Model context protocol (MCP), the emerging de facto standard for communication between agents and resources, is gaining ground. Like super uber mega fast. And yet, the tech crowd keeps treating MCP as “just another application-layer protocol,” lumping it in with yesterday’s APIs and moving on. Let’s be clear: That’s not just wrong. It’s dangerously naïve.
MCP isn’t just an API. It’s an actual application-layer protocol, carried by HTTP/S and invoked through an API, but operating at the very top of the OSI stack. MCP is in the business of moving business logic — application context, state and intent — between autonomous actors. And unlike a lot of so-called “stateless” protocols, MCP drags state along with it, making context the payload, the product and the target, all at once.
If you’ve looked at a real MCP payload, and especially who those instructions are meant for, you’ll immediately see that both the protocol and the risk profile are different. Sure, MCP inherits the usual bag of security headaches, but the new risks are where things get interesting and dangerous.
Rather than write a novel on every recycled security risk, here’s a chart for reference. Take a look at what’s truly new, and what’s just got a bigger blast radius thanks to MCP:
| Risk/Threat | New/Old | Risk | MCP/Architectural |
| Context Drift | New | N/A | MCP |
| Shadow Agents | New | N/A | MCP |
| Denial of Context | New | N/A | MCP |
| Agent Identity/Lifecycle Management | New | N/A | Architectural |
| Forensics on Context | New | N/A | MCP |
| Lateral Movement via Context | Old | Higher | MCP |
| Context Poisoning | Old | Higher | MCP |
| Impersonation/Spoofing | Old | Higher | Architectural |
| Third-Party Risk Amplification | Old | Higher | Architectural |
| Privilege Escalation via Context | Old | Higher | MCP |
| MitM Attacks | Old | Same | MCP |
| Endpoint Enumeration | Old | Same | Architectural |
| Role Misconfiguration | Old | Same | Architectural |
You’ll recognize the usual suspects: Spoofing, MitM, all the big hits of the last decade. But the real story is in the new risk column, where terms like Context Drift and Denial of Context are making their debut. And these aren’t just cute buzzwords: They’re direct consequences of the way MCP bundles everything an agent needs to make decisions into a living, breathing, shared context.
Context is Everything. That’s the Danger
With MCP, context isn’t just some accessory; it’s the main event. Agents aren’t simply tossing around requests; they’re syncing up, sharing state, and depending on this shared memory to do their jobs. The meaning of every operation, escalation, or hand-off lives inside the protocol itself. Lose control of that, and you’ve lost the whole plot.
Context Drift is what happens when agents disagree about what’s happening. Maybe one thinks the ticket is closed, another thinks it’s still open. This isn’t a simple mismatch. It’s a full-blown operational split-brain that can spiral into outages, data loss, or compliance failure. Because context is mutable, dynamic, and passed along with every message, drift isn’t a hypothetical; it’s inevitable if you’re not careful.
Denial of Context is today’s answer to denial of service. Forget crashing endpoints, now attackers can simply swamp or pollute the context pipeline. Agents freeze, workflows stall, and suddenly your business logic is stranded in limbo. And because this attack rides on the context itself, your perimeter and endpoint controls don’t even see it coming.
Shadow Agents are the stuff of nightmares. MCP lets new agents jump into the conversation on the fly. If you’re not actively tracking, authenticating, and auditing every participant, you’re asking for a ghost in the machine. Shadow agents can leak data, disrupt workflows, or worse, without ever tripping a traditional security alarm.
And as for Forensics on Context? Good luck. MCP context is ephemeral by design. It’s made to be updated, shared, and discarded. When things go sideways, reconstructing the who, what, and when of every context change is next to impossible unless you’re logging and auditing context flows like your job depends on it (because it does).
Security Needs to “Shift Up” the Stack
To really secure MCP, you’ve got to shift your security model upwards. Higher…higher. Yeah, there! Right there, at the top of the stack. Context is now the perimeter. Guarding endpoints and constraining connections aren’t enough; you need to validate and monitor what agents know, what they share, and what they act on.
Semantic guardrails are your first line of defense. Don’t just check the shape of the data, check what it means and whether it makes sense for the agent, the workflow and the policy. Intercept the nonsense before it turns into chaos.
Pruning context in MCP architectures isn’t just cleanup, it’s essential security. Letting old or irrelevant context linger leads to a stale state, larger attack surfaces, and degraded performance, as agents can act on obsolete or poisoned information. Enforcing strict TTLs, tight scoping and regular cleanup ensures agents only have access to what’s needed, reducing the risk of context drift, privilege escalation and data leakage. If you’re not pruning context, you’re not securing MCP; you’re just stockpiling risk and making it easier for attackers to exploit your system.
And don’t forget Audit Trails for Context. If you can’t piece together who sent what, when and why, you’re not just blind, you’re helpless. This is semantic logging, not just technical details. Persistent, searchable logs for context flows and agent actions are the only real hope for post-mortem analysis and closing the holes before the next incident.
This really is a new paradigm. GenAI didn’t change much, but AI Agents and Agentic AI? It’s going to disrupt every domain, and that includes security.
Security won’t be about connections anymore; it’s about context. If you get context right, you stay ahead. Get it wrong, and you’ll be mopping up after agents who were improvising their own rules.
Stay safe out there!
