What Is MCP (Model Context Protocol), Really

MCP is the fix for the N×M integration mess: instead of every AI app writing a custom connector for every tool, everyone speaks one protocol. Here is what a host, client, and server actually are, the three primitives, and where it breaks.

Tech Talk News Editorial8 min read
ShareXLinkedInRedditEmail
What Is MCP (Model Context Protocol), Really

Key takeaways

  • MCP (Model Context Protocol) is an open standard Anthropic released in November 2024 that lets any AI application connect to any tool or data source through one protocol, replacing custom one-off integrations.
  • MCP solves the N×M integration problem: instead of writing N times M custom connectors for N AI apps and M tools, each side implements the protocol once, turning the math from multiplication into addition.
  • An MCP server exposes exactly three primitives: tools (functions the model can call), resources (read-only data the model can pull in), and prompts (reusable templates), all spoken over JSON-RPC 2.0.
  • By December 2025 MCP was no longer Anthropic-only: OpenAI adopted it in March 2025, Google and Microsoft followed, and it was donated to the Linux Foundation-backed Agentic AI Foundation, with over 10,000 public servers and 97 million monthly SDK downloads.
  • The biggest risk is the trust boundary: a third-party MCP server can hide instructions in a tool description (prompt injection and tool poisoning), and CVE-2025-54136 showed a server can swap its behavior after you approve it once.

Every explainer wants to hand you the same line: MCP is “USB-C for AI.” It is a fine analogy for a dinner party and a useless one if you actually have to build something. So let me skip it. MCP, the Model Context Protocol, is an open standard Anthropic released in November 2024 that lets any AI application connect to any tool or data source through one shared protocol instead of a bespoke integration for each pairing.[1] That is the whole thing. What makes it interesting is the specific problem it kills, and the specific ways it can bite you.

The way I think about it, MCP is the fix for a math problem that has haunted software integration since long before AI. Engineers call it the N×M problem, and once you see it you cannot unsee it.

Summary

MCP is an open protocol for connecting AI apps to external tools and data. An AI application (the host) runs clients that each talk to one server, and each server exposes three things: tools, resources, and prompts. Everyone implements the protocol once instead of writing custom connectors for every combination.

The N×M Problem, and Why It Is the Real Story

Picture the world right before MCP. You have N AI applications: ChatGPT, Claude, a Cursor-style IDE, some internal agent your company built. And you have M things you want them to reach: GitHub, Postgres, Slack, Google Drive, your internal ticketing system. If every app needs custom glue code for every tool, you are on the hook for N times M integrations. Ten apps and ten tools is a hundred connectors, each one written, tested, and maintained by someone who would rather be doing anything else.

That multiplication is where integration efforts go to die. It is the same reason we standardized on HTTP for the web and SQL for databases. A shared protocol turns multiplication into addition. Each AI app implements MCP once. Each tool exposes an MCP server once. Now you are at N plus M. Ten plus ten is twenty. Write your GitHub server one time and every MCP-speaking app in the world can use it, forever, without you lifting a finger.

This is not a novel insight. It is the oldest idea in systems design. What is new is that AI models finally got good enough at tool use that the payoff was worth the coordination cost, and one vendor with enough gravity to make the first move actually made it.

A shared protocol turns multiplication into addition. That single shift is the entire reason MCP exists.

Host, Client, Server: What Each One Actually Is

The three-word vocabulary trips people up because two of the words sound like the same thing. Here is the honest version, from an engineer's seat.[2]

  • Host. The AI application the user actually touches. Claude Desktop, an IDE with an AI panel, a customer support agent. The host holds the large language model and orchestrates everything. It is the thing that decides, this task needs the filesystem, let me go get it.
  • Client. This is the part people miss. A client is not a separate app. It lives inside the host, and its only job is to manage one connection to one server. Strict 1:1. If your host needs to talk to three servers, it spins up three clients. The client is a connector, not a program you install.
  • Server. The external program that actually exposes capabilities. A GitHub server, a Postgres server, a filesystem server. It can run locally on your machine or remotely behind an API. The server is where the useful stuff lives.

So the shape is: one host, many clients inside it, each client wired to exactly one server. That fan-out is what lets a single agent reach your local files, your database, and a web API in the same breath. Under the hood it all rides on JSON-RPC 2.0, a boring, well-understood remote-procedure-call format, over one of two transports: stdio for local same-machine servers, and Streamable HTTP for remote ones.[2] Nothing exotic. That is a feature, not a knock.

Nov 2024
open standard
MCP released by Anthropic
10,000+
as of Dec 2025
Public MCP servers
97M
Python + TypeScript
Monthly SDK downloads

The Three Primitives: Tools, Resources, Prompts

A server exposes capabilities through exactly three primitives, and the distinction between them is the part worth getting right.[3]

  • Tools. Functions the model can invoke to do something. Send an email, run a query, open a pull request. Tools are what give a model the ability to act in the world instead of just describing it. This is the primitive everyone actually uses, to the point where most people think MCP is only tools.
  • Resources. Read-only data the server offers up as context. A file, a database schema, a config, each addressed by a URI like a web page has a URL. The model pulls a resource in to read it, not to trigger side effects. Think of resources as the server saying, here is what I know, versus tools saying, here is what I can do.
  • Prompts. Reusable templates a server publishes so common tasks stay consistent. A code-review prompt, a bug-report template. This is the least-used of the three, and honestly it is the one whose value is still being argued over.

When a client connects, it asks the server what it has, and the server lists its tools, resources, and prompts. That discovery step is why you can drop a new server into a host and it just works, no hardcoding. The capability negotiation at connection time is the quiet part that makes the whole thing feel plug-and-play.

Plain English

Tools are verbs (do this), resources are nouns (read this), prompts are recipes (here is a good way to ask). A server can offer any mix. Most offer tools and nothing else, which is fine.

Where It Breaks: The Trust Boundary Is the Whole Problem

Here is the part the marketing skips, and it is the part I would not deploy without understanding. MCP's security model is genuinely hard, and not because the code is buggy. The trouble is structural.

When your agent runs, the user's prompt, the developer's system message, and a tool description written by some third-party MCP server all collapse into the same context window. The model cannot tell which tokens came from you and which came from a stranger's server. Whoever writes into that window is writing the model's instructions. Simon Willison flagged this in April 2025 in plain terms: an LLM will trust anything that can send it convincing-sounding tokens.[4] That is the confused-deputy problem, and MCP hands it a bigger surface.

This shows up in concrete attacks. In tool poisoning, a malicious server hides instructions inside a tool description that the user never sees but the model reads and obeys. In a rug pull, a server passes your review looking harmless, then mutates its own tool definitions after you have approved it. CVE-2025-54136, dubbed MCPoison and found by Check Point, demonstrated exactly this against config files: commit a benign MCP config, get it approved once, then swap the payload later.[5] You audited Day 1. By Day 7 your keys are somewhere else.

Heads up

An MCP server is untrusted code with a direct line into your model's instructions. Approving a server once is not the same as trusting it forever, because a server can change what it does after approval. Pin versions, read the tool descriptions your model will read, and do not point a capable agent at a server you did not vet.

None of this makes MCP unusable. It makes MCP a thing you sandbox, scope with least privilege, and treat with the same paranoia you would give any dependency that can touch production. The protocol itself is not going to save you here. That is on the host implementation and on you.

Takeaway

The same design that makes MCP powerful, a model that acts on whatever context it is handed, is exactly what makes it dangerous. Power and prompt injection are the same feature viewed from two sides.

Real Standard, or Anthropic-Shaped Hype?

Fair question, and for the first few months it was a legitimate one. A protocol released by one AI lab, adopted mostly inside that lab's own products, is a proprietary format wearing an open-source costume. So what changed my mind?

The competitors adopted it, and not quietly. OpenAI signed on in March 2025, with Sam Altman saying flatly “people love MCP and we are excited to add support across our products,” shipping it first in the Agents SDK.[6] Think about how unusual that is. OpenAI adopted a standard built by Anthropic, its sharpest rival. Google and Microsoft followed within months, with Microsoft wiring it into Windows 11 and Copilot.[1] When your three biggest competitors all implement your protocol rather than fork it or fight it, the network effect has already won.

Then came the governance move that actually seals it. In December 2025 Anthropic donated MCP to the Agentic AI Foundation, a directed fund under the Linux Foundation, co-founded with Block and OpenAI and backed by Google, Microsoft, AWS, Cloudflare, and Bloomberg.[7] That is the difference between a spec one company can change on a whim and infrastructure a neutral body stewards. The Linux Foundation has done this before, for Kubernetes, for a hundred other load-bearing projects. Handing MCP over is Anthropic saying the standard is bigger than its authorship, which is exactly what you want to see before you build on something.

The numbers back the vibe. By late 2025 there were more than 10,000 public MCP servers and 97 million monthly SDK downloads across Python and TypeScript.[7] You do not fake that. That is real adoption, real developers, real production usage.

When your three biggest competitors implement your protocol instead of forking it, the standard has already won.

My Honest Verdict

MCP is a real standard now. Not perfect, not finished, but real. It solves an actual problem, the N×M integration mess, with the oldest and most reliable trick in systems design, and it has the cross-vendor buy-in and neutral governance that separate a standard from a vendor's API. If you are building anything where an AI needs to reach the outside world, learning MCP is no longer optional, in the same way you learned HTTP without asking whether it would stick.

But go in clear-eyed about the security. The trust boundary is not a rough edge that will get sanded down in the next release. It is inherent in letting a model act on context it did not author. Sandbox your servers, scope their permissions, and remember that an approved server is not a trusted one forever. The protocol won the interoperability fight. The safety fight is still yours to lose. For more on how models are getting wired into real workflows, see our take on Claude Code routines and how tool-using agents actually run.

Sources and further reading

  1. 1.ReportingWikipedia, "Model Context Protocol". November 2024 release by Anthropic; OpenAI (March 2025), Google, and Microsoft adoption timeline; Windows 11 and Copilot integration.
  2. 2.PrimaryModel Context Protocol, "Architecture overview". Host/client/server roles, 1:1 client-to-server connection, JSON-RPC 2.0, stdio and Streamable HTTP transports, capability negotiation.
  3. 3.PrimaryModel Context Protocol, primitives reference. The three server primitives: tools (executable functions), resources (read-only URI-addressed data), and prompts (reusable templates).
  4. 4.ReportingSimon Willison, "Model Context Protocol has prompt injection security problems". April 9, 2025. The confused-deputy problem and why a model trusts convincing tokens regardless of source.
  5. 5.ReportingTrueFoundry, "MCP Tool Poisoning (CVE-2025-54136)". Tool poisoning and rug-pull attacks; MCPoison (CVE-2025-54136) found by Check Point, approve-once-then-swap config exploit.
  6. 6.ReportingTechCrunch, "OpenAI adopts rival Anthropic’s standard for connecting AI models to data". March 26, 2025. Sam Altman announces MCP support, shipping first in the Agents SDK.
  7. 7.PrimaryAnthropic, "Donating the Model Context Protocol and establishing the Agentic AI Foundation". December 9, 2025. AAIF as a Linux Foundation directed fund co-founded with Block and OpenAI; 10,000+ public servers; 97M+ monthly SDK downloads.

Frequently asked questions

What is MCP (Model Context Protocol) in simple terms?
MCP is an open standard that lets an AI application talk to external tools and data through one shared protocol instead of a custom integration for each. Anthropic released it in November 2024. The idea is that a chatbot or coding agent can connect to your files, your database, GitHub, Slack, or anything else as long as both sides speak MCP, the same way any browser can load any website because both sides agree on HTTP.
What problem does MCP actually solve?
MCP solves the N×M integration problem, where N AI applications each need custom code to connect to M different tools, producing N times M integrations that nobody can maintain. With a shared protocol, each AI app implements MCP once and each tool exposes an MCP server once, so the work becomes N plus M instead of N times M. That is the whole pitch, and it is a real one that engineers have wanted for data connectors for decades.
What are the three MCP primitives?
The three MCP primitives are tools, resources, and prompts. Tools are functions the model can invoke to take an action, like sending an email or querying a database. Resources are read-only data the server exposes for context, like a file or a schema, each addressed by a URI. Prompts are reusable templates a server offers so common tasks stay consistent. A server can expose any mix of the three, and the client discovers them at connection time.
What is the difference between an MCP host, client, and server?
The host is the AI application you interact with and it holds the model, a client is the connector inside the host that manages one dedicated connection to one server, and the server is the external program that exposes tools, resources, and prompts. The host might be Claude Desktop or an IDE. The client-to-server link is a strict 1:1 relationship. One host can run many clients to talk to many servers at once, which is how a single agent reaches your filesystem, your database, and a web API in the same session.
Is MCP secure?
MCP has real security problems that come from its design, not bugs you can simply patch. Because a tool description from a third-party server lands in the same context window as your prompt and the system message, a malicious server can hide instructions the model will follow, a class of attack called prompt injection or tool poisoning. CVE-2025-54136 showed a server can even pass approval once and then swap its payload later. Treat every MCP server as untrusted code with a foot in your model.
Is MCP a real standard or just Anthropic hype?
MCP is a real cross-vendor standard as of late 2025, not just an Anthropic project. OpenAI adopted it in March 2025, Google and Microsoft followed within months, and in December 2025 Anthropic donated it to the Agentic AI Foundation, a directed fund under the Linux Foundation co-founded with Block and OpenAI. With over 10,000 public servers and shared governance, it has cleared the bar where a spec stops being one company’s and becomes infrastructure.

Written by

Tech Talk News Editorial

Computer engineering background. Writes about software, AI, markets, and real estate, and the places where the three meet.

More about the author
ShareXLinkedInRedditEmail