MCP, Tool Use, and the New Attack Surface Nobody Is Mapping
The agent wasn’t compromised. The model wasn’t compromised. The tool wasn’t compromised. Every component did exactly what it was designed to do. The system still executed an action nobody authorized. That is not a vulnerability in the traditional sense. There was no implementation flaw to patch, no misconfigured permission to revoke, no anomalous credential activity…