Model Context Protocol
The Model Context Protocol (MCP) is an open protocol developed by Anthropic that provides a standardized interface for connecting large language model (LLM) applications with external data sources, tools, and services. Co-created by Anthropic engineers David Soria Parra and Justin Spahr-Summers, the protocol began as the internal project Claude Connect before being developed into a full protocol. Released in November 2024, MCP uses a client-server architecture with JSON-RPC 2.0 messaging to establish stateful sessions between AI applications and context providers. The protocol was inspired by the Language Server Protocol (LSP), which standardized how development tools interact with programming languages.
MCP addresses the combinatorial complexity of integrating multiple LLMs with multiple tools, known as the "M×N problem," by providing a unified protocol that both LLM vendors and tool builders can follow. Rather than requiring custom adapter code for each integration, MCP converts the M×N problem into a more manageable M+N problem, where a single implementation on each side enables universal interoperability. The protocol focuses solely on context exchange and does not dictate how AI applications use LLMs or manage the provided context.
The protocol ecosystem includes the MCP specification, official SDKs for TypeScript, Python, Java, Kotlin, C#, Swift, Rust, and Dart, development tools such as the MCP Inspector, and reference server implementations. By March 2025, over one thousand community-built MCP servers and thousands of MCP-integrated applications had been deployed. [[OpenAI]] adopted MCP in March 2025, with CEO Sam Altman stating that "People love MCP, and we're excited to add support for it in our products." [[Google|Google DeepMind]] announced support for the standard in April 2025. At Google I/O in May 2026, the company announced that Gemini Spark, its flagship 24/7 personal AI agent, connects to third-party tools through MCP, and launched Antigravity 2.0 with first-party Google Workspace MCP servers for Gmail, Drive, Calendar, Chat, and People API — leading industry observers to declare the protocol debate effectively settled for the agent era. By December 2025, the ecosystem had grown to over 10,000 active public MCP servers and 97 million monthly SDK downloads, with the protocol accumulating over 37,000 GitHub stars in under eight months. By April 2026, monthly SDK downloads had reached 110 million — a milestone that took React three years to achieve. A Nerq census in Q1 2026 indexed 17,468 MCP servers, with remote server deployments growing 400% since May 2025 and 59% of servers using Streamable HTTP transport.
On December 9, 2025, Anthropic transferred stewardship of the protocol to the Agentic AI Foundation (AAIF) under the Linux Foundation, with founding members including Amazon, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI. The AAIF grew to 190 organizations through two expansion waves in 2026, adding members including JPMorgan Chase, American Express, Red Hat, Stripe, F5, GoDaddy, and TRON alongside research institutions, government agencies, and South Korean and European AI engineering firms. The first MCP Dev Summit was held in New York City in April 2026 with approximately 1,200 attendees. Two flagship conferences — AGNTCon + MCPCon Europe in Amsterdam (September 17–18) and AGNTCon + MCPCon North America in San Jose, California (October 22–23) — anchor the 2026 calendar, alongside regional MCP Dev Summits in Bengaluru, Mumbai, Seoul, Shanghai, Tokyo, Toronto, and Nairobi.
By early 2026, MCP entered a phase of broader scrutiny alongside its rapid growth. A benchmark found that when connecting to multiple servers, up to 72% of an agent's context window could be consumed by tool schema definitions alone. Mitigations emerged at the client layer — Claude Code implemented progressive tool discovery achieving approximately 85% token reductions, and Cloudflare introduced Code Mode, which collapsed all tool definitions into two search-and-execute tools for a 94% reduction in token overhead. The gateway pattern emerged as the dominant architectural approach for enterprise deployments, with organizations converging on a centralized gateway paired with a registry as the control plane for all agent interactions. Security researchers identified widespread vulnerabilities across the ecosystem: a systematic study of 67,057 MCP servers across six public registries found 833 servers with exploitable vulnerabilities, and an OWASP MCP Top 10 framework formalized ten critical risk categories. Independent surveys converged on 38-41% of MCP servers having no authentication whatsoever, with only 8.5% using OAuth. In May 2026, the NSA's Artificial Intelligence Security Center issued its first formal security guidance on MCP, identifying serialization risks, trust boundaries, and agent misuse as significant concerns. In June 2026, an IETF Internet-Draft formally analyzed recurring MCP vulnerability classes and introduced Protocol Pivoting as a cross-protocol lateral-movement pattern. Academic research produced the first formal security analysis of MCP (arXiv:2601.17549), identifying three architectural vulnerabilities and demonstrating that the proposed MCPSec extension reduced successful attacks from 52.8% to 12.4%. The nginx-ui vulnerability (CVE-2026-33032, CVSS 9.8) became the most high-profile MCP-specific CVE, actively exploited in the wild within weeks of disclosure, and a fundamental design flaw in the STDIO transport mechanism was disclosed potentially affecting over 200,000 server deployments. Six documented real-world security incidents spanning 2025 to 2026 demonstrated that traditional security monitoring was not designed to detect MCP attack patterns. Academic research further demonstrated that LLMs cannot reliably self-enforce tool access control via prompts, with role escalation attacks achieving up to 96% unauthorized invocation, while a proxy-enforced attribute-based access control layer achieved 0% by filtering tools at discovery time. Enterprise security platforms emerged to provide content firewalls, immutable audit logging, and zero-trust identity management for MCP deployments. By mid-2026, MCP was transitioning through the Gartner Hype Cycle's trough of disillusionment, with critics citing token overhead, security concerns, and protocol complexity, while enterprise adoption continued to accelerate through centralized gateway architectures, OAuth 2.1 standardization, and the forthcoming specification update.
MCP Apps, released in January 2026 and standardized under SEP-1865, extended the protocol to support interactive UI components through sandboxed iframes with bidirectional JSON-RPC over postMessage, and was adopted by Claude, ChatGPT, VS Code with GitHub Copilot, Goose, Postman, Microsoft 365 Copilot Chat, and Elastic within months. The MCP-Cosmos research framework (arXiv:2605.09131, May 2026) demonstrated that world model-augmented MCP agents raised tool call success rates from 77.7% to 100% and parameter accuracy from 31.3% to 61.0%. A specification update planned for July 2026 — the largest revision of the protocol since launch — introduced a stateless protocol core enabling horizontal scalability on plain HTTP infrastructure, a formal extensions framework under which MCP Apps and Tasks became the first official extensions, authorization hardening with OpenID Connect alignment, and a formal deprecation policy with Roots, Sampling, and Logging deprecated. The 2026 MCP roadmap shifted from milestone-based releases to priority-driven development across four areas: transport evolution and scalability, agent communication, governance maturation, and enterprise readiness.
Enterprise MCP adoption accelerated across multiple sectors. Salesforce released the Data 360 MCP Server as an open-source developer preview, consolidating 200 REST API endpoints behind three facade tools. Workable launched a native MCP server with 59 tools across recruiting and HR at no additional cost. Sectigo introduced the industry's first globally available MCP server for certificate lifecycle management. eXo Platform released an MCP server exposing 98 tools across 10 digital workplace capability domains. Xinhua Finance (China's state financial information platform) launched a comprehensive MCP service matrix with 30+ core services across six categories, covering 200+ countries and 68 million market entities. [[Tencent Cloud]] built an extensive MCP ecosystem including 34+ cloud product MCP tools and an MCP Hub strategy driving the transition from Function Call integrations to standardized protocol adoption. China's Ministry of Industry and Information Technology opened public consultation on MCP application security requirements in June 2026, signaling regulatory engagement with the protocol in the world's largest AI market. The Agent-to-Agent protocol reached v1.0 with a formal Technical Steering Committee, and Google's A2A and Anthropic's MCP were positioned as complementary layers in an emerging multi-protocol agent stack. Enterprise MCP deployments from Block, Microsoft, Forbes, Cloudflare, Autodesk, and Uber confirmed MCP was operating at production scale across ride-sharing, retail, financial data, and professional services.