The largest independent security assessment of the Model Context Protocol ecosystem ever conducted. We analyzed every publicly available MCP server. The results demand immediate action. This is the first in a series of ongoing MCP ecosystem security assessments.
ddot Labs conducted a comprehensive automated security assessment of 1,693 MCP servers -- representing effectively the entire public MCP ecosystem. The analysis covered 15.2 million lines of code across TypeScript, Python, Go, Rust, Java, C#, and Ruby implementations.
"Every enterprise deploying MCP servers today is operating without the security controls they would demand from any other infrastructure software. The gap between what organizations assume they have and what actually exists is not a crack -- it is a chasm."
-- ddot Labs Security Research, March 2026
This assessment represents the most comprehensive security analysis of the MCP ecosystem ever conducted, covering servers across all major programming languages and use cases.
| Parameter | Value |
|---|---|
| Servers Analyzed | 1,693 |
| Lines of Code | 15,227,815 |
| Source Files | ~200,000+ |
| Languages | TypeScript, Python, Go, Rust, JavaScript, Java, C#, Ruby |
| Source | Public GitHub repositories from Awesome MCP Servers directory + official Anthropic repos |
| Date | March 24, 2026 |
| Detection Patterns | 30+ |
| Security Categories | 13 |
| Standards Mapped | NIST 800-53, OWASP LLM Top 10, CMMC Level 1 |
| Method | Static pattern analysis + architecture assessment + supply chain review |
| Execution | Parallel analysis across 32 CPU cores, all source processed locally |
| Reproducibility | Fully automated, deterministic, auditable |
The bell curve skews heavily toward failure. 76% of all MCP servers score D or below. Only 1.4% achieve enterprise readiness.
How common each security gap is across all 1,693 servers. These are not edge cases -- they are the norm.
Enterprise-critical categories -- Database, Cloud, and Memory/Knowledge servers -- score the lowest. The servers handling the most sensitive data have the weakest protections.
| Category | Servers | Avg Score | Risk Assessment |
|---|---|---|---|
| Memory / Knowledge | 33 | 51.5 | CRITICAL: Stores user data, conversation history, knowledge graphs -- with the lowest avg score |
| Media | 18 | 51.6 | HIGH: Image/video/audio processing with command execution risks |
| Database | 42 | 52.5 | CRITICAL: Direct production database access with SQL injection and no auth |
| Data / Analytics | 32 | 54.2 | HIGH: Data pipeline access without encryption or access control |
| Filesystem | 10 | 55.8 | CRITICAL: Direct host filesystem read/write with path traversal risk |
| AI / LLM | 46 | 56.8 | HIGH: LLM integrations without prompt injection protection or output filtering |
| Browser / Web | 32 | 57.6 | HIGH: Browser automation with unrestricted navigation and command execution |
| Cloud / Infra | 31 | 58.3 | CRITICAL: AWS/Azure/GCP access with hardcoded credentials and no isolation |
| Security | 35 | 60.1 | HIGH: Security-focused servers that fail their own security standards |
| General | 1,213 | 60.3 | MEDIUM: Broad category, systemic lack of security controls |
| DevTools | 31 | 60.5 | MEDIUM: Developer tooling with elevated privileges and command execution |
| Communication | 26 | 61.4 | MEDIUM: Slack/Discord/email access without authentication controls |
| Git / Code | 74 | 62.1 | MEDIUM: Source code access with command execution vectors |
| Search | 40 | 64.0 | MEDIUM: External search APIs without result sanitization |
| CRM / Business | 15 | 70.7 | MEDIUM: Best category score but still below enterprise threshold |
Some findings go beyond concerning into absurd. Security-branded servers that fail security. Secrets managers that leak secrets. These examples illustrate the depth of the industry's problem.
Eight servers received the minimum possible score of 0/100, meaning every security check failed.
When the product's name promises security but the code delivers the opposite.
Servers deployed in enterprise environments with critical access to sensitive systems.
| Category | Servers | Failing (F) | Failure Rate | Risk |
|---|---|---|---|---|
| Database Servers | 42 | 24 | 57% | Direct access to production data with SQL injection and no auth |
| Cloud/Infrastructure | 31 | 15 | 48% | AWS/Azure/GCP control plane access, credential exposure |
| Security Tools | 35 | 15 | 43% | Security tools that fail security assessment |
| Finance | 15 | 6 | 40% | Payment processing, trading, crypto operations |
| Communication | 26 | 9 | 35% | Slack, email, messaging -- corporate communications |
ddot addresses every finding in this report. Every red bar above turns green when agents operate through the ddot security gateway.
| Security Control | Industry (1,693 Servers) | ddot Gateway |
|---|---|---|
| Sandboxing | ABSENT in 64% -- Full process privileges | Wasm sandbox (Wasmtime) -- DENY-ALL capabilities, fuel metering, memory ceilings |
| Authentication | ABSENT in 53% -- Anonymous tool invocation | Ed25519 signing chain (Master -> CA -> Signing Key) with CRL |
| Audit Trail | ABSENT in 85% -- Zero forensic trail | Tamper-evident SHA-256 chain with Bitcoin OP_RETURN attestation |
| Rate Limiting | ABSENT in 73% -- Unlimited invocations | Per-user + 10K/min global ceiling, configurable per-skill |
| Input Firewall | ABSENT in 29% -- Raw input to tools | 5-layer Airgap prompt firewall with canary token detection |
| Output Sanitization | ABSENT in 61% -- Raw output from tools | Response sanitization + prompt injection detection |
| Transport Security | PARTIAL -- Most support HTTPS | Mandatory TLS, origin validation, no HTTP fallback |
| Memory Isolation | ABSENT -- Shared process memory | Per-user isolation with provenance + NIST 800-88 secure deletion |
| Supply Chain | 47% missing lockfiles | Rust binary, cargo-audit, Clippy, MSRV 1.91, 0 unsafe blocks |
| CMMC Adherence | 0 servers claim adherence | 17/17 CMMC Level 1 practices MET with documented evidence |
| Red Team Testing | 0 servers publish red team results | 25 red team tests + 10 PQC tests + 373 total tests + 10 CI gates |
| Post-Quantum Cryptography | 0 servers -- Ed25519 only, vulnerable to Shor's algorithm | Hybrid Ed25519 + ML-DSA-65 (FIPS 204) -- NIST Level 3 quantum resistance. Dual-family hashing (SHA-256 + SHA3-256). Both algorithms must verify independently. |
| Crypto Agility | 0 servers -- Hardcoded algorithms, no upgrade path | Three security levels (Classical, Hybrid3, Hybrid5). Algorithm selection per-signature. Backward-compatible with pre-PQC signatures. ML-DSA-87 (NIST Level 5) for government/military. |
The ddot Agent Security Audit provides instant, free security scoring for any MCP server or AI agent. For production deployments, ddot Certification verifies that agents operate through the ddot security gateway with full Wasm sandbox isolation, cryptographic signing, and tamper-evident audit trails.
Every MCP server in this assessment uses classical cryptography vulnerable to quantum computers. ddot is the first agentic AI security protocol to implement post-quantum defenses.
Shor's algorithm, running on a sufficiently large quantum computer, breaks Ed25519 in polynomial time. Every signature, every key exchange, every identity verification in the MCP ecosystem becomes forgeable.
This is not theoretical. NIST finalized post-quantum standards (FIPS 203/204/205) in 2024 precisely because the threat timeline is measured in years, not decades. Data harvested today under "harvest now, decrypt later" attacks will be exposed when quantum capability arrives.
0 of 1,693 MCP servers implement any form of post-quantum cryptography.
ddot implements hybrid classical + post-quantum signing using the belt-and-suspenders approach recommended by NIST SP 800-227:
| Component | Detail |
|---|---|
| Classical Layer | Ed25519 (FIPS 186-5) |
| Quantum Layer | ML-DSA-65 (FIPS 204, lattice-based) |
| Hash Families | SHA-256 + SHA3-256 (dual-family) |
| Verification | Both algorithms must pass independently |
If quantum computers break Ed25519, ML-DSA holds. If a cryptanalytic breakthrough weakens ML-DSA, Ed25519 holds. An attacker must break both algorithms simultaneously.
| Level | Algorithms | NIST Category | Signature Size | Use Case |
|---|---|---|---|---|
| Classical | Ed25519 only | Level 1 | 64 B | Legacy backward compatibility only |
| Hybrid3 | Ed25519 + ML-DSA-65 | Level 3 | 3,373 B | Default for all new signatures |
| Hybrid5 | Ed25519 + ML-DSA-87 | Level 5 | 4,691 B | Government, defense, critical infrastructure |
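The "both must verify" rule and the three levels above, as an added example (not ddot's code): a verifier that splits a hybrid signature by its declared level, enforces the exact sizes from the table, and rejects any level below policy so that a signature stripped to its Ed25519 half is not accepted as a downgrade. The concatenation order (Ed25519 first), the function names and the `min_level` parameter are assumptions, and the keyed-SHAKE stand-in only takes the place of real Ed25519 and ML-DSA libraries so the block runs offline.

```python
import hashlib
import hmac

ED25519_SIG = 64                                  # bytes, RFC 8032
MLDSA_SIG = {"Hybrid3": 3309, "Hybrid5": 4627}    # ML-DSA-65 / ML-DSA-87, FIPS 204
RANK = {"Classical": 1, "Hybrid3": 3, "Hybrid5": 5}

def verify_hybrid(level, msg, sig, ed_verify, pq_verify, min_level="Hybrid3"):
    """Return (ok, reason); ed_verify/pq_verify are (msg, sig) -> bool callables."""
    if level not in RANK:
        return False, "unknown level"
    if RANK[level] < RANK[min_level]:             # blocks downgrade to Ed25519-only
        return False, "level below policy minimum"
    expected = ED25519_SIG + MLDSA_SIG.get(level, 0)
    if len(sig) != expected:                      # exact size, no trailing bytes
        return False, "bad length %d, expected %d" % (len(sig), expected)
    ed_part, pq_part = sig[:ED25519_SIG], sig[ED25519_SIG:]
    ed_ok = bool(ed_verify(msg, ed_part))         # both halves are always evaluated
    pq_ok = bool(pq_verify(msg, pq_part)) if level != "Classical" else True
    if not ed_ok:
        return False, "classical signature invalid"
    if not pq_ok:
        return False, "post-quantum signature invalid"
    return True, "ok"

def standin_scheme(key, size):
    """Constructed stand-in, NOT a signature scheme: keyed SHAKE-256 tag of `size` bytes."""
    def sign(msg):
        return hashlib.shake_256(key + msg).digest(size)
    def verify(msg, sig):
        return hmac.compare_digest(sign(msg), sig)
    return sign, verify

def demo():
    ed_sign, ed_verify = standin_scheme(b"constructed-ed-key", ED25519_SIG)
    pq_sign, pq_verify = standin_scheme(b"constructed-pq-key", MLDSA_SIG["Hybrid3"])
    msg = b"skill-manifest-v1 (constructed sample)"
    sig = ed_sign(msg) + pq_sign(msg)             # 64 + 3309 = 3373 bytes
    tampered = sig[:-1] + bytes([sig[-1] ^ 1])    # flip one bit in the ML-DSA half
    v = (ed_verify, pq_verify)
    return {
        "valid": verify_hybrid("Hybrid3", msg, sig, *v),
        "pq_tampered": verify_hybrid("Hybrid3", msg, tampered, *v),
        "stripped": verify_hybrid("Classical", msg, sig[:64], *v),
        "legacy_opt_in": verify_hybrid("Classical", msg, sig[:64], *v, min_level="Classical"),
        "truncated": verify_hybrid("Hybrid3", msg, sig[:64], *v),
    }

if __name__ == "__main__":
    print(demo())
```

Accepting `Classical` signatures for backward compatibility is only safe as an explicit per-verifier opt-in; with the default minimum, the stripped 64-byte signature is rejected even though its Ed25519 half is valid.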
"The rest of the industry is building security for 2026. ddot is building security for 2036. When quantum computing renders every Ed25519 signature in the MCP ecosystem worthless, ddot-signed skills will still verify."
-- ddot Labs, on why post-quantum cryptography is non-negotiable
Based on the analysis of 1,693 MCP servers, ddot Labs recommends the following immediate actions for the ecosystem.
