Autonomous Security
The Agentic Ecosystems Is Booming
May 13, 2026
Richard Bloor


Tags: ai, ai guardrails, ai risk, mcp, mcp risk, mcp servers, security

… and that's exactly why they need Autonomous Security

As we work with customers to secure their adoption of AI—mapping the MCP servers, skills, plugins, and agents already running on their employees' machines—we get an insight into what enterprises are deploying. From our unique, up-close view of how organizations use AI agents, the picture that emerges is striking: the AI agent ecosystem isn't growing, it's exploding.

The public ecosystem already shows the scale. There are now more than 12,900 MCP servers indexed on PulseMCP, over 91,000 skills on skills.sh, nearly 29,000 plugins on claude-plugins.dev, 60,000 agent guides on agents.md, and 200+ sub-agent prompts on sub-agents.directory. But the more interesting numbers come from the customers.

When we look at AI coding tool adoption across the organizations we work with, Claude Code leads at 59%, with Cursor close behind at 57%. Claude (12.2%), VSCode (8%), JetBrains (6.9%), and ChatGPT (3.7%) round out a market where AI agents have moved from curiosity to core developer infrastructure in well under a year. (These percentages exceed 100% because most engineers use more than one tool.)

Chart: Claude Code and Cursor are the most commonly used AI coding tools.

The data we've gathered on MCP servers while securing those same environments is just as interesting. The most-used servers among our customers aren't niche developer utilities; they're everyday business systems: Context7 (19.8%), Playwright (19.6%), Figma (14.1%), Atlassian (10.7%), Hugging Face (8.9%), Notion (6.2%), GitKraken (6.1%), Sequential (5.4%), GitHub (5.1%), MongoDB (2.4%), and Datadog (1.6%). In addition, roughly one in three companies is building custom MCP servers, meaning the attack surface isn't just whatever's on GitHub; it's whatever your teams have shipped this quarter.

Chart: Context7 and Playwright are the most commonly used MCP servers.

MCP is not dead

The debate about MCP's viability continues, yet our observations suggest a different story. During an AI security webinar in April 2026, 70% of participants confirmed they use MCPs. While market skeptics often prioritize headlines and social engagement, the reality is that organizations are poised to transition away from CLI as MCP evolves with improved stability and token efficiency. MCP offers a standardized framework for connecting agents to external services, making it a superior choice for enterprises focused on governance, risk mitigation, and credential sprawl management. Furthermore, as AI agents become more prevalent among non-developer audiences in their daily workflows, the complexity of CLI remains a significant barrier that MCP effectively addresses.

A new category of software needs a new category of security

Local AI agents—Claude Code, Cursor, Claude Desktop, and the long tail behind them—are a new category of software. And everybody uses them everywhere, every day. The scary part is that they are designed for productivity first, and therefore they're semi-autonomous, deeply connected, and privileged. They're capable of reading nearly everything on a user's machine. They introduce risks that security teams are still struggling to catch up with. The traditional endpoint security stack, built around antivirus and EDR, was never designed to see them, let alone govern them.

We built Autonomous Security to close this gap between software and security.

Our mission is straightforward: apply real-time guardrails to the prompts and actions agents take and provide security teams with visibility and control over MCP servers, skills, agents, plugins, and the secrets that feed them. And do this without slowing down the people using these tools to ship faster. We focus on the three risks that show up almost immediately when teams adopt MCP at any real scale:

  • The mess of untrusted packages. With 12,900+ MCP servers in the wild, employees can, and do, pull random implementations off GitHub with no reliable way to vet them. A malicious Postmark MCP discovered earlier this year quietly BCC'd every outgoing email to an attacker; the bad code was a single line buried among hundreds. The last two months alone have seen three major attacks on popular open-source projects (with more traction than MCP), including Axios, LiteLLM, and TanStack, aimed at exfiltrating credentials.

  • The sprawl of API keys. MCP's plug-and-play simplicity comes from pasting credentials into config files, such as mcp.json, that sit in plaintext on developer laptops, exactly where an AI agent can read them. Prompt injection attacks have already extracted these keys and gained access to production SaaS systems.

  • The amplified attack surface from prompt injection. Every system you connect an agent to is both a feature and a backdoor. Anything an agent reads—emails, calendar invites, CRM contact-form submissions, web pages, and code comments—is potential input. Official connectors don't immunize you; the model itself remains susceptible by design.

How Autonomous Security closes the gap

Autonomous Security addresses these risks across the full lifecycle of agent adoption. Autonomous Security augments existing EDRs with AI, and introduces agentic Intent monitoring to track, analyze, and govern the actions of autonomous AI agents in real time.

First, you deploy the Autonomous Security OS-native endpoint security agent using your usual enterprise software deployment infrastructure (MDM).

The agent then starts a discovery and inventory phase, mapping every MCP server, skill, plugin, agent, and stored secret, API key, or password in the organization onto a dashboard. It then prioritizes them by risk. You now use this information to define your controls and guardrails.

With your controls and guardrails in place, the endpoint security agent continues to monitor and begins enforcing them. It:

  • Scans for vulnerable content, including source code for compromised open-source packages, and automatically blocks or deletes rogue MCPs and malicious skills. This covers skills that AI agents create themselves, not just downloaded components, since those can carry vulnerabilities too.

  • Applies the guardrails to prompts, MCP, and shell commands and responses in real time to block prompt injection attempts or redact PII and secrets.
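The two mechanics described on this page, credentials sitting as plaintext values in mcp.json (the API-key sprawl risk above) and a guardrail that redacts secrets and PII from what crosses between the agent and its tools, can both be illustrated with a small check. The following Python is an added example, not Autonomous Security's code. It assumes the common mcp.json layout of a top-level "mcpServers" object whose entries carry "command", "args" and "env" keys; all server names and commands are placeholders, the GitHub-style token is fabricated, the AWS access key ID is the one AWS itself documents as an example, and the pattern list is deliberately short where a real guardrail would carry many more.

```python
import json
import re

# Constructed sample mcp.json. The {"mcpServers": {...}} layout with "command",
# "args" and "env" per server is an assumption about the common client format;
# server names and commands are placeholders, not real packages.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "github": {
            "command": "example-github-mcp",
            "args": [],
            # Fabricated token in GitHub's "ghp_" shape: a literal secret in plaintext.
            "env": {"GITHUB_TOKEN": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
        },
        "notion": {
            "command": "example-notion-mcp",
            "args": [],
            # Reference to an environment variable: the key lives in a vault or
            # keychain and is injected at launch, not stored in the file.
            "env": {"NOTION_API_KEY": "${NOTION_API_KEY}"},
        },
        "s3": {
            "command": "example-s3-mcp",
            # AWS's documented example access key ID, passed on the command line.
            "args": ["--access-key", "AKIAIOSFODNN7EXAMPLE"],
        },
    }
})

# A value like "$NAME" or "${NAME}" is a reference, not the secret itself.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

# Deliberately small (label, regex) list; a real guardrail carries many more.
SECRET_PATTERNS = [
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
]


def find_inline_secrets(config_text):
    """Return (server, location, reason) for every credential stored in the
    config file instead of referenced from the environment."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        # Any env value that is not a $VAR reference is a plaintext secret on disk.
        for var, value in spec.get("env", {}).items():
            if not ENV_REFERENCE.match(str(value)):
                findings.append((name, f"env.{var}", "literal value, not an env reference"))
        # Secrets also leak through command-line args, which show up in process listings.
        for i, arg in enumerate(spec.get("args", [])):
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(str(arg)):
                    findings.append((name, f"args[{i}]", label))
    return findings


def redact(text):
    """Replace secret- and PII-shaped substrings with [REDACTED:<label>] and
    return (clean_text, {label: count}). Intended to run on prompts and tool
    responses before they cross the boundary between the model and your data."""
    counts = {}
    for label, pattern in SECRET_PATTERNS:
        text, n = pattern.subn(f"[REDACTED:{label}]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed tool response, e.g. what a log-reading MCP server might hand the agent.
SAMPLE_RESPONSE = (
    "deploy.log: token ghp_0123456789abcdefghijklmnopqrstuvwxyz used by "
    "alice@example.com; access key AKIAIOSFODNN7EXAMPLE found in config"
)

if __name__ == "__main__":
    for finding in find_inline_secrets(SAMPLE_MCP_JSON):
        print("inline secret:", finding)
    clean, counts = redact(SAMPLE_RESPONSE)
    print(clean)
    print(counts)
```

The config check treats an env value as acceptable only when it is a reference the launcher resolves at runtime, which is the "vault your secrets" step in practice: the file on the laptop then holds no credential for an agent or a prompt-injected tool call to read. The redaction pass is intentionally pattern-based so it works identically on prompts, MCP responses and shell output; its weakness, unlabeled secrets that match no pattern, is why an inventory of stored secrets (the discovery phase above) matters as much as the real-time filter.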

Now, when the next Axios- or LiteLLM-style supply-chain incident hits, you don't get just a vague advisory: the endpoint security agent blocks threats on your users' workstations, and you get a list of affected machines and alerts for any follow-up actions.

The bottom line

The growth of the MCP ecosystem isn't going to slow down. Companies that try to ban it will simply lose ground to those that adopt it safely. 12,000+ servers, 90,000+ skills, and a third of companies building custom MCPs are not a trend you sit out. But it is a trend that demands controls tailored to how AI agents operate.

That's where Autonomous Security comes in: running MCP servers at enterprise scale is worth doing, and worth doing securely. Map what you have, vault your secrets, vet what your teams install, and put guardrails on what crosses the boundary between the model and your data. Do that, and the productivity gains stay yours rather than becoming someone else's to exploit.

Talk to us to see a demo.

Last updated: May 13, 2026