Just last year, I ghostwrote an article on the OWASP Top 10 for LLM Applications, 2025 edition. At the time, it felt like the definitive map of where AI security was headed. Prompt injection, insecure output handling, training data poisoning, the whole spread. If you were building anything on top of a large language model, this was the list you were supposed to read.
Earlier today, while ghostwriting another article (this one on MCP tool poisoning), I came across the OWASP MCP Top 10. And it hit me how quickly the ground keeps shifting underneath us.
For those who haven’t been tracking it, the Model Context Protocol is the standard that lets AI assistants like Claude or ChatGPT connect to external tools, data sources, and systems. It’s the plumbing that turns tools that we’ve been using as a chatbot into an agent that can actually do things, like read your email, file a ticket, query a database, or push code. Useful, obviously. But it’s also a massive new attack surface.
The OWASP MCP Top 10, currently in beta and led by Vandana Verma Sehgal, catalogs the ten most critical security risks specific to MCP deployments. Token mismanagement and secret exposure. Tool poisoning. Shadow MCP servers. Context over-sharing. Command injection. Supply chain risks. The kinds of issues that don’t really exist in traditional web app security.
And this isn’t theoretical. Between January and February 2026 alone, researchers filed more than 30 CVEs against MCP servers, clients, and infrastructure. The risks are real, and they’re growing.
The OWASP Top 10 for LLM Applications and the OWASP MCP Top 10 cover different layers. The LLM Top 10 deals with the model and the application wrapped around it. The MCP Top 10 deals with the protocol that agent uses to reach into the rest of your company’s environment. You need both. If you’re securing an AI agent environment today and you’ve only read one of them, you’re protecting half the stack.
While OWASP is publishing frameworks, the AI labs themselves are building defensive tooling, and the pace there is even more telling. Just yesterday, OpenAI launched Daybreak, its umbrella effort to put frontier AI in the hands of cyber defenders. It brings together OpenAI’s most capable models, Codex Security as an agentic harness, and a network of security partners for secure code review, threat modeling, patch validation, and dependency risk analysis.
Earlier this year, Anthropic announced Project Glasswing, giving partners access to Claude Mythos Preview to find and fix vulnerabilities in foundational systems. Apple, Microsoft, Google, and Amazon have already signed on.
So in less than twelve months, we’ve gone from “here’s a list of risks for the LLM you’re building on” to “here’s a separate list of risks for the protocol that LLM uses to touch your systems,” with both major AI labs simultaneously shipping defender-side agents to help you keep up.
If you’re studying for your Security+, CEH, SecAI+, or any other certification right now, pay attention to where the exam objectives end and where the real world begins. A gap is actually an opportunity. Practitioners who understand both the foundational frameworks and the emerging threat landscape will be in a different tier than those who only studied for the test.
The OWASP MCP Top 10 is free, it’s short, and it’s exactly the kind of material that separates someone who passed a certification from someone who’s actually ready to become a cybersecurity pro.
