Dive deep into the world of AI agent communication with this episode of the AI Cybersecurity Podcast. Join hosts Caleb Sima and Ashish Rajan as they break down the crucial protocols enabling AI agents to interact and perform tasks: Model Context Protocol (MCP) and Agent-to-Agent (A2A). Discover what MCP and A2A are, why they're essential for unlocking AI's potential beyond simple chatbots, and how they allow AI to gain "hands and feet" to interact with systems like your desktop, browsers, or enterprise tools like Jira.
The hosts explore practical use cases, the underlying technical architecture involving clients and servers, and the significant security implications, including remote execution risks, authentication challenges, and the need for robust authorization and privilege management.
The discussion also covers Google's entry with the A2A protocol, comparing and contrasting it with Anthropic's MCP, and debating whether they are complementary or competing standards. Learn about the potential "AI-ification" of services, the likely emergence of MCP firewalls, and predictions for the future of AI interaction, such as AI DNS.
If you're working with AI, managing cybersecurity in the age of AI, or simply curious about how AI agents communicate and the associated security considerations, this episode provides critical insights and context.
Questions asked:
00:00 Introduction: AI Agents & Communication Protocols
02:06 What is MCP (Model Context Protocol)? Defining AI Agent Communication
05:54 MCP & Agentic Workflows: Enabling AI Actions & Use Cases
09:14 Why MCP Matters: Use Cases & The Need for AI Integration
14:27 MCP Security Risks: Remote Execution, Authentication & Vulnerabilities
19:01 Google's A2A vs Anthropic's MCP: Protocol Comparison & Debate
31:37 Future-Proofing Security: MCP & A2A Impact on Security Roadmaps
38:00 MCP vs A2A: Predicting the Dominant AI Protocol
44:36 The Future of AI Communication: MCP Firewalls, AI DNS & Beyond
47:45 Real-World MCP/A2A: Adoption Hurdles & Practical Examples
Caleb Sima: [00:00:00] What you do is you define this interface and now you connect it to your MCP client, which in this instance is Claude, which is also the host (the host is the AI itself), and it is going to connect to the server and it's gonna say, okay, anytime I have deemed you're telling me to do something with a system or an operating system, I'm gonna know to interpret your statement or our conversation,
format it correctly for this MCP server that has access to your desktop, pipe it to your desktop and run the commands. And it will say, run these commands, get the output, and go back and forth with the MCP server until we have gotten something that is, I would say, satisfied.
Ashish Rajan: If you ever wondered how AI agents talk to each other, you probably have heard the terms MCP, A2A protocol and a lot more being thrown around.
In this episode, Caleb and I break that down for you. What is MCP? What is A2A? [00:01:00] Why do people even care about this? Why is this important, and what can you do from a security perspective for MCP today, at least at the time of the recording? I feel like AI is moving at a hundred miles per hour. We're all trying to catch up.
So if you're someone who's working on AI, agent-to-agent communication, or probably figuring out how do I take care of this, or scratching your head about what is this MCP and how do I secure this, this is the episode for you. If you know someone else who's probably trying to figure this problem out as well, definitely share the episode with them.
They'll thank you for this later. Now, I will thank you if you take a few seconds to just hit the follow button. If you're watching this on YouTube or LinkedIn, subscribe there. If you're listening to this on Apple or Spotify, definitely give us a follow and subscribe there as well. It means a lot, takes only a few seconds of your time, but your support means a lot to us.
Taking those few seconds to hit that follow and subscribe button on the favorite platform you're watching this audio or video on. Now on to the episode. Enjoy this episode talking about MCP and how agents talk to each other. I'll see you in the next one. Peace. Welcome to another episode of AI Cybersecurity Podcast.
And finally, we are doing it: MCP. It's like MVP, but MCP. It feels like [00:02:00] it will definitely be taking the industry by storm. Caleb, maybe to set some context, you wanna talk about what is MCP and why there is so much attention and conversation about this.
Caleb Sima: Yeah. What's interesting about it is, first, I don't even know, have we done an episode just directly on discussing agents and what agents are?
We have. I think we have.
Ashish Rajan: We have, but I don't think we've done one specifically talking about how agents talk to each other. It's like the foundation for this in a way. We spoke about agents and, yes, there's risk around it, but never about how do they even talk to each other?
Caleb Sima: Yeah. Okay. So let's just get into, let's start with the problem. So first you start with agents, which are clearly AI's capability of being able to take information, synthesize it, make decisions on it, and then go create actions, right? Yeah. So there are two primary things you need in order to do that.
You need information fed into it. And then you [00:03:00] need the ability for information to get out of it, and you need the AI to be able to act. Right now, today, in most use cases, AI has not been able to act. It's been a chatbot pal for you and/or a researcher. Yeah. And what you need is to give AI hands and feet, the ability to go do things. And so what people started doing is they started saying, okay, I will integrate AI's output with something like, let's say, your terminal or your shell or a browser. And then now when AI says go browse cnn.com, then it will go, and then you can write a little parser for it and it will say, go browse cnn.
And then you can then create a system interface to browse. Now your AI has some hands and feet. Right now it can go direct your browser to go do things when it decides it wants to do this, of course, this creates a new problem, which is the problem is what if I wanted to control [00:04:00] more than the browser, right?
I wanted to control Zoom, Slack, PowerPoint, Word documents, LinkedIn, like whatever you may want to call it. Then you have to write separate sort of interfaces and integrations in order to do this. Now we've seen all this before in every single phase of tech that we've ever seen, from the internet to the web to when, whenever you need to integrate things and multiple things because of adoption, you need to create standards.
And so how do I then standardize the interface between the AI and its ability to go and do things? And so that is where MCP, or Model Context Protocol, came around, which says, hey, don't custom code each integration to go control something. We need the equivalent of USB, your laptop to your accessories, in order to make that happen.
And so MCP is that sort of standardized, [00:05:00] or wants to be standardized, protocol that says, okay, if you wanna hook up a browser to your AI, there's this thin little layer of management. Yeah. And all you have to do is, it's a standard interface, and you can tell it to go do something. The browser can communicate back to you with information that's relevant and you can make decisions.
And now you only have to do an integration once with MCP itself, and then anyone can use this. Another great example to think about is the app store for mobile apps, right? You have an app store that has a platform with the ability to deliver standardized user experiences to you; now you need that with AI. And so I think MCP's primary purpose is, I want to create that abstraction and that standardization so that you can use the tools you need in order to get things done.
Ashish Rajan: Awesome. And I think to add a few more layers to this as well, and I think it's well explained, by the way, I don't have [00:06:00] anything else to add to it, but I was gonna say, in my mind, the conversation we had about the whole agentic workflow and what an agent is is worthwhile revisiting at this point in time as well. Because a lot of the conversation about MCP is: is it about actual agents or is it about agentic workflow? A lot of people have confused that terminology with MCP as well, and maybe this is where I sometimes got lost too, as to why is this life changing for so many people, because I thought that this is entirely agentic workflow: to what you said, I want to integrate with LinkedIn, go do a task. It's not going by itself and doing something. We are making it go and do something. So worthwhile peeling that layer here as well.
Caleb Sima: Yeah. I feel like if I were to define agentic workflow.
I would define it how we define it as it's the things wrapping around an LLM in order to do more complex things. Yeah. Yeah. So like for example, you can create an agentic workflow that [00:07:00] is just an LLM integrated with a browser. And the entire purpose is I need to feed it information and it will browse to find that information.
When it finds it's relevant, it will then return back to me the results that I need. This is agentic. You have to create a lot of moving gears and pieces around your LLM in order to do things. That is an agentic workflow. However, an agentic workflow, or really an AI workflow (most people, I think, are mixing the two), doesn't have to execute anything; you can put an entire workflow around an AI that has nothing to do with executing anything, right?
You could have AI just do interpretations or rewriting of your blog posts, and you're creating entire workflows around that AI and how it takes your information, responds back to you, and then rewrites a blog post for you. That itself is an agentic slash AI workflow. And so I think that's a little bit of a higher [00:08:00] level area than I would say MCP. MCP is more particular, right?
Like the other, I think, good analogy is when you need to go do something, you need a tool belt. If you're gonna go work on things or go repair something, you have a tool belt and you have a series of tools to help you accomplish the job. And those tools will never go away. What they do is they amplify your ability to go do things.
If you can imagine trying to screw in a screwdriver with your fingers, we've all done this before. It's super painful and super slow. We need a tool. We need a screwdriver in order to do this. MCP is our hands and feet, right? It is the ability to say, okay, I can pick up a screwdriver. I can go and use this tool to expedite what I need to go get done versus the workflow is I need to screw in the Yeah. I need to go tighten the screw.
Ashish Rajan: And I wanted to call that out because a lot of the conversations that I find online, and and to your point, people have started mixing the two terms in a [00:09:00] way that you almost feel like, wait, are we, what are we talking about here?
And all of that. But to kind of remember
Caleb Sima: our first episode, our entire first episode was dedicated to clarity of terms and definitions.
Ashish Rajan: Should definitely, but then apparently people forget. Who would've thought, people forget. And we are still trying to talk about the same thing two years later.
Onto the MCP pieces. There are a couple of components that are, and to your point, the integration part is really interesting, which is very interesting from an enterprise perspective as well, because most enterprises are built on integration between different kinds of applications. Now, there's obviously a lot of security pieces, but for people who are in a leadership role in organizations trying to understand, okay, now I understand it's my hands and feet using the tools to do the task
that is on hand. In terms of the components that they should care about and how it's being practically used, there's been a lot of examples on the internet for how people have used it. [00:10:00] I would wanna say a lot of them are focused more on your end users using it rather than an enterprise, though obviously there are vendors who made MCP servers available as well. Maybe we can peel off the layers: what are the components? Yeah. And like the client. Let's take this into tech a little bit, right?
Yeah. I think so. Maybe worthwhile, 'cause it's important to understand that before we kind of... why is this even a thing?
Caleb Sima: So let's talk about, now we know at a high level analogy what it is, let's talk about realistic use cases. Okay. Why do you need MCP? Okay. Let's say, for example, first, MCP was created by Anthropic, I think last year timeframe, if I'm correct. Yep. Yeah. And there was a throwout of saying, this is our standard.
Okay, so where do you use it? Let's say you're having a chat with your AI and you're like, man, I really would love if you could tell me what the weather is today. And the problem is AI today doesn't have [00:11:00] knowledge of current events. It's stuck in a certain time period and it needs external information in order to do that.
So it would be great if you could just talk to your AI and say, what's the weather today? And it knows you're asking for what is the current weather in your location as I know it today, and it can go retrieve that from the internet, from an external service, and then return that back to you in a conversational way.
Oh, Ashish great for asking Ashish, it's gonna be a wonderful, sunny day today. In fact, quite warm. So make sure to leave your jacket at home, right? Like it, it's very personalized. It knows who you are. It's gonna talk to you about current information. This is the example of the ability to go use a tool to get information that's current.
Now, obviously that's the super simple example, but it can get very complex. For example, you might just say, hey, you know what I've always wanted to do is, my downloads folder on my laptop is an absolute chaotic mess, because, like, your desktop has thousands of [00:12:00] files on it and it's never organized.
Why don't you just tell your AI, Hey, AI, look at my downloads and desktop folder. It's a mess. Can you figure out what's needed, what's not, and then clean everything up. Do a nice house cleaning on my computer, and then it decides, okay, fantastic. I will go and do that. And then here's the thing is it knows about who you are.
Yep. It knows your personality. It knows what you most likely ask it. It can understand the files you save, that you accessed last, because it gets file date timestamps; it has access to your system. Now, it will go and automatically organize and clean up your downloads and desktop folder for you and keep it clean.
You can say, hey, I just want to keep this clean, and it'll make sure it's always tidy. Now you're starting to see, oh, now your AI can interact with your shell, with your laptop, with your system, and then make changes and understand context. And then all of a sudden now you have a clean downloads and desktop folder.
And obviously this gets [00:13:00] even more complex. When then you start thinking about different kinds of ways you interact with the world. So if you start getting into the enterprise and you start like giving an example of, okay, hey, I need to always review this set of Jira tickets in the morning in order to see if anything critical popped up that I need to go attend to or these support tickets.
All of a sudden now you can tell your AI, hey, let's go and see if there's anything critical. It will automatically authenticate as you, go into your Jira, pull your tickets, assess your tickets, identify what's good and what's not, and then produce that. And this is all through, hopefully, what Anthropic is trying to drive: a standardized interface.
So someone has already written an MCP server for Jira. Someone has already written an MCP server for MacOS, or for Windows for your laptop. So you can, now, all you have to do is just say. Just like App Store, I want the MacOS MCP, I want the Windows MCP, I want the Jira MCP. Install install. And now you can just tell your AI, [00:14:00] clean it up, look at my Jira tickets, do my things, and it will all magically happen.
Ashish Rajan: If only things were that easy, huh?
Caleb Sima: But it is. It is. What's crazy, Ashish, is you can do that. I've done that. You can go today, use Claude and tell it to clean up your folders. You can do it. You can tell it, hey, go look at my Jira tickets for today and tell me what's important.
That's, this is not future. This is right now. I've done it.
Ashish Rajan: Yeah. Yeah. And sorry, I was joking. The reason I joked about "if only it was true" is because I feel like the trust level is still... and reading all the articles about this and what people are working on, there's obviously a security component here as well, that by default MCP doesn't have, I think it doesn't have authorization by default or authentication by default.
Caleb Sima: Yeah. So here's the question. This is where we get into some technical architecture. So how does MCP work under the hood? Yeah. So MCP works under the hood because [00:15:00] someone has basically said, okay, I'm gonna write a server that runs with whatever permissions you decide to grant it.
So let's take our desktop cleaning example.
Ashish Rajan: Yeah.
Caleb Sima: I will write a server that has access to your system, to your shell, and whatever permission or role you have decided to run this server in, right? Yeah. Now you have an MCP server. What is this MCP server? It is the equivalent of APIs that have direct remote execution capability on your machine.
That is its purpose. So you could say that's a huge security issue. Of course it's a huge security issue. It is remote execution capability on your machine. However, almost all applications that you run on your machine also have remote execution capability to some degree that its purpose is to go and run things on your system.
And it has access to be able to do all sorts of different things. What you're doing now is you're putting an API on it and you're running it locally, right? So it's not exposed to the [00:16:00] internet. It's not exposed to the local network, at least not yet, but we're getting there. And then now what happens is you have an MCP server that you can connect to, even with your own API client and tell it to run a command on your system, and then you get the outputs of it.
But what you do is you define this interface and now you connect it to your MCP client, which in this instance is Claude, which is also the host (the host is the AI itself), and it is going to connect to the server and it's gonna say, okay, anytime I have deemed you're telling me to do something with a system or an operating system, I'm gonna know to interpret your statement or our conversation,
format it correctly for this MCP server that has access to your desktop, pipe it to your desktop and run the commands. And it will say, run these commands, get the output, and go back and forth with the MCP server [00:17:00] until we have gotten something that is, I would say, satisfied. A good example would be, hey, can you please read this PDF
that I just downloaded in my downloads folder. Oh, I know Caleb wants to access his system. I know there's an MCP server that is truly there to do that. Now I'm gonna go give a remote command. Here's where this downloads folder is. Find it, look at the PDF, open that PDF, send the text of that PDF to me, and then I will take it, analyze it, and respond with it.
So now we've got this sort of server-client communication going on where it can accomplish its tasks. Now you could say this is a huge security vulnerability, but I'd also like to say yes and no. We are in v0.1 of this kind of protocol.
Ashish Rajan: Yeah. This is basically, and I guess that's why it's worth calling out.
The only reason it got popular, to the point that it got hugely adopted, 'cause there was this whole [00:18:00] vendor lock-in question a lot of people had as well, because the standard was created by one of the LLM providers. And initially, to what you were saying as well, the task seemed obvious: that yes, we need something to bridge the gap for a task that needs to finish.
Where it got interesting is when OpenAI came and said, hey, we are gonna support this as well. I guess where I'm... there's the security piece, which is interesting for me. A) is that yes, there's implementation use cases, as you called out. We obviously used the example of the downloads folder, but there are examples of people using it to connect to their databases; your Cursor coding assistant can use it to talk to a database.
There are so many more use cases that are probably enterprise friendly as well, that people can expand this onto. I guess what my hope is, at least through the conversation that you and I are having over here, for the leaders and people who are trying to understand the space: one of the security use cases you called out is around the whole part that yes, there's a balance to be found between security and usability, and we are on v0.1 of MCP. This could become [00:19:00] a lot better. Something that got announced recently at the Google Next conference was the whole A2A protocol as well. And the reason I want to include that before we dig deeper into the security part is because I feel like we need to take a step back and look at the security of the whole communication between agent to agent, and I'm giving my answer there, the whole agent-to-agent protocol that was announced by Google at Google Cloud Next a couple of weeks ago.
Yeah, where does that fit into this? And then maybe we can take a step back, 'cause we are technically talking about security for the whole thing as a leader; we may go into the nitty gritty as well. But yeah. What is the role for the A2A protocol in that analogy of my hands and feet are ready, my tools are my task?
What's the A2A protocol, or agent-to-agent protocol, the whole agent ecosystem they created?
Caleb Sima: So I would say this is where things do get pretty interesting. So Google announces A2A, which is the agent-to-agent communication protocol. They are positioning it [00:20:00] as complementary to MCP.
How is it complementary? They're saying, in my analogy of, okay, MCP is your tool belt that you go and do your job with, Google is saying A2A is basically a communication-only model. So to me, a good example is: okay, I call a repairman to come and fix something for me.
That is me talking to another model. That repairman comes to my place. He has a tool belt. He's then gonna use his tools to go fix whatever needs to be fixed. That's MCP, right? And so Google is positioning A2A as being the higher level of abstraction of communication from model to model, not from model to tools, which is where MCP is taking its place. The interesting part about all of this, of course, is, when you read through the documentation and the specs of this, it's a little bit off to me, because I can see where MCP would [00:21:00] do what A2A does. And I can see where A2A can just do what MCP does. Yep. But Google's clearly trying to say, I'm not going to fight MCP, I'm going to be complementary to MCP.
And their example is, and again, this is a big need, which is, Hey, I'm, I want my AI model to talk to your AI model Ashish. Yeah. So I want Claude to talk to Grok. Yeah. How do you get that to happen today? Today you gotta go build a pipeline in order to make this thing work.
And what they're saying is yeah, you don't need to do that. What you need to do is just use A2A. We'll make it super easy for you, and then we'll get all the communication done. Now you know what, to me, again, when I was reading this, I was like why wouldn't MCP be able to accomplish this?
Because technically speaking, another AI model is just another tool. Yeah. So as a host I have, I am an MCP client. Why wouldn't I just [00:22:00] create an MCP server that then connects directly to Grok? So Grok could have its own MCP server and then I could just talk to Grok as a tool set. I can say, Hey, call, talk to Grok and get me this information.
And Anthropic would easily go and do that and use Grok as another tool. Similarly, I feel like with A2A they also, by the way, in their documentation, talk about how you can connect tools, right? Yes. So you can similarly just say, okay, I can connect Jira using A2A, and then I can get the same thing accomplished.
And so, when going through this, I was like, okay, supposedly there's no overlap in the way it is messaged, but when you look at the capabilities and areas, they overlap very much. It feels like, for example, with A2A, you need a way to be able to identify who you can talk to.
Yeah. So what other agents can I talk to? You [00:23:00] need a registry in order to go and do this. Or what Google is proposing is similar to robots.txt on a website. You place a very simple API schema. And by the way, if you guys remember XML and all the rest, this is all very similar, right?
Yeah. Process. You put a known file location and that becomes your protocol interface. To discover whether, I don't know, CNN or Ashish or GitHub has an A2A agent, you go to that URL and then you'll get your card, your report card, essentially: how to communicate. Similarly with MCP, you need a way to discover, so MCP registries need to get created.
And it's interesting 'cause you look both at the roadmap of MCP and the roadmap of A2A, and they're all very similar. They need to create registries, they need to do better authentication and access control. They need to do better role privileges. Like all of these [00:24:00] things are all like one-to-one.
Yeah. With their roadmap and how they're doing it. But effectively, A2A is Google's version, in my personal opinion, of MCP. I could see where they're coming out with clout, coming with all of these enterprise customers saying that they're gonna adopt A2A. Yep. But when you go through it, you wonder. At some point, again, you can see the line of MCP being different than A2A, but it's gonna get very fuzzy and, at some point, I feel like it's gotta cross.
Ashish Rajan: And my personal take on this whole thing is Google has learned from AWS and Kubernetes. That's the play here, and obviously I think in a podcast, if a prediction comes out true, it'll be amazing. My thinking here is this is a Trojan horse, because humans being humans. Kubernetes was a similar challenge, where Kubernetes became popular as open source. Google donated that to the Linux [00:25:00] Foundation, but till today, Google is still linked as that one person who created this beautiful gift for the world that is being used everywhere to make all these amazing containerized applications.
My thinking here, and my take so far, is the fact that Anthropic has struggled so far, at least based on what I've read so far: enterprise customers have been tough for them. Most enterprises that I'm talking to, a lot of them are using the OpenAI enterprise model. There's obviously, because there's logging enabled there, you can get into it.
There's a lot of integration available, so people have leaned, at least the enterprise has leaned, on that side. And MCP was still considered open source, and usually the open source word is, oh, supply chain, I don't know where we go, but it's Anthropic, so should be fine. And my hot take here on this whole thing is gonna be that in a few years' time, maybe even next year, Google is gonna just completely go, actually, MCP was great, but now we'll deal with this ourselves. They did this back with Kubernetes, where they started with Docker. Then, [00:26:00] a couple of years later, when it became really popular, they just completely ditched Docker. Of course, Docker was what made Kubernetes popular, because, hey, because it supports Docker, it's great, blah, blah, and then a couple of years later they just go, you know what?
Thank you. But we want to be more open for everyone. We wanna be making more standards available. So unless Anthropic comes up with an MCP 2.0, I feel this is that Trojan horse. It's gonna come out in the future, in a way. They have declared war on the whole, hey, we wanna own the standard, but they cannot go directly, because, if I was watching the social thread with Sundar Pichai a couple of days before the announcement, he was like, hey guys, what do you think, MCP or not to MCP?
People just saying, yes, do MCP, and OpenAI announces it. At Google Next, I don't know if they've changed the wording for that, but they say, oh, we do support MCP, but they didn't really stop there. They had the development kit, less than 200 lines to build a connection. They had all the enterprise partners, which, by the way, they already have, [00:27:00] which Anthropic doesn't.
So I feel like there is a play here that we just don't see the full picture of. At least my personal opinion on this is that MCP is great for the current version, because a lot of people have made, to your point, MCP registries. There's a lot of similarities in the roadmap as well. A few things that stood out for me as I was seeing it, and to your point, we have seen this in the past as well, where the moment you allow a user to write code, like Caleb is writing code for an MCP server, I'm writing an MCP server.
Next thing you know, you have 30 versions of MCP servers running in the same company. We are trying to standardize it. Oh, we have a registry, but then the registry has 25 items in there for 25 teams. Someone has to standardize it. My thinking is going there, coming from that world. I don't know if you're gonna believe what I'm saying. Yeah,
Caleb Sima: I would say there's both sides of the coin, I guess, is maybe what I would say.
Like, for example, you are right that Google was able to pull a Kubernetes, which was really awesome to be able to see. But I think you could also point to [00:28:00] 500 failed Google projects in the same timeframe that didn't make it at all. I also tend to find, like Anthropic, although they are losing, or let me rephrase that, they appear to be losing the battle from the enterprise side, or really from any side to a certain extent. For all intents and purposes, they are, and were, at least way more enterprise capable than OpenAI. They were much more focused on safety capability, enterprise controls. They were doing that a lot earlier than OpenAI, where OpenAI was more flim-flammy, hand-wavy, get-it-done kind of thing.
Ashish Rajan: Yeah.
Caleb Sima: They were better for the quote-unquote enterprise, but I think, at the end of the day, OpenAI is the marketing machine, and that is what everyone knows as AI. That is where people drove. That is what happened. Yep. But even today, [00:29:00] in the enterprise, you would say that Claude is a better AI model for coding, right? Now, many people would argue 3.5 vs 3.7; I have lots of opinions on that too, but this is not the place for that.
That's another episode. Yeah. Whether Anthropic ruined that or not, who knows? But they clearly had a lead that was dominating in that field. And they were enterprise capable. Yeah. And of course now Google came out with 2.5 Pro which is pretty fantastic. One thing Google's very good at is enterprise scalability.
Yeah. And capability. The one thing that kills Google: ease of use. And so let's be clear who gets adopted. Is it scalability and reliability and enterprise capability, or is it quick, get-it-done, dirty, easy? My personal opinion is quick, get-it-done, dirty, easy, [00:30:00] that takes the market, right?
People love to talk about, scalability and poke holes and do this, but when they go start a project, they pick up the thing that's easy and simple. And MCP is dirty and simple, right? And
Ashish Rajan: yeah. Yeah anyone can use it and create it.
Caleb Sima: Yeah, and there are tons of people versus you go read about A2A and then you start figuring out ADK the, their agent development and Hey, there's a lot going on here.
Because in, in true typical Google fashion, they put a lot of effort and work into some great tech, but man, it's good, it's a lot to go figure out and how to get started versus MCP can fit on a single page. I don't know it's gonna be interesting to see how that works. Like for example we mentioned SOAP and remember web services, web services was, oh my God, yes. Was the machine to machine communication method of APIs and Oh yeah. [00:31:00] And web services was server
Ashish Rajan: SOAP client was same thing as well. SOAP client yeah.
Caleb Sima: You had the, the whole thing and it was, and that protocol and that standard was super comprehensive. Yeah, very extensible, very enterprise ready. But then JSON came around and then, dirty, quick, fast did not have any of the enterprise stuff that XML had, that JSON just basically destroyed it.
Ashish Rajan: So Yeah. And then YAML came in, destroyed JSON Yeah.
Caleb Sima: Even dirtier and simpler and less enterprise capabilities. Yeah.
Ashish Rajan: Yeah. It'll be really interesting to see, and I guess maybe the audience can keep us accountable. I'm definitely leaning more on the Google side. My hope is because the pressure is on for them to, because they're losing battle on the consumer side as well.
A lot of people are using Perplexity so they, they're fighting on both sides for consumer market and the enterprise market, and I guess as most people would know, enterprises where most [00:32:00] people make the most money as a vendor. So I imagine that's where, that's a key market as well, but you want the volume of consumers loving it to, to get into enterprise as a whole.
I'm sure there's strategic play there, but bringing it back to the security pieces then to, to what you said, irrespective of whichever path organizations take, the leaders who are listening to this, whether they go down the A2A protocol path or they feel more comfortable with it, quick and dirty, open source version, Hey, I'll fix this tomorrow.
What are some of the security things that come to mind that people have to consider and I guess maybe should they. Should they really start putting this in the roadmap? Because I feel recently we, when we spoke about the roadmap in the beginning of the year, there was no MCP conversation, then we were trying to figure out what agent use is gonna be.
Now I think I,
Caleb Sima: I called them as I thought what enterprises are gonna do, we're gonna be oracles. Which is, there's, it's similar to what we're getting but and like for example, my example was Jira will have its own AI oracle that you can [00:33:00] just talk to that is an expert in Jira. And so you wanna say, I want tickets around this, or I want the highest priority tickets.
It will just feed that to you versus this is a step in between that, which is, oh, I'll add an MCP server that knows how to query Jira and then you can use your AI to use it as a tool versus AI talking to another AI that is an expert on Jira. Yeah. I still predict that will come
Ashish Rajan: oh okay.
So you're still sticking with the Oracle part.
Caleb Sima: But yeah, I think because I think it's a no-brainer
Ashish Rajan: eventually, yeah. Yeah. But but not in this year though.
Caleb Sima: No. Not in this year. Yeah, I think they're being a, like Amazon has one already, right? Amazon has an AWS Oracle, where it knows AWS IAM rules, privileges, infra policies.
Ashish Rajan: Oh, yeah. Amazon Q think they call it.
Caleb Sima: Yeah. Q Yeah. And yeah, look it's rough, but
Ashish Rajan: Like they shoved it in every time I open the console, it's all there. But I know what you mean, but I think maybe to, I guess the question was more in terms of the whole security [00:34:00] roadmap for people who are building it.
'cause I feel like it feels so fluid and not that every organization is jumping on every new model that's being put out there, but these are changes, to your point about quick and dirty, how many people are using MCP within your organization? Without even going into the technical details of MCP in general, like we, when we started the AI conversation about security roadmaps, we're talking about shadow AI, we're talking about, hey, prompt engineering, prompt security. Then we had the episode with Joseph Thacker oh, MCPs gonna change the world. Next thing we're talking about MCP now. So it's like. I almost feel for the leaders who have to do, who have to kind of program this. 'cause on one end we have the AI for security, which seems to be doing its own thing with SOC automation, all of that.
This is more in that security for AI kind of bucket is how I see it, which was in the beginning. Let's see, Hey, what do I use? What's a good AI, what's the AI that I don't wanna deal with? That's where we put the open source bucket of DeepSeek in there. [00:35:00] I feel with the MCP coming into play and being used rapidly what are some of the things people should consider?
And I don't think there's any, there's no security tool that's talking about MCP apart from, Hey you plug into our MCP, but there's no one like, Hey, what do I look at all the MCP registries that I have? Yeah, you don't even know if we can. That's even possible right now.
Caleb Sima: The way I like to think about it, especially for enterprises is here is what's going to my prediction of what is happening.
Similar to when, just again everything is a cycle. Maybe it's me getting old, but I see patterns of everything being a cycle. You and I both getting old man. Yes,
Ashish Rajan: We were talking about SOAP, XML right now. I don't know how many people in our listenership would remember SOAP XML.
Caleb Sima: But here's the thing is like you could predict the future by just looking at the past.
Yep. To some certain extent. So computers first got started and you only had very few services that would run on a computer. But then what happened is people started writing all these services, so then they had all these ports that were open on services [00:36:00] and these things were exposed to the internet, and then hackers started breaking into these ports.
And then they said, oh, we can't do that. Let's put firewalls in front of it. Because we can't have all these services just open to everybody. Yeah. And then you put firewalls so that only internal communication between ports started happening, and then someone figured out, hey, we should just do one protocol, one port called web, because that is where, and then everyone just create webified ports that would serve the services that services used to do separately. Yeah. Right now you can do it all in one port. And then that was open everywhere. And then people said we can't do that either. Like we gotta close it down. So you can only have one port, one area. And then applications were then spread.
And so like I think what you're seeing is the webification here, what's gonna happen is every single enterprise is gonna wanna AI-ify their service, right? And AI-ify is both their commercial products, JIRA, Salesforce, whatever it is to be able to connect their AI to it. But all your internal stuff, [00:37:00] so all your internal portals, random applications, tool sets, Glue.
You know, all of these things that you have in your enterprise, they're gonna wanna AI-ify it. And the way you do that is you stand up MCPs, you create all these MCPs everywhere. So now what you have is you have two ways to access your service, the web port at which you originally had, and or SSH or something similar to that.
And then now your MCP, your AI capability of interacting with that service. And so now you've created two services. Now you're starting to go down this path of everything is gonna get AI-ified inside both anything that's web today, anything that's a service today on the internet or otherwise or internal to you will get MCPed because you wanna AI-ify it, right?
To make it so it can now integrate into these things, which creates thousands and hundreds of thousands of new services that are MCP services, which are effectively web. Which all gonna have to pipe through some sort of firewall. Yeah. And then so all the [00:38:00] security companies are gonna come up with MCP firewalls,
Ashish Rajan: Next Gen MCP firewalls,
Caleb Sima: Next Gen MCP firewalls, because if you haven't noticed any new technology, the first step is a proxy.
And it's going to be, it is http and you're gonna have to go through it. You're gonna have to watch the traffic, block the traffic. It's a new protocol. So instead of like web where it was click through and go through forms and posts, now it's going through APIs or API gateways. Now you're gonna go through MCP API in order to talk to AI and you're gonna have to figure out how to, how to solve that problem. And every single MCP is going to be a privilege problem. Yeah. So now remember, when you have a web server, you are running as a certain user and all of your controls are happening on the website, right? Yeah. And now an MCP, it depends on what it's doing and where it's going, or what kind of access it has to the system there, there has to be a proxy of privileges [00:39:00] because if you have a Jira MCP, you're gonna have to log in and carry your user to the JIRA interface. How's that gonna happen? That's gonna be more complicated. Here's what people are gonna do. 'cause we already know this. They're gonna create an MCP user that has higher level privileges and they're gonna try to manage it on the front end, which then creates a whole bunch of security problems or privilege escalation issues, right?
God forbid anyone who is locally, who are running MCPs locally that may or may not open these services up, that don't have, let's say. By default, I feel like everyone does this, but like your MacBook firewall's not running. And then you may have MCP ports that are open that do raw shell commands, and then you can just connect to it like in the old days on and then just execute commands on someone's laptop using their
Ashish Rajan: A hundred percent man. I definitely agree on this and I feel like the MCP to, to your point, I love the analogy of the third protocol as well, because in my mind I guess the, some of the [00:40:00] interesting things that I noticed and I, which I, which sparked the idea that actually, you know, what, how people have libraries that they create for, Hey hey developers use our code library for identifying if there are any bugs or whatever and going back into the past again and again, I'm gonna age myself, there used to be something called Enterprise Bus. Yeah. Imagine like an Enterprise Bus for MCPs as well that Yep. Every time you need a service, you plug into the Enterprise Bus and you're able to access a service without caring about what the MCP server written is.
All I care about is, hey, the service is being provided by the team that Caleb manages and correct. This is the API call that I have to make. Doesn't really matter what's behind. So there's definitely I guess lessons from our past or current that we can apply here. But I think where the,
Caleb Sima: what you want and what you're talking about is an MCP router.
Right.
Ashish Rajan: Yeah. Like that to me is that could be some definitely, I feel that could be a possibility as well. I would do it 'cause it makes sense because it is just network communication is how I Yeah.
Caleb Sima: You need an MCP of MCPs
Ashish Rajan: that's basically the Dot Admins MCPs and [00:41:00] then there is a normal user MCP
Caleb Sima: but your, to your point, even the MCPs protocol spec talks about how recursive mcps are capable, right? That is actually called out as a benefit.
Ashish Rajan: So in my mind I'm going, okay. Eventually we'll get to the point where imagine people have, one team has MCP. Everyone's creating MCP Security is creating their MCP.
Hey, if you wanna talk to us talk to our MCP server. It does static analysis, SCAs, whatever you want. In the background, we may change to whatever provider we want. You don't have to worry about that. Like the golden single pane of access for everything security. I definitely feel there's a, there's an opportunity for it, and I think that's where the Enterprise Bus came in.
To your point, security programs look at this as a, as another protocol that you have to build up on if you're using it. Is there something apart from making, keeping an eye on the registry of MCPs being created in within your organization, is there anything else people can do in the security programs to even get around this considering there's no next gen MCP firewall?
[00:42:00] Someone would hear this, maybe build one and get some funding.
Caleb Sima: I'm, I'm pretty sure that I would hope to some extent that any LLM firewall company, frankly, and frankly, let's be clear, any WAF company could easily be an MCP.
Ashish Rajan: Yeah. Or API security companies can
Caleb Sima: or API I gateway. Yeah. Any of these players can analyze MCP traffic, right?
Yeah. And understand what's going on. However, to your point is what do you do now, right? If people in your company and your enterprise are building and launching their own MCP servers, which by the way, they are. And this is happening really fast. Super fast right now. Yeah. How do you ensure these are secure is a, this is not a technical solution right now.
This is gonna be a political and compliant solution. To your point, Ashish, we need, if I were a CISO right now. I would say, [00:43:00] guys you have to some degree and unfortunately have to slow down progress by saying we need an internal mandated registry. Yeah. If you're building something in MCP, I'm all about you doing it, but I need you to register it with us so that we can audit it and make sure you're not basically exposing everybody and their brother to whatever they need to.
And by the, I think with MCP, authentication and authorization are gonna be very challenging. Yeah. Because the easiest thing to do is just launch an MCP that has the access that is needed, and then anyone can query that, but passing authentication through as a proxy to your end goal is going to be more challenging.
Most engineers won't be carrying it that far at the beginning.
Ashish Rajan: Yeah. Authorization and even what kind of data should, we are still talking about data that may be sensitive in nature as well. So what kind of data should be allowed for that level of access?
We Goes back to, I think we had the episode with [00:44:00] Adrian, we were talking about how. There'll be identities and there'll be identities of you and I floating around with API keys, yeah pretending to be us on the internet or using our MCP to talk about this. What would that look like?
And I don't know if the identity world is ready for it yet, but I think Okta made an announcement recently about something to do with AI authentication. Something yeah, recent. Developer preview. It is gonna happen. It just happening really slowly.
So it's almost guys, the entire world is on this, but why are we so slow behind it? But at least that's the hope so far. To your point and I agree with the. MCP registry is the go-to here. Last question on this particular thing then before we wrap up, today's where do you think the ecosystem is gonna go from here?
Caleb Sima: Ah, I have a lot, I have a lot of interesting thoughts about this. In fact, I want someone to go build this, what I'm about to tell you. Okay. I already told you history repeats itself.
Ashish Rajan: Yeah.
Caleb Sima: So the number one thing you need to be able to do is not just talk [00:45:00] model to model, right? But what I want to do is I need to call you.
So Ashish, like for example, if I create in Claude or Anthropic or you in OpenAI, you create your own GPT and I create my own GPT, I want my GPT to talk to your GPT. How do we make that happen? And if so, then what you need is, you need a way for me, my AI, to directly call your AI.
There's no way to do that right now. There's no phone number or DNS for AI. And so what I want is I want there to be a DNS for AI, which is, this is coming. I want to go reserve my own unique at Caleb AI DNS, and then Ashish. Whenever you're in your AI client, you can just say, ask at Caleb and it will go directly connect to my AI and have a conversation with that AI model about what it is.
And you can, so like this, the sign of success here, by the way, [00:46:00] is we can, in a single Claude chat, which by the way, I think this is very buildable right now. In your single Claude Chat, I can say, go talk to Ashish and see what he's been up to today, and then you can just sit by and then my AI model will talk to your AI model, figure out how to answer, and I can get a report.
Here's what Ashish did today, and then you can get a report from your model that says, Hey, by the way, Caleb contacted me, asked about your day. Here's what I told him.
Ashish Rajan: Oh,
Caleb Sima: and then now you have models to models communicating in a reference or similarly I want to do a conference call with AI models.
Yeah. I will. I want your model, my model, and someone else's model to all get together and discuss about the current stuff in MCP and then give a similar report to each of us as to what was discussed. This is how do you do model to model communication? How do you do conference call communication in a model. This is all like again, it's if AI is like humans, all [00:47:00] you have to do is look at what's the most critical thing for humans and then you model it right on top of AI. And the most critical thing is communication. Yeah. And so whoever goes and builds and focuses on model to model communication, ability to call them directly, have your own reserved, unique identifier.
This now is your DNS. You need a DNS server for AI so that I can now call you directly. And there's a protocol that initiates that call. Now, whether that's A2A that does this, or MCP that does this, I don't know, but neither one of them have discussed or talked about referencing or directly calling other models and communicating with them, with having some sort of unique identifier for it?
Ashish Rajan: Yeah.
Caleb Sima: I think
Ashish Rajan: also because it's quite early in that AI is lifecycle, we are in at this point in time because I guess instantly when he told me that, my first thought was, what's the objective of my AI going to be? There's so many questions as a life level. As a we continue [00:48:00] to evolve as a identity for, it doesn't have to be just human, but business as well.
Today, our business support or, and before AI was announced, most business was just doing whatever was normal. No one thought about AI. Now suddenly AI, now everyone's objectives have changed completely. Every month is a new update. So I definitely agree on the conference call thing and I wonder it's one of those ones where the challenge is gonna be if the AI is gonna be smart enough.
Now, like one of the things that I've been looking at is 'cause I obviously work in a lot of, in the content space. Text is the easiest was the text code. Your images were like the top three that got disrupted straight away because there's enough memory there. One thing that is probably gonna be disrupted right in the end and probably take a lot a long time is the whole video thing.
How do you put a one hour or three hour podcast episode of Joe Rogan onto an LLM provider and figure out, hey, what do you think of this? Why is Joe Rogan so popular because of this particular episode? Just because Elon Musk smoked some weed? Or what was that [00:49:00] moment that humans get it sorry, the highlight reel.
Caleb Sima: You wanna give me the highlight reel, right? Yeah,
Ashish Rajan: yeah. Gimme the highlight. I don't wanna watch three hours of this content, but the point being I definitely believe what you said is on the money. There's definitely gonna happen. And I wonder because I read the whole cloud security podcast thing but's funny is similar to this pattern there as well has history repeating itself.
There was AWS, there was Azure, there's Google Cloud. All three were behemoths or are still behemoths. There was no intercommunication between them. The basic protocol network is what still applies. They don't like communicating, which they talk about, Hey, we can use your API. And like in this scenario, A2A can say, I can use your MCP, but you gotta use me more. 'cause my ecosystem is bigger. They lack features. Yeah. But I unfortunately feel egos will come into this.
Caleb Sima: Yeah. What I want is, this is coming, is, at the most generic level, I think you can use MCP for this today, which is I'm in code. I am going through my stuff. I run [00:50:00] into a bug.
I actually think Grok 3 is really good at debugging. I want Grok 3 to go handle the debugging of this project, and it should have the context to understand how to do that, right? Yeah. Or to more serious nature, which is, hey, how do I know what is the official MCP server for Atlassian?
I need an at an app, JIRA. MCP server that is official, and I wanna be able to call that at MCP server because it has my authentication capability so I can auth with them and then go and do that. So I need the at auth Atlassian server for this. I want you to go query this and this about my Jira tickets.
Yeah. Where, and so all of those things, the ability to reference and call and contact and have communication happen I think is super critical. And right now there's no, there's no identifiers for these things so that you can do that.
Ashish Rajan: No, but maybe my prediction of Google having those enterprise relationship they may want to be, they may, they might become the first one.
I don't know. And again, I would wanna say,
Caleb Sima: [00:51:00] Google's been kicking ass. I gotta tell you, like I. I was pretty sure Google was gonna die. Yeah. Yeah. I was like, this is the only thing Google should have been king at but they're not, and like they are making their way back like
Ashish Rajan: a hundred percent.
I think
I'm impressed by as well. It's, but just I wanted to call it out. I'm not a Google fan, but the recent announcements they've done makes me go holy shit there's a possibility here. That they could 'cause Apple's already outta the race. They're basically going, Hey, we'll just use whatever you guys have.
We don't wanna make our own. So it's between OpenAI Anthropic, if you wanna squeeze that in there. But technically between OpenAI and Google is where the true battle is at this point in time.
Caleb Sima: Yeah. Don't forget about you haven't heard much, but don't forget about Llamas and other DeepSeek on these models.
Ashish Rajan: DeepSeek
Caleb Sima: yeah. Don't forget they're. They're there and they're still making big strides.
Ashish Rajan: Yeah, it'll be interesting though. I think probably one of those equalizers for everyone. Now we have Perplexity because that [00:52:00] feels they can challenge Google.
Caleb Sima: So I think the Perplexity is also in trouble, right? It's the, because now everything, there is a deep research. Now Google does it, OpenAI does it. They all have web capabilities. Now that's not, and Perplexity's unique capability was its web capability right in the beginning. Yeah.
This was beating Google search because this is how I wanted to search now. Now every AI has this and they have deep research already. And so if I can use it, I use Google's a lot because I think it's really good. Perplexity goes a little bit more. I. It's, you usage drops.
Right? The problem is being first in this doesn't mean that you're gonna win. Yeah.
Ashish Rajan: No, but I saying that I'm just I know we wanted to primarily focus on MCP, A2A, but I think we ended up talking about the whole agent to agent protocol. Hopefully people got some value from what they can do today.
At least to start, we didn't talk about ADK either, Google's agent development kit. Development kit. Yeah. I think I definitely feel. [00:53:00] Yeah, I think we need to do a whole episode on the whole agent in general, again, on the whole ADK and A2A protocol and everything else as well. I think it'll be pretty awesome to see how this goes in the next few months as more people start using this.
And then we have a few more use cases about it as well. 'cause people are definitely starting to use MCP more at this point in time. Hopefully A2A comes in. But that said, I think that's what you wanna talk about today. Hopefully you guys loved our XML and SOAP analogies as well, and leave us.
Don't leave with hate comments about XML, how old we are, but life definitely has given us some scars. Let's just say SOAP XML was not the highlight of our cybersecurity history of it used to be really fun, but probably the ugliest language that you could see on the, on a screen. But hopefully enjoyed the episode and we'll see you in the next one.
But thanks so much for your time, everyone, and let us know how you go. Thanks, peace. Thank you so much for listening and watching this episode of AI Cybersecurity Podcast. If you want to hear more episodes like these or watch them, you can definitely find them on our YouTube for AI Cybersecurity podcast or also on our website, www.aicybersecuritypodcast.com. And if you are [00:54:00] interested in Cloud, which is also our sister podcast called Cloud Security Podcast, where on a weekly basis we talk to cloud security practitioners, leaders who are trying to solve different clients of cloud security challenges at scale across the three most popular cloud providers, you can find more information about Cloud Security Podcast on www.cloudsecuritypodcast.tv. Thank you again for supporting us. I'll see you next time. Peace.