On this page · 9 sections
Summary. An AI agent is only as useful as the systems it can reach, and the Model Context Protocol (MCP) has become the standard way to connect one to your databases, internal APIs, and documents. As of July 2026, 78% of enterprise AI teams run MCP-backed agents in production, 28% of the largest US companies run MCP servers, and the ecosystem has more than 10,000 active public servers with roughly 97 million monthly SDK downloads. The catch is security. In March 2025, the firm Equixly found 43% of popular MCP servers had command-injection flaws and 30% were exploitable via SSRF, with no authentication by default, and a later audit of 5,200 servers found only 8.5% used OAuth. With the average data breach at $4.44 million globally and $10.22 million in the US per IBM's 2025 report, a leaky MCP server is a real liability. The specification also changes on July 28, 2026, moving to a stateless core. This is what a production-grade custom MCP server needs, and how eCorpIT builds them.
A quick internal MCP server is easy to stand up in an afternoon. A safe one that survives an audit, scales horizontally, and keeps to the new spec is an engineering job. That gap is the whole point of this article.
Why MCP won, and why it matters to your data
MCP is an open protocol that lets an AI agent call tools and read resources through a uniform interface, so one agent can talk to Slack, a Postgres database, a GitHub repo, and your internal API without a bespoke integration for each. That standardisation is why it spread fast. It now has adoption across ChatGPT, Cursor, Gemini, Microsoft Copilot, and Visual Studio Code, and the official registry counted 9,652 server records as of May 24, 2026, per MCP adoption tracking.
| Signal (2026) | Figure | What it means |
|---|---|---|
| Enterprise AI teams with MCP in production | 78% | MCP is the default agent-integration layer |
| Largest US companies running MCP servers | 28% | Large enterprises are already committed |
| Active public MCP servers | 10,000+ | A broad ecosystem to build on or against |
| Monthly SDK downloads | ~97 million | Developer momentum is real, not hype |
| Registry server records (May 24, 2026) | 9,652 | A curated directory is forming |
The reason this matters for your business is simple. The value of an agent is the systems it can act on. An agent that can only chat is a demo. An agent that can safely read a customer record, draft a reply, file a ticket, and update a CRM is a product. MCP is how you get from the first to the second, and doing it well is what we cover in our enterprise AI agent development and API integration and modernisation work.
The security problem nobody sees until an audit
Here is the uncomfortable part. Most MCP servers in the wild are insecure. The numbers are not close calls.
| Security finding | Share of servers | Why it matters |
|---|---|---|
| Command-injection flaws (Equixly, March 2025) | 43% | An attacker can run code on your server |
| SSRF-exploitable | 30% | The server can be tricked into hitting internal endpoints |
| Path traversal or arbitrary file read | 22% | Exposes files the agent should never see |
| Use OAuth for authorization | 8.5% | Most rely on weaker auth |
| Rely on static API keys or PATs | 53% | Long-lived secrets, often in environment variables |
Those figures come from Equixly's testing and a credential audit of 5,200 servers, reported by Checkmarx and Practical DevSecOps. The attack surface is specific to agents: prompt injection and tool poisoning, where malicious instructions hidden in a ticket or file manipulate the agent; the confused-deputy problem, where a server uses its own broad privileges on behalf of a user who lacks them; and token passthrough, where a client credential is forwarded to an upstream API it was never scoped for. Gartner has linked the coming wave of GenAI security breaches directly to MCP.
A production-grade server closes these deliberately. The OWASP MCP security guidance and the MCP security state-of-play converge on the same controls: OAuth 2.1 authorization with mandatory PKCE, token-audience validation so a server only accepts tokens minted for it, never passing a client token through to upstream APIs, allow-listing and validating every tool input, blocking SSRF egress to private IP ranges, and requiring human confirmation for any sensitive or irreversible action. This is the same guardrail discipline we apply in our AI agent security and guardrails and agentic browser data-security work.
The spec changes on July 28, 2026
Build now and you build against a moving target. The MCP specification ships a major revision on July 28, 2026, and the headline change is a stateless protocol core. The Mcp-Session-Id header and the protocol-level session are removed, so any request can land on any server instance, and the sticky routing and shared session stores that horizontal deployments needed before are no longer required at the protocol layer, per the release candidate notes. That makes servers far easier to scale.
Two extensions matter for real products. Tasks lets a server answer a tool call with a task handle that the client drives with tasks/get, tasks/update, and tasks/cancel, which is how long-running work fits the stateless model. MCP Apps lets a server ship an interactive HTML interface that the host renders in a sandboxed iframe, with every UI action going through the same audit and consent path as a direct tool call. The SDKs move too: the Python SDK renames FastMCP to MCPServer while keeping the decorator API, and the TypeScript SDK splits into focused @modelcontextprotocol/server and client packages.
The practical takeaway: a server written to the old session model needs rework, and a new build should target the stateless core from day one so it scales cleanly and does not need a rewrite in a quarter.
Buy, build, or have it built
Not every connection needs a custom server. Pre-built servers exist for common systems, and Anthropic publishes ones for Google Drive, Slack, GitHub, Git, Postgres, and more. The decision is about where your value and your risk actually sit.
| Approach | Best for | Watch out for |
|---|---|---|
| Pre-built vendor server | Common SaaS systems (Slack, GitHub, Drive) | Generic scopes; still needs auth hardening and review |
| Custom-built internal server | Your proprietary databases, APIs, and workflows | Security and spec-currency are on you |
| Partner-built and managed | Teams without in-house MCP and security depth | Choose a partner who builds to OAuth 2.1 and the 2026 spec |
Pre-built servers are the right call for standard SaaS. The moment an agent needs to reach your own database, your internal API, or a regulated workflow, you need a custom server, and that server is exactly where the 43% command-injection and 8.5% OAuth statistics should worry you. This is the work eCorpIT does.
How eCorpIT builds custom MCP servers
eCorpIT is a Gurugram-based, senior-led engineering organisation (founded 2021, CMMI Level 5, MSME certified) with partners including AWS, Microsoft, and Google. We build and integrate custom MCP servers that connect AI agents to enterprise systems without opening the holes the audits keep finding.
Our approach is straightforward. We start with a discovery pass over the systems an agent needs to reach, your databases, internal APIs, document stores, and CRMs, and map each to a small, least-privilege set of tools rather than one broad, dangerous one. We implement OAuth 2.1 with PKCE and audience validation, allow-list and validate every tool input, block SSRF egress, and require human confirmation for sensitive or irreversible actions. We build to the July 28, 2026 stateless core so the server scales horizontally, add audit logging so every tool call is traceable, and test against prompt injection and tool poisoning before anything reaches production. Where personal data is involved, we design aligned with Digital Personal Data Protection Act 2023 requirements, keeping data handling and residency explicit rather than assumed.
The engagement model is a scoped discovery, a hardened pilot server for one or two high-value systems, then production rollout with monitoring, so you see a working, audited integration before committing to the full estate. It suits enterprises that want agents to act on internal systems, and teams that stood up a quick MCP server and hit security or scaling limits. It pairs naturally with a RAG knowledge assistant when agents also need to read internal documents.
India-specific considerations
For Indian enterprises, MCP servers are where agent ambitions meet the DPDP Act 2023. A server that lets an agent read customer records is processing personal data, so consent, purpose limitation, and residency are engineering requirements, not afterthoughts. Least-privilege tools and full audit logging make it possible to show what an agent accessed and why, which is the kind of evidence a DPDP posture needs. Keeping the server and its data in an Indian region also simplifies residency questions that arise when agents route through overseas models. The cost case is easy to frame: against an average breach cost of $4.44 million globally, and $10.22 million in the US, the engineering to secure an MCP server is a small fraction of the downside it prevents.
FAQ
How eCorpIT can help
eCorpIT builds and integrates custom MCP servers so your AI agents can act on internal systems safely. We design least-privilege tools, implement OAuth 2.1 with PKCE and audience validation, add audit logging, and build to the July 28, 2026 stateless spec, with data handling designed aligned with DPDP Act 2023 requirements. If you want agents that reach your databases, APIs, and documents without opening a security hole, talk to our team about a scoped discovery. See also our enterprise AI agent development and AI agent security and guardrails services.
References
- The 2026-07-28 MCP specification release candidate - Model Context Protocol
- The state of MCP security in 2026 - Microsoft
- MCP security cheat sheet - OWASP
- MCP security statistics 2026: CVEs, vulnerabilities and breach data - Practical DevSecOps
- MCP enterprise adoption: the July 2026 state of play - andrew.ooo
- MCP adoption statistics 2026 - Digital Applied
- Introducing the Model Context Protocol - Anthropic
- MCP 2026-07-28 spec: what changed, what breaks - Stacktree
_Last updated: July 18, 2026._