Your CTEM Program Is Probably Ignoring MCP. Here’s How to Fix It
Why It Matters
MCP expands the attack surface of AI‑driven applications, turning ordinary development shortcuts into exploitable entry points. Ignoring it leaves enterprises vulnerable to data theft, credential abuse, and ransomware via AI agents.
Key Takeaways
- MCP plugins expose supply‑chain, credential, and privilege risks anew
- Malicious MCP npm package compromised 300 firms before detection
- Hard‑coded AI API keys enable rapid cloud‑service fraud
- CVE‑2025‑6514 and CVE‑2025‑49596 give attackers remote code via MCP
- Extending CTEM to MCP adds discovery, prioritization, and remediation
Pulse Analysis
Model Context Protocol (MCP) has quietly become the connective tissue for agentic AI, allowing developers to plug large‑language models into custom workflows. While this accelerates productivity, it also creates a shadow AI layer that bypasses traditional software‑risk controls. Unlike conventional dependencies, MCP servers and configuration files often sit on developer workstations, pulled from public registries without formal vetting, making them invisible to existing asset inventories. This lack of visibility mirrors the early days of shadow IT, where unchecked tools introduced supply‑chain and credential‑theft vectors that security teams struggled to detect.
Recent incidents illustrate the urgency. In 2025, a malicious npm package named postmark‑mcp masqueraded as a legitimate integration tool, amassing 1,500 weekly downloads before a single malicious version exfiltrated emails from roughly 300 organizations. Parallel research uncovered hard‑coded API keys for services like OpenAI, Stripe, and AWS leaking into public repositories, enabling rapid fraudulent cloud charges. Moreover, two critical CVEs—CVE‑2025‑6514 and CVE‑2025‑49596—demonstrated that a compromised MCP connection can grant attackers remote code execution and full system control. These examples show that MCP magnifies classic vulnerabilities, turning them into AI‑specific threats that bypass traditional detection mechanisms.
Integrating MCP risk into a Continuous Threat Exposure Management (CTEM) program offers a pragmatic remedy. CTEM’s five‑phase workflow—scoping, discovery, prioritization, validation, and mobilization—can be extended to inventory MCP servers, monitor configuration drift, and assess the impact of exposed credentials. By scoring exposures based on potential attacker impact rather than sheer volume, security teams can focus on high‑risk agents with elevated privileges. Effective mobilization also requires close collaboration with engineering, translating technical findings into actionable tickets that developers can address without slowing innovation. As AI tooling becomes foundational, treating MCP as a first‑class asset within CTEM is essential for maintaining a resilient security posture.
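The discovery and prioritization phases described above, applied to an MCP configuration file, as an added example that is not code from the article or from any MCP project. It assumes the common "mcpServers" JSON layout (command/args/env per server); the sample config, the secret-prefix patterns and the scoring weights are constructed for illustration.

```python
import json
import re

# Constructed sample config in the common "mcpServers" JSON layout (command/
# args/env per server). All values are invented; "postmark-mcp" is the
# package name the article cites.
SAMPLE_CONFIG = """{"mcpServers": {
  "postmark": {"command": "npx", "args": ["-y", "postmark-mcp"],
               "env": {"POSTMARK_SERVER_TOKEN": "EXAMPLE-TOKEN-0000"}},
  "files": {"command": "npx",
            "args": ["-y", "@example-org/mcp-files@1.2.3", "/"]},
  "internal-tools": {"command": "/opt/tools/mcp-internal",
                     "env": {"OPENAI_API_KEY": "sk-EXAMPLE000000000000"}}
}}"""

# Env var names and value prefixes that indicate an inline credential.
SECRET_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.IGNORECASE)
SECRET_VALUE_RE = re.compile(r"^(sk-|AKIA|ghp_)")  # assumed common prefixes
REGISTRY_RUNNERS = {"npx", "uvx"}  # launchers that fetch from a public registry

def inventory(config_text):
    """Discovery: one finding per MCP server with its risk-relevant properties."""
    findings = []
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        args, env = spec.get("args", []), spec.get("env", {})
        # First non-flag argument of npx/uvx is the package pulled at launch.
        pkg = None
        if spec.get("command") in REGISTRY_RUNNERS:
            pkg = next((a for a in args if not a.startswith("-")), None)
        findings.append({
            "server": name,
            "registry_package": pkg,
            # Unpinned if there is no "@version" suffix after the optional scope.
            "unpinned": pkg is not None and "@" not in pkg.lstrip("@"),
            "inline_secrets": sorted(k for k, v in env.items()
                                     if SECRET_NAME_RE.search(k)
                                     or SECRET_VALUE_RE.match(str(v))),
            "broad_fs_scope": "/" in args,  # whole filesystem handed to the agent
        })
    return findings

def prioritize(findings):
    """Prioritization: rank servers by attacker impact, highest score first."""
    def score(f):
        return (3 * bool(f["inline_secrets"]) + 2 * bool(f["registry_package"])
                + 2 * f["unpinned"] + 2 * f["broad_fs_scope"])
    return sorted(((score(f), f["server"]) for f in findings), reverse=True)
```

Running it on a real workstation means pointing `inventory` at each discovered config file and feeding the ranked list into the validation and mobilization phases as tickets.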