The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration..
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Sign up or log in to add sessions to your schedule and sync them to your phone or calendar.
Building your first MCP agent is exciting. Building a platform where dozens of teams can safely deploy their own agents is a different beast entirely. This talk will share lessons learned scaling an MCP powered agent platform from a single prototype to a multi-tenant platform supporting diverse agent workloads.
A survivor of at least 1 AI winter, Diamond leads Datadog's AI Skunkworks group. He joined Datadog through the acquisition of Augmend, the DevOps AI assistant startup he co‑founded.
Diamond has over 15 years of AI experience building assistants and developer platforms, from the early days of Microsoft Cortana and Amazon Alexa to open-source work on PyTorch at Meta. Today he focuses on “unhobbling” enterprise agents: durable control flow, strong evaland... Read More →
Building your first MCP agent is exciting. Building a platform where dozens of teams can safely deploy their own agents is a different beast entirely. This talk will share lessons learned scaling an MCP powered agent platform from a single prototype to a multi-tenant platform supporting diverse agent workloads.
Core Maintainer of MCP and Co-founder & CEO, MouseCat
Nicholas Aldridge is a Core Maintainer of MCP and the Co-founder and CEO of MouseCat, which builds AI agents for fraud investigation. He spent 6.5 years as a Principal Engineer at AWS AI, where he helped launch and lead Amazon Bedrock Knowledge Bases, Agents, and AgentCore. He also... Read More →
Over the 2025 holiday break, I built MARVIN, an AI assistant that connects to my email, calendar, Jira, Confluence, and meeting notes through MCP servers. The most surprising lessons came from teaching a non-technical friend in marketing to use it. Within a day, she took a task that typically required 4+ hours and completed it in 30 minutes.
In this talk, I'll share practical insights from building and deploying MCP-powered agents in real workflows:
- Architecture decisions: How I structured MCP servers for Gmail, Google Calendar, Jira, and other integrations, and where I got it wrong - The "junior intern" pattern: Why treating AI agents like trainable assistants drives real usage - The naming problem: Why "MCP" is a terrible name for mainstream adoption and what we should call it instead - Curiosity over mandates: Why top-down AI adoption fails, and what ground-up adoption looks like
I'll walk through 25 minutes of hard-won lessons from building something real, watching people use it, and iterating based on what actually worked.
Sterling Chin is a Founding Developer Advocate, where he focuses on AI-powered API development and the intersection of agents and APIs. At Postman, he lead the team that shipped 7 new products in 2.5 years including Postman's first AI Assistant, and now spends his time helping developers... Read More →
MCP launched a revolution in peoples expectations of what Generative AI could achieve. Since then, MCP has been supplemented by other protocols, techniques and extensions.
At Hugging Face we have 1000s of AI Applications deployed, using MCP for interconnectivity, as well as supporting Remote MCP via Inference Providers.
This experience based session explores how inference, compute and storage workloads are shifting in an agentic world, and how MCP supports us in a rapidly changing environment.
We will: - Contrast how ACP and Open Responses work within our MCP infrastructure and our experience deploying them. - Explore how Skills, and Code Generation fit, the impact future models will have on the landscape - and why things that may seem obvious in hindsight weren't. - Discuss the value of multi-model environments and how subagent patterns are critical for certain tasks. - Report on the trends we see in shifting Agentic and Inference workloads, and MCPs continued role in supporting them - Examine our unique multimodal demands - and what needs we and our community have to support mixed content.
Shaun Smith leads Open Source MCP at Hugging Face, and is an MCP Steering Committee member serving as a Community Moderator and within the Transports Working Group.
As MCP adoption accelerates across platforms, the risks of giving LLMs tool access are growing quickly. This session explores the real threat surface of MCP systems: prompt injection, tool poisoning, unsafe permissions, supply-chain “rug pulls,” cross-tool escalation, and data-exfiltration risks that arise when agents can call arbitrary tools. Building on Microsoft's recent work hardening MCP on Windows, we outline a practical reference architecture for secure deployments: signed and verified tool manifests, unique server identities, scoped capabilities, sandboxed execution, authenticated connections, governance via registries, audit logging, and runtime anomaly detection. Attendees will leave with a blueprint for running MCP in production: what to lock down, how to operate it safely, and how enterprises can integrate MCP into existing security, IAM, and compliance frameworks. This talk equips developers, architects, and security teams to build safer agentic systems and contribute to a more secure MCP ecosystem.
Peter Smulovics is a Distinguished Engineer at Morgan Stanley with 15+ years at the firm and 30+ in the industry. A 2× Microsoft MVP and co-creator of C#, he serves as Vice Chair of FINOS (Linux Foundation) Technical Oversight Committee and leads Open Source Readiness. He focuses... Read More →
Most MCP integrations power chat: an agent responds to a prompt. But MCP can power continuous loops — agents that run on schedule, find issues, and ship fixes without human prompting.
This talk covers how to build MCP servers for autonomous operations. The core pattern: Detect → Analyze → Propose → Execute → Report. Each loop queries MCP resources, processes data, and takes action based on its trust level.
I'll show three examples from e-commerce: (1) a learnings database — optimization patterns exposed as MCP resources that agents query to diagnose codebases; (2) CDN observability — requests, bandwidth, cache rates as queryable resources for finding performance issues; (3) conversion analytics — pageview and conversion data that agents correlate to propose content changes.
The key design question: when can agents act autonomously vs. require human approval? I'll present a trust framework where loops graduate from report-only → PR with review → auto-merge based on accuracy over time.
Takeaways: how to structure domain expertise as MCP resources, architecture for connecting observability to agents, and patterns for safe autonomous execution.
Co-founder & CEO of decocms.com, an open-source framework for building and deploying MCP-based Internal AI Platforms. Previously spent 9 years at VTEX through its NYSE IPO, where he led the first version of the Store Framework and VTEX IO Developer Platform. Based in Rio de Janeiro... Read More →
The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:
The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.
Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.
Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.
Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.
Aaron Parecki is Director of Identity Standards at Okta, and active in multiple standards development organizations including IETF, OpenID Foundation, W3C, and MCP. He is an editor of OAuth 2.1 along with several other OAuth specifications, and has been influential in shaping how... Read More →
MCP servers often begin as simple side projects. You build a quick integration, get a basic connection working, and show a demo. But as users begin to rely on your tool, the stakes change. In this talk, we share the lessons learned from taking multiple of MCP servers from initial Proofs of Concept to robust production standards, supporting tens of thousands of developers across open-source and enterprise environments. These are the real-world realities of treating your MCP server as a shipping product.
Roy Derks is a lifelong software developer, author and public speaker from the Netherlands. Currently chasing his dreams in Silicon Valley, California. Roy's mission is to make the world a better place through technology by inspiring developers all over the world, more specifically... Read More →
Sr. Product Manager, Gen AI, HashiCorp, an IBM company
Gautam is a passionate technologist who thrives on solving DevOps puzzles and building meaningful solutions. He's all about automating stuff, streamlining workflows, and building scalable systems. Through his talks, Gautam shares practical insights and inspires others to dive into... Read More →
Creative assembly tasks - where agents compose pieces into coherent wholes - present unique challenges: tracking progress across turns, validating outputs, and recovering when something doesn't fit. This talk shares patterns for multi-turn workflows, illustrated through avatar generation where an agent assembles clothing into cohesive outfits. Pattern 1: Session Memory - Track selections, failed searches, and partial progress across turns. Know what's in the cart before suggesting more. Pattern 2: Composite Tools - Combine operations (search + fetch thumbnails) into single tools that reduce round-trips and give agents richer context. Pattern 3: Pre-flight Validation - Check compatibility before expensive operations. Catch conflicts early (clashing items, missing pieces) rather than failing at generation. Pattern 4: Validate-and-Retry Loops - Use VLM scoring on outputs, track best-of-N attempts, and guide agents toward improvements when quality falls short. Avatar generation makes these patterns concrete - "getting dressed" is intuitive - but they apply broadly to document assembly, configuration builders, and any workflow composing parts into wholes.
Rohan Gangaraju is a Senior Machine Learning Engineer on the Economy ML team at Roblox, where he works on building recommendation systems for virtual economy and avatar marketplace. He holds a CS degree from UMass Amherst.
Jason Ding is a Software Engineer at Roblox, where he drives Avatar Generation efforts focused on ML powered avatar creation. He holds degrees in Electrical Engineering and Computer Science (EECS) and Business from UC Berkeley through the M.E.T. program.
MCP is becoming stateless in one of the largest changes to the protocol since its launch.
This change simplifies the deployment of robust servers, making MCP ready for the next wave of scaled usage driven by agents and use cases like MCP Apps.
This session led by members of the Transports Working Group: - Explores the upcoming changes - and sharing real data from Google and Hugging Face on the motivation behind them. - Details the latest approaches on handling serverless Elicitation, Sampling and Sessions. - Introduces the application and infrastructure patterns that can take advantage of the stateless protocol.
We'll also update on the latest roadmap status and expected migration timelines and approach
Shaun Smith leads Open Source MCP at Hugging Face, and is an MCP Steering Committee member serving as a Community Moderator and within the Transports Working Group.
Kurtis Van Gent is a MCP Core Maintainer and leads the MCP Transports Working Group. By day, he leads AI Ecosystems + Integrations for Google Cloud Databases and helped create MCP Toolbox for Databases.
To implement "Zero Trust", authorization must be enforced consistently across every layer: inside the agent, in the cloud (like MCP gateways and services), and down to the database. Each layer needs its own dynamic authorization decision engine, yet those decisions must remain aligned and explainable.
As AI agents become first-class actors in enterprise systems, traditional security models start to strain. This session examines how agentic workflows challenge today’s delegation mechanisms, especially when agents act autonomously, chain operations, or cross trust boundaries. We’ll explore where OAuth works well and where it falls short.
The session argues for centralized policy management using Cedar, decoupled from application code to prevent policy drift. It will introduce emerging governance models like GovOps, which treat policies, schemas, and authorization logic as managed assets with lifecycle controls and automated compliance. Attendees will leave with a practical ideas for secure agent delegation and governing agentic systems at scale.
The discussion frame is two narratives: a 15th century myth and a 2025 Apple TV mini-series based Martha Wells' books.
Mike is the founder of cybersecurity software vendor Gluu, BD of the Linux Foundation Janssen Project, and twice a week hosts the livestream Identerati Office Hours. He is also author of "Securing the Perimeter" (Apress 2018) about open source digital identity. His podcast "Open Source... Read More →
MCP Apps open a new world of possibilities for interactions in AI chats. While SEP-1865 defines how they work, this talk is about how to build them well.
We'll share the patterns emerging from real MCP Apps development: understanding the data flow between servers, apps, and models — including the interplay of tool inputs and results (streamed or complete), when to use structuredContent versus _meta, how model context updates propagate, how to create tools visible to your app only, etc.
Beyond the protocol mechanics, we'll cover practical concerns: building apps that work across hosts, handling authenticated data at scale, managing state persistence, and keeping heavy visualizations performant. We'll also walk through the common pitfalls — the silent failures and subtle bugs that waste hours — and the debugging workflows and tools that surface them.
You'll leave with tricks and patterns you can apply immediately and a mental model for reasoning about MCP Apps architecture.
Co-author of the MCP Apps extension, Olivier joined the MCP team at Anthropic in 2025, after working at Google (mostly AdSense) for 13 years. In recent years, he contributed to OSS projects such as OpenSCAD & llama.cpp, and is particularly excited by tool calling as the next interoperability... Read More →
Remember when the mobile app stores launched? The first wave of apps were glorified websites, until someone made you tilt your phone to "drink" a virtual beer. That novelty unlocked the iPhone's true potential: apps that felt native to the device. Today, we're at a similar inflection point with ChatGPT Apps and MCP integrations.
After building dozens of AI-powered applications, we’ve identified some interaction patterns that truly shine and those that fall flat.
This talk explores what makes ChatGPT (& MCP) apps fundamentally different from traditional software.
We'll examine novel use cases like adaptive gaming where models seamlessly adopt complex roles, analytics tools that merge interactive visualizations with conversational insights, and SaaS integrations that surface the right features at the right time.
You’ll learn how to design for this new paradigm: what to expose, how users move through AI-native workflows, and what doesn’t work. Your product now lives inside the highest-distribution AI platform. The real question isn’t whether to build for it, but how to make apps that feel truly revolutionary.
Co-founder of Alpic, seasoned infrastructure builders with deep experience in distributed systems, serverless architecture, and developer platforms. Previously, built Streamroot, a video delivery startup acquired by a major US telco, and now focused on making agent-native apps easy... Read More →
As the MCP specification evolves, so do the subtle behavioral differences between implementations that undermine the protocol's core promise: compatibility without coordination. How do you ensure a client built with the Python SDK behaves identically to one built with TypeScript, C#, or Go?
This talk introduces MCP's conformance testing infrastructure. Real SDK implementations run against scenarios that analyze their behavior and assess conformance. Each scenario exercises a specific protocol interaction from OAuth flows and Client ID Metadata Documents to resource metadata discovery, verifying that every SDK handles it correctly.
I'll cover how we built this, what we found when we ran it across SDKs, and how it's changed the way we develop and ship spec changes. You'll learn how conformance testing prevents entire categories of bugs, accelerates code generation of new implementations, increases security guarantees by simulating attacks, and enables evidence-based SDK tiering. I'll also cover how you can get involved: writing new scenarios, running tests against implementations, and helping close the gap between spec and reality.
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy... Read More →
The Model Context Protocol (MCP) has standardized how we connect models to data, but the security layer remains a work in progress. Currently, MCP implements authorization via standard OAuth scopes.
While this works for handling coarse-grained tool access, it presents challenges for finer grained permissions.
To solve this, we must move toward intent-based authorization—a model where agents are authorized to perform actions based on the specific context of a task, rather than a pre-approved list of capabilities.
This presentation will dissect the consequences of the current OAuth model on agent design and present ideas of how to address them. We will discuss how to implement dynamic authorization that allows agents to be helpful without being intrusive, ensuring that security scales alongside intelligence.
MCPs unlock agent data access, but that's only the first step towards building agents that can work autonomously. How do we build a complete system where multiple agents work together, maintain state across sessions, and the whole thing runs reliably every day.
I use agents that work with 10+ connections daily for both personal and work use cases: health MCPs/APIs (Strava, Apple Health), productivity tools (Calendar, Linear), business systems (Attio CRM, email), and developer tools (GitHub). This talk shares effective architectural patterns that emerged from actually using this system.
We'll cover MCP composition (Virtual MCPs) and how to orchestrate multiple agents with memory. We show how state management using Git as agent memory is effective, as it provides versioning and rollback. We treat CLAUDE.md files as behavioral memory in the same system. Finally, we cover security concerns and best practices to manage agents that have access to sensitive and/or untrusted data.
Jiquan Ngiam was a senior staff researcher at Google Brain and founding team member at Coursera, where he helped build Andrew Ng's online machine learning course from the ground up. He co-authored pioneering work in multimodal deep learning at Stanford. Currently co-founder and... Read More →
The AI agent ecosystem is fragmenting into competing paradigms, each promising to be the future of how AI systems interact with the world. Skills are simple markdown local workflows using scripts, MCP provides structured tool access across platforms, and Code Mode solves Context bloat problems by executing MCP Tools as code. Most people think these are competing paradigms. They are not.
This talk cuts through the hype and developer frustration to examine what these approaches actually enable, how they overlap, and how do they complete each other.
**Key Learnings**
- Clear mental model explaining the concepts behind Skills, MCP, and Code Mode: what each actually does vs. marketing claims - How these paradigms complement rather than compete: practical patterns for combining them (Skills in MCP Servers!) - Decision framework: when to reach for each approach based on your use case, and a map of in which MCP Client each concept is already implemented - Where the ecosystem is heading and how to future-proof your architectural choices
Nikolay Rodionov is a cofounder and COO at Alpic, an AI infrastructure startup for MCP, and creator of Skybridge, an open-source framework to build MCP Apps. He previously founded Streamroot, a P2P video delivery technology that powered multiple Super Bowl streaming events before... Read More →
AI agents are rapidly becoming the primary consumers of technical documentation. At Apollo GraphQL, our traffic data shows agents on pace to become our #1 traffic source, prompting a shift in how we write, structure, and serve docs. We now have two distinct audiences that read differently: AI needs patterns, not paragraphs. Connecting sentences that help humans are now wasted tokens.
As the sole documentation engineer at Apollo, I’ve spent the past year building MCP tooling for our docs. This talk covers what worked, what failed, how we tested, and what surprised us.
I’ll walk through the evolution from serving AI full pages to chunked retrieval strategies that balance completeness with token usage. You’ll see how we used AI tooling to restructure docs for AI readability and exposed them as MCP tools agents are compelled to use.
To measure progress, we built an evaluation suite: a sandboxed runner that executes end-user prompts against our MCP server, builds an application, seals the output, then passes it to a second model for scoring against a reference solution and rubric. I’ll demo this live and share how it produced stable metrics in a non-deterministic AI world.
Daniel Abdelsamed is a Staff Software Engineer at Apollo, where he has spent the last four years architecting and scaling the company’s documentation platforms. With nearly a decade of experience in TypeScript and application design, he focuses on building durable, developer-friendly... Read More →
In November 2025 the Model Context Protocol introduced Tasks, which deliver first-class async semantics, something that is both excellent, and hard. Tasks define long-running operations with explicit client/server coordination, TTLs, and lifecycle states. They require durable state beyond ephemeral connections and require developers address distributed-systems concerns like stable task identity, rediscovery via tasks/list, mismatched sync/async expectations, and failures across retries and restarts.
This talk digs into all of those concerns through real implementations. We’ll examine what the spec requires, and what it intentionally leaves open (i.e. how durability is achieved), as well as what happens when clients or servers restart mid-task. We’ll talk about how to do idempotency right, and how those choices shape polling, backpressure, and error handling. We’ll also cover how to best do human-in-the-loop when the Task has input_required, all while avoiding any tight coupling between the client and server.
You’ll come away with concrete practices for building robust async MCP clients and servers, and a clearer mental model of the distributed systems issues the spec encodes.
Cornelia has spent a career at the forefront of technological innovation, starting with image processing algorithm development, moving to web-centric computing in the late 1990s, and then more than a decade working in cloud-native software and DevOps platforms. As a Developer Advocate... Read More →
Tool sprawl is a common failure mode for enterprise agents: the more tools an agent can reach, the less predictable it becomes—driving hallucinations, higher token costs, and larger security blast radius. Scaling agents safely requires specialization enforced by capability boundaries, not just better prompts.
This talk explores MCP best practices through a managed implementation where MCP servers are declared as explicit collections of tools and treated as governed objects. Specialization comes from two independent boundaries: (1) the MCP server definition limits the tool surface an agent can even access, and (2) RBAC still applies inside that server—so a user can only invoke tools they’re authorized to use, even if they can access the server that contains them.
Together, these boundaries reduce sprawl while improving operability: agents become easier to reason about, costs drop because fewer tools are in play, and least privilege is enforced with practical, role-aligned granularity.
Josh is a developer advocate for Snowflake, previously at TruEra (recently acquired by Snowflake). He is also a maintainer of open-source TruLens, a library to systematically track and evaluate LLM based applications.
Josh has delivered tech talks and workshops to thousands of developers at events including PyData, Global AI Conference, NYC Dev Day, LLMs and the Generative AI Revolution, AI developer meetups including AI Camp and Unstructured SF Meetup... Read More →
MCP adoption is growing, but most agent integrations still treat tools as a prompt-time API, burning context tokens on tool definitions, re-copying intermediate results, and losing accuracy along the way. This improper use also leads to unfair criticism of MCP itself.
To address this problem, Cloudflare proposed MCP “code mode”: instead of prompt-time JSON tool calls, the model generates small programs that call tools via an API and run in a sandbox. This dramatically reduces overhead while improving accuracy in chained tool use. An alternative approach recently implemented by Cursor and Anthropic uses dynamic tool discovery to load only the relevant tools into context.
In this talk, we’ll introduce 𝚖𝚌𝚙𝚌 (https://github.com/apify/mcpc), a new open-source universal CLI client for MCP that brings both code mode and dynamic tool discovery to where they shine: the terminal. With persistent sessions, JSON output for scripting, and an MCP proxy for sandboxing, mcpc is an invaluable tool for AI engineers. We’ll live-demo a practical workflow that invokes multiple MCP servers in parallel, filters and transforms results locally, and then turns the interaction into reusable scripts.
Jan Curn is the founder and CEO of Apify (https://apify.com), the world's largest marketplace of web data extraction and automation tools, powering (not only) AI agents with up-to-date data. He has a lifelong passion for software engineering, which earned him an MSc and a PhD in computer... Read More →
You can write a perfect MCP server (clean code, typed schemas, 100% code coverage), yet agent interactions still fail. This is the probabilistic gap: your server is deterministic, but its user (the agent) is stochastic.
Standard “Agent Evals” are often the wrong tool to fix this. They judge the final outcome (was the answer good?), not the process. They struggle to provide useful insights into how the agent understands and uses your MCP server, instead focusing on providing insights into the agent itself.
In this session, we introduce mcpchecker, an open source framework for MCP server evaluations. We will show how to build integration tests specifically for the agent-MCP server interface, allowing you to isolate and debug these interactions.
Stop guessing why agents fail. Learn to test your server’s semantic interface and prove that agents can actually understand it.
I am a Software Engineer at Red Hat, where I work on Applied AI projects with a focus on MCP and Agents. I also work on Serverless with the Knative community.
I am a CNCF ambassador, where I present about new and exciting technologies in the AI/Serverless as well as mentor new contributors... Read More →
WESLEY CHUN, MSCS, is a Google Developer Expert (GDE) in Google Cloud (GCP) & Google Workspace (GWS), author of Prentice Hall's bestselling "Core Python" series (corepython.com), co-author of "Python Web Development with Django", and has written for Linux Journal & CNET. He's currently... Read More →
So you found an MCP server on npm that does exactly what you need. You run npx and... now what? One reason people skip security verification for MCP servers is that it's genuinely hard to know what you're actually running. The package works, so why question it?
Here's the thing: MCP servers are getting access to your files, your APIs, your credentials. We should probably know what's in them before we hand over the keys.
In this talk, we'll dig into using OCI containers as the packaging standard for MCP servers - not because containers are trendy, but because they unlock supply chain security constructs that npm and PyPI simply don't have. We'll walk through building repackaging pipelines that verify source packages, run MCP-specific security scans, and produce attestations with Sigstore. Real pipelines, real commands, real output.
Note that this won't solve every trust problem - but it gets us a lot closer to "I know what I'm running" than the current state of affairs.
Juan Antonio "Ozz" Osorio is a Mexican software engineer living in Finland. His background spans security for OpenStack, Kubernetes, and bare metal environments. Currently at Stacklok, he founded the ToolHive project and has been building MCP infrastructure, including supply chain... Read More →
Since its inception, we've talked about MCP from the perspective of Clients and Servers. This session focuses on an interesting paradigm taking advantage of the intentional asymmetry of the MCP spec - what if a Client was also a Server? What happens when we break out of a singular client-server pair and into multiple? What can this idea tell us about the future of MCP?
This session will cover the concept of an "MCP Agent" - a Client that is also a Server. We'll construct a system design for this MCP Agent to other servers and MCP agents and touch on several key considerations including auth and scalability.
Participants are expected to have an introductory knowledge of MCP, the mechanics of how Clients and Servers interact with each other, and a general interest in agent-to-agent communication!
Rohit is an AI Product Manager at Descope, where he leads the MCP Auth and Agentic Identity efforts. Previously, he worked in Microsoft's Developer Division across products like the Azure SDKs and VS Code before launching the Azure MCP Server.
Shadow IT is back - but this time it's AI-powered. Employees are configuring MCP servers directly in Cursor, Claude Desktop, and VS Code, creating a blind spot that traditional security tools miss. These shadow MCPs operate outside centralized control, enabling data exfiltration, supply chain attacks, and compliance violations.
This talk exposes the shadow MCP problem and presents a comprehensive detection and response framework:
- Why shadow MCPs are uniquely dangerous (AI amplifies access, automates actions, no audit trail) - Discovery techniques: IDE config scanning, MDM integration, network detection patterns - Classification: distinguishing managed vs shadow servers across device fleets - Response playbooks: triage, investigation, remediation by risk level
I'll share real vulnerability examples from official MCPs (GitHub, Asana, Supabase, Postmark) and demonstrate automated detection through IDE hooks (Cursor, Claude Code) and MDM platforms (SimpleMDM, Jamf).
Attendees will leave with practical techniques for gaining visibility into shadow MCP usage and a framework for bringing unauthorized integrations under organizational control.
Aidan is a founding product engineer at Runlayer. Previously he's worked at Glean on scalable connector and crawler infrastructure and at YouTube on recommendations serving infrastructure... Read More →
Alexander Frazer is a Founding Security Engineer at Runlayer, specializing in generative AI and cybersecurity. With 15+ years of experience, he focuses on AI security challenges and MCP implementations. Previously he has led creation and evaluation of AI-driven security triage systems... Read More →
Developing MCP servers against the APIs you depend on can feel risky, especially when those servers interact with real-world data in production services. When integrating AI into the enterprise, you're often better off starting in a sandbox, but not all 3rd-party APIs offer sandboxes, let alone MCP-compatible ones. No problem: OpenAPI, Microcks, and Bruno are here to help.
At Naftiko, we've been delivering HTTP and MCP sandboxes for common 3rd-party APIs like GitHub, Jira, Notion, and Figma. Our approach uses OpenAPI specifications published to GitHub, open-source Microcks to deliver mock REST APIs and MCP servers, and Bruno as an HTTP client to explore the sandbox. We'll share how we design OpenAPI specs with use-case-driven, business-aligned examples that can be easily forked and mocked on-premise using Microcks, providing a safer development approach for anyone building with MCP and integrating it into LLMs, copilots, and agentic automation.
Join us for a hands-on, practical journey through how OpenAPI, Microcks, GitHub, and Bruno can help you reduce the risk of AI integration with 3rd-party, and internal APIs.
Here's the thing about being a security company: you can't ship a vulnerable MCP server. For us, getting pwned isn’t just embarrassing - it gets us on the front page of Hacker News. Our customers trust us to protect them from nation-state attackers, well-funded adversaries (and the odd teenager attacking for lolz.)
At the same time, the MCP ecosystem is still maturing. Hardening standards for sophisticated attackers don't exist yet. And with high-profile supply chain attacks now targeting agents, attackers are actively exploiting the trust developers place in their toolchains. Last year, a flaw in mcp-remote turned into a remote code execution nightmare, exposing over 400,000 developers. That's the reality we're building in.
When it came to our MCP server, we built it using the same rigor we use to protect the world's largest companies. This talk covers the threat model we designed against, gaps in MCP's current design that required workarounds, and ultimately how we built an MCP server trusted by enterprise customers, and hardened against even the most novel attacks. If we can secure it here, you can secure it anywhere.
I build security products. I'm a Senior Product Manager at Semgrep, a high-growth cybersecurity startup. I lead the teams responsible for Semgrep Code (SAST) and Secrets detection products.
I recently graduated from Harvard University with degrees in Computer Science and Physics. In my free time, you can find me geeking about the latest in security / developer tooling, running in San Francisco's Golden Gate Park, or enjoying local theater... Read More →
Katrina is a software engineer at Semgrep. She is on the Semgrep Analysis Foundations Team, the team that owns and maintains the core static analysis functionality of the Semgrep tool. She is currently working on Semgrep's MCP server.
Everyone in this room is building MCP integrations. Almost nobody knows how well they're delivering value. Outcomes are inherently non-deterministic: the same user request can produce completely different results depending on how the agent interprets user intent. Building an effective MCP server isn't just about handling tool calls, it's about spinning a data flywheel where every interaction teaches you what's working, what's failing, and what your users actually need.
The teams that figure this out compound user value over time. MCP has an XY problem. Almost everyone at this summit is focused on the Y. Let's talk about the X.
Prathmesh Patel is leading MCPJam: an open-source developer platform helping thousands test, evaluate, and ship their MCP apps and servers. He's a former Technical Lead at Asana who owned Asana's MCP server, REST API, and OAuth AS. He also led Asana's prototyping and development of... Read More →
The Model Context Protocol (MCP) is rapidly emerging as a foundational standard for building agentic AI systems that interact with tools, data sources, and services in a consistent and interoperable way. However, adopting MCP effectively requires more than basic integration—it demands thoughtful design choices around security, scalability, observability, and reliability.
This session presents practical best practices for implementing MCP in real-world agentic AI applications. It covers how to structure MCP servers and tools, manage context boundaries, handle permissions and sensitive data, and design resilient agent workflows. The talk also explores patterns for prompt engineering, tool invocation, state management, and error handling when using MCP in cloud-native environments.
Attendees will leave with concrete guidance on how to use MCP to move from experimental agents to production-ready systems that are secure, maintainable, and scalable.
As AI agents become more capable, their biggest limitation is no longer reasoning — it’s context. Without access to procedural knowledge and domain-specific understanding, agents struggle to perform real work reliably. In this talk, we’ll explore how Skills address this gap by giving agents on-demand access to company-, team-, and user-specific context.
We’ll look at how Skills can be combined with MCP servers to build safer, more reliable agents, and walk through a real-world example of managing a Postgres database. Using evals, we’ll compare agent performance with and without Postgres-specific Skills, showing how MCP enables secure database access while dramatically improving outcomes.
I’m an AI Tooling Engineer at Supabase, part of the team maintaining all AI initiatives including our MCP server, AI assistant, and Skills. I’ve been involved with the MCP protocol since its early days, contributing to its SDKs and projects like Skybridge. I’ve spoken at MCP... Read More →
What if your workflow engine wasn't just a consumer of MCP servers, but was itself built entirely on the MCP protocol? This talk explores a novel architecture that uses MCP's newest primitives to create a production-ready workflow orchestration system. We'll demonstrate how MCP's task framework provides natural workflow step management, while sampling enables intelligent decision-making at each stage. You'll see how dynamic tool definition works at both workflow and step levels, allowing workflows to adapt their capabilities on the fly. We'll also cover practical challenges like handling OAuth authentication flows mid-execution and coordinating multiple MCP servers within a single workflow. Through a real-world case study you'll see how MCP's composability transforms workflow design. Rather than building yet another workflow engine that happens to use MCP tools, we'll show how treating MCP as the foundation protocol unlocks new patterns for distributed, intelligent automation. Attendees will leave with a deeper understanding of the MCP specification and how the capabilities can be composed to create production-ready workflow applications.
Donnie Adams is a Software Architect at Obot AI, where he builds enterprise MCP infrastructure including the Obot MCP Gateway and agent orchestration systems. His work focuses on MCP gateway architecture, OAuth integration, and distributed AI systems. He specializes in building production-grade... Read More →
Model Context Protocol (MCP) enables standardized AI agents, but real adoption depends on how MCP servers operate in production—not just how the protocol is defined.
This session provides a high-level, practitioner perspective on running MCP in enterprise environments. It covers how MCP servers fit into existing platforms, with a focus on observability, security, distributed tracking of agent behavior, and resiliency. Rather than diving deep into implementation details, the talk shares lessons learned from real deployments and common pitfalls teams face when moving MCP from experimentation to production.
AVP IT Architecture (Head of Enterprise Reusable Services & Tech Standards)), GM Financial
Amar Deep Singh is a distinguished software architect and author with extensive experience in microservices and cloud computing. He is the author of "Building and Delivering Microservices on AWS," a comprehensive guide that explores software architecture patterns and the deployment... Read More →
Neelabh Tripathi is a seasoned IT professional with over 18 years of expertise in cloud computing, enterprise architecture, and microservices. He has worked with some of the world’s leading organizations, where he played pivotal roles in driving digital transformation and innov... Read More →
As MCP adoption grows, power users are connecting multiple servers for various workloads. This creates a challenge: in naive implementations, preloading all tool and resource definitions into the context window can add 50k+ tokens before the agent even starts working. Evaluating our agentic coding users at Warp, we found that ~90% of tasks don't use the MCP context available, and those that do only use few tools.
This led us to question whether MCP context needs to be statically front-loaded. So, we built a model-agnostic MCP search subagent that reduces token usage by 26% for MCP-using tasks and 10% when MCP context is available but unused. All in a model-agnostic implementation.
Attendees will leave with: • A concrete architecture for dynamic MCP tool/resource discovery • Evaluation strategies for ensuring search doesn't degrade agent quality • A look into our model-agnostic implementation to adopt in any agentic coding harness
Kevin is one of Warp's earliest engineers, scaling Warp's AI features from prototype to over a hundred thousand daily users. He currently serves as a Tech Lead for Warp's Code product.
The next wave of MCP servers face the same challenge: discoverability. If an LLM doesn't know when to invoke your tool, it doesn't exist. This will compound - ChatGPT has ~80 apps today, but as more LLMs launch app stores and MCP adoption accelerates, there will be millions.
Drawing from research optimizing ChatGPT apps since launch, this talk reveals metadata patterns that determine whether AI systems surface your tools - principles that apply directly to MCP server development.
What I'll cover: - Two-channel discovery: How static search (registries i.e. ChatGPT's App Store) and dynamic invocation (LLM tool selection) require different optimization strategies.
- How LLMs read metadata: How tool names, descriptions, and parameters shape invocation decisions.
- The golden prompt set: Testing methodology using direct, indirect, and negative prompts to measure recall and precision.
- What converts: Fixed templates, workflow handoffs, context preservation vs anti-patterns that fail.
- Measuring success: Citation tracking, false positive monitoring, and iteration loops that compound discoverability gains.
Vincent McLeese is the Product and Tech Lead at Ghost Team, an MCP Apps agency. He leads the development of appsdiscoverability.com, a platform devloper by Ghost Team to help mcp apps become more discoverable. A multiple founder with a background in tech strategy from Accenture, Vinc... Read More →
The Nov 2025 release of MCP introduced a new client capability: URL Elicitation. This capability is game-changing for MCP servers that interact with external systems. But don't just take our word for it... Hear it straight from the author of the spec!
In this talk, Nate (lead author of URL Elicitation) will break down the "what" and "why" of this new addition to the protocol. You'll learn about: - Why it's a mistake to reuse or "pass through" OAuth tokens from one server to another - The confused deputy problem and other common pitfalls to watch out for - How URL Elicitation unlocks a secure way for MCP servers to call external services that use OAuth or API keys, require payments, or gather sensitive information - The correct security patterns for any remote MCP server project today
No need to be a security expert to attend! Nate will break down the problems and solutions in clear, relatable language, and provide crucial guidance for anyone building MCP servers in 2026 and beyond.
Nate Barbettini is a leading voice in security and AI. At Arcade.dev, he's building the MCP runtime that helps enterprises deploy multi-user AI agents that take actions across any system. As an active MCP contributor, Nate is focused on security-critical work, authoring URL Elicitation... Read More →
As MCP adoption grows, teams are facing a new set of challenges: session management across fleets, policy enforcement for agents and users, and operating MCP traffic at scale.
We’ll explore how proxies currently handle stateful MCP sessions, how stateless designs dramatically simplify scaling and operations, and how proxies like Envoy can enforce authorization, tool safety, and policy without becoming bottlenecks. The discussion will also look ahead to emerging MCP proposals, including stateless transports, async tasks, and server discovery, and why alignment between protocol evolution and proxy implementations matters for the ecosystem.
Attendees will leave with concrete architectural insights, practical lessons learned, and a clearer picture of where MCP traffic handling is headed and how to build for it now.
Boteng is a Senior Envoy Maintainer and Software Engineer at Google, working on Envoy for various products with an emphasis on data plane, reliability, and security.
Erica Hughberg is a technical leader, software engineer, and community advocate passionate about helping engineering teams develop scalable, secure, and user-focused application platforms. As a maintainer of Envoy AI Gateway, she concentrates on features that enable organizations... Read More →
