Custom MCP servers in 2026: connect your enterprise data to any AI agent

MCP connects AI agents to internal systems; 78% of enterprise teams run it, but only 8.5% of public servers use OAuth. What production-grade needs.

Read time
11 min
Word count
1.5K
Sections
9
FAQs
8
Share
A glowing hub node linked to document, database and app icons on a dark surface
Custom MCP servers connect AI agents to enterprise systems, securely.
On this page · 9 sections
  1. Why MCP won, and why it matters to your data
  2. The security problem nobody sees until an audit
  3. The spec changes on July 28, 2026
  4. Buy, build, or have it built
  5. How eCorpIT builds custom MCP servers
  6. India-specific considerations
  7. FAQ
  8. How eCorpIT can help
  9. References

Summary. An AI agent is only as useful as the systems it can reach, and the Model Context Protocol (MCP) has become the standard way to connect one to your databases, internal APIs, and documents. As of July 2026, 78% of enterprise AI teams run MCP-backed agents in production, 28% of the largest US companies run MCP servers, and the ecosystem has more than 10,000 active public servers with roughly 97 million monthly SDK downloads. The catch is security. In March 2025, the firm Equixly found 43% of popular MCP servers had command-injection flaws and 30% were exploitable via SSRF, with no authentication by default, and a later audit of 5,200 servers found only 8.5% used OAuth. With the average data breach at $4.44 million globally and $10.22 million in the US per IBM's 2025 report, a leaky MCP server is a real liability. The specification also changes on July 28, 2026, moving to a stateless core. This is what a production-grade custom MCP server needs, and how eCorpIT builds them.

A quick internal MCP server is easy to stand up in an afternoon. A safe one that survives an audit, scales horizontally, and keeps to the new spec is an engineering job. That gap is the whole point of this article.

Why MCP won, and why it matters to your data

MCP is an open protocol that lets an AI agent call tools and read resources through a uniform interface, so one agent can talk to Slack, a Postgres database, a GitHub repo, and your internal API without a bespoke integration for each. That standardisation is why it spread fast. It now has adoption across ChatGPT, Cursor, Gemini, Microsoft Copilot, and Visual Studio Code, and the official registry counted 9,652 server records as of May 24, 2026, per MCP adoption tracking.

Signal (2026) Figure What it means
Enterprise AI teams with MCP in production 78% MCP is the default agent-integration layer
Largest US companies running MCP servers 28% Large enterprises are already committed
Active public MCP servers 10,000+ A broad ecosystem to build on or against
Monthly SDK downloads ~97 million Developer momentum is real, not hype
Registry server records (May 24, 2026) 9,652 A curated directory is forming

The reason this matters for your business is simple. The value of an agent is the systems it can act on. An agent that can only chat is a demo. An agent that can safely read a customer record, draft a reply, file a ticket, and update a CRM is a product. MCP is how you get from the first to the second, and doing it well is what we cover in our enterprise AI agent development and API integration and modernisation work.

The security problem nobody sees until an audit

Here is the uncomfortable part. Most MCP servers in the wild are insecure. The numbers are not close calls.

Security finding Share of servers Why it matters
Command-injection flaws (Equixly, March 2025) 43% An attacker can run code on your server
SSRF-exploitable 30% The server can be tricked into hitting internal endpoints
Path traversal or arbitrary file read 22% Exposes files the agent should never see
Use OAuth for authorization 8.5% Most rely on weaker auth
Rely on static API keys or PATs 53% Long-lived secrets, often in environment variables

Those figures come from Equixly's testing and a credential audit of 5,200 servers, reported by Checkmarx and Practical DevSecOps. The attack surface is specific to agents: prompt injection and tool poisoning, where malicious instructions hidden in a ticket or file manipulate the agent; the confused-deputy problem, where a server uses its own broad privileges on behalf of a user who lacks them; and token passthrough, where a client credential is forwarded to an upstream API it was never scoped for. Gartner has linked the coming wave of GenAI security breaches directly to MCP.

A production-grade server closes these deliberately. The OWASP MCP security guidance and the MCP security state-of-play converge on the same controls: OAuth 2.1 authorization with mandatory PKCE, token-audience validation so a server only accepts tokens minted for it, never passing a client token through to upstream APIs, allow-listing and validating every tool input, blocking SSRF egress to private IP ranges, and requiring human confirmation for any sensitive or irreversible action. This is the same guardrail discipline we apply in our AI agent security and guardrails and agentic browser data-security work.

The spec changes on July 28, 2026

Build now and you build against a moving target. The MCP specification ships a major revision on July 28, 2026, and the headline change is a stateless protocol core. The Mcp-Session-Id header and the protocol-level session are removed, so any request can land on any server instance, and the sticky routing and shared session stores that horizontal deployments needed before are no longer required at the protocol layer, per the release candidate notes. That makes servers far easier to scale.

Two extensions matter for real products. Tasks lets a server answer a tool call with a task handle that the client drives with tasks/get, tasks/update, and tasks/cancel, which is how long-running work fits the stateless model. MCP Apps lets a server ship an interactive HTML interface that the host renders in a sandboxed iframe, with every UI action going through the same audit and consent path as a direct tool call. The SDKs move too: the Python SDK renames FastMCP to MCPServer while keeping the decorator API, and the TypeScript SDK splits into focused @modelcontextprotocol/server and client packages.

The practical takeaway: a server written to the old session model needs rework, and a new build should target the stateless core from day one so it scales cleanly and does not need a rewrite in a quarter.

Buy, build, or have it built

Not every connection needs a custom server. Pre-built servers exist for common systems, and Anthropic publishes ones for Google Drive, Slack, GitHub, Git, Postgres, and more. The decision is about where your value and your risk actually sit.

Approach Best for Watch out for
Pre-built vendor server Common SaaS systems (Slack, GitHub, Drive) Generic scopes; still needs auth hardening and review
Custom-built internal server Your proprietary databases, APIs, and workflows Security and spec-currency are on you
Partner-built and managed Teams without in-house MCP and security depth Choose a partner who builds to OAuth 2.1 and the 2026 spec

Pre-built servers are the right call for standard SaaS. The moment an agent needs to reach your own database, your internal API, or a regulated workflow, you need a custom server, and that server is exactly where the 43% command-injection and 8.5% OAuth statistics should worry you. This is the work eCorpIT does.

How eCorpIT builds custom MCP servers

eCorpIT is a Gurugram-based, senior-led engineering organisation (founded 2021, CMMI Level 5, MSME certified) with partners including AWS, Microsoft, and Google. We build and integrate custom MCP servers that connect AI agents to enterprise systems without opening the holes the audits keep finding.

Our approach is straightforward. We start with a discovery pass over the systems an agent needs to reach, your databases, internal APIs, document stores, and CRMs, and map each to a small, least-privilege set of tools rather than one broad, dangerous one. We implement OAuth 2.1 with PKCE and audience validation, allow-list and validate every tool input, block SSRF egress, and require human confirmation for sensitive or irreversible actions. We build to the July 28, 2026 stateless core so the server scales horizontally, add audit logging so every tool call is traceable, and test against prompt injection and tool poisoning before anything reaches production. Where personal data is involved, we design aligned with Digital Personal Data Protection Act 2023 requirements, keeping data handling and residency explicit rather than assumed.

The engagement model is a scoped discovery, a hardened pilot server for one or two high-value systems, then production rollout with monitoring, so you see a working, audited integration before committing to the full estate. It suits enterprises that want agents to act on internal systems, and teams that stood up a quick MCP server and hit security or scaling limits. It pairs naturally with a RAG knowledge assistant when agents also need to read internal documents.

India-specific considerations

For Indian enterprises, MCP servers are where agent ambitions meet the DPDP Act 2023. A server that lets an agent read customer records is processing personal data, so consent, purpose limitation, and residency are engineering requirements, not afterthoughts. Least-privilege tools and full audit logging make it possible to show what an agent accessed and why, which is the kind of evidence a DPDP posture needs. Keeping the server and its data in an Indian region also simplifies residency questions that arise when agents route through overseas models. The cost case is easy to frame: against an average breach cost of $4.44 million globally, and $10.22 million in the US, the engineering to secure an MCP server is a small fraction of the downside it prevents.

FAQ

How eCorpIT can help

eCorpIT builds and integrates custom MCP servers so your AI agents can act on internal systems safely. We design least-privilege tools, implement OAuth 2.1 with PKCE and audience validation, add audit logging, and build to the July 28, 2026 stateless spec, with data handling designed aligned with DPDP Act 2023 requirements. If you want agents that reach your databases, APIs, and documents without opening a security hole, talk to our team about a scoped discovery. See also our enterprise AI agent development and AI agent security and guardrails services.

References

  1. The 2026-07-28 MCP specification release candidate - Model Context Protocol
  1. The state of MCP security in 2026 - Microsoft
  1. MCP security cheat sheet - OWASP
  1. MCP security risks, real-world incidents, and security controls - Checkmarx
  1. How to secure MCP servers: auth, prompt injection and defenses - Codersera
  1. MCP security statistics 2026: CVEs, vulnerabilities and breach data - Practical DevSecOps
  1. MCP enterprise adoption: the July 2026 state of play - andrew.ooo
  1. MCP adoption statistics 2026 - Digital Applied
  1. Everything your team needs to know about MCP in 2026 - WorkOS
  1. Introducing the Model Context Protocol - Anthropic
  1. Cost of a data breach 2025 - IBM
  1. MCP 2026-07-28 spec: what changed, what breaks - Stacktree

_Last updated: July 18, 2026._

Frequently asked

Quick answers.

01 What is an MCP server?
An MCP server is a program that exposes tools and data to an AI agent through the Model Context Protocol, a standard interface. Instead of a bespoke integration per system, an agent uses one protocol to call Slack, a database, or an internal API. As of 2026, 78% of enterprise AI teams run MCP-backed agents in production.
02 Why not just use a pre-built MCP server?
Pre-built servers are ideal for common SaaS like Slack, GitHub, and Google Drive. But when an agent must reach your proprietary database, internal API, or a regulated workflow, you need a custom server. That is also where security matters most, since audits found 43% of public servers had command-injection flaws and only 8.5% used OAuth.
03 How do you secure a custom MCP server?
Use OAuth 2.1 with mandatory PKCE, validate the token audience so you only accept tokens minted for you, never pass a client token upstream, allow-list and validate every tool input, block SSRF egress to private IPs, and require human confirmation for sensitive actions. Add audit logging so every tool call is traceable and reviewable.
04 What changes in the July 28, 2026 MCP spec?
The specification moves to a stateless core, removing the session header so any request can land on any server instance, which makes horizontal scaling far easier. It adds a Tasks extension for long-running work and MCP Apps for sandboxed interactive UIs. New servers should target the stateless core from day one to avoid a rewrite later.
05 Does MCP affect DPDP compliance in India?
Yes. An MCP server that lets an agent read personal data is processing that data, so consent, purpose limitation, and residency apply under the Digital Personal Data Protection Act 2023. Least-privilege tools, audit logging, and keeping the server in an Indian region give you the traceability and control a DPDP posture requires.
06 How long does a custom MCP server take to build?
It depends on the systems and the security bar, which is why eCorpIT starts with a scoped discovery and a hardened pilot for one or two high-value systems before a full rollout. You see a working, audited integration early, then expand. Building to the 2026 stateless spec upfront avoids a rewrite when the specification lands.
07 What is tool poisoning, and why should I care?
Tool poisoning is when malicious instructions hidden in a data source, such as a ticket or file, manipulate an agent through the tools an MCP server exposes. Combined with prompt injection and the confused-deputy problem, it means a naive server can be steered to misuse its own privileges. Input validation and human confirmation for sensitive actions are the defences.
08 Can eCorpIT integrate MCP with our existing systems?
Yes. We map your databases, internal APIs, document stores, and CRMs to least-privilege MCP tools, implement OAuth 2.1 and audit logging, and test against prompt injection before production. We design data handling aligned with DPDP requirements. It pairs with our API modernisation and RAG work when agents also need to read internal documents.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.