What is MCP? The standard that lets AI actually do things
A year ago your AI invented the numbers. Now it opens the file and reads them. The thing that changed wasn't a smarter model — it was a plug.
Ask a chatbot to “pull last quarter’s numbers and draft the board update.” A year ago, you’d get a beautifully written email full of numbers it made up. The prose was perfect. The figures were fiction, because the model had never seen your spreadsheet and had no way to open it.
Today the same request can go differently. The assistant opens the actual file, reads the real figures, drafts the email in your tone, and drops it in your drafts folder. The model didn’t get smarter overnight. It got a plug— a standard way to reach out of the chat window and touch the systems where your work actually lives.
That plug is MCP, the Model Context Protocol: a single shared standard that lets any AI assistant connect to any tool or data source. It’s the quiet piece of plumbing that turned AI from something that talks into something that does — and in barely a year it went from one company’s experiment to a standard every major lab adopted. Here’s what it is, why it spread so fast, and where it still bites.
AI could describe your work, not do it
For the first two years of the chatbot era, a language model lived behind glass. It could reason about your problem in the abstract, but it had no hands. It couldn’t read the file on your desktop, check today’s calendar, query the database, or send the message. You were the hands — copying text in, pasting answers out, ferrying information across the glass by hand.
Builders did wire models up to real systems, but each connection was a one-off. Hooking an assistant to Slack meant writing Slack-specific glue. Hooking it to your database meant writing database-specific glue. Every new model spoke to those tools in its own dialect, so the work rarely transferred. The industry was hand-building the same connections over and over, no two quite alike.
The fix wasn’t a better model. It was an agreement — a common language so any assistant could talk to any tool the same way. That agreement is what Anthropic published on November 25, 2024 and open-sourced for anyone to use.
MCP is a universal plug, not a smarter model
The official docs reach for a hardware analogy, and it’s the right one: MCP is “a USB-C port for AI applications.” Before USB, every gadget shipped its own oddly-shaped cable. After it, one connector fit everything. MCP is that connector for AI: a single shape that any assistant and any tool can both speak, so they snap together instead of being soldered.
Underneath, the design is plain. The AI app — Claude, ChatGPT, an agent you wrote — is the client. Each tool or data source runs a small server. The client asks the server “what can you do?” and the server answers with a menu. When the model wants to act, it picks an item off that menu, and the server does the actual work. That’s the whole shape: a client, a server, and a menu they both understand.
That menu has three kinds of items, and the distinction is worth knowing. Toolsare actions the model can take — send an email, run a query, file a ticket. Resources are data it can read — a file, a table, today’s tickets. Promptsare ready-made templates the server offers, like a one-click “summarize this pull request.” A single server might expose all three.
Crucially, none of this changes the model itself. Its weights are frozen; its training is done. MCP works entirely at the moment you ask, by handing the model a menu of things it’s allowed to read and do. It’s the same insight behind retrieval— leave the model alone, change what you put in front of it — extended from “here are some documents” to “here are some tools you can actually use.”
Before MCP, every connection was hand-soldered
To see why a standard matters, count the connections. Say you have a handful of AI apps and a handful of tools you want them to use. Without a shared protocol, every app needs custom glue for every tool. Three apps and three tools is nine separate integrations. Ten and ten is a hundred. Each one written, tested, and maintained by hand.
With a common protocol, the math collapses. Each app learns to speak MCP once. Each tool exposes an MCP server once. Now any app talks to any tool through the same port — three plus three is six connections instead of nine, ten plus ten is twenty instead of a hundred. The savings grow with every piece you add. That collapse, from multiplying to adding, is the entire reason MCP exists.
Anthropic seeded the ecosystem on day one with prebuilt servers for the systems people actually use — Google Drive, Slack, GitHub, Git, Postgres — and a clutch of early adopters wired it into real products: Block and Apollo on the company side, developer tools like Zed, Replit, and Sourcegraph on the other. The protocol was open, the SDKs were free, and the first servers already worked. That was enough to light the fuse.
In one year, every rival plugged in
Here’s the part that almost never happens in this industry. A standard invented by one AI lab was adopted, within months, by all of its biggest competitors. Not grudgingly, not via a committee — publicly, and fast.
OpenAI went first. On March 26, 2025, it added MCP to its Agents SDK, with Sam Altman writing simply, “People love MCP and we are excited to add support across our products.” Two weeks later, Google DeepMind’s Demis Hassabis confirmed Gemini would support it too. The world’s three leading model makers had agreed on a plug.
Then it climbed out of the developer weeds and into products people touch. In October 2025, OpenAI launched apps inside ChatGPT — Spotify, Canva, Figma, Booking.com running natively in the conversation — on an Apps SDK built directly on MCP. A month later, Microsoft baked native MCP support into Windows 11, with connectors that let approved agents read your files and change your settings by request.
The capstone came in December 2025, when Anthropic donated MCP to the Linux Foundation, under a new Agentic AI Foundation whose platinum backers read like a roll call of rivals: AWS, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI. Handing your standard to a neutral body is the surest sign it stopped being yours and became everyone’s.
The ecosystem exploded — and most of it is noise
Open standards breed gold rushes, and this one was no exception. By the time of the Linux Foundation handoff, Anthropic counted more than 10,000 active public MCP servers. Independent trackers in early 2026 put the number higher still — one census indexed over 17,000 across the major registries, with directories like PulseMCP and Smithery each adding a thousand or more a month.
But quantity is not quality, and this is the part the hype skips. The same trackers that count the servers also grade them, and the grades are humbling: by one 2026 audit, only about 13% scored as “high trust” on documentation, maintenance, and reliability. Most of the catalog is abandoned demos, thin wrappers, and weekend projects. A universal plug means anyone can make one — including people who shouldn’t.
The universal plug is also an open door
A plug that lets an AI act on your behalf is, by definition, a plug an attacker would love to reach. The same wire that makes MCP useful makes it dangerous, and the security world noticed quickly. OWASP ranks prompt injection — tricking a model into following hidden instructions — as the top risk for AI applications, and MCP widens the surface it can hit.
The signature MCP attack is tool poisoning. Remember that menu a server hands the model? An attacker can hide malicious instructions in the fine print of a tool’s description — text the model reads and trusts because it looks like it came from the developer. The model then quietly does the attacker’s bidding. Two 2025 disclosures, catalogued as CVE-2025-54136 and CVE-2025-54135, proved the pattern was real, not theoretical. The security researcher Simon Willison flagged the core problem within months of launch: the moment you mix tools from different sources, one of them can hijack the rest.
This isn’t a reason to avoid MCP — it’s a reason to be choosy about what you plug in. The advice maps cleanly onto the trust numbers above: install servers from sources you’d trust with an app, not random ones off a directory. Grant each server the narrowest access it needs. And treat a server that can both read your private data and reach the open internet as the riskiest combination there is — that’s the pairing the NSA’s own MCP guidance warns about most.
What MCP means for you
If you don’t build software, you’ll likely never configure an MCP server, the same way you’ve never thought about the USB spec while charging your phone. What you’ll notice is the result: AI that stops being a clever conversation and starts being a colleague who can open the file, check the calendar, and take the action — because the plumbing to reach your tools finally exists and is shared.
If you do build, MCP is now the default answer to “how do I connect a model to this?” Write one server, and every MCP-speaking assistant — today’s and next year’s — can use it. That’s the rare piece of AI infrastructure unlikely to be obsolete in six months, precisely because it belongs to no single vendor.
The quietly important part is where the server runs. It doesn’t have to be in someone’s cloud. A server can run on your own machine, over your own files and apps, so the assistant acts on your data without a byte of it leaving your computer. The most useful AI is the kind that works with yourstuff — and that’s exactly the stuff you have the best reasons to keep on your own hardware. MCP is the standard that finally makes both true at once: an assistant with hands, working inside walls you control.
