Public Research Report

Main

The Pragmatic Engineer - MCP Research Report

This is our Research Report, accompanying the deepdive Building MCP servers in the real world. This report contains 4-5x as much raw details, data, and information than we are able to fit in the final newsletter.

Some comments are in green text throughout the report. These are comments from us (The Pragmatic Engineer team: Elin who created the report or Gergely).

Executive summary

I. Servers and use cases

1. Use cases and examples

2. Popular and notable MCP servers

3. MCPs built by respondents

II. Learnings and advice

1. For building MCPs

2. For using MCPs

3. General MCP learnings

III. The state of the MCP ecosystem

1. Advice for using MCP can differ a lot

2. MCPs for production is largely an unsolved problem

3. Evaluation, reliability and testing of MCPs is Not Trivial

4.MCP is like USB-C, in the bad ways as well

5. MCP adoptions inside of companies

6. More builders than users of MCP, and that can be an issue

7. The protocol and capabilities is constantly evolving

8. Prediction that MCP will “fade as a concept”

Research Report - MCP servers

Executive summary

The Model Context Protocol (MCP) has rapidly gained traction, standardizing how AI clients (like chatbots and IDEs) connect to data, files, and tools through dedicated servers, earning the moniker "the USB-C of AI." We wanted to learn how MCP is being adopted in the real world, how it’s being integrated into companies and workflows, and what learnings builders and users of MCP have to share. The main themes we’ve been researching are:

MCP usage - which MCP servers are people using, how are they using them, and what has MCP unlocked for them?
Building MCP servers - what kind of MCP servers have people been building, for whom, and what has the experience of building MCP servers been like?
The state of MCP - what trends, adoption patterns and best practices are emerging from the adoption of MCP?

This research, based on a survey and interviews, shows that MCP adoption is widespread, and is largely driven by two main forces: large, official servers from major developer-facing companies (e.g. Figma, Atlassian, Notion) and a surprisingly big number of internal, private MCPs built by companies to access internal data, documentation, and internal tools. A long tail of small custom-built MCP servers for primarily personal usage also exist, often created for individual experimentation or specific one-off use cases, or open-sourced with limited adoption within the MCP community.

Common use cases of MCP servers include integrating into CI/CD pipelines, accelerating prototyping by bridging design systems and tools (like Figma) with ticketing systems (like Jira). MCPs are also enabling non-developers to "vibe code" and contribute to the codebase, and allowing customer care agents to make use of internal APIs, data and platforms in new ways. Furthermore, connecting LLMs to internal wikis, documentation, and legacy codebases via MCP is proving beneficial for improving the quality and context of agent-driven work.

However, the experience is not without its challenges. Security, especially regarding access control and using content from untrusted sources, remains a primary concern in the community. Developers also note issues with context windows and “tool bloat," where agents become less reliable when given too many unnecessary tools. Despite these hurdles, the general sentiment is that MCP is a powerful, open technology, with some predicting it will replace self-service Business Intelligence by providing direct, agent-accessible access to internal data warehouses.

Who we’ve talked to

We ran a survey with 46 responses, gathered between September 11 and October 9 2025

Jeremiah Lowin, founder of Prefect and FastMCP
Den Delimarsky from Microsoft, core contributor to the MCP protocol, focusing on auth

MCP basics - recap

The MCP protocol was initially released in November of 2024

Commonly hailed as the “USB-C of AI”
Standardized protocol to connect Clients (chatbots, IDEs, AI applications) to data, files, and tools through Servers
The protocol will have a new big-ish release on November 25th (1 year anniversary update), with a release candidate on Nov 11th (source)

Update: The RC has been released, but the protocol update is still pending.

MCP Servers have three main components

Resources

Context and data for the user or LLM, e.g. file contents, git history
Controlled by the client/application

Prompts, e.g. templated messages and workflows

Controlled by the user, e.g. through chat or through commands, buttons, actions, etc
All prompts are declared in the protocol

Tools, e.g. functions and actions the LLM can work with, e.g. file write, POST requests, functions to invoke

Controlled by the model
Best result when designed and developed for LLMs to use
Basically Agent Computer Interface stuff!

E.g. what we talked about with the SWE agent article! In general MCP reminds me a lot of that, but on a higher and broader abstraction level, and with other types of tools, so not terminals and file browsing capabilities, but rather tools/”functions” for other software and services
Since it’s LLMs, at the end of the day, a lot of these tools are “accessed”/used through prompts and LLM instructions packaged in an MCP way, rather than through ACI or directly from the user

The MCP Protocol was developed by Anthropic, but maintained in the open

There’s 9 core maintainers, Den Delimarsky is one of them since this summer

He focuses on auth and security aspects of the protocol based on his professional background
He became maintainer after rewriting auth spec in June due to issues with initial proposal

“I had some issues with the initial Auth spec that they had proposed, so I started working with them to rewrite it. And that launched in June, and after than I got invited to be a core maintainer”

The governance of MCP has solidified over time, where there’s now governance docs and clear and open processes around decision making etc.

“Everything we do is in the open. It's in Discord, it's on GitHub. There are some exceptions with private company partnerships, but for the protocol itself, that’s in the open. That's one of the superpowers of the protocol, in my view, because anybody can contribute from anywhere.

I. Servers and use cases

This section covers the real world usage and use cases of MCP servers as reported in our research. It starts with higher-level examples for how people and teams report using MCP, and then we list all the MCP servers that were reported to us by category.

1. Use cases and examples

Test/debug sessions help

One person reported MCP helping with debug sessions prior to shipping a new feature

“An example of a flow that worked really well:

we built a new feature and lots of people in the company to test it
they added rows to a notion database with their testing results in
I used claude code to create a new database with aggregated/categorised test results in, grouped by the underlying issue
I iterated on that a bit manually in notion, then used the Linear MCP to create a new project and fill it with tickets based on the rows in the aggregated database

It worked quite well, the agent often gets the parameters wrong then retries with corrections which is kind of cool to watch. There were still points where I had to intervene and make some manual corrections or encourage the agent to do something differently (eg. link formatting) but broadly speaking pretty good (and fun)” - Theo Windebank, at customer ops AI startup Gradient Labs

CI/CD and repo integrations

“The integration with atlassian allows me to commit, push and create a Merge Request in a single command with Claude Code” - Backend dev at a startup
“Github MCP - interact with repo (create PR, trigger Agent Copilot, search for release history,..)” - Lukas Kurucz, React Native engineer at Preply

Prototyping, getting started with new work, and creating first drafts

Through using Figma and/or design system MCPs with context from ticketing systems or internal knowledge (notion, confluence, etc), getting up and running with prototypes and first drafts of work
“Confluence MCP - search for relevant documentation, update JIRA tasks and read description to bootstrap work. Figma MCP - works well with Jira MCP to bootstrap work for new task.” - Lukas Kurucz, React Native engineer at Preply

Allowing non-devs to do more

Contributions etc from Jira/Linear/similar

“We are using MCP servers to allow non devs to contribute to the codebase. Linear MCP + Obsidian MCP + Vscode has been a great unlock. A lot of work gets done in the actual tickets which really helps guide the agent.” - CTO at a stealth company

Know more

“Another MCP implementation is over our graphql gateway which can allow our customer care agents to get information more easily. This is still a PoC and we do not know if it works reliably or not.” - Harshal Shah, Engineering Manager at GetYourGuide
“Our MCPs expose information from our API data services. We build NatCat solutions, and we find it useful to have a GPT client feeding on our data, so that we can help non-SW Engineers aggregate data from different services.” - Staff geospatial engineer

Prototyping

“Vibe coding for product+design person[nel]: With this tool call we have enabled a lovable/replit-kind of environment for all our non-dev person[nel] to vibe code their ideas all within the design language of Razorpay and using our design system. This is the biggest challenge with all the vibe coding tools that they can't generate MVPs within your company's design language, coding practices, etc. With this tool we scaffold a base template with our coding practices and then the UI can be built using our design language so now anyone can take apps to production” - Kamlesh Chandnani

Making it possible to use highly legacy systems in new ways

“We are building an MCPto surface documents from Siemens Polarion ALM for tracking aircraft requirements and airborne software development. It's a legacy system with very poor integration points for external users of the document data, especially for AI. Access control due to the sensitive nature of the data is a really tough situation with the current MCP spec.” - Software engineer at an electric aviation company

Improving LLM and agent context through docs, wikis, etc

MCPs that connect agents/LLMs to additional context in order to do and “know” more, and improve the quality of their work
Software engineering

From official documentation from the internet

Context7, web search, official documentation MCPs (e.g. AWS)

By connecting to internal guidelines, styleguides and best practices

“Experimenting with an MCP to pull git repos and use them as documentation for agents via an MCP so our engineers can reference architecture and engineering docs that we maintain as markdown in git. Have paused building as there seem to be several similar ones around but nothing is quite hitting the mark as yet.” - Principal architect
“some information retrieval MCPs built internally by the company (such as API interface protocol queries, project knowledge bases, etc.)” - System eng

By providing context about internal systems, legacy codebases, etc

“I have also been working on developing my own MCP server for a project to give better context on legacy codebases to agents by providing an interface to search for similar implementation patterns, bugs, etc.” - Tech lead at a GovTech SaaS company
"I've built a MCP sharing information about our internal libraries: it suggests what internal library to use, it lists all libraries, it provides documentation of a library, it provides examples use of a library"
“Tool hosted internally that serves devex knowledge (how to guides, internal library documentation) to engineers working in agentic coding IDEs. Very straightforward (Spring AI based), the problem is in optimising content, not the MCP integration itself” - Andrew Eacott, Principal Engineer at Miro
“One of the internal MCP servers we have developed is one which talks to our service catalog and answers questions such as "who owns a given service", "which team does an individual belong to" and so on. “ - Harshal Shah, Engineering Manager at GetYourGuide

Company context

Access to internal wikis, docs, strategies, etc

“The Notion MCP has been useful for accessing Notion documents as context when creating product requirement documents to implement larger features in a React Native codebase. Sometimes, clients I work with will create style guides or tutorials for developers to reference when designing code solutions. Cursor has a web search feature that is handy to reference publicly available articles, but for resources that require authentication, this server has been great to securely access Notion documents without copy and pasting the entire contents of the article in an agent chat” - Joshua Yoes, Staff Engineer at Infinite Red.

Connection to internal datasets, platforms, etc.

“By far, the median MCP user is someone who's like, “I access my company's own data warehouse through an MCP server”. My colleague Adam recently said that he thinks that MCP will replace serf-service Business Intelligence, especially once there’s a really established way to just build dashboards from what comes out of it. I don't know how plugged in you've been to the buzzwords of the data world of the last decade, but it’s almost like the promise of The Semantic Layer is actually being realized through MCP in a way that never quite got out of the barn.” - Jeremiah Lowin

Design systems and UI development

Someone seeing a pattern

“I can't share clients tools, but using MCPs to make internal UI catalogues and library usage templates discoverable and insertable without too much context poisoning is a pattern I see being adopted in many orgs” - Mario Hachemer

Three additional people in the outreach mentioned MCP for their design system and/or component library

Razorpay's Blade system example below

Controlling and interacting with devices and browsers…

… for additional context

“have started using the Playwright MCP for giving the assistant context on what the frontend implementation looks like” - Development service company

… emulators/simulators/browser automation and E2E testing

iOS simulator

“[ios simulator MCP] has been useful for automating common quality assurance tasks I need to do to evaluate the quality of my work as a UI developer. [...] I have found that if I give clear instructions for navigating a UI flow that I know works, it can be handy for automating taking screenshots of key screens and screen recordings of flows. Often I need to include these in pull request descriptions in order for a reviewer to approve my code, so this has been a handy use case to speed it up. For some more complicated changes, I was able to successfully get 5 different screen recordings in one conversation. Other users online have shared that agents programs like Claude Code have had success getting basic scaffolding of new screens up using these server tools and a deep linking tool like `npx uri-scheme` to navigate to new screen in the simulator.” - Joshua Yoes, Staff Engineer at Infinite Red

… browser automation

APIs/tools that hooks into the browser, essentially an emulator/simulator for the web
“Browser automation via Playwright's accessibility tree. Interact with and test web apps deterministically via MCP” - Person at Aurora

Internal MCP tooling

“MCP as the interface” for internal tools/functionality

“We built an internal MCP server for our own chatbot in our platform. For now we do not plan to expose the MCP server externally, but we are already rolling out the chat feature in our platform that works integrated with the MCP Server. The chat (Claude-based) can perform some actions that previously took a few steps or some manual work, such as to create datasets in JSON to submit to our platform.” - Diogo Ferreira, Backend developer at Timefold

2. Popular and notable MCP servers

This section lists and describes all the MCP servers reported in our research. They are tied to the use cases above, but here we report on the tools themselves.

4 types of MCPs/color coding

We found that most MCP servers fit into four major categories described here, and color coded throughout this section.

Large, public and official MCPs

“There's like 10 MCP servers that are heavily used, made by the major developer-facing companies.” - Jeremiah Lowin from FastMCP

Figma, Github, Atlassian (Jira, Confluence), Linear, Notion, Sentry, Playwright/Puppeteer, and other “big names”
Context7 by the Upstash folks (the team behind Redis) is maybe an outlier for not being an enterprise-level name, but mentioned enough that it seems worth putting here

These are ones that are recommended by Claude or Cursor

The infinite tailend of MCPs with barely any users

Many of these are small, custom, “one-off” type MCPs for individual use and/or built to experiment

“Infinite tailend of MCPs with 0-1 users”
Essentially, the “more builders than users” trope is real

Often (should be) open sourced if meant to be used by anyone else

Universal recommendation to not use MCPs that are not open sourced or from a credible developer/company

“Community contributions”

There’s a general excitement that there’s lots of people building and contributing to MCPs, and making them available for others to use, update and improve.
There’s endless lists of MCP servers and registries online, including the official MCP repo, which currently features 856 community servers (besides the 470 “official ones”/e.g from companies)

Internal and private MCPs built for and used at companies

Jeremiah from FastMCP reported a surprisingly huge use case being companies building local MCPs to unlock and enable internal tooling, with no expectation to ever provide them as external tools
Also supported in the data - about a third of the responses mentioned building or using internal MCPs for various use cases

“the median MCP user is someone who's like, ‘I access my company's own data warehouse through an MCP server’” - Jeremiah Lowin

Others - e.g. not the “Big 10” but public and with decent user bases

Reference MCPs in and by the community

Sequential Thinking, Memory, etc

Smaller dev-facing companies

IcePanel, Glean, incident.io, Kagi, etc

Context and knowledge

Software development and coding

Context7

Developed by upstash, the folks behind Redis
Created to provide LLMs with up-to-date docs and code examples, in order to overcome the model training cutoff

Directory of up-to-date documentation, made searchable and “LLM-copy-pasteable” for a set number of tokens
Popular tool to use through MCP

Use with some caution!

One CTO has security concerns

“As a CTO, it is hard to recommend MCP servers that are capable of pulling in content from untrusted sources, e.g., Context7, due to security concerns.” - Ben Blackmore, CTO at observability startup Dash0

There’s been reported concerns about faked docs and repos
The team implemented some safeguards since then, including adding allow/blocklists and making it so people have to sign in to Context7 before adding sites or repos to it (previously a free-for-all)

Quotes

“This server has been useful for getting context for popular code documentation sites in a token-efficient way” - Joshua Yoes, Staff Engineer at Infinite Red
“It can be handy for rough research, but for most of my coding tasks, I want to have a lot of precision in what I want to use as context, so I use the simpler route of copy and pasting a URL or directly copy and pasting text from an article. I think if I were using it to research coding solutions I was unfamiliar with, I would find myself using this server more.” - Joshua Yoes, Staff Engineer at Infinite Red
“context7 for up to date documentation, so fewer hallucinated APIS and functions” - Wynand Pieters, consultant dev
“Context7 - great for allowing the model to quickly fetch documentation about a tool” - Federico Saravia, Head of Engineering at Make

AWS Knowledge

Managed remote server to provide documentation, code samples and knowledge about AWS APIs and CloudFormation
“Remote AWS knowledge base via Streamable HTTP, proxied to stdio for editor compatibility” - Person at Aurora

AWS Documentation

Access to AWS-specific documentation and content
I’m not clear on the difference between Knowledge and Documentation honestly, seems like two teams built and shipped the same thing..?

IcePanel

C4 diagrams for software systems (e.g. architecture diagrams)
Unclear if this is to give info/context to agents or to the human user.

Wikis, documentation and internal context

Notion

Hosted remote server for creating documentation, managing tasks, building reports and searching/finding content
“This server has been useful for accessing Notion documents as context when creating product requirement documents to implement larger features in a React Native codebase [...] this server has been great to securely access Notion documents without copy and pasting the entire contents of the article in an agent chat.” - Joshua Yoes, Staff Engineer at Infinite Red

Atlassian - Confluence

Atlassian has one MCP server that connects with Jira, Confluence and Compass so far
“Creating documentation in Confluence based on a recently introduced github actions based automation” - Harshal Shah, Engineering Manager at GetYourGuide

Glean

Platform for company knowledge for LLMs and agents with an MCP currently in beta (aim for GA in october)
“Search company documents and data using Aurora's Glean knowledge platform. Access internal documentation, policies, code, and institutional knowledge through natural language queries” - Person at Aurora

Lots of internal MCPs

Access to data from internal systems and platforms

"I've built a MCP sharing information about our internal libraries- it suggests what internal library to use- it lists all libraries- it provides documentation of a library- it provides examples use of a library"

Ticket, work and project management tools

Atlassian - Jira

Atlassian has one MCP server that connects with Jira, Confluence and Compass so far
“Interact with Jira (issues, projects, search) via MCP using a Personal Access Token” - Person at Aurora
“[I use Confluence/Atlassian MCP to] search for relevant documentation, update JIRA tasks and read description to bootstrap work” - Lukas Kurucz, React Native engineer at Preply
“Creating PRs for security tickets by passing ticket ID to claude code” - Harshal Shah, Engineering Manager at GetYourGuide

Linear

Hosted and managed remote MCP server for updating tickets, issues and projects
“[I use Linear MCP for] generating weekly executive summaries about our support load” - Ben Blackmore, CTO at observability startup Dash0
“The Linear one allows us to simply paste in a link to an issue and ask an AI like Cursor or Claude Code to complete the ticket” - Sirius Li

Shortcut

Project management tool for software teams with an official MCP

Clickup

MCP with 20+ tools for task management, search, comments, chat, docs, etc.
“ClickUp (third-party MCP server) is really useful as that's our ticketing system; I'll provide a ClickUp ticket to Cursor and tell it to plan and start building based on what's in the ticket.” - Andrew Minion, platform engineering manager at travel tech company iVisa

UI design and prototyping

Figma

Has both a hosted remote server, and a local server that can be used with the Figma desktop app
Has tools for generating code, extracting design context, ensuring code consistency, etc.
“This server has been handy for implementing Figma designs into React Native UI code. Cursor Agent mode using the tools available on this server often does an excellent job of creating a first draft of code that can be improved in future agent loops. The official MCP from Figma has been consistent for me since I have started using it and uses the existing authentication from the Figma desktop app.” - Joshua Yoes, Staff Engineer at Infinite Red

Laravel Boost

Has 16 different tools, ranging from generating code and tests, to doc search, to database functionality, etc (source)
“gives vibecoding a boost” - person at BrokerChooser
“Laravel Boost has been fantastic in testing.” - Person at an EdTech company

Testing and Browser automation

Playwright

Built by Microsoft
“Browser automation via Playwright's accessibility tree. Interact with and test web apps deterministically via MCP” - Person at Aurora

Puppeteer

Anthropic developed a reference MCP for Puppeteer, but it was deprecated in May -25

“This server can access local files and local/internal IP addresses since it runs a browser on your machine. Exercise caution when using this MCP server to ensure this does not expose any sensitive data.” (source)

As Puppeteer is just an open sourced javascript library, there’s plenty of community Puppeteer MCPs
Someone tried using Puppeteer as a way to read results from a website and advises against it

“Don't try to use Puppeteer to read GitHub action run results, as it won't work while burning tokens like there's no tomorrow” - Laurynas Biveinis

“Puppeteer is helpful for UI changes; I'll tell Cursor what local URL to visit and what it should see or what issues to look for” - Andrew Minion, platform engineering manager at travel tech company iVisa

Chrome dev tools

Reported by one person, hailing it as a great example of MCPs bringing capabilities to people who wouldn’t know about/use them otherwise
“For example, chrome-devtools-mcp, whose capabilities are based on the long-existing automation capabilities of Chrome DevTools. However, before chrome-devtools-mcp appeared, only a small portion of people familiar with UI automation could utilize its capabilities. With chrome-devtools-mcp, back-end developers and even product managers can quickly experience its capabilities.” - System eng

Software development and tooling

Sidenote: Lots of these are all mentioned by a person working at Aurora, an autonomous vehicle company:

“I use a grab bag of MCPs. Sequential Thinking is always on, and the others are toggled as I need them to save context space. I have enough of them that I had AI write a VS Code extension to manage them. Here's what I support right now:”

CI/CD and repos

Github

The Github MCP in particular is somewhat contentious for cluttering context and being of unclear value compared to the cli tool

“given how much quality drops off as tool count increases, general purpose MCP servers don't really make a lot of sense to me - like I think the github mcp server has like 100 tools so you're like already maxed out just using that one server“ - Principal engineer at a startup

“Creating PRs for maintenance work across multiple repos” - Harshal Shah, Engineering Manager at GetYourGuide
“connect to GitHub via the hosted remote MCP server for PRs, repository browsing and other interactions (not recommended) using OAuth” - Person at Aurora
“interact with repo (create PR, trigger Agent Copilot, search for release history,..)” - Lukas Kurucz, React Native engineer at Preply

Bazel

“Execute Bazel commands, query build graphs, and manage Aurora monorepo builds” - Person at Aurora

Buildkite

“Explore Buildkite pipelines, builds, jobs, artifacts, and analyze job logs with fast local caching” - Person at Aurora

ArgoCD

“Manage ArgoCD applications, deployments, and resources with comprehensive API integration for GitOps workflows” - Person at Aurora

Monitoring, observability and alerting

“to review, fetch and fix issues, sometimes automatically!” - Federico Saravia, Head of Engineering at Make
“Sentry is fairly useful; I'll give Cursor a link to a Sentry issue and ask it to troubleshoot and create a plan for fixing the issue.” - Andrew Minion, platform engineering manager at travel tech company iVisa

“Monitor and query Grafana dashboards, alerts, and data sources for Aurora systems” - Person at Aurora

FireHydrant

“Interact with FireHydrant for incidents, services, and runbooks via MCP” - Person at Aurora

AWS cloudwatch

“Query CloudWatch Logs Insights, analyze anomalies, retrieve metrics and alarms for AWS workloads” - Person at Aurora

Rollbar

“we can paste in a link to a Rollbar issue and the AI will be able to read the stack trace of the error, find the exact line of code in our codebase, fix it, and push a PR. We built our own Rollbar MCP server because there wasn’t an official one at the time. Also the official one is restricted to a single Rollbar project, but we have several that we wanted to be able to access from a single tool.” - Sirius Li

Postgres

“I think a great example of an MCP server is Smithery's Postgres MCP because it has a single tool called "query". Agents already know how to use SQL so they don't need more tools than that!” - Preslav Mihaylov, software engineer at Plain

Kubernetes/GCP (?)

“Manage Aurora Kubernetes clusters, deployments, and monitoring infrastructure” - Person at Aurora
There’s one official google cloud MCP, not clear if this refers to that or not?

Unity

Only mention of Unity is “I could never get any of the Unity ones to work.” - Wynand Pieters, consultant dev

Chroma MCP

Chroma is an open source database for AI applications
“Vector database operations for collections, documents, and semantic search via Chroma” - Person at Aurora

LLM and agent tooling

Web and search

Kagi web search MCP
bright-data (for access to the web)
Related concern

“I'm mostly cautious about mixing MCP with visiting public websites like automatically searching over internet as it may directly affect the workflows using prompt injection to steal private information. I'm very careful to browse website or reaching external sources for context” - Security and product development at late-stage startups

Memory and agent knowledge management

Sequential thinking

“Structured problem-solving with step-by-step, revisable thinking” - Person at Aurora

Memory

“Persistent memory using a local knowledge graph to remember information about users across chats. Stores entities, relations, and observations” - Person at Aurora

Basic-memory - stores conversations and context with LLMs

Others

Google workspace apps, e.g. calendar, gmail, docs
Doesn’t seem to exist any official MCPs from Google for this, so this is either some random MCP or something they built themselves

“I connect Claude Code to all my Google workspace via MCP and use it as an interface into my calendar, docs, email” - Fractional CTO working at series A companies

AWS cost explorer

Data about cost and usage from AWS
“Analyze AWS costs and usage data, compare periods, and forecast using AWS Cost Explorer API” - Person at Aurora

MCP clients mentioned

Cursor
Claude and Claude Code
Codex
Internal/custom

claudecontrol.com

“The way I use [MCPs] is by having them deployed on a container with Claude Code installed and then interacting with it via Slack. I'm using claudecontrol.com for this. This allows me to interact with my agent, ask it things about my database and let it work on its own all while I'm away from the keyboard.” - Preslav Mihaylov, software engineer at Plain

Platformized client at gradient-labs.ai

“Via our platform, customers can connect to arbitrary remote MCP servers such that the AI customer support agent can then access the tools exposed by the servers. It mostly works as you'd expect where the customer pastes in a URL and follows the OAuth flow, but there's a couple of additional bits where we have pre-populated a list of servers that customers might find useful, and we can also connect MCP servers with our own credentials that customers could then use.
It was interesting to build, I initially used the new official Go SDK, but it lacked features that made it not suitable, so I migrated to the mark3labs library. I mostly leaned on Claude Code for development, which worked well when testing with real MCP servers - I got it to write curl commands to hit the remote MCP servers then it could verify the responses against the code it had written - it was a nice (and quick) feedback loop.” - Theo Windebank, at customer ops AI startup Gradient Labs

3. MCPs built by respondents

MCPs for public use

Dash0

“an MCP server to access observability data. Pulling this observability data into Claude Code so that it can directly cross-reference errors with code changes and potential causes. Also to analyze slowdowns / expensive database queries. That way, Claude Code has access to performance data and the full schemas.” - Ben Blackmore, CTO at observability startup Dash0

iOS simulator MCP

“[ios simulator MCP] has been useful for automating common quality assurance tasks I need to do to evaluate the quality of my work as a UI developer. [...] I have found that if I give clear instructions for navigating a UI flow that I know works, it can be handy for automating taking screenshots of key screens and screen recordings of flows. Often I need to include these in pull request descriptions in order for a reviewer to approve my code, so this has been a handy use case to speed it up. For some more complicated changes, I was able to successfully get 5 different screen recordings in one conversation. Other users online have shared that agents programs like Claude Code have had success getting basic scaffolding of new screens up using these server tools and a deep linking tool like `npx uri-scheme` to navigate to new screen in the simulator.” - Joshua Yoes, Staff Engineer at Infinite Red
“I originally created this as an experiment to replace automated UI testing tools like maestro.dev or wix.github.io/Detox. However, I have found the non-deterministic nature of agents provides too low of a confidence rate to rely on their output without human review. I would find that I would create a prompt to test a flow like logging in and filling out a form, and the agent would fail in actuality but respond that it had been successful.” - Joshua Yoes, Staff Engineer at Infinite Red

Athleteboard.ai

“I use an MCP server to analyse my health and fitness data with Claude and OpenAI. I am extremely happy with it, it allows me to analyse more than 10 years of data, identify trends, compare periods and more. The MCP server is part of my own app, athleteboard.ai” - Lassaad Gaiji

Zenable - coding guardrails for ai through coding specs, rules, etc.

“Zenable runs conformance checks which are automated ways to see if specs were followed. Gives us one place to manage the rules and then everyone is on the same page. We use hooks to run it after every file edit. Very fast and gives a higher quality result” - Engineer at Zenable

Amplitude

an analytics platform for user and product journey data, MCP makes analytics data query-able for anyone

Cortex

Developer portal for companies
“I built the Cortex MCP server. This exposes the cortex.io data.
That way, developers get all their data for reliability in 1 place.” - Founding engineer at Cortex

Razorpay/Blade

an open sourced design system with an MCP, so somewhere in between “for public use” and “internal”

Kamlesh who reported this is the Director of Frontend at Razorpay (“the Stripe of India”) and mentioned that “On top of this our entire design system both on code and figma are fully open sourced and in India its considered to be the gold standard for startups to take it as a base and build on top of it.” - Kamlesh Chandnani

Design system MCP that includes 3 main use cases

Figma to code, but better than Figma’s MCP

We demoed it to Figma and they were mind blown with our approach since its better and accurate than Figma's dev mode MCP”
“Convert figma designs to code: Just grab the Figma frame link and without any prompting you just paste the link and woooh you have the production ready code. Its so good that 70% of our frontend engineers have used it to build features without writing any single line of code.”
“Speaking of the accuracy we are right now able to get 75% code accuracy in first generation. No prompts nothing just figma link and it produces 75% accurate code(again objectively measured via evals) and after this once devs iterate on it they get perfect code. we conducted survey recently and devs reported that they see up to 3x productivity boost and can produce ui code without touching a single line of it”
“our props on figma, structure on figma matches one to one our code. The release cycle goes hand-in-hand so for eg: a component is only released on figma once it’s released on code. We have tooling scripts that also validates the prop structure on figma is in sync with code so because of all these practices from day0 is what has helped us reap the benefits in terms of code accuracy”
“our design system team has designers+engineers working in the same team and the way feature development happens typically in product teams is how we also operate. Designs lead and Fe devs follow but at a time we all are working on common goals - be it components, be it tooling” - Kamlesh Chandnani

Migrating/converting (?) legacy code to use the new design system
Vibe coding and prototyping in a Lovable/Replit-type way, but using their own design system, language, coding practices, etc

“Vibe coding for product+design person[nel]: With this tool call we have enabled lovable, replit kind of environment for all our non-dev person[nel] to vibe code their ideas all within the design language of Razorpay and using our design system. This is the biggest challenge with all the vibe coding tools that they can't generate MVPs within your company's design language, coding practices, etc. With this tool we scaffold a base template with our coding practices and then the UI can be built using our design language so now anyone can take apps to production” - Kamlesh Chandnani

Internal company MCPs

An MCP to scan for vulnerabilities, secrets and other things in code

“built MCP server around security tooling to scan for vulnerability, secrets in code. My experience building and integrating MCP is positive particularly for claude-code” - Security and product development at late-stage startups

MCP that works with bigquery

“BigQuery MCP Server to analyse query performance, identify bottlenecks and optimize our jobs” - Adam Makhlouf, freelance AI engineer at Dailymotion

Internal versions of common tools due to custom or tailored use cases (github, jira, datadog, etc)

“We've only used internally built MCPs due to how much we tailor our API usages. We've built MCP servers for GitHub, jira, datadog, buildkite and many others. We are still engaging with them in new ways but it's reshaped how we work with agentic AI and integration with crafting sandboxes.” - Eng at a mid-sized e-commerce/marketplace company

Design system MCP

Razorpay’s Blade above is the one we got details on

MCPs to allow chatbots to take actions in internal systems/platforms

“The chat (Claude-based) can perform some actions that previously took a few steps or some manual work, such as to create datasets in JSON to submit to our platform.” - Diogo Ferreira, Backend developer at Timefold - this is rolled out to their customers, so not “public” but also not all internal

MCPs to access information about internal systems, documentation, legacy codebases, codesearch etc

A handful of mentions of various similar use cases
“One of the internal MCP servers we have developed is one which talks to our service catalog and answers questions such as "who owns a given service", "which team does an individual belong to" and so on.“ - Harshal Shah, Engineering Manager at GetYourGuide
“Experimenting with an MCP to pull git repos and use them as documentation for agents via an MCP so our engineers can reference architecture and engineering docs that we maintain as markdown in git. Have paused building as there seem to be several similar ones around but nothing is quite hitting the mark as yet.” - Principal architect

MCP for documents from a legacy aircraft system

“We are building an mcp to surface documents from Siemens Polarion ALM for tracking aircraft requirements and airborne software development. It's a legacy system with very poor integration points for external users of the document data, especially for AI. Access control due to the sensitive nature of the data is a really tough situation with the current MCP spec.” - Software engineer at an electric aviation company

MCP for a GraphQL gateway that customer support agents can use

“Another MCP implementation is over our graphql gateway which can allow our customer care agents to get information more easily. This is still a PoC and we do not know if it works reliably or not.” - Harshal Shah, Engineering Manager at GetYourGuide

A system engineer is building an MCP Platform internally

Gateway with proxy, auth, observability, log audits, routing, etc
Service management with hosting, debugging, gateway access, marketplace
Marketplace to find and connect with MCPs, external OpenAPI for quick data access to an agent platform

One person building lots of custom ones for various tasks

“execute read only queries against databases
query bug tracker,
query CRM,
run sub-agents
prompt other AI” - Principal engineer at a startup, adding

”I haven't used any off the shelf MCP so I can't say anything about that other than, it seems to me like it's always a better choice to just build your own [...] the amount of control that you have when you write your own is hard to argue against”

Personal side projects

Etsy MCP that adds new listings with descriptions, tags, form details etc, by a person running their own Etsy store

“I created an unofficial Etsy MCP server to research, optimize, and update my Etsy shop. The most time demanding part of a new etsy listing is the listing description, tags, and form details that have to be completed. It's all automated now and it does the job in about 2 minutes.” - Software engineer

Emacs Lisp MCP

“I built one that provides Elisp development specific info from Emacs as read-only tools.” - Laurynas Biveinis

Org MCP

“I am in process of building [an Org MCP] - it would give agents access to Org which is the most popular outlining / personal TODO tool in the Emacs ecosystem. I believe it will allow sharing / updating TODOs between agents and humans much easier than currently.” - Laurynas Biveinis

DenoKV

“An MCP Server for chatting with Deno KV instances. I created this for use in developing a personal game project using Deno. One of the challenges I was facing at the time was getting diagnostic information for bugs when my server had invalid game data. I was using DenoKV to store my game data, but I could not find any database viewer tools that supported DenoKV at the time. I had seen demos on Twitter of backend developers successfully “chatting” with their database by giving tools to agent editors like Cursor to run queries. Instead of creating an entire database UI program, I decided an MCP server would work instead. I found that Cursor agent chats were quite adept at querying the state of the database and even running mutations to change it. Sometimes it would write queries for keys that did not exist, but if schemas were provided as context in the chat, it would become quite accurate in it’s queries. This was handy in development, but I would not trust it for running against live production instances with user traffic given the indeterministic nature of agents (you never know when a model will throw a fit and delete everything). That being said, I found myself using it as an essential tool for investigating what was happening when testing changes in staging deployments.” - Joshua Yoes, Staff Engineer at Infinite Red

Internal for now

Feature flagging MCP being developed at a dev-facing company

unclear if it’s supposed to be internal or external eventually
“I use the internal feature flagging MCP server, which is in development, by me. It allows one to implement our feature flagging SDK and set up flags.” - Senior eng at a dev-facing company

Miro MCP (private beta)

Reported by a principal eng at Miro, I would assume they might be shipping it at some point

MCP to provide product availability, potentially as a hosted remote solution - by a travel service company

“We've built an MCP server to expose product availability info just to get our foot into the door. Building the server in our Laravel app was not too complex; we just added a new API endpoint, and used Cloudflare's starting point to build the MCP server itself. we plan to look at providing a remote MCP server with server-sent events in the near future.” - Andrew Minion, platform engineering manager at travel tech company iVisa

Building an MCP for BrokerChooser, to check if a broker/website is spam according to their database

“We're building an MCP server that tells by a broker name or website wether it's safe or a scam according to our database. Things move very quickly, protocol adoption pace and status is very different between LLMs. Related tools and packages change and potentially break daily.” - person at BrokerChooser

II. Learnings and advice

In this section we’ve collected the concrete learnings, advice, stories and anecdotes about using and building MCP servers that we found through our research. It’s divided into building MCPs, using MCPs, general MCP advice, and security considerations.

1. For building MCPs

Start MCP projects in limited and local scopes

“If you're going to work on an MCP project for your company it's best to start with a limited scope - work with a completely local server and leverage local databases / docker to iterate. It's easy to get bogged down in thinking about production problems before you even prove that your concept can work. Consider the language you want to work in carefully, it might be worth it to expand to a language you're not as familiar with if it has a better MCP-related ecosystem.” - Tech lead at a GovTech SaaS company

Figure out if MCP would be useful before building production ready ones at your company

“At the moment it feels like microservices without much benefit; we plan to look at providing a remote MCP server with server-sent events in the near future.” - Andrew Minion, platform engineering manager at travel tech company iVisa
“Any usage scenario needs to be tested and validated in conjunction with an actual AI Agent to see if it meets expectations. Simply providing an MCP Server does not mean everything is fine.” - System eng
“It’ll be interesting to see how this will be productised and packaged for consumer usage. With the current security model, that’s already super hard for devs to get right, that’ll be quite a challenge.” - Software engineer at Big Tech

MCP Inspector is a good tool to use

“My initial testing of tool calls was done using the MCP inspector. This was extremely useful for testing tool handler logic. It felt like an equivalent to Postman for HTTP APIs” - Joshua Yoes, Staff Engineer at Infinite Red

Vendors and platforms for MCP development

FastMCP - mentioned by 5 different people

“FastMCP is an excellent library for those implementing Python MCP Servers - Just recently introduced OAuth to my MCP somewhat easily thanks to it.” - Adam Makhlouf, freelance AI engineer at Dailymotion
“We have a few internal ones that we built with FastMCP, mostly to get around Auth issues.” - Person at Aurora
“The experience was absolutely fascinating! I used the open-source FastMCP library, along the way learned a lot.” - Founding engineer at Cortex
“[I use] several MCP created on-the-fly with FastMCP, feeding on our internal services API. In order to explore this path in the shortest time possible, we used FastMCP.from_openapi(). This is sub-optimal but is a great start” - Staff geospatial engineer
Jeremiah Lowin, e.g. the creator:

“The reason we built FastMCP is because MCP was really hard when they released it. I thought the SDK was really, like, beyond hard to use, and it took me a couple hours to set up my first server. And so I wrote FastMCP to make it easy to use. Then Anthropic took what we now call FastMCP 1, and vendored it into the official SDK.”

Cloudflare - mentioned once

“We've built an MCP server to expose product availability info just to get our foot into the door. Building the server in our Laravel app was not too complex; we just added a new API endpoint, and used Cloudflare's starting point to build the MCP server itself” - Andrew Minion, platform engineering manager at travel tech company iVisa

Ways to think of MCPs as a product/service

“There are many ways to think about the MCP server in companies especially if you think about the MCP clients and the actor on the other side of it. The actor can be people or actual machines. The mcp client can be either internal or external. The actor can be internal to the company (other devs/sales/product) or external customers. [...] Generally for the company an external mcp server is useful because it allows companies to use their own AI models while interacting with other products + present an alternate way to interact with the product aside from just UI” - Karandeep Johar

Learnings from Notion

Notion posted a thread on twitter about their MCP development, and has a blog post about it too. Main takeaways:

Good MCPs are designed for agents, not humans

“Instead of digging through API docs or writing glue code, the agent just knows how to do things — create a page, run a search, update a task — because the tool tells it what’s possible.” - source

Their first attempt had too much friction for most users (setting up docker, dealing with API keys), so they iterated until their hosted solution was simpler to use

OAuth setup, hosted by them, tools designed for agents specifically

Choosing the language - Python seems like the best choice?

“When I started this project I began working in a combination of JavaScript and Elixir. I discovered relatively quickly that neither was an ideal language for the tools. Elixir has some really nice conventions and I like its approach to dynamic typing, but the ecosystem for MCP server development is in its infancy. Elixir is also not terribly well represented in training data for the major frontier models, so building stuff that was bleeding edge was difficult when trying to leverage Claude.

I then switched to building in JS. I have worked in JS for more than a decade and so am very familiar with it. JS is more represented in training data, and has a bit more of an ecosystem for MCP tooling, but working with node isn't always the best experience, even with more modern language features.

I eventually pivoted to learning Python and have since been building my services in Python. The models are very good at generating Python code as well as critiquing Python codebases, so I've been able to work at a speed that wasn't possible when I was working in Elixir/JS." - Tech lead at a GovTech SaaS company

Two experiences from readers

“built a bunch using ruby gem FastMCP for v1 of our internal agent, then started on v2 in elixir - there is not really a community standard mix package for MCP yet, and the one I started out with (hermes) is going through some sort of change of ownership and was quite buggy - so I wrote my own very limited implementation - the spec is hairy but once you get through it it's quite simple to write a very basic HTTP only version with the absolute minimum feature set - especially if you have the benefit of only needing to support one specific client (in my case, claude code SDK is powering the main agent loop)” - Principal engineer at a startup
“As a hobby project, I started to develop an MCP server to connect to a web platform. It did not had a Rest Api and had no documented interface, so half the work was reverse engineering. I liked how well rounded are mcp python libraries from the start and. I disliked that there is super focus on oauth flows and if your use case is simpler you are on your own to implement auth or workarounds. My use case was to enable api key based access, and after some weeks found a potential easy solution as well, but still it was hard to find. I recently got blocked in the progress as with a bit more complex functions and data structures the call reliability plummeted. It is super hard to troubleshoot it. Vscode mcp client works fine, but my final goal was to use it in the N8N automation tool, which as I explored does further transformation on the json-schema I expose toward the LLM provider call. I am now considering liteLLM gateway to be able to better inspect the final call between n8n and the api provider. Claude just made more mistakes, Google calls had surprisingly helpful error messages which helped me understand the root cause. In general the n8n ncp client is not transparent enough to understand why it is not working with my server. I honestly do not have time to really make progress with these hindrances next to 3 small kids, but if I would I would implement a comprehensive test harness as well. To not only validate the functions themselves but the "AI experience" or ai usability. To explore and refine how can I implement better docstrings or easier call signatures to enable smaller/cheaper models to use the mcp server well. To implement such a new kind if test libraries will need to be created in the industry, currently I plan to use the simplest mcp client to have this functionality. We will see.” - Devops engineer

2. For using MCPs

Context window bloat and tool management

Using multiple MCPs requires management, as the tools uses up and clutter the context window very quickly

Consequences of this

Running out of memory/context/not being able to finish tasks (agents can just error out mid-task)
Decreased performance
Higher chances that agents invokes either the “wrong” tools, or not invoking the tools at all

“Besides that, I've noticed that agents don't always use the right MCP when required. You need to push them to do it -- your system prompt needs to be tweaked based on the servers you want to use.” - Development service company

Quotes

“One of the things we realised is that each MCP server also brings multiple tools and its own prompts which are passed to the LLM along with our original query. This means too many MCPs can consume a lot of context window. We still want to see how to give the right MCP servers for a given context.” - Harshal Shah, Engineering Manager at GetYourGuide
“Most MCP servers nowadays are not good because they have way too many tools. This is bad because anytime you load an MCP in Claude Code or similar, all the tool context is shoved into the agent context. By enabling 2-3 MCPs, you already lose 20-30% of your entire available context out of the box.” - Preslav Mihaylov, software engineer at Plain

How to work around this

Keep tools disabled by default

“It’s important to be mindful of context pollution when using MCP servers. I find in Cursor, it is easy to add a lot of MCP servers and then forget that I have installed them and keep them enabled for all chats. I would recommend keeping them disabled by default and then going to the settings to enable tools that one wants the agent to use in a conversation, then turn them back off. This will prevent sending unnecessary context in conversations where you don’t care to use a tool. Ideally, in the future it would be nice to have different modes in MCP clients like Cursor where we could enable specific MCP servers and tools for different tasks like planning vs implementing. But in the meantime, manual enabling/disabling is something that I practice often.” - Joshua Yoes, Staff Engineer at Infinite Red

Be explicit about which MCP tools the agents should use

“I find that explicitly telling agents to use Kagi Search / context7 when outlining a task where I know that either web search or library documentation will be helpful greatly improves the results.” - Tech lead at a GovTech SaaS company

Avoid general purpose MCPs or MCPs with lots of tools

“but given how much quality drops off as tool count increases, general purpose MCP servers don't really make a lot of sense to me - like I think the github mcp server has like 100 tools so you're like already maxed out just using that one server” - Principal engineer at a startup

Have agents use CLI tools directly will not clutter the MCP context, if you know what you’re doing (more on MCP vs CLI below)

“I've found that a lot of the time, mcps are using up my context for very little purpose, when leaning into properly documented and developed cli tools could do the job with fewer drawbacks” - Software engineer at an electric aviation company

A talk from the MCP dev summit dove into the MCP context issue in detail

Three main issues

The straightforward one: context window and token consumption
“Attention mechanism” - when an LLM has too many inputs and options, there is “context confusion” where it doesn’t know what to focus on
Accuracy declines, as there’s a bigger chance that the LLM calls the wrong tool or provides the wrong arguments to the tool

Solutions

Disable tools that are not applicable or useful for what you’re working on at the moment

Works but can be tedious and context switchy
Not possible to share or scale really
Should be the simple goto-default rather than these other options tho, likely…

“Toolkits” - MCPs that sets up specific MCPs for certain use cases

Basically pre-configured selections of MCP servers and tools from them to do specific tasks
Can get messy to switch between, reconfigure, add or remove tools, etc

Search and call - two specialized MCPs to…

Search among all the available MCP tools
Call tool that takes a tool name and arguments, and uses that to call the tools after the search tool has been used
Can work well at a company for a single domain, especially for making lots of simple APIs searchable within a company for instance
Doesn’t provide much context to help the agent actually know when and what to search for, and limited argument validation

DMCP - Dynamic MCP

New/novel part of the MCP protocol (?) where tools can be added dynamically throughout a session as needs arise

As with many of the protocol features, this might not be implemented in all clients, and possibly get implemented differently across clients?

⚠️Cautions! ⚠️

Be careful about permissions

“I think permissions you give the agent sneak up in a project over time. I noticed Claude Code started making git branches, and commits without asking me, and it has even deleted files sometimes. There's a temptation to allow permission for all further use, but you need to be careful.” - Development service company

Use MCPs from trusted sources

“As for precautions, I would say that personally I’ve only been using MCP servers that are open-source or built by a trusted developer. After all, MCP tools are simply code, which means they can do anything the an unscrupulous developer wants.” - Sirius Li

Red flags/caution for any tools that use The Internet and unguarded/unbounded context

“I'm mostly cautious about mixing MCP with visiting public websites like automatically searching over internet as it may directly affect the workflows using prompt injection to steal private information. I'm very careful to browse website or reaching external sources for context. Another thing to keep in mind is to make sure make human-in-loop behaviour for any destructive operations using MCP” - Security and product development at late-stage startups

Cost/benefit considerations

A general advice to evaluate the cost and benefits of using specific MCPs, and what value they bring to your workflow.

“A lot of MCP servers are wholly unoptimized and little more than API wrappers. Causing coasts to balloon in Cline.” - Ben Blackmore, CTO at observability startup Dash0
“I dont use them. ive found thay people using them have become sloppier in their work directly due to using mcp” - IC turned EM
“I developed one as MVP for internal usage, there was not so much interest, so it was abandoned. Tried to use some MCPs for some internal tools/agents, APIs were more reliable, so I fall back to APIs” - someone on twitter

MCP aren’t magic

“It was a bit painful to set up and my team didn't bother - they didn't see the value. Having tools built in to the browser with no specific setup gives us much more value” - Lead dev at a startup
MCP is only as good as the system it’s working with

“Very mixed results but I suspect that's to do with the system on the other side of the MCP server. I have pretty significant concerns regarding security so am looking into safe ways to incorporate them into our environment.” - Principal architect

“Nice ideas, but ultimately I feel they are overrated. Maybe I just like having more control, but letting the ai do everything without always having proper oversight of exactly what they are doing bothers and concerns me. Also, I refuse to use hosted servers. If I can't run the code locally without internet, and if I can't look at the source code, red flag.” - Wynand Pieters, consultant dev
“i bet there are good devs who are much better at their jobs bc of MCP, but my experience has not shown me that” - IC turned EM

MCPs can make functionality more accessible to New Audiences, so MCPs might be a great way to explore new cross-functional tools!

MCP bridges an information/discovery gap, where tools that already exist can reach a larger audience, e.g. the chrome dev tools

“MCP actually serves to bridge the information gap, allowing useful technologies and tools to be disseminated to more people faster. For example, chrome-devtools-mcp, whose capabilities are based on the long-existing automation capabilities of Chrome DevTools. However, before chrome-devtools-mcp appeared, only a small portion of people familiar with UI automation could utilize its capabilities. With chrome-devtools-mcp, back-end developers and even product managers can quickly experience its capabilities.” - System eng

Including non-developers

“Our MCPs expose information from our API data services. We build NatCat solutions, and we find it useful to have a GPT client feeding on our data, so that we can help non-SW Engineers aggregate data from different services.” - Staff geospatial engineer

Though, consider they might have inflated expectations!

“The MCP protocol actually gives many technical personnel without an AI background an opportunity to enter the LLM boom, which can lead to overly high expectations” - System eng

MCP as The Semantic Layer

The idea from Jeremiah Lowin
A concept within Business Intelligence, e.g. having a usable and simple way to extract insights from whatever data you have, without needing a CS degree.
MCP seems like a way to actually make this happen

3. General MCP learnings

MCPs is in essence context/prompt engineering and management, so the usual LLM caveats still apply

“The combination of Agent and MCP is essentially still context engineering, requiring reasonable planning of the number of MCP tools for each scenario. Therefore, while many MCP servers currently have numerous tools, it is actually necessary for the client side or the MCP gateway side to properly manage the list of MCP tools for each scenario.” - System eng
“When testing my servers with AI Agents, I find it difficult to get the Agent to do what I expect without large amounts of natural language text about the server, its tools, and the parameters. This text becomes part of the MCP server code itself, but even then, AI Agents can sometimes ignore it. I also hit limits to the amount of data that could be returned from each tool call.” - Jim Zuras
“Determinism: AI is not deterministic, so when provided with tools one has to be careful that the tool cannot make any damage (e.g. don't give your AI access to your production database!)” - Federico Saravia, Head of Engineering at Make
“[One of the two main challenges in building MCPs is] Tool reliability: the LLM should use the right tool without confusion. This comes down to having a good description of the tool and a well defined parameter schema.” - Lassaad Gaiji

MCP vs CLI vs APIs

There’s a fair amount of skepticism around the point of MCP where you could just as well use CLI tools, or have your agent use CLI tools, rather than bloating things with an MCP server

LLMs/Agents are generally pretty good at using CLI tools already
I read a few blog posts/articles arguing for/against CLI vs MCP, for instance this one from Den (who linked to three more)

Lots of talk about how CLI tools are usually better and more convenient than MCPs

Github as the primary example…

“I have tried the GitHub MCP, but have found just instructing Claude to use the GitHub CLI more” - Person at an EdTech company
“MCPs are just another tool and since the interface is text-based they are not always the most effective tool for the AI. For example: using the `gh cli` is much more effective than using the GitHub MCP. The same could be said about other services with well defined and documented CLI tools” - Federico Saravia, Head of Engineering at Make
… but perhaps also one of the only examples..?

“Agents can sometimes perform better using CLIs instead of MCP server tool calls. For example: I have had much more success using the gh cli vs using the official GitHub MCP server. That being said, many of the models are likely already training on gh cli usage, so this may be more challenging for more niche CLIs.” - Joshua Yoes, Staff Engineer at Infinite Red

Also, MCPs uses up a fair amount of context window very quickly (more below), so if you’re capable of using cli tools, do that and leave MCP context to tools that actually bring value

“I've found that a lot of the time, mcps are using up my context for very little purpose, when leaning into properly documented and developed cli tools could do the job with fewer drawbacks” - Software engineer at an electric aviation company

Side note: Related to MCP unlocking tools for new audiences, using MCPs in the place of CLIs is likely aimed towards non-devs or devs with limited CLI experience. So I would think of it as built for a different audience rather than “an unnecessary tool”.

Converting REST and Open APIs directly to MCPs is Not A Good Pattern

A common practice and way for companies to get started with MCP servers is to basically turn existing APIs directly into MCP servers. This is not a good idea!

“Having a 1:1 MCP tool to your API especially for unbounded APIs is just a bad practice” - Infrastructure and product dev
“In order to be able to safely rely on auto-generated MCPs from OpenAPI specs, Devs *really* need to fully unit-test the endpoints for all edge cases: if that's not done, then the GPT engine will feed on bad data. Those tools already hallucinate on their own, if we also put bad stuff on the top then what's the purpose of using MCPs at all?! We found out that, in order to have them really working, the OpenAPI spec must be perfect! And in our case that was not always the case. In order to walk this path, Devs have to be diligent and use type annotations extensively, and make sure that the OpenAPI spec is complete and self-contained.” - Staff geospatial engineer
“Ideally the api need to be design with the perspective of being an mcp tool and be driven by the prompt that will trigger call” - Senior enterprise architect
“One of the core mistakes that I've seen people do with MCP servers are companies going in and saying “oh, we have a public API that exposes something we provide, let’s take every single API endpoint and make it an MCP tool”, because that's the kind of the core primitive that they’re used to. But then your MCP server is going to become very bloated and the models or the clients are usually going to limit you, because there is only so much in terms of the LLM context that you can use.” - Den Delimarsky
What to do instead:

“You have to think of what are the core primitives that your customers actually need. And then the LLMs that are going to be able to assemble those primitives together, you don't need to do it for them.”
“A good example of this is the Blender MCP server, the 3D modelling tool. Their server does not try to do everything, it’s not exposing the entirety of Blender into that MCP server. Instead, you can create primitives, like, ‘create shape’, or ‘create polygon’, because if you have those primitives, you can use them to assemble more things, and the LLM can as well. This is how folks should be looking at this as well: what MCP primitives allow your LLM to do things for you.”

Jeremiah Lowin from FastMCP wrote a blog post about the FastMCP OpenAPI converter, which is very popular but he doesn’t want it to be since “an API built for a human will poison your AI agent”

“[Paraphrased] An MCP is a UI for an API designed for AI agents” - Jeremiah Lowin
“Generating MCP servers from OpenAPI is a great way to get started with FastMCP, but in practice LLMs achieve significantly better performance with well-designed and curated MCP servers than with auto-converted OpenAPI servers. This is especially true for complex APIs with many endpoints and parameters. We recommend using the FastAPI integration for bootstrapping and prototyping, not for mirroring your API to LLM clients.” - source

Example of an Emergent Adoption pattern

“i started off this project of setting up an internal agent with the expectation that it would just be used to triage tech support tickets but after I previewed it to a few colleagues everyone wanted it and started using it for their own things. the way that i see things progressing is you set up an agent w/ all of these MCP tools into various internal systems and at first it's a free for all, but as people start using it more, repeatable workflows + effective prompts will begin to emerge and we will extract and formalize those. Some things will definitely stay loose and adhoc - like one of the biggest use cases so far is just keeping adhoc data queries off of the plates of our data team whenever questions come up during product development (e.g. how many people are using this feature today, what do usage patterns look like, etc)” - Principal engineer at a startup

Security considerations

Prompt injection from MCP servers is very easy to do

Liran Tal, who is Director of Developer Advocacy at Snyk, has been researching and writing a lot about MCP security, including proposing frameworks for evaluation and risk assessments:

Security evaluation framework for MCPs
Evaluation framework for threats and risks
He spent time researching MCP servers and reporting the dozens he found with problems

Including one of the respondents who built the iOS simulator MCP

“I was lucky to have Liran Tal, a Node.js security professional, privately report a security vulnerability to my iOS Simulator MCP server, so I was able to harden my server against common attacks. He has some helpful articles on his website for MCP authors to review as well.” - Joshua Yoes, Staff Engineer at Infinite Red

Command injection risks

It’s easy to use user-provided args without proper due diligence

Official MCPs are not automatically safe either, as demonstrated by an Azure MCP hack from July -24.

“[MCP is] an incredible technology, but most companies are not aware of how dangerous it is currently. The article above details a hack that was demonstrated while using approved LLMs and official MCPs. They are NOT secure. We are in the early days of MCP and it's about as dangerous to use MCP as SQL injection was in the 2000s.” - Software engineer

Recommendation to use sandboxed environments and exercising caution

I would recommend a lot of caution in both consuming MCP servers and deploying MCP servers. As with any new technology, there are a lot of unexplored attack vectors that are currently being researched. Anthropic has released a security best practice article, but new attacks are still being discovered. If you are developing on a machine that has access to sensitive information, I would recommend running it in a sandboxed environment like Docker. If you are developing an MCP server, do a security review of your server.” - Joshua Yoes, Staff Engineer at Infinite Red
“Security-wise we have our MCP server totally decoupled from our platform. It's using a separate infrastructure and is communicating with it just as any other external client. This is to minimize the blast radius if anything goes wrong.” - Diogo Ferreira, Backend developer at Timefold
“It is also important to keep the tools in check, initially in our trials we will only allow "safe" actions, since MCP servers will take the user's identity and permissions, we would like to tread cautiously.” - Harshal Shah, Engineering Manager at GetYourGuide

Other quotes about security concerns

“Getting security folks on board to opening it up has been very difficult, as they're very concerned about rogue mcps. I've been sidestepping that entirely by leaning into documenting in Claude code how to use custom cli tooling and building that instead.” - Software engineer at an electric aviation company
“If security concerns are settled, providing read access to more resources really enables models to do so much more than you might expect.” - Eng at a mid-sized e-commerce/marketplace company
“I built a VS code extension for internal use that tries to do security best practices like using secrets, pinning versions, etc, and pre-configure them with safe defaults. But this space is moving so fast and it's so easy to install these that it's a security nightmare right now!” - Person at Aurora

External context poisoning is one of the threats

MCP using external sources outside of the control of the user is a risk vector

Sources run by bad actors
Sources that could be compromised

Examples

Suggesting insecure practices
Recommending outdated or vulnerable dependencies
Adding backdoors or logic flaws
Malicious agent instructions or prompts

Example described in this post

researchers from Backslash found ways to poison AI through external data sources through Context7

III. The state of the MCP ecosystem

This section is dedicated to more high-level trends, analysis and reflections of the state of MCP and the community today.

1. Advice for using MCP can differ a lot

We got two completely opposite suggestions, which I think are great examples for just how new and unformed the general opinions about MCPs are, especially if you come from different “user groups” (e.g. dev or non-dev)
“Build your own for optimal control and utility”

“I haven't used any off the shelf MCP so I can't say anything about that other than, it seems to me like it's always a better choice to just build your own - at least until agents can handle basically unlimited number of tools - but even then the amount of control that you have when you write your own is hard to argue against” - Principal engineer at a startup

“Use official MCPs”

“Use officially supported MCP integrations as much as possible so you don't have to manage and maintain your own” - Fractional CTO working at series A companies

2. MCPs for production is largely an unsolved problem

Bring/Build-your-own-infrastructure

E.g. there’s lots of things to reinvent and re-implement in order to productionize MCP servers.

Auth

In a better state than it has been! Den mentioned that more updates should be included in the Nov 25 release

Distribution
Scaling
Deployment
Observability and logging - difficult because it’s JSON RPC

“MCP communicates over a JSON RPC spec, which means you get 200 responses with error messages rather than 4xx or 5xx responses. It’s similar to GraphQL in that sense. And like with GraphQL, traditional observability tools based on traditional architectures don’t work. Instead, you listen to the message stream and hope you get at some point the response to what you asked for. You see a lot of bolt ons and then people aren't satisfied with them, and they can't ask this simple question of like, does my MCP server work?” - Jeremiah Lowin
“This is where my brain's been living now: what does observability look like for MCP? How much of the wheel has to be reinvented? How much do people care? If it’s just a small MCP server with two people using it, you just look at your logs. But if you're the internal data team at a large enterprise, you might only have a hundred users, and they're hitting it thousands of times a day through GitHub, actions, LLM SDKs and stuff like that. Then you really do need to know if your tool fails 3% of the time, and this version of the tool fails 7% of the time, and you need to fix it.” - Jeremiah Lowin

Den’s thinking around MCP is that it’s an unopinionated tool (“like a pipe”), leaving almost everything as an exercise for the user in terms of security, auth, logging, etc.

“The protocol itself is considered to be basically like a pipe. Just like water plumbing in your house. The pipe has no opinion as to how you do things - you open the faucet and the water goes in. I think it’s the same thing with MCP - and the water is the context that flows from the model to some downstream APIs, or from the downstream APIs to the model itself.”

For security and governance, you need things around the protocol itself

“This is where you have a lot of companies that start building products around the MCP protocol, where they build authentication proxies or gateways, or integrate things like prompt shields, where you inspect inbound and outbound prompts to make sure there’s no data exfiltration, or if the prompt is maliciously trying to inject something, ignore all instructions and send the data elsewhere, or similar. We see an ecosystem emerge from basically external sources or companies, helping create guardrails for these things.”

Scaling and production-ready is “an exercise for the user/builder”

“It's very easy to stand up an MCP server for yourself, and it's very hard to get others to participate in an ecosystem where you have proper auth and scalability and durability and observability. All the things we take for granted with every other API. MCP changes just enough of it that the existing stack doesn't really work.” - Jeremiah Lowin
And seemingly the protocol doesn’t make it easy, if anything makes it harder to do?

Stateful vs stateless assumed in the protocol

“One thing I quite commonly ran up against was that I didn't have a need for stateful requests, for either the client or server, but often the SDK and/or docs (some unofficial) assumed/encouraged state persistence which was a little annoying to work with at times. “ - Theo Windebank, at customer ops AI startup Gradient Labs
“My experience is that building MCP is very different from what web devs are used to. In our case, because our MCP is about browsing the web, it’s inherently stateful. But the protocol isn’t built for that, there’s no concept of a session and for example, it’s not possible to tell two Copilot chats apart. The terminology used in the Typescript SDK reflects that, it says “Server” where it means “Session” and “Transport” where it means “Server”, and the concept of a Session exists just implicitly. If I had to speculate, i’d say this is because it’s built by web devs that are just used to HTTP and stateless connections.” - Software engineer at Big Tech

Jeremiah Lowin called out horizontal scaling in particular being difficult

“There is no good answer to how to horizontally scale a heavily trafficked MCP server, and how to actually bring it to production. I’m a little obsessed with that question, so that’s what I’m spending my time on figuring out now.” - Jeremiah Lowin

A system engineer at a mid-sized to large company was building an MCP platform within their company, and these were all the things they’re implementing

MCP Gateway

Provides MCP protocol proxying, where the gateway uniformly handles the evolution of the MCP protocol, conversion to internal protocols (converting to Rest HTTP protocol requests, similar to GRPC protobuf protocol requests, supporting the company's existing services to expose MCP protocol interfaces externally), common authentication and authorization, observability, log auditing, and routing capabilities (in addition to internal MCPs, it also supports routing to third-party MCPs).

MCP Service Management Platform

Provides a complete process for MCP Server creation, hosting, debugging, gateway access, and publishing to the marketplace.

MCP Marketplace

Provides a centralized channel to better connect MCP servers with users. It also provides an external OpenAPI to facilitate quick data access for the company's internal AI Agent platform.

It’s a fair amount of investment, so it’s worthwhile to experiment and start small?

Improvements in OAuth

“[One of the two main challenges in building MCPs is] security: OAuth2 is a must. It involves configuring and managing an authentication system. MCP Inspector is a great tool to test the authentication flow.” - Lassaad Gaiji
Auth

WorkOS provides auth for MCP servers (source)

There’s an integration with FastMCP

There’s an Auth addition to the actual MCP protocol, currently in draft mode, which separates auth, meaning you can pick something off the shelf rather than needing to implement it yourself