Securing the New AI Attack Surface: How F5 WAF Solutions Protect MCP Servers
According to F5’s 2025 State of AI Application Strategy Report, 96% of organizations are deploying AI models in mission-critical workflows, but only 2% are considered “highly AI-ready.” This readiness gap poses serious challenges for security teams trying to keep up with the pace of innovation.
AI agents are no longer a future concept; they’re embedded in your enterprise today. Tools like Claude, ChatGPT, and Llama are becoming a part of everyday workflows, from customer support to code generation and IT automation. As a result, developers are increasingly adopting the Model Context Protocol (MCP), a lightweight, open standard that allows AI models to “talk” to tools, apps, and services. However, as AI agents start to take real-world actions, a critical problem is emerging: How do you secure agentic AI applications like you would any other enterprise software?
That question becomes even more urgent with the rise of MCP, which makes it easy for developers to wire up AI models with data sources and capabilities such as file systems and internal apps. It’s what allows an AI agent to fetch a document, update a task, or trigger a workflow. But every new API or protocol is also a new attack surface. And with AI agents, the risks aren’t hypothetical.
MCP adoption is expanding the attack surface
Unfortunately, MCP adoption is not going unnoticed by threat actors. In June 2025 alone, multiple critical vulnerabilities targeting MCP implementations were disclosed:
MCP servers are quickly becoming the new attack surface in your security posture, which is why you need to put protections in place today. The Glama MCP Server Directory shows that over 7,000 MCP servers are currently in production, reflecting MCP’s rapid rise as a foundational protocol for AI agent integration.
AI agents don’t know when they’re being attacked because they cannot differentiate between a helpful request and a malicious prompt—making them vulnerable by design. That’s where F5 Web Application Firewall (WAF) solutions come in, which are a part of the F5 Application Delivery and Security Platform.
New F5 functionality to protect MCP-powered agents
F5 has been securing web apps from vulnerabilities and attacks like Injection, XSS, SSRF, and Broken Access Control, Remote Code Execution (RCE), among others for over a decade. We can now help you protect MCP-powered AI agents without rearchitecting your stack. Through an integration of the MCP Remote library working seamlessly with F5 WAFs, a transparent full proxy layer is produced and, as a result, AI agents can function normally but are now available to be secured. Whether you’re securing on-premises AI workloads or deploying agents in the cloud, F5 WAFs work with any large language model (LLM) and any environment.
The attack surface is growing faster than most security teams can map it. And yet, traditional AppSec tools don’t account for how AI agents retrieve, relay, or act on unstructured inputs. If you’re in SecOps, you’ve seen this pattern before where new tech arrives fast but so do the attacks and breaches. MCP is becoming the connective tissue of the agentic ecosystem. F5 WAFs ensure that tissue is not a point of failure.
Among the first to offer MCP protection
Despite 71% of organizations integrating AI into their security strategy, only 31% have implemented AI-specific protections like firewalls, according to our 2025 State of AI Application Strategy Report. That leaves the majority of enterprises exposed to new forms of attack—especially at emerging surfaces like MCP servers.
MCP is emerging as the standard protocol for communication between AI agents and the tools, APIs, and services they interact with, whether that’s retrieving files, triggering workflows, or querying internal systems. Like any other integration layer, it needs the same level of security scrutiny as any API or service layer. F5 is one of the first to offer MCP protection—enabling our customers to innovate confidently.
An F5 GitHub repository with the applicable code will be available soon, enabling you to integrate MCP protection into your AI workflows and start safeguarding your MCP servers right away.
If you’re planning to be at Black Hat USA next week, please visit F5 in Booth #5239 to see our demo.