AI & Cloud Infrastructure

Model Context Protocol in Production: One Year Review

By Technspire Team
January 2, 2026
12 views

Model Context Protocol (MCP) was announced by Anthropic in late 2024 and spent 2025 going from curiosity to de facto standard for connecting LLMs to the outside world. One year in, the adoption picture is clearer: broad across IDE and agent tooling, still settling at the enterprise server layer, and beginning to raise security concerns that need answers before MCP becomes invisible plumbing.

What MCP Actually Is

MCP is a protocol. Not a library, not a framework. It defines a handshake and message format that lets any MCP-aware client (an IDE, an agent runtime, a chat app) talk to any MCP server (a filesystem bridge, a database, a SaaS API wrapper) without either side knowing about the other. The value is exactly what open protocols always deliver: network effects, where each new client can use every existing server and vice versa.

Concretely, an MCP server exposes three kinds of primitives:

  • Tools. Functions the model can invoke (search_crm, create_ticket).
  • Resources. Read-only data the model can pull into context (file://report.md, db://customers/42).
  • Prompts. Reusable, parameterized prompt templates exposed by the server.

Where Adoption Landed in 2025

  • IDE and developer tools. Claude Code, Cursor, GitHub Copilot-adjacent tools. All shipped first-class MCP support. This is the strongest adoption surface and set the de facto expectations.
  • Agent runtimes. Microsoft Foundry, LangGraph, and independent agent frameworks moved from proprietary tool formats toward MCP compatibility.
  • Enterprise SaaS servers. Most major SaaS vendors either ship or are building an MCP server. Quality varies dramatically. Some are thin wrappers around REST, others are thoughtfully scoped.

Building a Custom MCP Server

The TypeScript SDK remains the fastest path for custom servers. A minimal server looks like this: 

import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
import { z } from 'zod';

const server = new Server({ name: 'ticket-system', version: '1.0.0' });

server.tool(
  'create_ticket',
  {
    description: 'Create a support ticket in the internal system',
    inputSchema: z.object({
      title: z.string().max(200),
      priority: z.enum(['low', 'med', 'high']),
    }),
  },
  async ({ title, priority }) => {
    const id = await ticketApi.create({ title, priority });
    return { content: [{ type: 'text', text: `Created ticket ${id}` }] };
  },
);

await server.connect(new StdioServerTransport());

The Security Story

Prompt injection via MCP

A malicious MCP server can return tool output that contains instructions designed to hijack the model. This is classic indirect prompt injection, but at protocol scale. The mitigation is model-side (instruction hierarchies that down-weight tool-returned content) and client-side (treat tool output as data, not instructions, at the UI layer). Both are still maturing.

Tool poisoning

A server can declare a tool named read_public_docs whose description says "public documents only" while the implementation exfiltrates everything. The model has no way to verify implementation against description. The answer is infrastructure-side: scoped identity, per-tool RBAC, and runtime monitoring of what tools actually do.

Auth is the weakest link

MCP's auth story is still catching up. Many servers run with ambient credentials or long-lived tokens. Production deployments should assume that MCP auth will look like OAuth 2.1 + per-agent identity by end of 2026 and build toward that now. Microsoft Entra Agent ID is the emerging answer for the Entra ecosystem.

Patterns That Worked

  • Narrow, purpose-built servers over kitchen-sink ones. A "generic filesystem" server invites abuse. A "read-only access to /docs" server is auditable.
  • Per-organization server deployments. Shared multi-tenant MCP servers keep raising auth and data-isolation questions no one wants to answer. Per-org deployment punts the problem sensibly.
  • Explicit allowlists at the client. Clients that allowlist servers and tools by ID catch policy regressions that server-side checks miss.

What to Watch in 2026

  • Formal security audit patterns. An industry-standard way to audit an MCP server (think OpenAPI-for-agents) would unlock enterprise adoption.
  • OAuth 2.1 integration profile. The community draft here is gaining momentum.
  • Cross-agent composition. Agentic systems where agent A calls agent B via MCP is an emerging pattern with real identity-propagation challenges.

MCP's one-year story is a quieter version of what HTTP went through thirty years ago: the protocol wins, the security plumbing catches up later, and the interesting engineering moves to the servers. Teams treating MCP as a serious distributed-systems protocol. With auth, observability, and scoped identity. Are the ones positioned for the next year.

Ready to Transform Your Business?

Let's discuss how we can help you implement these solutions and achieve your goals with AI, cloud, and modern development practices.

No commitment required • Expert guidance • Tailored solutions

Tags

MCP
Model Context Protocol
AI Agents
Tool Use
Anthropic
← Back to all posts