The Model Context Protocol (MCP) has become the connective tissue of agentic AI. It is how agents reach tools, data, and APIs — and it is being adopted faster than almost any standard in enterprise software history. But speed of adoption is not the same as readiness for the enterprise. That gap is exactly why PointGuard AI is collaborating with the Cloud Security Alliance (CSA) to define, test for, and publicly disseminate risk ratings for AI models and MCP servers — work that expands CSA’s RiskRubric database to cover the agentic control plane. So we tested the public MCP ecosystem, and the top-line finding should alarm every security leader: two-thirds (67%) of the 36,527 MCP servers we scored carry serious security flaws that make them unsafe for enterprise use.
PointGuard AI has now applied our Trusted AI scoring methodology to 36,527 MCP servers publicly available on GitHub. Each server receives a letter grade from A to F. The results should give every security leader pause.
The data: most public MCP servers fail
Here is the full distribution across all 36,527 servers we scored:

Read from the bottom up, the picture is stark. Roughly two-thirds — 67% — of the MCP servers we tested earned a D or an F, meaning they carry serious security flaws and are not recommended for enterprise use. Add the C grades and the number climbs to over 85%. Fewer than 15% of public MCP servers earned an A or a B.
In other words, if your agents are reaching for tools from the open MCP ecosystem — and most are — the odds are overwhelming that they are connecting to code you would not knowingly allow into production.
How we score: three pillars of trust
A letter grade is only useful if the method behind it is rigorous and transparent. Our methodology evaluates every server across three weighted pillars.
Security Maturity (50%). We scan server code with SCA and SAST tooling to detect vulnerabilities and attack vectors, then consolidate and risk-rank the findings using CVSS, EPSS, and the CISA Known Exploited Vulnerabilities catalog. This pillar also accounts for hardcoded secrets and whether the project publishes and maintains a security policy.
Operational Maturity (30%). Drawing on GitHub metadata, we assess verified or official publisher status, publisher-location transparency, license type and compliance, issue-resolution velocity, and peer-review status — the signals that separate a maintained project from an abandoned one.
Adoption Maturity (20%). Finally, we weigh community signals: downloads, likes, stars, and forks. Popularity is not proof of safety, but it provides context for how widely a given risk is already propagating.
The weighting is deliberate: security counts for half the grade because, for an enterprise, a well-adopted server with a critical vulnerability is not a good server — it is a widely distributed liability.
Why the grades matter: the risk is already real
These are not theoretical scores. The failure modes we grade against are the same ones showing up in the wild, which we document in our AI Security Incident Tracker.
A recent entry illustrates the danger precisely: poisoned MCP tool descriptions that turn trust into risk. In this class of attack, a server’s tool descriptions — the very metadata an agent reads to decide how to act — are laced with hidden malicious instructions. Because the agent treats that description as trusted context, the injected commands can quietly redirect its behavior: exfiltrating data, invoking unauthorized operations, or chaining into other tools. Nothing about the interaction looks anomalous at the network layer. The compromise lives in content the agent was designed to trust.
This is what makes the MCP problem different from a conventional software supply-chain risk. The attack surface is not just the code an MCP server runs; it is the instructions and descriptions it presents to an autonomous system that acts on them at machine speed. A D or an F in our scoring is a direct signal that a server carries exactly this kind of exposure.
A public standard, in partnership with CSA
This research is one input into a larger effort. Together with the Cloud Security Alliance (CSA), PointGuard AI is working to define, test for, and disseminate risk ratings for AI models and MCP servers to the public — expanding CSA’s RiskRubric database to cover the agentic control plane. The goal is to move MCP risk scoring from any single vendor’s opinion toward an open, industry-recognized standard that enterprises everywhere can act on.
You can read more in our announcement, PointGuard AI and CSA Evolve RiskRubric v2 to Secure the Agentic AI Ecosystem, and in CSA’s press release, CSA-I Foundation Announces RiskRubric v2 as the Next Key Milestone to Secure the Agentic Control Plane.
The broader point: MCP must be governed, not trusted by default
The data leads to one conclusion. MCP is a serious, systemic security issue, and the open ecosystem cannot be trusted by default. When 85% of public servers grade at C or below, “just pick a popular one” is not a security strategy. Enterprises need to know which servers their agents are allowed to use, on what terms, and with what continuous oversight — because a server that grades well today can regress tomorrow when a maintainer disappears or a tool description quietly changes.
That requires governance and runtime control: an inventory of every server in play, a defensible risk score for each, enforcement at the point where agents actually connect, and continuous monitoring as the ecosystem shifts. Discovery without enforcement leaves the exposure in place; enforcement without scoring is blind.
How PointGuard AI helps
PointGuard AI provides the control plane that turns this data into protection.
Know what your agents are reaching. Our platform discovers the MCP servers and agents already in use across your environment and scores each with the same A-to-F methodology behind this research — so risk is visible before an agent ever connects.
Enforce at the point of connection. Our MCP Gateway sits between your agents and their tools as a single policy enforcement point: tool- and operation-level authorization, read/write separation, and content inspection on every call — so a low-scoring or poisoned server cannot silently redirect an agent.
Govern continuously. Posture, threats, and compliance are unified in one view, with framework mapping and tamper-evident evidence, so scores stay current as the ecosystem changes.
The MCP ecosystem will keep growing, and so will the risk inside it. The question is not whether your agents will use MCP — they already do — but whether you can see and control what they connect to.
Data reflects PointGuard AI’s Trusted AI scoring of 36,527 public MCP servers on GitHub. Scoring methodology weights Security Maturity (50%), Operational Maturity (30%), and Adoption Maturity (20%).




