# The New AI Attack Surface --- How Cortex Cloud Secures MCP

By [Ory Segal](https://www.paloaltonetworks.com/blog/author/ory-segal/?ts=markdown "Posts by Ory Segal"), [Aviv Sasson](https://www.paloaltonetworks.com/blog/author/aviv-sasson/?ts=markdown "Posts by Aviv Sasson") and [Elad Shuster](https://www.paloaltonetworks.com/blog/author/elad-shuster/?ts=markdown "Posts by Elad Shuster")

Jun 13, 2025 | 7 minutes | [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown)

With remarkable momentum behind its adoption, the Model Context Protocol (MCP) is quickly becoming the de facto interface for connecting large language models (LLMs) to tools, APIs, databases and other services. Think of it as the USB-C of AI development -- an elegant, standardized bridge that enables dynamic interaction between AI models and external environments. Major AI platforms, like ChatGPT, Gemini and Claude, already rely on it. (MCP is in fact [Anthropic's creation](https://www.anthropic.com/news/model-context-protocol), a solution designed for Claude Desktop.)

Like anything, though, as MCP adoption accelerates, so does the risk. Because MCP connects models to powerful systems and sensitive data in real time, it creates new attack surfaces that conventional security tools weren't designed to handle. To meet this challenge, we've built MCP Security to safeguard AI communications at their source.

## MCP --- An Operational Framework

The Model Context Protocol follows a client-server architecture that defines how AI applications communicate with tools, services and data sources in real time. It's not just a bridge; it's an operational framework that allows LLMs to interact with external environments in structured, context-rich ways.

MCP deployments typically include the following components:

* **MCP Hosts --** Applications, such as Claude Desktop, IDEs or AI assistants, that initiate data access through MCP.
* **MCP Clients --** Components that manage and maintain persistent connections to servers.
* **MCP Servers --** Lightweight services that expose capabilities through the standardized protocol.
* **Local Data Sources --** Files, databases and services that MCP servers can access within the local environment.
* **Remote Services --** External APIs and internet-connected systems reachable through the protocol.

Unlike traditional APIs, MCP supports complex context structures. Applications can:

* Pass rich, structured information with each request.
* Expose live data and content to LLMs as "Resources."
* Reuse prompt templates called "Prompts."
* Enable models to take defined actions through "Tools."
* Request completions through a mechanism called "Sampling."

![The traditional approach to AI applications and the MCP approach to AI applications.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340593-1.png)

MCP creates a standardized bridge between AI application and external services.

MCP's architecture is designed for the kind of flexible, dynamic integrations that next-generation AI applications require. While adoption is still in early stages, the protocol's potential impact on how AI systems access external resources makes it worth security teams' attention.

## The Emerging MCP Attack Surface

MCP enables AI applications to access the same tools and data that human users rely on -- email systems, customer databases, file shares and internal APIs. While this creates powerful capabilities, it also means that AI applications inherit the same access privileges as their users.

Consider common use cases. An AI assistant helping with customer support might need read access to CRM data, or a development copilot might access code repositories and deployment tools. These aren't necessarily "sensitive systems" by design, but they contain business-critical information that requires protection, which creates new security considerations.

When AI models can dynamically access multiple systems through MCP, several risk categories emerge.

### Protocol Design Vulnerabilities

Because MCP is a relatively new protocol, implementations can vary in their security approaches.
For example, some MCP servers might include sensitive session information directly in web addresses where it could be logged or cached. Others might use different authentication methods that don't consistently verify who is making requests.

Perhaps the most concerning aspect is how MCP servers don't always validate the data they receive before processing it. This means an attacker could potentially send malicious commands disguised as legitimate MCP requests -- similar to how SQL injection attacks work against databases but targeting the AI communication layer.

### Centralized Credential Risk

MCP servers often store access tokens for multiple systems. A single compromise can grant attackers lateral access to a wide range of services.

### Tool Poisoning Attacks

Attackers can embed hidden prompts or instructions in tool metadata. Although invisible to users, LLMs may interpret these as commands, triggering data exfiltration or unauthorized actions.

### Multiserver Conflicts

In environments with multiple MCP servers, organizations risk prompt hijacking, tool name collisions and uncoordinated server behavior that introduces unpredictable vulnerabilities.

### Implementation Level Flaws

Poorly implemented MCP servers often contain command injection flaws, improperly evaluate user input, or lack isolation between processes. These issues can enable privilege escalation and lateral movement.

The bottom line? MCP changes how models interact with the broader environment, but also introduces a dynamic, high-risk surface. The security challenges are particularly concerning because MCP facilitates communication between powerful AI models and sensitive systems, potentially enabling sophisticated attack vectors that traditional security tools aren't designed to detect.

## MCP Security in Cortex Cloud WAAS

At Palo Alto Networks, we're committed to securing the technologies that drive innovation.
Our new MCP Security capability in Cortex Cloud WAAS addresses the unique risks inherent to MCP communications. The feature provides two critical lines of defense.

### 1. Intelligent Protocol Validation

The WAAS protocol validation engine identifies and inspects MCP communications within general API traffic. It verifies structure against expected patterns, detects manipulation of protocol elements, and flags injection attempts aimed at protocol parsing. While MCP allows for implementation flexibility, the engine adapts to legitimate variations and enforces consistency across requests.

### 2. API-Based Attack Detection

WAAS also detects API-layer attacks targeting MCP endpoints. These include parameter tampering and other [Layer 7](https://www.paloaltonetworks.com/cyberpedia/what-is-layer-7) threats. Protections align with the OWASP API Security Top 10 to prevent misuse even when requests are well formed.

## Security Recommendations for MCP Builders

Teams adopting or building on MCP can reduce their risks by implementing these best practices:

* **Use Strong Access Controls** -- Apply least privilege to every MCP tool and server.
* **Protect Credentials** -- Avoid hardcoding credentials, rotate keys regularly and isolate secrets.
* **Isolate Runtime Environments** -- Run MCP servers in isolated containers or sandboxed environments to prevent lateral movement if a server is compromised.
* **Enable Detailed Logging** -- Capture full MCP operations logs for anomaly detection.
* **Validate Server Identities** -- Ensure connections go to trusted MCP implementations.
* **Require Confirmation for Sensitive Actions** -- Don't let the model act silently on risky requests.

## Comprehensive AI Protection --- Beyond MCP Security

Securing MCP communications is imperative, but organizations need a holistic approach to AI security.
Cortex Cloud offers additional capabilities that complement MCP Security to provide end-to-end detection for AI applications and infrastructure:

### AI Security Posture Management (AI-SPM)

[Cortex Cloud AI-SPM](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management) works alongside MCP Security to provide complete visibility and protection across your entire AI ecosystem, ensuring your teams can:

* **Discover and inventory AI models** deployed across your cloud environments.
* **Assess AI-specific risks,** including data exposure, insecure model configurations and vulnerable dependencies.
* **Monitor the AI supply chain** to identify poisoned datasets or unauthorized models.
* **Enforce governance policies** for responsible AI use and regulatory compliance.
* **Detect misconfigurations** in AI workflows that could lead to sensitive data exposure.

The combination of MCP Security and AI-SPM creates layers of defense, protecting how AI applications communicate via MCP and ensuring the underlying models, data and infrastructure follow security best practices.

## What This Means for AI Builders

The introduction of MCP Security in Cortex Cloud WAAS represents an impactful step in securing the future of AI applications. By validating MCP communications and preventing API-based attacks, organizations can:

1. **Deploy AI Applications Confidently** -- Implement MCP-based solutions with the assurance that communications are secured.
2. **Protect Sensitive Data** -- Prevent unauthorized access to resources and context information.
3. **Maintain Model Integrity** -- Ensure LLMs receive only legitimate requests and context.
4. **Enable Secure Innovation** -- Adopt new AI capabilities without compromising security.

MCP Security will be available to Cortex Cloud WAAS customers at the end of May 2025.
Organizations interested in using MCP Security can [contact](https://www.paloaltonetworks.com/company/contact-sales?ts=buy-now-general:contact-us) their Palo Alto Networks representative.
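The structural checks described under "Protocol Design Vulnerabilities" and "Intelligent Protocol Validation" can be made concrete. The validator below is an added example, not code from the original post or from Cortex Cloud WAAS: it checks the JSON-RPC envelope, allowlists MCP methods, checks `tools/call` arguments against the tool's declared `inputSchema`, and rejects session material carried in the URL rather than in the `Mcp-Session-Id` header. The method names and the header follow the MCP specification; the tool registry, URLs and sample requests are constructed for illustration.

```python
# Added example, not code from the original post or from Cortex Cloud WAAS. Method names and
# the Mcp-Session-Id header follow the MCP spec; the tool registry below is constructed.
import json
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_METHODS = {"initialize", "ping", "tools/list", "tools/call", "resources/list",
                   "resources/read", "prompts/list", "prompts/get"}
# Query-string keys that would put session material into URLs, proxy caches and access logs.
SESSION_QUERY_KEYS = {"session", "sessionid", "session_id", "mcp-session-id", "token"}
TOOL_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
JSON_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool, "object": dict, "array": list}
# Constructed registry in the shape of a tools/list result; inputSchema is JSON Schema.
TOOL_REGISTRY = {"read_file": {"inputSchema": {
    "type": "object", "required": ["path"],
    "properties": {"path": {"type": "string"}, "max_bytes": {"type": "integer"}}}}}


def validate_tool_arguments(tool_name, arguments):
    """Check tools/call arguments against the tool's declared inputSchema."""
    tool = TOOL_REGISTRY.get(tool_name)
    if tool is None:
        return [f"unknown tool {tool_name!r}"]
    schema = tool["inputSchema"]
    props = schema.get("properties", {})
    findings = [f"missing required argument {k!r}"
                for k in schema.get("required", []) if k not in arguments]
    for key, value in arguments.items():
        if key not in props:  # reject extras instead of passing them through to the tool
            findings.append(f"unexpected argument {key!r}")
            continue
        expected = JSON_TYPES.get(props[key].get("type"))
        # bool is a subclass of int in Python, so keep it out of integer/number checks
        if expected and (not isinstance(value, expected)
                         or (expected is not bool and isinstance(value, bool))):
            findings.append(f"argument {key!r} has wrong type")
    return findings


def validate_mcp_request(url, headers, body):
    """Return a list of findings; an empty list means the request may be processed."""
    findings = []
    if {k.lower() for k in parse_qs(urlsplit(url).query)} & SESSION_QUERY_KEYS:
        findings.append("session material in URL query string")
    try:
        msg = json.loads(body)
    except ValueError:
        msg = None
    if not isinstance(msg, dict):
        return findings + ["body is not a JSON-RPC object"]
    if msg.get("jsonrpc") != "2.0" or not isinstance(msg.get("id"), (int, str)):
        findings.append("malformed JSON-RPC envelope")
    method = msg.get("method")
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowed: {method!r}")
    params = msg.get("params", {})
    if not isinstance(params, dict):
        findings.append("params must be an object")
    elif method == "tools/call":
        name, args = params.get("name"), params.get("arguments", {})
        if not isinstance(name, str) or not TOOL_NAME_RE.match(name):
            findings.append("invalid tool name")
        elif not isinstance(args, dict):
            findings.append("arguments must be an object")
        else:
            findings.extend(validate_tool_arguments(name, args))
    # Streamable HTTP transport: the session id belongs in a header, never in the URL.
    if method != "initialize" and "Mcp-Session-Id" not in headers:
        findings.append("missing Mcp-Session-Id header")
    return findings
```

Every finding is returned rather than the first one only, so an inline inspection layer can log the full picture of a malformed request before rejecting it.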
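For the tool poisoning and tool name collision risks above, and the "Validate Server Identities" recommendation, a host can review the tool list a server advertises before any description reaches the model. The code below is an added example, not from the original post or from Cortex Cloud: it scans tool metadata for instruction-like phrases and invisible characters, pins a fingerprint of each approved tool's metadata, and rejects duplicates and tools whose metadata changed after approval. The detection patterns, the sample tools and the pinned fingerprints are constructed for illustration.

```python
# Added example, not code from the original post or from Cortex Cloud: checks a host can run over
# the tool list an MCP server advertises, before any description reaches the model.
# The detection patterns and the sample tools are constructed heuristics, not a complete filter.
import hashlib
import json
import re

# Phrases that only make sense as instructions to the model, not as documentation for a user.
HIDDEN_INSTRUCTION_RULES = {
    "override_prompt": re.compile(r"ignore\s+(all\s+|any\s+)?(previous|prior|above)\s+instructions", re.I),
    "conceal_from_user": re.compile(r"do\s+not\s+(tell|mention|reveal|show)\s+(the\s+)?user", re.I),
    "hidden_markup": re.compile(r"<\s*important\s*>|<!--.*?-->", re.I | re.S),
    "cross_tool_hook": re.compile(r"(when|before|after)\s+(the\s+)?\S+\s+tool\s+is\s+(called|used|invoked)", re.I),
    "secret_file_reference": re.compile(r"~?/\.ssh|\.env\b|id_rsa|/etc/passwd", re.I),
}
# Code points that render as nothing: zero-width spaces and joiners, BOM, Unicode tag characters.
INVISIBLE_RE = re.compile(r"[\u200b-\u200f\u2060\ufeff\U000e0000-\U000e007f]")
MAX_DESCRIPTION_CHARS = 1000


def scan_tool(tool):
    """Return the names of rules a tool's metadata trips; an empty list means it looks clean."""
    text = tool.get("description", "")
    hits = [name for name, rule in HIDDEN_INSTRUCTION_RULES.items() if rule.search(text)]
    if INVISIBLE_RE.search(text):
        hits.append("invisible_characters")
    if len(text) > MAX_DESCRIPTION_CHARS:
        hits.append("oversized_description")
    # Parameter descriptions reach the model too, so the schema gets the same phrase rules.
    schema_text = json.dumps(tool.get("inputSchema", {}))
    if any(rule.search(schema_text) for rule in HIDDEN_INSTRUCTION_RULES.values()):
        hits.append("instructions_in_schema")
    return hits


def tool_fingerprint(tool):
    """Stable hash of the metadata the model sees; pin it when a tool is first approved."""
    canonical = json.dumps({k: tool.get(k) for k in ("name", "description", "inputSchema")},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def review_tool_list(tools, pinned):
    """Triage a tools/list result against pinned fingerprints: (accepted names, {name: reasons})."""
    accepted, rejected, seen = [], {}, set()
    for tool in tools:
        name = tool.get("name", "")
        reasons = scan_tool(tool)
        if name in seen:  # two servers advertising the same name: do not guess which one wins
            reasons.append("duplicate_tool_name")
        seen.add(name)
        if name not in pinned:
            reasons.append("not_yet_approved")
        elif pinned[name] != tool_fingerprint(tool):
            reasons.append("metadata_changed_since_approval")  # the "rug pull" case
        if reasons:
            rejected.setdefault(name, []).extend(reasons)
        else:
            accepted.append(name)
    return accepted, rejected
```

Rejected tools should be withheld from the model entirely and surfaced to a human, since a description that only "looks odd" is exactly what a poisoned tool is designed to be.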