What is MCP? Model context protocol for LLMs
Large-language models rely on ingesting huge volumes of information for training and responding to queries. Model context protocol provides the connection so LLMs can communicate with external data, services, and applications.
MCP definition
Model context protocol (MCP) is an open source standard, developed by Anthropic, that connects AI models and applications to external systems. Large-language models (LLM) can integrate with external data sources without the need for custom connectors.
With MCP, AI models and tools can communicate with databases, applications, and services. It enables AI tools to ingest up-to-date information and data, perform actions, and improve workflows.
Previously, vendors needed to create custom connectors for each tool or service that a client wanted to connect to an AI model or application. The number of connectors continued to grow as more models were released, and the amount of tools that clients wanted to integrate with increased. Maintaining these custom connectors also proved to be a challenge.
MCP simplifies this issue by serving as a universal connector between AI models and tools and external sources.
MCP use cases include helping AI models to:
- Query a knowledge base for documentation and retrieve structured data.
- Orchestrate workflows with AI agents or interact with external services.
- Analyze data, query logs, or retrieve alerts for security teams.
Why MCP is important for AI tools
On their own, LLMs and AI tools are trained on a static knowledge base but are otherwise isolated from up-to-date or real-time data. Without such access, their accuracy and knowledge are limited, which can lead to more frequent hallucinations.
Initially, this was solved with custom connectors from databases or tools to AI models. However, the number of these bespoke connectors grows until it becomes untenable, both for the developers building them and for the teams maintaining them.
The challenge of creating a custom connector for every client became known as the MxN integration problem. Basically, it meant that for every AI model or tool, there needed to be a growing number of custom connectors for each external tool or system clients wanted it to access.
MCP solves this by being an open source standard that any AI model can use to connect with external systems or data. MxN becomes M+N and scales more easily.
Benefits of MCP
MCP benefits include the following:
- Provides standardization for tool integration: Vendors can integrate MCP with their AI model or tools and know that clients can connect any external system they want without the need for custom connectors.
- Reduces development time: Developers don’t need to waste time building custom connectors, but instead can reuse existing MCP servers that fit their needs.
- Enables simpler interoperability: Clients can more easily swap between AI models or tools if their unique business needs change without worrying about how they will integrate them with external systems.
- Makes AI models more reliable: MCP makes it easier for clients to connect AI models they use to up-to-date knowledge bases, ensuring that AI model output is accurate and less likely to hallucinate.
Core components of MCP
At a high level, MCP follows a client-server architecture that consists of three main components:
- MCP host: The LLM or AI application that requests access from an MCP server.
- MCP client: Relays context or action requests between the AI application and the appropriate MCP server.
- MCP server: The intermediary component that relays the context or actions from an MCP host to the target external systems.
Within that, MCP has two layers:
- Data layer: Defines the client-server JSON communication for the core primitives (the actions or data the host and server can offer each other) and for MCP lifecycle management (connection initialization, capability negotiation, and connection termination).
- Transport layer: Handles the communication and data transmission between the MCP host and MCP server, whether on a local or a remote system. Local servers use stdio transport, while remote servers use HTTP POST.
As mentioned, the data layer defines primitives: the contextual information and actions that can be shared between host and server. These break down into:
- Tools: The actions that models can request, such as run a query, execute code, or call an API.
- Resources: The data that models can retrieve, such as documents, files, and database records.
- Prompts: Reusable templates that structure interactions with tools, such as for discovery, retrieval, or execution.
How MCP works
MCP begins with a user's prompt to the MCP client, such as asking an LLM to query an internal database or create a Jira ticket; the client in turn connects to the AI model or tool.
The AI model tells the MCP client which tool or system is needed to act on the prompt. The MCP client then sends the task to the MCP server of the selected tool, such as the Atlassian MCP server for Jira.
The MCP server determines whether the requested action is available and passes it on to the tool or system. That tool or system executes the task and sends the output of the action to the MCP server, which relays it back to the MCP client.
Lastly, the MCP client provides the output to the AI model or tool, which creates a response for the user regarding their prompt, such as the requested data or the Jira ticket information.
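As an added illustration of the data layer primitives and the client-to-server flow described above (this is not code from the original article or from the MCP reference implementation), the following toy Python server answers the lifecycle and tools messages of an MCP session; the tool, its sample alert data and the protocol version string are constructed assumptions.

```python
import json
from typing import Optional

# Toy MCP-style server: answers the JSON-RPC 2.0 messages of the lifecycle
# (initialize) and the "tools" primitive. Tool, data and version are constructed.
PROTOCOL_VERSION = "2025-06-18"   # assumed value; negotiated during initialize
TOOLS = {
    "get_alert": {
        "description": "Return a security alert by id (constructed sample data).",
        "inputSchema": {"type": "object",
                        "properties": {"alert_id": {"type": "string"}},
                        "required": ["alert_id"]},
    }
}
ALERTS = {"a-101": {"severity": "high", "rule": "Terminal shell in container"}}

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle(msg: dict) -> Optional[dict]:
    """Dispatch one JSON-RPC message; notifications (no id) get no reply."""
    method, req_id, params = msg.get("method"), msg.get("id"), msg.get("params", {})
    if method == "initialize":             # lifecycle: capability negotiation
        return {"jsonrpc": "2.0", "id": req_id, "result": {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {"tools": {}},  # this server offers only tools
            "serverInfo": {"name": "demo-alerts", "version": "0.1"}}}
    if method == "notifications/initialized":
        return None
    if method == "tools/list":             # discovery: which actions exist
        return {"jsonrpc": "2.0", "id": req_id, "result": {
            "tools": [{"name": n, **spec} for n, spec in TOOLS.items()]}}
    if method == "tools/call":             # execution of one action
        name, args = params.get("name"), params.get("arguments", {})
        if name not in TOOLS or "alert_id" not in args:
            return _error(req_id, -32602, "Invalid params")
        alert = ALERTS.get(args["alert_id"])
        text = json.dumps(alert) if alert else "no such alert"
        return {"jsonrpc": "2.0", "id": req_id, "result": {
            "content": [{"type": "text", "text": text}], "isError": alert is None}}
    return _error(req_id, -32601, "Method not found")

def run_session(ndjson: str) -> list:
    """Feed newline-delimited JSON (the stdio framing) through handle()."""
    replies = [handle(json.loads(l)) for l in ndjson.splitlines() if l.strip()]
    return [r for r in replies if r is not None]   # notifications yield no reply
```

Feeding `run_session` the initialize, initialized, tools/list and tools/call messages in order reproduces the handshake, discovery and execution steps of the flow above.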
MCP security considerations
Because MCP sits between AI models and databases and other external systems, where sensitive data could be shared, there are naturally security concerns to be aware of.
Some MCP security challenges include:
- Inter-agent protocol abuse: Attackers target MCP with consent bypass or context hijacking, causing unauthorized AI actions. This can include abusing the trust embedded in protocols or misleading agents through poor consent flows.
- Indirect prompt injection: Hidden instructions in a website or in the query parameters of an API request that cause the AI model to perform actions it otherwise wouldn't.
- Weak access control: Attackers could exploit static client IDs, dynamic client registration, or consent cookies in MCP servers to collect authorization codes that user permissions would normally not allow – an issue called a “confused deputy” vulnerability.
Some MCP security best practices include:
- Implement strong authentication and authorization: This includes using OAuth 2.1 and JSON Web Tokens (JWT) for client-server authentication, rotating API keys, and adopting least privilege and role-based access control (RBAC).
- Limit model behavior: Prevent prompt injection and other AI attacks by limiting what actions or responses an AI agent can take, and instruct it to ignore attempts to alter those limits.
- Require human consent: For high-risk actions, require human-in-the-loop permission to prevent the confused deputy problem rather than trusting a program's authentication alone.
- Use rate limiting: Restrict requests to prevent query abuse.
- Protect data: Encrypt all data used or stored by the MCP server and use input sanitization to prevent prompt injection attacks.
- Adopt observability: Monitor AI agent interactions with MCP to ensure malicious users aren’t abusing access or requesting privileged actions.
- Perform security scans: Scan public MCP servers before adopting them to ensure they are secure and not malicious.
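The following added example (not Sysdig's code) shows how several of these practices can be enforced together in one policy gate placed in front of an MCP server's tools/call handler; the tool names, roles, limits and the consent flag are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Policy gate in front of an MCP server's tools/call handler: least privilege
# per role, human consent for high-risk tools, per-client rate limit, argument
# validation and an audit trail. Tool names, roles and limits are constructed.
TOOL_POLICY = {
    "get_alert":   {"risk": "low",  "roles": {"analyst", "admin"}},
    "list_vulns":  {"risk": "low",  "roles": {"analyst", "admin"}},
    "close_alert": {"risk": "high", "roles": {"admin"}},   # changes state
}
RATE_LIMIT, WINDOW_SECONDS = 5, 60    # assumed: 5 calls per client per minute
_calls = defaultdict(deque)            # client_id -> timestamps of recent calls
AUDIT_LOG = []                         # what an observability pipeline would ship

def _rate_ok(client_id, now):
    """Sliding-window limit: drop stale timestamps, then admit or refuse."""
    q = _calls[client_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def authorize_call(client_id, role, tool, args, consent=False, now=None):
    """Return (allowed, reason) for one tools/call; every decision is logged."""
    now = time.time() if now is None else now
    policy = TOOL_POLICY.get(tool)
    if not _rate_ok(client_id, now):
        decision = (False, "rate limit exceeded")
    elif policy is None:
        decision = (False, "unknown tool")                   # deny by default
    elif role not in policy["roles"]:
        decision = (False, "role not permitted")             # RBAC / least privilege
    elif not all(isinstance(v, (str, int)) for v in args.values()):
        decision = (False, "unexpected argument type")       # reject nested payloads
    elif policy["risk"] == "high" and not consent:
        decision = (False, "human consent required")         # confused-deputy guard
    else:
        decision = (True, "ok")
    AUDIT_LOG.append({"ts": now, "client": client_id, "role": role, "tool": tool,
                      "allowed": decision[0], "reason": decision[1]})
    return decision
```

Passing `consent=True` stands in for a recorded human approval; a real server would collect it out of band rather than trusting the calling program's own claim.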
MCP and Sysdig
We’ve released the Sysdig MCP Server so that any compatible AI model and tool can securely access our Cloud Security APIs and data.
With Sysdig MCP server, any AI model can query real-time security data on findings, vulnerabilities, and misconfigurations. This includes runtime threat detections, cloud security posture, and the discovery of any critical vulnerabilities.
Sysdig MCP server also enables AI models to generate security recommendations based upon Sysdig Secure™ and Sysdig Monitor™ insights.
