MCP Won. Now Comes the Hard Part.
97 million monthly downloads, 9,400 servers, 30+ CVEs in eight weeks. The protocol standardized the easy 20%. Production is the other 80%, and I've shipped it.
The Model Context Protocol crossed 97 million monthly SDK downloads this month, up from about 2 million at launch sixteen months ago. There are over 9,400 public servers. Every major lab supports it natively. Since December it has lived under the Linux Foundation’s Agentic AI Foundation, which is the institutional equivalent of a standard taking off its startup hoodie. MCP won, and it deserved to: it killed a thousand bespoke integrations by standardizing how an agent discovers and calls a tool.
Also this quarter: security researchers filed more than thirty CVEs against MCP servers in January and February alone.
Both facts are true, and the second one follows from the first. I want to explain why, because I spent last summer putting an MCP system into production at Zscaler, inside an environment that processes over 500 billion events a day, and the lesson of that project was not “MCP is great” or “MCP is dangerous.” It was: MCP is a connector standard, and everyone is treating it like a control plane.
What the protocol actually covers
Read the spec with production eyes and notice what it standardizes: tool schemas, capability discovery, transport, sessions. This is real work and it is the easy 20%, in the sense that it is the part every team would otherwise reinvent identically. The protocol’s genius was picking the layer where standardization is pure win.
Now list what my production deployment needed that the spec, correctly, does not give you:
- Identity. When the agent calls a tool, who is acting? The user? A service account? The agent itself? Every audit and every permission decision hangs on this, and “an API key in an env var” is not an answer a security review accepts.
- Authorization. Least privilege per tool, per argument. A
read_tabletool and adrop_tabletool are the same shape on the wire. - Audit. A tamper-evident record of what the agent did, keyed to the identity above, retained the way your compliance regime demands.
- State. Sessions that survive a load balancer. Stateful transports and horizontal scaling are still an awkward pair, which is exactly why gateway vendors smell blood.
- Blast radius. The question that decides whether you ship: when this server is compromised or just wrong, what is the worst it can do, and what stops it?
Why the CVE wave was inevitable
The thirty-plus CVEs are not evidence that the protocol is broken. They are evidence of a category error the ecosystem made at scale: servers written as weekend demos are being run as infrastructure. A demo server holds one user’s credentials and talks to one laptop. The same code, deployed behind a company’s agent fleet, is a confused deputy with root and a public address.
We have seen this movie. It is containers in 2015: a runtime standard everyone adopted
in a rush, followed by years of building the actual production layer around it,
registries, signing, admission control, runtime policy. Nobody concluded Docker was a
mistake. Everyone concluded that docker pull random/image into prod was a mistake.
npx some-mcp-server is exactly that moment, and treating a tool description as
trusted input is this ecosystem’s latest tag.
The prediction that falls out of the container analogy: the money and the merger activity in this space will happen at the gateway. Gartner already projects that 75% of API gateway vendors ship MCP features by the end of the year. The gateway is where identity, policy, audit, and rate limits naturally live, which means the gateway is where the enterprise checkbook naturally opens.
What shipping it actually took
For the record, the things that made our deployment work had almost nothing to do with the protocol and everything to do with the perimeter we built around it: every tool call attributed to an identity, scopes narrowed per tool until the agent could do its job and nothing adjacent to its job, structured logs on every invocation, humans in the loop on any write that crossed a system boundary, and load-tested failure modes before anyone typed the word “autonomous” in a design doc. The result automated 100+ weekly workflows and paid for itself several times over. None of that came from the spec, and none of it could have. Specs standardize interfaces. Operations is local.
So: adopt MCP. It won, it deserved to, and fighting a settled standard is a waste of your one professional life. But hold two ideas at once. The protocol solved integration. You still own trust. If your MCP rollout plan fits in one sprint, what you have planned is a demo.