TL;DR: 1,862 MCP servers were exposed to the internet, and all 119 sampled servers allowed unauthenticated access to internal tool listings, while the protocol’s weak authorization defaults can expose files, credentials, and cloud spend, according to Knostic. The risk is not just discovery, but unmanaged tool access that turns MCP into an identity boundary without identity controls.
NHIMG editorial — based on content published by Knostic: exposed MCP servers and unauthenticated tool access
By the numbers:
- Knostic discovered a total of 1,862 MCP servers exposed to the internet.
- From 119 servers sampled for manual verification, all 119 allowed access to internal tool listings without authentication.
- Only 18% of MCP server deployments implement any form of access scoping for tool permissions.
Questions worth separating out
Q: How should security teams secure exposed MCP servers without breaking AI workflows?
A: Start by authenticating every MCP endpoint before any tool catalog is revealed, then limit each server to the smallest tool set and secret scope it needs.
Q: Why do unauthenticated MCP tool listings create identity risk?
A: Because a tool listing is a capability map.
Q: What breaks when MCP servers are exposed without access scoping?
A: The server becomes a publicly reachable control point with no meaningful boundary between discovery and use.
Practitioner guidance
- Inventory every externally reachable MCP endpoint Map internet-facing listeners, common paths, and protocol fingerprints so you know which MCP services are discoverable before they become exploitable.
- Require authentication before tool enumeration Block anonymous tools/list responses and make tool visibility part of the authorisation decision, not a public discovery function.
- Scope MCP permissions as privileged NHI access Bind each server to the minimum tools, data sources, and downstream actions required for its role.
What's in the full report
Knostic's full research covers the operational detail this post intentionally leaves for the source:
- Shodan filter logic and the custom fingerprinting approach used to identify MCP servers in the wild.
- The full validation workflow for confirming a true MCP server, including protocol-compliant handshake checks and endpoint probing.
- Safe, read-only verification techniques such as tools/list that distinguish exposure from active tool execution.
- Knostic's recommendations for securing MCP environments beyond discovery, including the operational controls it discusses on its blog.
👉 Read Knostic's analysis of exposed MCP servers and unauthenticated tool access →
MCP servers exposed to the internet: what IAM teams need to fix?
Explore further
Exposed MCP servers create a new identity boundary, not just a new attack surface: The problem is not that MCP exists, but that its tool layer is often reachable before any meaningful access decision is made. Once tool discovery is public, the server has already crossed from software endpoint into privileged identity surface. Practitioners should treat internet-facing MCP exposure as an identity governance issue, not a purely network one.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: What should IAM teams prioritise when MCP is part of the stack?
A: Prioritise ownership, authentication, secret hygiene, and lifecycle control for every MCP server exactly as you would for a privileged workload. The service should have a named owner, scoped credentials, rotation rules, and a decommissioning path. Without those controls, the protocol becomes another unmanaged non-human identity surface.
👉 Read our full editorial: Exposed MCP servers reveal a growing identity and access risk