Ninety-seven million monthly SDK downloads. Over 10,000 active server implementations. Fifteen months from specification to industry standard. Model Context Protocol, the open standard Anthropic published in November 2024 to let AI tools talk to external services, has crossed from "interesting experiment" into "thing everyone actually uses."
The protocol war, such as it was, appears to be over. Claude, ChatGPT, Gemini, Copilot, Cursor, and VS Code all support MCP natively. AWS, Cloudflare, and Azure have built-in hosting. Google's A2A and IBM's ACP protocols handle agent-to-agent coordination, but for the agent-to-tool layer (how an AI assistant calls your database, reads your Slack, or hits a REST API), MCP won.
In December 2025, Anthropic donated the spec to the Linux Foundation's new Agentic AI Foundation, co-founded with Block and OpenAI, backed by Google, Microsoft, AWS, Cloudflare, and Bloomberg. That kind of governance transfer is what separates a company project from actual infrastructure.
The Security Problem Nobody Solved Yet
Here's the catch. A study of roughly 1,900 open-source MCP servers found that one in five misuse cryptography. About 5.5% have tool-poisoning risks, where a malicious server could manipulate what an AI agent does. And 84% of deployed LLM agents are vulnerable to prompt injection attacks coming through tool responses.
The core issue: MCP was designed for interoperability, not security. Authentication is left to whoever builds the server. Authorization isn't defined at the protocol level at all. This is like building HTTP without HTTPS and hoping everyone figures out TLS on their own. Some will. Most won't.
For anyone running MCP servers in production right now, this means treating every server connection like an untrusted input. Audit what tools your agents can call. Don't assume that because a server exists on a public registry, it's been vetted.
Where the Money Is Going
The protocol itself is free. The businesses being built around it are not. Six distinct layers are forming:
- SDKs and frameworks - Manufact raised a $6.3 million seed round in February 2026, despite having 5 million SDK downloads and zero revenue. The "free protocol, paid tooling" model is familiar from open source, but the gap between adoption and monetization is striking.
- Hosting - Cloudflare launched remote MCP server hosting back in April 2025, letting you run servers at the edge without managing infrastructure.
- Discovery - Marketplaces like MCP Marketplace (taking an 85/15 revenue split) and Smithery are competing to be where you find servers.
- Security - Lakera ($20 million Series A, 2024) and StackOne ($20 million Series A, February 2026) are betting that enterprises will pay to lock down their MCP deployments.
- Observability - Largely unsolved. Tools like LangSmith and Arize offer partial visibility, but nobody owns this space yet.
- Enterprise governance - No production-grade solutions exist. This is probably the biggest gap for companies that want to deploy MCP agents with real compliance requirements.
The TCP/IP Parallel Is Instructive
The comparison to HTTP gets thrown around a lot, but TCP/IP is more accurate. Nobody made money from TCP/IP itself. The value went to the layers built on top: CDNs, firewalls, load balancers, monitoring. MCP is heading the same direction.
The protocol question is settled. The interesting questions are all about what gets built on top, and whether the security layer gets figured out before a high-profile breach makes the whole ecosystem look reckless. Right now, adoption is outrunning safety by a wide margin.