols present additional attack surfaces. Cisco documented cases where an adversary compromised one agent in a multi-agent system and used it to inject malicious messages to other agents, effectively using the compromised agent as a beachhead for lateral movement within the agent network.

The report describes this as "agent prompt injection at scale," where a single compromised node can propagate adversarial instructions through an entire agent ecosystem.

The 43 Compromised Components

Cisco's discovery of 43 compromised framework components deserves special attention. The affected packages included:

14 MCP tool definitions that included hidden exfiltration instructions in description fields
11 agent memory adapters that silently logged conversation context to external servers
9 model provider wrappers that intercepted API keys during authentication flows
6 utility libraries used in tool implementations that contained obfuscated data collection code
3 agent orchestration plugins that modified agent behavior based on external command-and-control signals

The compromised packages had been downloaded collectively over 180,000 times before detection. Cisco estimates that approximately 4,500 production agent deployments were affected.

Mitigation Strategies

The Cisco report does not just catalog threats. It provides a comprehensive mitigation framework organized into four layers:

Tool Verification

Cryptographic signing of MCP tool definitions with developer identity verification
Automated scanning of tool descriptions for adversarial instruction patterns
Behavioral sandboxing that runs tools in isolated environments and monitors for unexpected network activity during a probationary period before production deployment

Transport Security

Mandatory TLS for all MCP communications, including local tool server connections
Mutual authentication between agents and tool servers using short-lived certificates
Request signing that prevents tampering with tool invocation parameters in transit

Supply Chain Integrity

Dependency pinning and lock files for all tool packages, with automated alerts on upstream changes
Provenance verification that traces tool packages back to verified publisher identities
Regular audits of tool registries for behavioral anomalies in published packages

Agent Network Security

Zero-trust agent communication where each inter-agent message is authenticated and authorized
Message content validation that checks incoming agent messages for known injection patterns
Network segmentation that isolates agent clusters and limits blast radius when a compromise occurs

Industry Response

The report has catalyzed action across the agentic AI ecosystem. Anthropic announced enhanced security features for MCP, including description field scanning and signed tool definitions. The Linux Foundation's AI Security Working Group has formed a task force specifically focused on agent protocol security. Several major cloud providers are adding MCP-aware security scanning to their agent hosting platforms.

However, Cisco's researchers caution that the security community is playing catch-up. The speed of agentic AI adoption has outpaced security tooling development, and they expect the threat landscape to intensify throughout 2026 as more organizations deploy autonomous agents with access to sensitive systems and data.

Frequently Asked Questions

Is MCP fundamentally insecure?

No. MCP's design is sound, and the protocol itself is not flawed. The security issues arise from how MCP is deployed and from the ecosystem practices around tool distribution and trust. With proper transport security, tool verification, and supply chain integrity measures, MCP can be deployed securely. The problem is that most organizations are not implementing these measures.

Should organizations stop using MCP until security improves?

Cisco does not recommend abandoning MCP. The standardization benefits are significant, and the alternative — proprietary tool integration layers — would fragment the ecosystem and likely introduce even more security inconsistencies. Instead, organizations should implement the mitigation strategies outlined in the report and treat MCP tool management with the same rigor they apply to third-party software dependencies.

How can teams detect if they are using compromised MCP tools?

Cisco has published indicators of compromise (IOCs) for all 43 identified packages, along with detection rules compatible with major SIEM platforms. Additionally, the report recommends monitoring agent behavior for anomalous patterns: unexpected network connections, unusual data access patterns, or tool invocations that do not align with the agent's configured purpose.

Are proprietary agent platforms safer than open-source frameworks?

Not inherently. Proprietary platforms may have more resources for security review, but they also have less community scrutiny. The report found security issues in both open-source and proprietary agent deployments. The determining factor is not whether the platform is open or closed, but whether the organization operating it follows security best practices for tool management, transport security, and supply chain integrity.

Source: Cisco Talos — 2026 State of AI Security Report, Anthropic — MCP Security Enhancements, Linux Foundation — AI Security Working Group