I don’t like writing scare pieces. But this one? It needs to be written.
Because if your team is deploying AI agents or leveraging AI desktop tools using the Model Context Protocol (MCP) and you’re not securing them with a gateway, you’re basically leaving the doors and windows open and walking away.
So, what is MCP and why should I care?
The Model Context Protocol (MCP) is like the glue that connects AI agents to outside tools and information. It lets an AI model talk to your CRM, hit your internal APIs, or fetch files on your system.
Sounds useful, right?
It is. That’s why so many teams, from startups to massive enterprises, are adopting it. MCP makes AI agents way more capable. It turns them into doers and not just talkers.
But there’s a catch.
MCP servers require security considerations
A recent security assessment by Equixly looked at dozens of popular MCP implementations. The results weren’t promising:
- 43% had command injection flaws
- 30% allowed Server-Side Request Forgery (SSRF is basically letting attackers poke around your internal network)
- 22% exposed arbitrary file read vulnerabilities
- Only 30% of vendors even patched the issues when they were told
Worse? Some vendors claimed these risks were “theoretical” or “acceptable.” That’s like a car company saying exploding airbags are “edge cases”, and only happen when there’s an accident.
These are not theoretical. They’re real. And they’ve already caused real-world incidents.
The hacks are creative and terrifying
Let’s break down what’s happening out there:
- Prompt Injection: Attackers can sneak commands like “IGNORE ALL PREVIOUS INSTRUCTIONS” into API responses. Your AI agent happily obeys.
- SQL Injection: Old-school attack, new playground. Some MCP servers let you drop malicious SQL into prompts and exfiltrate data.
- Cross server shadowing: MCP metadata or responses change how the AI interacts with other servers.
- Server Spoofing/Tool Mimicry: MCPs trick the AI into using the wrong servers & tools.
- Authentication Bypass: Some servers don’t verify who’s calling. Others let you register rogue MCP endpoints and impersonate trusted tools.
- Tool Poisoning: A tool looks safe at install. Then one day, it updates silently and starts stealing data.
- Rug Pulls: Third-party MCP packages switch behavior after getting adopted widely—just like malicious npm packages have done for years.
This isn’t speculation. It’s already happened as detailed in security investigations from Composio and Equixly:
- One attack chain exposed Asana data via unsecured MCP endpoints
- Another let attackers run remote commands on public-facing servers
- One even granted access to private GitHub repos through a compromised MCP tool
Here’s what actually works: The MCP Gateway
Gateways act like bodyguards for your AI agents.
They sit between the AI client and the MCP server. Every request goes through the gateway. Every response does too.
The idea is simple: Centralize security. Remove trust from the server layer. Lock everything down.
Here’s how they help.
- They handle identity properly
- Full OAuth 2.0/2.1 support
- Short-lived tokens (so even if someone grabs one, it’s useless soon)
- Role-based access control
- Integration with enterprise identity systems like Okta, Azure AD
Your AI agents don’t manage auth. The gateway does. That’s safer and way easier to manage.
- They validate and sanitize everything
This is the magic. The gateway checks:
- Are prompts malicious?
- Is someone trying to inject SQL or shell commands?
- Are any tool descriptions poisoned?
It also strips out anything sketchy. Think of it like a metal detector for every request.
Some even use machine learning to detect suspicious prompts.
- They audit, monitor, and alert
Every request. Every response. Logged.
You can get real-time alerts when something fishy happens. You can plug into your SIEM. You can see what tools were called, by whom, when, and how.
This isn’t optional anymore. It’s table stakes for enterprise deployment.
- They lock down the tool supply chain
Before a tool is allowed through the gateway, it’s scanned:
- What’s the source?
- How popular is it?
- Has it ever been flagged?
- Is the repo still active?
Tools that fail checks can be blocked automatically.
If you’re not scanning tools, you’re just waiting to be breached.
So who’s building these gateways?
There are a number of gateway solutions now available, offering different levels of security, specialization, and enterprise readiness. Below are several strong options:
Enkrypt AI Secure MCP Gateway
Offers dynamic tool discovery, built-in prompt sanitization, and enterprise-grade authentication for secure MCP deployments.
- Built‑in security scans
- Dynamic tool discovery
- Works with enterprise authentication
- Performance‑optimized
Lasso Security MCP Gateway
Focuses on threat prevention with:
- Plugin architecture
- Server and tool risk scoring
- Automated blocking of high‑risk components
WAV Group Gateway Template (Real Estate Focus)
WAV Group offers a Gateway Template designed for real estate brokerages and MLSs. Key features:
- Prompt sanitization tailored for real estate contexts
- Guardrails for private client/buyer/seller data
- Role‑Based Access Control (RBAC) at agent/user levels
- Audit logging specific to real estate workflows
- MLS API integration controls and PII masking for real estate data
- Designed as a template clients can adopt to deploy secure, compliant AI agents in real estate environments
Obot MCP Gateway
Obot is an open‑source gateway focused on enterprise requirements. Some of the features:
- Admin control plane: IT can onboard MCP servers, define access policies, manage users/groups, monitor usage. 
- Catalog / discovery: A searchable directory of approved MCP servers, documentation, trust/reputation information. 
- Proxying & hosting: Support for both local and remote MCP servers; ability to proxy third‑party ones with audit and routing control. 
- Access control + logging: Role‑based access, enterprise auth integration (Okta etc.), audit logs for MCP‑client/server interactions. 
Kong Konnect / Kong AI Gateway
Kong is more known as an API gateway, but it’s also building out MCP support and gateway‑style features. Key capabilities:
- Kong Konnect MCP Server: Enables MCP clients (e.g. Claude) to query APIs, configuration, analytics via Kong’s control plane. 
- Securing & governing MCP traffic: Kong’s AI Gateway offers plugins and policies for authentication (OIDC / Key Auth), rate limiting, prompt filtering (guardrails) etc. 
- Observability: Metrics, logging, tracing for MCP traffic. 
What should your team do right now?
If you’re deploying MCP servers, or building on top of them, here’s a basic security checklist:
- Set up a gateway (before anything goes live)
This is non-negotiable. Even for internal tools.
- Use proper auth
Hook into OAuth. Integrate with your identity provider. Don’t hand-roll this.
- Validate inputs and outputs
Use JSON schemas. Sanitize tool responses. Strip out embedded commands.
- Lock down your network
Log everything. Store audit trails. Send alerts when strange stuff happens.
- Don’t trust tools blindly.
Scan them. Review their source. Watch for updates. Use a reputation system.
The future isn’t secure by default
MCP is a powerful idea. But it’s dangerously naive out of the box and can expose your most valuable asset, your data.
Vendors are moving fast. Too fast. And when 43% of servers have command injection flaws, you don’t get to say “well, we trust our stack.”
You lock it down. You build defensively. You audit, scan, and restrict.
This isn’t optional if you’re serious about deploying AI in production.
And finally: stop hoping and start securing
Hope is not a security strategy. “No one would ever target us” is how breaches happen. “It’s just a proof of concept” becomes a Common Vulnerabilities and Events (CVE).
The MCP ecosystem is still young. That means you get to choose your architecture now before someone else chooses it for you via an incident report.
So choose wisely.
Start with a gateway.
