MCP Is the New API: How Anthropic Accidentally Built the Standard That Will Connect Every AI Agent

In November 2024, Anthropic open-sourced a protocol called Model Context Protocol. The pitch was modest: a standardized way for AI applications to connect to external tools and data sources, using JSON-RPC 2.0 messaging and a client-server architecture. There was no major press event. No partner coalition at launch. Just a GitHub repository, Python and TypeScript SDKs, and a blog post.

Thirteen months later, MCP has 97 million monthly SDK downloads, support from every major AI company on earth, a Linux Foundation home, and an estimated $1.8 billion market that analysts project will reach $10.3 billion at a 34.6% CAGR. REST took a decade to become the default. GraphQL took three years. MCP did it in four months.

This is the story of how a protocol designed to solve a specific integration problem became the universal interface layer for the agentic AI era -- and why, despite a critical RCE vulnerability and widespread credential mismanagement, it is already too embedded to fail.

The N-Times-M Problem That MCP Actually Solves

Before MCP, every AI application that needed to interact with external tools had to build its own integration. If you wanted Claude to query a PostgreSQL database, someone wrote a custom connector for Claude. If you wanted ChatGPT to do the same thing, someone wrote a different connector for ChatGPT. Multiply that by every AI model and every tool, and you get an N-times-M integration problem that scales quadratically -- and that nobody wants to maintain.

The analogy used by IBM, Google Cloud, and the MCP community itself is USB-C. Before USB-C, every device needed its own proprietary connector. After USB-C, one standard handles power, data, and video for everything from laptops to phones to monitors. MCP does the same thing for AI: one protocol handles tool calling, data retrieval, and resource access for every AI application.

The architecture is deliberately simple. An MCP host (the AI application) contains an MCP client that maintains connections to MCP servers. Each server exposes tools, resources, or prompts through a standardized interface. A developer builds an MCP server once -- say, a Slack integration -- and it works with Claude, ChatGPT, Gemini, Copilot, and any other MCP-compatible client. The N-times-M problem collapses to N-plus-M.

This simplicity is why MCP won. Not because the protocol is technically superior to every alternative. But because it was simple enough for a developer to ship a working MCP server in an afternoon, and that low barrier to entry created a supply-side explosion that made every other approach economically irrational.

Four Months to Multi-Vendor Adoption: A Timeline That Should Not Be Possible

The speed at which MCP went from single-vendor open-source project to industry standard has no precedent in the history of API protocols.

The inflection point was March 26, 2025. Sam Altman posted: "People love MCP and we are excited to add support across our products." OpenAI rolled MCP into its Agents SDK, Responses API, and ChatGPT desktop application. In a single announcement, MCP went from "Anthropic's thing" to "the industry standard."

Google DeepMind followed in April 2025, with Demis Hassabis confirming MCP support for Gemini. Microsoft announced Windows 11 MCP integration at Build 2025 in May. By mid-2025, every major AI company on the planet was shipping MCP support. As The New Stack put it, MCP "achieved what few technology standards accomplish: industry-wide adoption backed by competing giants."

For context: GraphQL was open-sourced by Facebook in 2015, adopted by GitHub in 2016, and moved to the Linux Foundation in 2018 -- a three-year arc. MCP launched in November 2024 and was donated to the Agentic AI Foundation under the Linux Foundation in December 2025 -- 13 months. REST was defined in Roy Fielding's doctoral dissertation in 2000 and did not reach mainstream adoption until SOAP began declining around 2010. MCP bypassed the entire "academic theory" phase by shipping working code on day one.

Why did MCP compress a decade of standards adoption into months? Three reasons. First, the AI integration problem was acute and universal -- every developer building agent systems hit the N-times-M wall simultaneously. Second, Anthropic released it as a fully open standard with working SDKs, not a spec document. Third, and most importantly, the competitive dynamics of AI meant that once OpenAI adopted MCP, Google and Microsoft could not afford to build competing standards. The cost of fragmentation exceeded the cost of adopting a competitor's protocol.

The Supply-Side Explosion: 8,590 Servers and Counting

When a protocol wins, the ecosystem builds itself. The MCP server ecosystem is now growing faster than anyone -- including Anthropic -- anticipated.

PulseMCP, the largest MCP server directory, lists 8,590+ servers as of early 2026. The servers repository on GitHub has 79,017 stars, making it one of the fastest-growing open-source projects in GitHub history. MCP server downloads grew from roughly 100,000 in November 2024 to over 8 million by April 2025 -- an 80x increase in five months.

The TypeScript SDK alone pulls 3.4 million weekly downloads on npm. Across all languages -- Python, TypeScript, Java, Go, Rust, Ruby -- monthly SDK downloads exceed 97 million. Thoughtworks' assessment summarized the velocity bluntly: "Running an MCP server has become almost as popular as running a web server."

The most popular servers tell you where the value is concentrating. Microsoft Playwright (browser automation) pulls roughly 1.6 million weekly visitors. Context7 (documentation lookup) hits 574,000. GitHub, Slack, Google Drive, PostgreSQL, and MongoDB integrations fill out the top of the directory. These are not experimental toys. They are production infrastructure for AI agent systems that enterprises are deploying today.

Remote MCP servers -- hosted services rather than local installations -- are up nearly 4x since May 2025 and now outnumber local installations. This is a significant architectural shift. It means MCP is transitioning from a developer-local tool to cloud infrastructure, which opens up entirely new business models around managed hosting, metering, and authentication.

Who Is Spending Money on MCP

The venture capital signal is unambiguous. At least $22.4 million in funding has gone to startups building specifically on MCP infrastructure in 2025 alone.

Manufact, a Y Combinator company, raised $6.3 million in seed funding from Peak XV and Liquid 2 Ventures to build an infrastructure platform for MCP-powered AI agents. They claim 20% of the US Fortune 500 as users. Alpic, based in Paris, raised $5.1 million from Partech and K5 Global to build what it calls the first MCP-native cloud platform. Runlayer, focused on MCP security, raised $11 million from Khosla Ventures (led by Keith Rabois) and Felicis, with eight unicorn or public company customers including Gusto, dbt Labs, Instacart, and Opendoor.

These investments are notable less for their size than for their specificity. This is not "AI infrastructure" funding in the vague, catch-all sense. This is capital allocated to building on a single protocol -- MCP -- as the definitive integration layer for AI agents. The VCs are betting that MCP is the TCP/IP of the agentic era, and that the companies building tooling around it will capture outsized value.

Enterprise adoption reinforces the signal. Block (the parent company of Square and Cash App) built goose, an open-source AI agent framework, entirely on MCP. Bloomberg is a platinum member of the AAIF. Amazon, Autodesk, Salesforce, and ServiceNow are all building MCP integrations. Organizations implementing MCP report 40-60% faster agent deployment times compared to custom integration approaches. 72% of MCP adopters expect their usage to increase over the next 12 months.

The AAIF: How Competing Giants Agreed to Cooperate

The most strategically significant event in MCP's timeline was not OpenAI's adoption. It was the formation of the Agentic AI Foundation under the Linux Foundation in December 2025.

Anthropic donated MCP to the AAIF, transferring governance of the protocol to a vendor-neutral body. The platinum members read like a list of companies that should, under normal competitive circumstances, never agree on anything: AWS, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI. Gold members include Cisco, Datadog, Docker, IBM, JetBrains, Oracle, Salesforce, SAP, Shopify, Snowflake, Twilio, and Okta. Over 40 members total. Over 50 enterprise partners.

This governance structure matters for one reason: it removes the "Anthropic's protocol" objection. The same dynamic played out with Kubernetes (originally Google, donated to CNCF), PyTorch (originally Facebook, donated to the Linux Foundation), and GraphQL (originally Facebook, donated to the Linux Foundation). In every case, the donation to a neutral foundation was the inflection point that unlocked adoption by companies that would never build on a competitor's proprietary technology.

Google's Agent-to-Agent (A2A) protocol, announced in April 2025, initially looked like a competing standard. It was not. Google explicitly positioned A2A as complementary to MCP. The distinction is clean: MCP handles agent-to-tool communication (vertical integration), while A2A handles agent-to-agent coordination (horizontal communication). Both now co-exist under the broader AAIF umbrella. The protocol wars that many predicted never materialized because the competitive cost of fragmentation exceeded the strategic cost of cooperation.

The Moat Shift: From Models to Integration

Here is the business argument that MCP makes unavoidable: the competitive moat in AI is no longer the model. It is the integration layer.

Foundation models are commoditizing. GPT-4o, Claude 3.5 Sonnet, Gemini 1.5 Pro, and Llama 3 are all good enough for most enterprise use cases. The performance gap between the best and fourth-best model is shrinking with every release cycle. When models converge, the value migrates to the layer that connects models to the real world -- and that layer is MCP.

Consider what this means for incumbents. If you are Salesforce, you do not need to build a foundation model. You need to build an MCP server that exposes your CRM data, your workflow automation, and your analytics to whatever AI agent the customer is using. If you are a developer building an AI-powered application, you do not need to pick a single model provider. You build on MCP, and your application works with Claude today and GPT-5 tomorrow.

The companies that understood this earliest are the ones building the deepest MCP integrations. Autodesk contributed CIMD (Client-Identity Mechanism Delegation) to the MCP specification -- a mechanism for handling enterprise identity and trust delegation -- and is launching MCP servers for Revit, Fusion Data, and Model Data Explorer. This is not an experiment. This is a publicly traded company restructuring its platform strategy around MCP because the alternative -- building custom integrations for every AI model -- does not scale.

For startups, MCP creates a new wedge. Build the best MCP server for a specific domain -- accounting, legal research, medical records, logistics -- and you become the default integration point between AI agents and that domain's data. The playbook is identical to the API-as-distribution model that produced Twilio, Plaid, and Stripe: give developers a tool that works, let usage compound, and harvest enterprise contracts when scale demands it.

The Security Problem Nobody Wants to Talk About

MCP's rapid adoption has outpaced its security maturity, and the gap is dangerous.

The most alarming data point: CVE-2025-6514, rated CVSS 9.6 Critical, allows arbitrary OS command execution via mcp-remote when connecting to untrusted MCP servers. It is the first documented full remote code execution vulnerability in the MCP ecosystem. It will not be the last.

The systemic numbers are worse. An analysis of Microsoft's MarkItDown MCP server found an SSRF vulnerability, and extrapolation suggests roughly 36.7% of all MCP servers may have similar exposure. A Zuplo survey of over 5,000 MCP servers found that 53% use insecure hard-coded credentials. Over half of developers building MCP servers cite security or access control as their top challenge.

Real-world incidents have already occurred. Invariant Labs demonstrated an attack where a malicious MCP server silently exfiltrated a user's entire WhatsApp message history via tool poisoning -- injecting hidden instructions into tool descriptions that the AI model followed without the user's knowledge. In a separate incident, a privileged Cursor agent processed user-supplied SQL injection via Supabase support tickets, leaking sensitive integration tokens.

The root cause is architectural. As Red Hat's security analysis noted, "MCP was designed for interoperability and functionality, not with security as a primary, built-in concern." The protocol's threat surface includes command injection, prompt injection and tool poisoning, tool redefinition attacks in multi-server environments, token theft from servers that store credentials for multiple services, and OAuth confused deputy attacks through proxy servers.

The November 2025 spec update addressed some of these concerns. Autodesk's CIMD contribution added server identity verification via .well-known URLs, replacing insecure dynamic client registration. Enhanced OAuth flows and a new "elicitation" mechanism for credential acquisition closed some of the most obvious gaps. But the ecosystem is still largely running on trust -- trust that the MCP server you installed from a community directory is not malicious, trust that tool descriptions are not poisoned, trust that credential storage is properly implemented.

This is the classic tension of rapid adoption. MCP won because it was easy to build and deploy. That same ease means that thousands of servers were built without security review, without credential management best practices, and without awareness of the threat models that apply when an AI agent can execute arbitrary tool calls on your behalf. Runlayer's $11 million funding round exists precisely because the market recognizes this gap. The question is whether the security infrastructure can catch up before a major breach forces a reckoning.

What the Developer Survey Data Actually Says

The Zuplo State of MCP Report provides the most granular view of developer sentiment toward MCP. The headline number -- 72% of adopters expect usage to increase -- is bullish. But the details are more nuanced.

70% of developers already have 2-7 MCP servers configured in their development environment. This is remarkable density for a 13-month-old protocol. It suggests that MCP adoption is not experimental -- developers are not trying one server to evaluate the protocol. They are building multi-server environments as a core part of their workflow.

Over half of respondents are confident in MCP's long-term viability. But nearly 40% remain skeptical about its future, citing security concerns, spec instability, and the risk that a major vendor could fork the protocol or build a proprietary alternative. This skepticism is healthy -- it reflects the reality that MCP is still pre-1.0 in important ways, and that the governance transfer to AAIF is recent enough that vendor commitment has not been stress-tested.

The security concerns in the survey data align with the vulnerability data. When developers building MCP servers identify their top challenge, access control and security dominate the responses. The community knows the problem exists. The tooling to solve it is still catching up.

Who Wins and Who Loses

Winners:

Tool and SaaS vendors with deep integrations. Every SaaS company with an API now has a reason to build an MCP server. Salesforce, Shopify, Datadog, Snowflake -- if your product has data that AI agents need, an MCP server is the fastest way to become part of the agentic workflow. The companies that ship first will be the default integrations that developers configure and never remove.

MCP infrastructure startups. Manufact, Alpic, Runlayer, and the companies that follow them are building the picks-and-shovels layer: hosting, security, registry, and monitoring for MCP servers. This is the Cloudflare-to-the-web analogy -- the protocol is open, but the infrastructure around it is a business.

Developers who learn the protocol early. "MCP server developer" is becoming a real job description. The developers who can build, secure, and deploy production MCP servers will be in demand as enterprises scale their agent deployments. The skill set is achievable -- it is JSON-RPC, not quantum physics -- and the labor market has not caught up to the demand.

Losers:

Custom integration vendors. Any company whose business model depends on building bespoke AI integrations -- connecting Model A to Tool B through proprietary middleware -- is watching its market erode. MCP standardization turns custom integration work into commodity open-source code.

Walled-garden AI platforms. OpenAI's abandoned ChatGPT Plugins program and the decline of proprietary Assistants API approaches are the leading indicators. Platforms that try to lock users into vendor-specific tool-calling mechanisms will lose to the "write once, connect anywhere" model that MCP enables.

Companies that are slow to build MCP servers. If your competitor ships an MCP server for their product and you do not, developers building AI agents will integrate your competitor by default. In an ecosystem where switching costs compound over time, being late to MCP is being late to the distribution channel.

The Protocol Wars Are Over

MCP's trajectory is no longer in doubt. The adoption numbers -- 97 million monthly SDK downloads, 79,000 GitHub stars, 8,590+ servers, support from every major AI company -- are past the point where a competing standard could displace it. The Linux Foundation governance under AAIF removes the vendor-lock-in objection. Google's A2A is complementary, not competitive. The $22.4 million in MCP-specific startup funding reflects a market that has already chosen.

The remaining question is not whether MCP will be the standard. It is whether the security infrastructure, the enterprise tooling, and the governance processes can mature fast enough to match the adoption curve. A protocol that grows at 80x in five months -- from 100,000 server downloads to 8 million -- is a protocol that outran its own security model. The November 2025 spec update and the AAIF governance structure are steps in the right direction. They are not sufficient.

What MCP has accomplished in 13 months is, by any historical measure, extraordinary. REST defined a generation of web architecture. GraphQL gave frontend developers query power. gRPC optimized internal microservices. MCP is doing something different: it is building the universal connector between AI and everything else. The analogy is not REST or GraphQL. The analogy is TCP/IP -- a protocol so fundamental that it disappears into the infrastructure and becomes invisible.

We are watching that disappearance happen in real time. Within two years, "MCP server" will be as unremarkable a piece of infrastructure as "REST API" is today. The protocol wars are already over. The integration wars are just beginning.