Demystifying MCP Security: The Missing Layer in Enterprise AI Infrastructure

As 2025 is gloriously dubbed the “Year of the Agent,” we’re seeing the agent paradigm rapidly penetrate the cybersecurity realm. Recently, our AI and cybersecurity team at Sixty Degree Capital (shout out to Jojo Ye, MBA and Mohan Zhang) collectively conducted research focused on the core MCP (multi-agent control plane) security components within the broader agent security framework.

MCP is reshaping enterprise architecture. Fundamentally, MCP reframes how LLMs interact with enterprise systems by enabling unified communication between large language models and SaaS applications. It introduces an abstraction layer over resources (data, whether text or binary, such as URIs or tables) and the actions on those resources (e.g., list, read, update). This unified framing offers power and convenience, but it also introduces novel security challenges across the MCP lifecycle.

There are two primary phases to securing MCP:

Pre-deployment or Build Phase – This is when services and APIs are registered within the MCP framework. One of the biggest concerns during this phase is the emergence of shadow MCPs and untracked APIs. While API penetration testing is commonly employed to detect issues before release, MCP introduces a new and complex attack surface, including threats like supply chain attacks originating from poorly governed service registration or third-party dependencies.

Runtime Phase – As MCP enters production, it begins mediating intensive data interactions between LLMs and enterprise systems. It not only authorizes and accesses potentially sensitive data, but also injects prompts into LLMs—creating the same risk surface faced by agents in terms of prompt injection, data leakage, or misuse of authority. To address these, traditional multi-layered data protection approaches—like fine-grained user management, authentication, and real-time data access analysis—need to be extended and re-engineered to fit the MCP paradigm.

More specifically, identity management and policy enforcement remain critical gaps. MCP’s role as a centralized proxy allows it to break silos between SaaS applications, but its identity control mechanisms are often underdeveloped. Without proper identity modeling and policy orchestration, engineers are reluctant to adopt fully centralized MCP structures—resulting in operational friction and security debt.

Last but not least, the action flow across MCP, spanning inbound data integration, outbound LLM interaction and the further exposure of SaaS APIs, may lead to misuse. Any outbound action triggered through MCP can affect downstream applications or services, reinforcing the need for tighter guardrails, context-aware access controls, and runtime validation mechanisms to mitigate the risks associated with delegated authority and prompt-driven behaviors.
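As an added illustration (not code from this post or from any vendor named in it), here is a minimal policy-enforcement point a gateway could place in front of MCP action requests: every action must be permitted both by the human principal’s grants and by the scope delegated to the agent, and requests to unregistered (shadow) servers are refused. Server names, resource URIs and grants are constructed sample values.

```python
"""Minimal policy-enforcement point for MCP-style action requests (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatch

ACTIONS = {"list", "read", "update"}          # the resource actions the post names


@dataclass(frozen=True)
class Request:
    principal: str   # human user the agent is acting for
    agent: str       # agent / MCP client identity
    server: str      # MCP server that hosts the resource
    resource: str    # URI-like resource id, e.g. "crm://accounts/acme" (constructed)
    action: str


@dataclass
class Policy:
    servers: set          # registered MCP servers; anything else is a shadow MCP
    user_grants: dict     # principal -> {resource glob: set(actions)}
    agent_scopes: dict    # agent -> {resource glob: set(actions)} delegated to it


def _permits(grants: dict, resource: str, action: str) -> bool:
    return any(fnmatch(resource, pat) and action in acts for pat, acts in grants.items())


def authorize(req: Request, pol: Policy):
    """Return (allowed, reason). Each hop in the chain must independently permit it."""
    if req.action not in ACTIONS:
        return False, "unknown action"
    if req.server not in pol.servers:
        return False, "unregistered server"
    if not _permits(pol.user_grants.get(req.principal, {}), req.resource, req.action):
        return False, "principal lacks grant"
    # Delegated authority can never exceed the principal's: the agent scope must
    # also cover the action, so a prompt-driven agent cannot escalate on its own.
    if not _permits(pol.agent_scopes.get(req.agent, {}), req.resource, req.action):
        return False, "agent scope exceeded"
    return True, "allowed"


# Constructed sample policy: alice may read/update CRM accounts, sales-bot may only read.
POLICY = Policy(
    servers={"crm", "wiki"},
    user_grants={"alice": {"crm://accounts/*": {"list", "read", "update"}}},
    agent_scopes={"sales-bot": {"crm://accounts/*": {"list", "read"}}},
)
```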

From our research, we’ve identified four foundational subspaces where builders and investors should pay close attention:

  • Authorization & Authentication stay at the frontline of MCP defense. Market demand is strong for embedding IAM functions—particularly access control—into agent security product stacks. While Auth0 offers solid coverage, we’ve tracked over ten emerging startups vying to become the crown jewel of agentic identity protection. Agent authorization chains differ greatly from human ones, introducing new ambiguity in authentication and access control. We expect more non-human identity providers to pivot or expand into MCP security; some, such as Descope and Natoma, already have done so successfully.
  • Data security challenges mirror GenAI concerns—but at a new scale. Shared risks include data leakage via chat agents or copilots. Still, agent-native use cases bring new scaled problems: enterprises launching hundreds of thousands of agents this year alone face overwhelming volumes of data queries. Traditional GenAI tools enforce rules on tens to a few hundred models, but agents create scaling hurdles around access control, scanning, and registration. Their ephemeral and autonomous nature further complicates real-time monitoring.
  • Startup innovation continues to ramp up. Competitive differentiation will come from tools that can automatically infer agent context and intent at scale, and rapidly generate agent-specific rules or models for leakage detection. Existing AI DLP vendors that already tackle prompt-injection and sensitive data leakage may transition effectively—if they can master agent intent identification and scalability.
  • Visibility & governance are maturing fast. Startups focused on shadow AI and governance, such as Zenity and Aim Security, are already addressing agent visibility and governance. Cybersecurity companies with strong API tracing and anomaly detection are making headway in agent discovery. The gap between traditional AI and agent monitoring is narrower here than in data protection, enabling GenAI security players to extend into agent governance more seamlessly. The boundary between GenAI and agent-specific security is increasingly blurred.
  • Upstream and downstream expansion options are emerging. MCP security vendors may move upstream into agent supply chain integrity, testing frameworks, and threat intelligence. Downstream, agent vulnerability management and detection/remediation are logically adjacent and likely fertile ground for new innovations.

Given that it’s still early days in agent security, we’ll continue deepening our research and issue new editions of our agent security map. We’ve kept some stealth startups anonymous for now—but as these entities emerge publicly, we’ll add them to our evolving map, alongside new logos as they appear.

Jared Hanson

Securing AI and infrastructure.

The AI software stack needs a security layer! Great analysis of what is emerging to provide that. Thanks!

Well said, Brett Liu, Engineer/CFA. Thanks for the mention 💚 Looking forward to next week!
