Safeguard
AI Security

MCP Definition: What the Model Context Protocol Actually Is

The MCP definition in one line: an open standard that lets AI assistants connect to your tools and data through a single, consistent interface instead of a tangle of one-off integrations.

Aisha Rahman
Security Analyst
6 min read

The simplest MCP definition is this: the Model Context Protocol is an open standard that lets AI assistants connect to external tools, data sources, and systems through one consistent interface. Instead of writing a bespoke integration for every combination of model and system, developers implement the protocol once and any compatible client can talk to any compatible server.

MCP was introduced by Anthropic in November 2024 and has since been adopted well beyond its origin, with other major AI providers building support for it. If you have heard the term thrown around and want a definition that actually holds up, this is where it starts.

Why the protocol exists

Before a standard like this, connecting a language model to a real system meant custom glue code every time. Wiring a model to your ticketing system, your database, and your file store meant three separate integrations, each with its own auth, its own data shape, and its own maintenance burden. Add a second model and you were potentially rewriting all of it.

That does not scale. MCP addresses the problem the same way earlier standards did for other domains: define one protocol, and let both sides implement it independently. A tool author exposes their system through the protocol; an application author consumes it. Neither needs to know the internals of the other.

The client-server model

MCP is built on a client-server architecture, and getting these roles straight is most of understanding the protocol.

  • An MCP server wraps a system or capability and exposes it over the protocol. A server might front a database, a code repository, a filesystem, or a SaaS API.
  • An MCP client lives inside an AI application (the "host"). It opens a connection to one or more servers and makes their capabilities available to the model.

The host application, such as a desktop assistant or an IDE, manages the model and the clients. When the model needs something a server offers, the client relays the request, the server does the work, and the result flows back into the model's context.

The three core primitives

An MCP server can expose three kinds of things, and this trio is worth memorizing because it defines what the protocol can do:

  1. Tools are actions the model can invoke, like "create an issue" or "run this query." These are function calls with defined inputs and outputs.
  2. Resources are data the model can read, like the contents of a file or a record from a system. These are context, not actions.
  3. Prompts are reusable templates a server can offer to structure a common interaction.

Tools are the part people focus on because they let a model do things, but resources are what let it know things, and both matter for building something useful.

Where security enters the picture

Here is the part a definition alone will not tell you: connecting a model to real tools is also connecting it to real risk. Every MCP server is a new entry point, and the same properties that make the protocol powerful make it worth scrutinizing.

Consider what a tool call actually is. The model, influenced by whatever text is in its context, decides to invoke an action against a live system. If that context can be manipulated, for example through content the model reads from an untrusted source, you have the ingredients for prompt injection that turns into a real side effect. A server that both reads untrusted data and exposes a write tool needs to be treated as a genuine attack surface, not a convenience.

A few things to weigh when you adopt MCP servers:

  • Provenance of the server itself. An MCP server is software, often installed from a package registry. It carries dependencies and can be malicious or compromised like any other package. The wave of registry-based supply chain attacks over the past year applies here too; scanning a server's dependency tree with software composition analysis before you run it is the same discipline you would apply to any other build input.
  • Scope of the tools exposed. A server that can delete records or spend money should require far more caution than a read-only one. Least privilege belongs at the tool boundary.
  • Trust boundaries between data and action. Data a model reads through a resource can influence a tool call it makes next. Keep untrusted input away from high-privilege tools.

MCP versus a plain API

People sometimes ask how this differs from just giving a model an API. Functionally an MCP server often is a wrapper over an API. The difference is standardization and discovery. Because every server speaks the same protocol, an AI application can enumerate what a server offers, understand the shape of each tool, and use it without custom code written for that specific integration. It moves the integration effort from N-times-M (every app times every system) down to N-plus-M (each side implements the standard once).

That is the practical payoff behind the formal definition. The protocol is not doing anything a determined engineer could not do by hand for a single integration. It is making integrations composable across the whole ecosystem.

Adopting MCP without regret

If you are bringing MCP into an environment, treat servers with the same rigor you apply to any third-party dependency. Pin versions, review what a server can access, and prefer servers whose source you can inspect. Keep an inventory of which servers are connected to which assistants, because that mapping is your real attack surface. Our AI security notes in the Academy go deeper on threat-modeling agentic tool use.

Used carefully, MCP genuinely simplifies a problem that used to be a maintenance sink. The trick is remembering that "connect your AI to everything" is a security statement as much as a productivity one.

FAQ

What is the MCP definition in one sentence?

MCP, or the Model Context Protocol, is an open standard that lets AI assistants connect to external tools and data sources through a single consistent interface rather than custom per-integration code.

Who created MCP?

Anthropic introduced the Model Context Protocol in November 2024. It was released as an open standard and has since been adopted by other major AI providers.

What are the three primitives in MCP?

An MCP server can expose tools (actions the model can invoke), resources (data the model can read), and prompts (reusable interaction templates).

Is MCP a security risk?

The protocol itself is a specification, but any MCP server you connect is new software with its own dependencies and its own access. Treat servers as third-party code: review their scope, scan their dependencies, and keep untrusted input away from high-privilege tools.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.