According to F5’s 2025 State of AI Application Strategy Report, 96% of organizations are deploying AI models in mission-critical workflows, but only 2% are considered “highly AI-ready.” This readiness gap poses serious challenges for security teams trying to keep up with the pace of innovation.
AI agents are no longer a future concept; they’re embedded in your enterprise today. Tools like Claude, ChatGPT, and Llama are becoming a part of everyday workflows, from customer support to code generation and IT automation. As a result, developers are increasingly adopting the Model Context Protocol (MCP), a lightweight, open standard that allows AI models to “talk” to tools, apps, and services. However, as AI agents start to take real-world actions, a critical problem is emerging: How do you secure agentic AI applications like you would any other enterprise software?
“"MCP is becoming the connective tissue of the agentic ecosystem. F5 WAFs ensure that tissue is not a point of failure."”
That question becomes even more urgent with the rise of MCP, which makes it easy for developers to wire up AI models with data sources and capabilities such as file systems and internal apps. It’s what allows an AI agent to fetch a document, update a task, or trigger a workflow. But every new API or protocol is also a new attack surface. And with AI agents, the risks aren’t hypothetical.
MCP adoption is expanding the attack surface
Unfortunately, MCP adoption is not going unnoticed by threat actors. In June 2025 alone, multiple critical vulnerabilities targeting MCP implementations were disclosed:
MCP servers are quickly becoming the new attack surface in your security posture, which is why you need to put protections in place today. The Glama MCP Server Directory shows that over 7,000 MCP servers are currently in production, reflecting MCP’s rapid rise as a foundational protocol for AI agent integration.
AI agents don’t know when they’re being attacked because they cannot differentiate between a helpful request and a malicious prompt—making them vulnerable by design. That’s where F5 Web Application Firewall (WAF) solutions come in, which are a part of the F5 Application Delivery and Security Platform.
New F5 functionality to protect MCP-powered agents
F5 has been securing web apps from vulnerabilities and attacks like Injection, XSS, SSRF, and Broken Access Control, Remote Code Execution (RCE), among others for over a decade. We can now help you protect MCP-powered AI agents without rearchitecting your stack. Through an integration of the MCP Remote library working seamlessly with F5 WAFs, a transparent full proxy layer is produced and, as a result, AI agents can function normally but are now available to be secured. Whether you’re securing on-premises AI workloads or deploying agents in the cloud, F5 WAFs work with any large language model (LLM) and any environment.
The attack surface is growing faster than most security teams can map it. And yet, traditional AppSec tools don’t account for how AI agents retrieve, relay, or act on unstructured inputs. If you’re in SecOps, you’ve seen this pattern before where new tech arrives fast but so do the attacks and breaches. MCP is becoming the connective tissue of the agentic ecosystem. F5 WAFs ensure that tissue is not a point of failure.
Among the first to offer MCP protection
Despite 71% of organizations integrating AI into their security strategy, only 31% have implemented AI-specific protections like firewalls, according to our 2025 State of AI Application Strategy Report. That leaves the majority of enterprises exposed to new forms of attack—especially at emerging surfaces like MCP servers.
MCP is emerging as the standard protocol for communication between AI agents and the tools, APIs, and services they interact with, whether that’s retrieving files, triggering workflows, or querying internal systems. Like any other integration layer, it needs the same level of security scrutiny as any API or service layer. F5 is one of the first to offer MCP protection—enabling our customers to innovate confidently.
An F5 GitHub repository with the applicable code will be available soon, enabling you to integrate MCP protection into your AI workflows and start safeguarding your MCP servers right away.
If you’re planning to be at Black Hat USA next week, please visit F5 in Booth #5239 to see our demo.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...