Understanding MCP security implications

Bill Doerrfeld | May 21, 2025

My talk at APISEC|CON 2025 covered agentic AI and MCP security risks and mitigations

Today I presented at APIsec University's APISEC|CON event, sharing my (limited) knowledge about MCP security implications. Since some attendees asked for them, here are my slides:

SLIDES: Understanding MCP Security Implications [PDF]

As I covered on The New Stack recently, researchers have discovered that MCP is not secure by default. It's prone to vulnerabilities such as tool poisoning, rug pulls, tool shadowing, and remote control execution (RCE).


My presentation covered the hype around agentic AI and the excitement around MCP. It then looks at these risks and suggests some mitigations.


It was very helpful for me to put this together, and I'll post the recording of the session once it's out.


 I'm looking forward to closely following autonomous AI, MCP, and related standards, and what all this means for protecting access to underlying APIs. 


Watch: Understanding MCP security risks (recording coming soon)

Exploring frontier models for physical AI

By Bill Doerrfeld February 28, 2026
While hardware usually gets the spotlight in physical AI, the real differentiator won't be hardware. It'll be the models.

Workato's internal MCP success story

By Bill Doerrfeld February 27, 2026
In the latest DirectorPlus, Workato's CTO explains how MCP-enabled integration catalyzed internal AI usage and ROI.

5 official MCP servers from major clouds

By Bill Doerrfeld February 18, 2026
My latest on InfoWorld reviews MCP servers from 5 major cloud providers

6 agentic knowledge base styles in practice

By Bill Doerrfeld February 18, 2026
How are organizations actually using agentic knowledge bases in practice? My article for The New Stack looks at six emerging patterns.
eBPF in Production Report

Report: eBPF In Production

By Bill Doerrfeld February 12, 2026
My report for the eBPF Foundation explores enterprise eBPF case studies, production deployments, and real business outcomes across cloud-native environments.
Close-up of whole bean coffee Bottomless

I’m a fan of Bottomless coffee

By Bill Doerrfeld February 10, 2026
Longtime Bottomless user sharing why I love automated coffee delivery triggered by a smart scale, plus a referral link for a free first bag.

Tips and tricks to reduce MCP token bloat

By Bill Doerrfeld February 5, 2026
MCP servers can quickly drain context windows without guardrails. Thankfully, there are ways around this, say the experts.

The state of AI agents in finance

By Bill Doerrfeld February 4, 2026
It may seem like AI agents are suddenly doing everything across industries. But in reality, the pace of agentic AI is moving carefully, and very deliberately, in highly regulated environments like finance and banking.

Should AI agents scrape or integrate external data?

By Bill Doerrfeld February 3, 2026
My latest feature for InfoWorld explores when it makes sense to scrape public web sources, and when official API integrations are the better choice for external data.

Going nano with software updates

By Bill Doerrfeld January 30, 2026
What does it mean to go nano with your software updates — to "carve with a scalpel" instead of swinging a hammer? For my latest DirectorPlus piece, I caught up with Chainguard VP Dustin Kirkland to dig into that idea.