Attack Surface Management

The Internet-Exposed MCP Server: Keys to the Kingdom, Hanging on the Door

Observatory can now detect internet-exposed MCP servers. As AI agents become a permanent fixture in corporate infrastructure, it seemed only a matter of time before they joined the list of things companies accidentally leave open to the internet. That time is now.

What MCP Actually Is

Model Context Protocol (MCP) is an open standard (originally built by Anthropic and now adopted by Google, OpenAI and others) that lets AI agents connect to the tools and data sources they need to do useful work. Think of it as a universal adapter—the USB-C for getting data into your AI model. One side plugs into your AI assistant, the other into your file system, your database, your internal APIs, your code execution environment. When it works well, it's genuinely powerful: agents can read documents, query databases, run shell commands, and call third-party services all through a single, standardized interface.

That last sentence should also be making you a little nervous.

The Reward

MCP unlocks a wealth of AI capabilities, allowing users to add context (data, files, permissions) to their queries and prompts. An agent with a well-scoped MCP server can automate workflows that previously required a human in the loop, pulling live data, writing and running code, coordinating across services. Development teams are deploying them to accelerate engineering work. Security teams are using them to automate triage. Senior leaders are excited about the promise of productivity boosts. The fact is: AI adoption is skyrocketing.

The Risk

Here's the thing about a protocol designed to give AI agents broad access to your systems: it works just as well for an attacker as it does for your developer.

An MCP server that's reachable from the public internet, without strong authentication, is effectively an open API into whatever it has access to. The folks at the Risky Biz podcast recently described them as something like 'an API that enables RCE' (for those not drowning in cyber jargon, RCE is remote code execution). In the worst configurations—and these exist in the wild, we've seen them in our internet scanning—that means unauthenticated remote callers can list available tools, execute shell commands, read arbitrary files, or query internal databases. No exploit required. Just a network connection and a JSON request.

In conversations with potential customers, we are often asked about zero-day detection. Certainly zero-days are a risk, but securing your organization starts with the basics, which now also includes securing internet-exposed MCP servers. MCP servers are frequently stood up quickly, during prototyping or internal tooling development, with broad permissions and no auth, on the assumption they'll never be public. Our internet scanning data tells another story. Assumptions are not access controls.

Malicious automated scanners are already looking for these. The attack surface is new enough that most organizations haven't started auditing for it—which is exactly when exposure tends to be highest. We've built a new class of detections to fill this gap.

What Good Looks Like

MCP servers should not be internet-facing unless there is a specific, deliberate reason for it. When external access is required, strong authentication—API keys at a minimum, OAuth where possible—is non-negotiable. Tool scope should follow the principle of least privilege: an agent that only needs to read documents shouldn't have a shell. Log everything. Review what's registered. Treat the MCP server with the same seriousness as any other privileged API endpoint, because that's exactly what it is.
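To make the "authenticate, scope to least privilege, log everything" advice concrete, here is an added example of a gate that sits in front of an MCP server's HTTP endpoint; it is illustrative code written for this post, not Observatory's product code or any MCP implementation's own. It assumes MCP's JSON-RPC method names (`initialize`, `ping`, `tools/list`, `tools/call`); the API keys, client names, tool names and the set of permitted methods are constructed for the example.

```python
import hmac
import json
import logging

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("mcp-gateway")

# Constructed policy: one API key per client, plus an explicit allowlist of the
# MCP tools that client may call. A document reader gets no shell tool at all.
POLICY = {
    "doc-reader-key-EXAMPLE": {"client": "doc-reader",
                               "tools": {"read_document", "search_documents"}},
    "ci-agent-key-EXAMPLE":   {"client": "ci-agent", "tools": {"run_tests"}},
}
# Non-tool methods the gateway lets through once a client is authenticated
# (illustrative subset of the MCP method set).
PASSTHROUGH_METHODS = {"initialize", "ping", "tools/list"}


def check_mcp_request(headers: dict, body: bytes) -> tuple[bool, str]:
    """Decide whether an inbound MCP JSON-RPC request may reach the server.
    Returns (allowed, reason); every decision is logged."""
    # 1. Authenticate: constant-time comparison of the presented bearer key.
    presented = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    client = next((p for k, p in POLICY.items()
                   if hmac.compare_digest(k.encode(), presented.encode())), None)
    if client is None:
        log.warning("deny: unauthenticated request")
        return False, "unauthenticated"
    # 2. Parse the JSON-RPC envelope; malformed input is refused, not forwarded.
    try:
        req = json.loads(body)
        method = req["method"]
    except (ValueError, KeyError, TypeError):
        log.warning("deny: malformed request from %s", client["client"])
        return False, "malformed"
    # 3. Authorize: tools/call must name a tool on this client's allowlist.
    if method == "tools/call":
        tool = (req.get("params") or {}).get("name")
        if tool not in client["tools"]:
            log.warning("deny: %s tool=%s not in allowlist", client["client"], tool)
            return False, f"tool not permitted: {tool}"
    elif method not in PASSTHROUGH_METHODS:
        log.warning("deny: %s method=%s", client["client"], method)
        return False, f"method not permitted: {method}"
    log.info("allow: %s method=%s", client["client"], method)
    return True, "ok"
```

In a real deployment the key store and allowlist would come from configuration, and the log lines would be shipped to the same place as any other privileged API's audit trail.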

The speed at which AI tooling is being adopted is outpacing the security review processes meant to catch these things. Observatory now flags internet-exposed MCP servers so you can find yours before someone else does.