Loading…
April 2-3, 2026
New York, NY
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration..

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Audience: Yes clear filter
arrow_back View All Dates
Friday, April 3
 

11:30am EDT

RPC > MCP: Turning a Decade of APIs Into Agentic Tools - Ze'ev Klapow, HubSpot
Friday April 3, 2026 11:30am - 11:55am EDT
Juilliard Complex (5th Floor)
At HubSpot, we recognized that any RPC with a schema is already a tool definition, so we built our AI tooling infrastructure on top of our existing RPC framework instead of starting from scratch. Engineering teams can now expose any API to internal agents, public MCP clients, and customer-facing AI products with just two annotations, enabling rapid development and tool reuse across all of our AI systems. This talk covers the architecture, the tradeoffs, and how this approach let us ship agentic capabilities faster than we ever expected.
Speakers
avatar for Ze'ev Klapow

Ze'ev Klapow

Distinguished Software Engineer, HubSpot
Ze'ev Klapow is a Principal Software Engineer at HubSpot, where he has spent 13 years building infrastructure. He currently leads efforts to bring AI tooling to HubSpot engineers and designed the unified agent infrastructure that powers both internal and customer-facing AI produc... Read More →
slides pdf
Friday April 3, 2026 11:30am - 11:55am EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Any
  • Session Slides Yes

11:30am EDT

Code Mode Without the Code - Bob Dickinson, TeamSpark
Friday April 3, 2026 11:30am - 11:55am EDT
Astor Ballroom (7th Floor)
Major AI players (Cloudflare, Anthropic, Docker) advocate "Code Mode" - having LLMs generate wrapper MCP servers to orchestrate tools, drastically reducing context usage. However, executing LLM-generated code introduces security risks and compliance challenges.

mcpGraph provides Code Mode benefits without code execution risks. It's a YAML-based DSL for declarative MCP tool orchestration using directed graphs. Tools are defined as graphs with MCP nodes, JSONata transforms, and JSON Logic conditionals, all inspectable and auditable, and exposed to agents as MCP tools themselves.

We'll cover and demo three MCP servers: mcpGraph (the core engine), mcpGraphToolkit (agent development tools for building/testing/deploying graphs, with associated agent skills), and mcpGraphUX (visual inspection and debugging).

This approach delivers Code Mode efficiency while maintaining security, observability, and compliance—no arbitrary code execution required.

mcpGraph is open source and available at: https://github.com/TeamSparkAI/mcpGraph

The presentation will be largely based on this document (and referenced videos): https://github.com/TeamSparkAI/mcpGraph/blob/main/docs/no-code-code-mode.md
Speakers
avatar for Bob Dickinson

Bob Dickinson

Founder, TeamSpark
Serial founder, CTO at scale, and always a hands-on builder. Creator of MCP Tool Vault and the open source projects tsAgent and mcpGraph. Maintainer of MCP Registry and MCP Inspector. Background in security, including as CTO of OneLogin and Censys.
Code Mode without the Code pdf
Friday April 3, 2026 11:30am - 11:55am EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

11:30am EDT

Human in the Loop, Agent in the Flow - Harald Kirschner & Connor Peet, Microsoft
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom South (6th Floor)
The AI hype cycle promised full automation. Reality delivered hallucinations and agents that guess when they should ask. The MCP spec offers a different vision—humans in control through rich, interactive collaboration rather than micromanaging every step.

This talk explores how recent MCP primitives transform the protocol from text-in-text-out tool-calling into interactive human-agent workflows. We'll cover elicitations that let servers ask clarifying questions with structured forms, async tasks that pause for human decisions and resume seamlessly, and MCP Apps that render interactive UIs—charts, dashboards, confirmations—in sandboxed iframes. Each makes feedback loops faster and agent interactions richer.

Using VS Code's implementation as reference, we'll demonstrate patterns for adaptive autonomy, progressive input gathering, and bidirectional workflows where servers drive the conversation. You'll leave with concrete patterns for building MCP integrations that treat collaboration as a feature, not a fallback.
Speakers
avatar for Harald Kirschner

Harald Kirschner

Principal PM, Microsoft
Harald Kirschner is a Principal Product Manager at Microsoft, building AI coding experiences in VS Code and GitHub Copilot for 40+ million developers. Before Microsoft, he led Firefox DevTools at Mozilla and helped ship Firefox Quantum. His engineering roots (MooTools, early web... Read More →
avatar for Connor Peet

Connor Peet

Principal Software Engineer, Microsoft
Connor is a principal software engineer working on VS Code since 2019.
mcp vscode human in the loop url
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

12:00pm EDT

From One MCP Server To an Ecosystem: When MCP Stops Being a Server and Becomes a Platform - Vaibhav Tupe, Equinix
Friday April 3, 2026 12:00pm - 12:25pm EDT
Juilliard Complex (5th Floor)
As MCP adoption grows, teams quickly discover that scaling from a single MCP server to a multi-server ecosystem introduces new architectural, operational, and governance challenges. Patterns that work for standalone MCP implementations often break down when MCP becomes a shared platform capability across multiple domains, teams, and clients.

In this talk, we share practical lessons from building and operating an MCP server ecosystem at infrastructure scale at Equinix. What began as a single MCP server evolved into multiple coordinated MCP servers spanning networking and infrastructure domains, each with distinct tools, lifecycles, and operational constraints.

Attendees will learn:
1. How MCP architecture changes when scaling from one server to an ecosystem
2. Design patterns to avoid tight coupling and fragmentation across MCP servers
3. Practical approaches to tool discovery, versioning, and backward compatibility
4. Operational lessons for reliability, rate limiting, and failure isolation
5. Governance best practices for ownership, change management, and ecosystem growth
Speakers
avatar for Vaibhav Tupe

Vaibhav Tupe

Tech Lead - Principal Engineer, Equinix
Vaibhav Tupe is a distinguished Technology Advisory Board Member and Engineering Leader specializing in cybersecurity, cloud, and AI-ready data center infrastructure. With over 13 years of experience, he currently serves as a Technology Leader at Equinix USA, where he drives high-performance... Read More →
MCP DevSummit Final pptx
Friday April 3, 2026 12:00pm - 12:25pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

12:00pm EDT

Distributing MCP Servers With OCI To Power Agent Skills - Bobby House, Docker
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom South (6th Floor)
While it is now considered a best practice for agent skills to leverage MCP servers, there is still no widely accepted approach for how those MCP servers should be distributed, versioned, and shared as dependencies.

This talk presents a practical pattern for using OCI artifacts as a distribution mechanism for MCP servers and configurations that agent skills depend on, enabling reproducible, shareable, and composable agent capabilities.

We’ll walk through creating an agent skill that can build and run an MCP project as a containerized service, then publish supporting artifacts such as the MCP server’s configuration.

Rather than bundling dependencies directly, the agent skill references an OCI artifact by OCI ref, pulls it at runtime, and activates the required MCP servers automatically. This ensures that when prompts expect specific MCP servers to be available, they already are.

By treating OCI as a universal distribution layer for agent tooling metadata and configurations, this approach makes agent skills easier to share, reproduce, and evolve across teams and environments.
Speakers
avatar for Bobby House

Bobby House

Sr Software Engineer, Docker
Bobby House is a senior software engineer at Docker that enjoys building products for engineers. His recent work centers on integrating MCP into enterprise environments by enabling organizations to publish and manage private catalogs of MCP servers as OCI artifacts.
agent skill dependencies pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

12:00pm EDT

MCP Live: Streaming Context To AI Agents - Harshit Kohli, Amazon Web Services
Friday April 3, 2026 12:00pm - 12:25pm EDT
Astor Ballroom (7th Floor)
Most MCP servers work like snapshots - ask for context, get a response, done. But what happens when your code changes while the AI is working? Or system metrics spike during deployment? Your agent has stale data.

I've been building streaming MCP servers that push live updates to AI agents. Think file watchers notifying code changes, system monitors streaming metrics, or database triggers sending updates as they happen.

I'll walk through building a live log monitoring MCP server from scratch. We'll extend the basic MCP protocol to handle streaming data using WebSockets, implement event subscriptions, and keep agents synchronized with rapidly changing data.

The demo shows an AI agent monitoring application logs in real-time, detecting anomalies and suggesting fixes as errors occur - not minutes later when someone checks the logs.

This isn't theoretical - I'm using similar patterns in production for DevOps monitoring and trading systems. I'll share the code, discuss gotchas, and show how streaming MCP opens up new use cases.

You'll leave with practical patterns for building reactive MCP servers that keep your AI agents always current.
Speakers
avatar for Harshit Kohli

Harshit Kohli

Sr Technical Account Manager, Amazon Web Services
GenAI/Data Driven individual who has 15+ years of experience. Proven experience with AWS Data Analytics/GenAI services, Cloudera Hadoop, Hortonworks Hadoop and Mapr Hadoop. Achieved customer wins over Amazon Q , Bedrock, Amazon Managed Kafka, Amazon Data Firehose, Kinesis Streams... Read More →
HarshitKohli MCP Live Streaming Context pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

12:00pm EDT

Path to V2 for MCP SDKs - Max Isbey, Anthropic
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom North (6th Floor)

Speakers
avatar for Max Isbey

Max Isbey

Member of Technical Staff, Anthropic
Software Engineer from New Zealand, previously worked at Rocket Lab designing and maintaining telemetry and command systems for rockets and satellites. Now relocated to London and working at Anthropic primarily focused on maintaining the MCP Python SDK.
MCP Summit Talk Max Isbey pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any
  • Session Slides Yes

12:00pm EDT

Threat Modeling Authorization in MCP - Sarah Cecchetti, OpenID Foundation
Friday April 3, 2026 12:00pm - 12:25pm EDT
Empire Complex (7th Floor)
This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.
Speakers
avatar for Sarah Cecchetti

Sarah Cecchetti

Chair of AI Threat Modeling Working Group, OpenID Foundation
By day, Sarah is Director of Product Management for Semperis, a Series C startup. She also chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP... Read More →
presentation pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Beginner
  • Session Slides Yes

12:30pm EDT

Challenges in Delivering Unstructured Content Efficiently Over MCP - Kailas Krivanka & Fernando Cerenza, Box
Friday April 3, 2026 12:30pm - 12:55pm EDT
Juilliard Complex (5th Floor)
Delivering unstructured file content over MCP introduces various challenges in performance, efficiency, and security. We will explore the questions that arise when building an MCP server for content management and some of the approaches that can be used to tackle them. As enterprise environments require a more conservative security posture, we’ll also break down strategies for mitigating data exfiltration risks and prompt injection attacks through granular, configurable guardrails.

  • Why large content operations can fail: latency, data corruption
  • Techniques for managing context efficiently and minimizing LLM token usage
  • The benefits of programmatic tool calling for MCP tool composability
  • Tradeoffs between MCP and CLI for content operations
  • Handling safety risks when untrusted content becomes a data exfiltration vector
  • Balancing functionality and security when designing tool guardrails

By starting from first principles and reviewing specific examples attendees will leave with techniques for building MCP servers that process unstructured content efficiently and securely in enterprise environments.

Speakers
avatar for Fernando Cerenza

Fernando Cerenza

Senior Director of Product Management, Box
Fernando Cerenza leads Box’s partner integration ecosystem, where he oversees a vast network of over 1,500 application integrations. He is currently spearheading Box’s AI-focused initiatives, driving development on MCP and A2A to enable advanced agentic AI outcomes and seamless... Read More →
avatar for Kailas Krivanka

Kailas Krivanka

Software Engineer, Box
Kailas Krivanka is a software engineer with expertise in API design, software architecture, and distributed systems. He has worked at Box for 4 years, building scalable systems and solving complex technical challenges including launching the Box MCP server. With experience across... Read More →
MCP Dev Summit slides pdf
Friday April 3, 2026 12:30pm - 12:55pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Beginner
  • Session Slides Yes

12:30pm EDT

The Anatomy of a Meltdown: A Deep-Dive into MCP via Selective Sabotage - Joey Stout, Spacelift
Friday April 3, 2026 12:30pm - 12:55pm EDT
Broadway Ballroom North (6th Floor)
Most technical talks feel like a one-way street: I talk, you listen, and maybe you ask a question at the end if we have time. But the Model Context Protocol (MCP) isn't about one-way communication; it's about creating a living connection between a "brain" (the LLM) and the "world" (your data and tools).

To prove this, we aren't going to look at static slides. Instead, we are going to use a Live Audience Agent.

At the start of the talk, a QR code will go up on the screen. Anyone in the room can scan it and access a simple web interface. You can send in "Live Vibe Checks"—short text snippets, emoji reactions, or "Heckles"—that feed directly into a database. My MCP server is the bridge. It connects my LLM assistant to that live database of your thoughts.

This is a high-stakes demo. If the protocol works, the AI will be my co-speaker, responding to the room's energy in real-time. If I break the protocol, which I plan to do, repeatedly, the AI will lose its connection to you. We're going to perform "Selective Sabotage" to see exactly which parts of the MCP spec keep the lights on.
Speakers
avatar for Joey Stout

Joey Stout

Solutions Architect, Spacelift
Joey Stout is a Solutions Architect at Spacelift.io, CKA-certified, and creator of manifests.io. He specializes in Kubernetes, OpenTofu, and GitOps—and goes by The Outdoor Programmer.

The Anatomy of a Meltdown pdf
Friday April 3, 2026 12:30pm - 12:55pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any
  • Session Slides Yes

12:30pm EDT

Mix-Up Attacks in MCP: Multi-Issuer Confusion and Mitigations - Emily Lauber, Microsoft
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it’s interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.

This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.
Speakers
avatar for Emily Lauber

Emily Lauber

Senior Product Manager, Microsoft
Emily Lauber is a Senior Product Manager at Microsoft focused on identity, authentication, and developer platforms. She works at the intersection of cloud security, browser-based auth, and standards, helping shape how modern apps and agents securely authenticate and access resources... Read More →
MixUpAttackPrevention MCP pdf
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:25pm EDT

Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon
Friday April 3, 2026 2:25pm - 2:50pm EDT
Juilliard Complex (5th Floor)
As MCP adoption grows, a challenge emerges: how do you expose 100’s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and leveraging streamed MCP’s notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring etc) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.
Speakers
avatar for Billy Hickman

Billy Hickman

Sr SDE, Amazon, Prime Video
Sr SDE from Amazon Prime Video. 10+ years experience building highly available, scalable distributed systems.
avatar for Lilia Abaibourova

Lilia Abaibourova

Principal Product Manager, Prime Video, Amazon
Lilia Abaibourova is a product and engineering leader with 15 years of experience building and scaling developer platforms and AI-first tools at Amazon, Peloton, HBO, and Microsoft. At Amazon, she leads AI enablement for Prime Video engineers, delivering agentic assistants for design... Read More →
progressive tool discovery pdf
Friday April 3, 2026 2:25pm - 2:50pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Advanced
  • Session Slides Yes

2:25pm EDT

From Cypher to Conversation: MCP at WestJet - Anton Lysov, WestJet
Friday April 3, 2026 2:25pm - 2:50pm EDT
Astor Ballroom (7th Floor)
At WestJet, our flight schedule is modeled in a Neo4j graph database - airports, routes, aircrafts, seasonal schedules. The data is rich, but accessing it required Cypher expertise most stakeholders don't have.

I built an MCP server to change that. By creating a proxy layer connecting Claude to our Neo4j database, I enabled non-technical colleagues to query complex flight relationships using natural language. No Cypher. No waiting for developers. Just questions and answers.

This talk covers the journey from idea to working pilot: why I chose MCP, how I architected a proxy server wrapping the Neo4j MCP server, and what I learned deploying it internally. I'll give a live demo showing how analysts can explore our flight network conversationally.

This isn't a top-down initiative. It's about individual ownership - recognizing potential in data your team already maintains and using MCP to unlock value for people who couldn't access it before.
Whether you're exploring MCP for enterprise data or graph databases, this talk offers a practical, beginner-friendly blueprint.
Speakers
avatar for Anton Lysov

Anton Lysov

Software Developer, WestJet
Anton Lysov is a Software Developer at WestJet, working on backend systems that power westjet.com, mobile apps, and services used by teams across the organization. Before WestJet, he was one of the first hires at Rafflebox, helping build a platform that raised over $500M CAD for nonprofits... Read More →
slides pdf
Friday April 3, 2026 2:25pm - 2:50pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices
  • Audience Experience Level Beginner
  • Session Slides Yes

2:25pm EDT

The Tool Abstraction Problem: Lessons Learned Building 1000+ MCP Tools - Sam Partee, Arcade.dev
Friday April 3, 2026 2:25pm - 2:50pm EDT
Broadway Ballroom South (6th Floor)
Before MCP, Arcade was building tools for LLM agents. We've shipped over 1,000 tools—first as native Arcade tools with our own protocol and eventually adopting MCP. The main lesson: the hard part isn't writing the code, it's finding the right abstraction.

Most MCP tools today are thin wrappers around APIs. `GET /users/{id}` becomes `get_user(id)`. But this creates a mismatch—LLMs reason about tasks ("find the customer who complained last week"), not endpoints. The question is: where should tools sit on the abstraction spectrum?

**Too low-level:** The agent needs to chain together many calls. Each step is a chance to fail, and the model has to maintain context across all of them. You're asking the LLM to be a programmer at runtime.

**Too high-level:** You end up enumerating every possible task as its own tool. This defeats the point of having a general-purpose agent and your tool schema balloons, eating context and degrading selection accuracy.


In this talk:

- The common pitfalls we see in MCP tool design
- Our design philosophy for optimized tools
- Multiple real-world use cases and the tools that work for them
- Outlook on future tool development
Speakers
avatar for Sam Partee

Sam Partee

CTO and Co-founder, Arcade.dev
Sam is the CTO and co-founder of Arcade.dev. Before starting Arcade, Sam lead the led the applied AI team at Redis responsible for the vector database offering. He is a avid OSS developer and has contributed on projects like Langchain, LlamaIndex, Chapel, DeterminedAI, and others... Read More →
MCP Dev Summit pptx
Friday April 3, 2026 2:25pm - 2:50pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices
  • Audience Experience Level Advanced
  • Session Slides Yes

2:55pm EDT

The MCP Gateway Pattern: Aggregation, Composition, and Beyond - Juan Antonio Osorio, Stacklok
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom South (6th Floor)
Here's a scenario that might sound familiar: you've got ten MCP servers, which means ten client connections, ten auth flows, and ten different places where things can break. One reason teams end up in this mess is that each MCP server solves a real problem - so you add another one, and another, and suddenly you've got MCP sprawl.

Enter the MCP Gateway pattern.

In this talk, we'll walk through an architecture that aggregates multiple MCP backends behind a single unified interface. We'll cover the fun problems this creates - what happens when two backends expose tools with the same name? and show how declarative workflow composition lets you orchestrate multi-step operations across backends without writing custom wrapper code.

We'll demo a gateway unifying several backends and executing a workflow defined entirely in YAML. No magic, just patterns you can apply to your own infrastructure.

With this in mind, you'll leave with practical approaches to taming MCP sprawl while keeping your security policies consistent across the board.
Speakers
avatar for Juan A. Osorio

Juan A. Osorio

Principal Engineer, Stacklok
Juan Antonio "Ozz" Osorio is a Mexican software engineer living in Finland. His background spans security for OpenStack, Kubernetes, and bare metal environments. Currently at Stacklok, he founded the ToolHive project and has been building MCP infrastructure, including supply chain... Read More →
Presentation 10 MCP Servers pdf
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices
  • Audience Experience Level Advanced
  • Session Slides Yes

2:55pm EDT

Interceptors for MCP: A Production-Tested Standard for Agentic Middleware - Kurt Degiorgio & Cannis Chan, Bloomberg
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom North (6th Floor)
MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer.
This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability.
We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.
Speakers
avatar for Kurt Degiorgio

Kurt Degiorgio

Senior Engineer, Bloomberg
Kurt Degiorgio is a Senior Engineer at Bloomberg, working on building platforms for Generative AI. With 14 years of experience, his background includes Monzo, Diffblue and GFI Software (of TeamViewer fame), covering a wide technical spectrum—from developing network drivers to building... Read More →
avatar for Cannis Chan

Cannis Chan

Technical Product Manager, Bloomberg
Cannis Chan is a Technical Product Manager in the Office of the CTO at Bloomberg, building infrastructure platforms for AI products. With 10 years in B2B and Enterprise (AutogenAI, Deutsche Bank, Ondat/Akamai), she specializes in navigating complex products through pre- and post-product... Read More →
MCP Dev Summit Interceptors pdf
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

2:55pm EDT

The Boring Attack That Will Actually Get You - Craig Jellick, Obot AI
Friday April 3, 2026 2:55pm - 3:20pm EDT
Empire Complex (7th Floor)
The MCP security conversation focuses heavily on prompt injection, tool abuse, and session hijacking. These matter. But if you're running a registry of MCP servers, your most likely breach won't be complicated. It will be a compromised server you trusted too quickly.

Supply chain attacks aren't new, and neither are the defenses. But the speed of MCP adoption has outpaced basic hygiene: validation, provenance, versioning, and review processes that mature package ecosystems learned the hard way.

This talk argues that before you harden against novel agent-based attacks, you need to treat your MCP registry like critical infrastructure. We'll cover practical approaches to vetting servers, establishing trust boundaries, detecting drift, and building review workflows that scale.

Prompt injection is a real threat. But the server you added last week without review is a more immediate one.
Speakers
avatar for Craig J

Craig J

VP of Engineering, Obot AI
Craig Jellick is VP of Engineering and co-founder of Obot AI, where they are building an agent platform that helps teams of all technical levels create software, automate work, and ship real tools using AI. Previously, he was a founding engineer and Director of Engineering at Rancher... Read More →
mcp supply chain attacks pdf
Friday April 3, 2026 2:55pm - 3:20pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

3:25pm EDT

From 60 Minutes To 60 Seconds: Production MCP Workflows for Healthcare Billing - Andrew Espira, Kustode
Friday April 3, 2026 3:25pm - 3:50pm EDT
Juilliard Complex (5th Floor)
Healthcare providers lose 30-60 minutes per insurance claim error, with the industry wasting $250B+ annually on administrative overhead. At Kustode, we built a multi-tenant RCM platform processing thousands of daily EDI transactions (837P claims, 835 remittances, 270/271 eligibility). While we automated the EDI pipes, intelligent workflow orchestration—denial management, prior authorization, claim intervention—remained manual until we integrated MCP.
You'll learn:
- Integrating MCP into existing production systems vs. greenfield builds
- Multi-tenant MCP architecture with PHI isolation and compliance
- Orchestrating long-running workflows (45+ day denial cycles) with state management
- Real workflows: automated denial resolution, prior auth orchestration, intelligent claim intervention
- Security patterns for MCP in regulated environments
- Production metrics: time savings, denial reduction, deployment challenges
- When MCP beats traditional API orchestration
This talk shares production lessons from deploying MCP workflows in a HIPAA-compliant healthcare platform
Speakers
avatar for Andrew Espira

Andrew Espira

Founding Engineer, Kustode
Andrew Espira is a Site Reliability Engineer with over seven years of experience in DevOps, Infrastructure, and Site Reliability Engineering. He specializes in optimizing large-scale system environments, cloud infrastructure, and distributed systems. Andrew is passionate about cloud-native... Read More →
MCP Talk Quest pptx
Friday April 3, 2026 3:25pm - 3:50pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Any
  • Session Slides Yes

3:25pm EDT

Beyond the Sandbox: Security at the Host Layer - Lorenzo Verna & Pietro Valfrè, Denied
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.

While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.

We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.
Speakers
avatar for Lorenzo Verna

Lorenzo Verna

Co-founder and CPO, Denied
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy... Read More →
avatar for Pietro Valfrè

Pietro Valfrè

CEO & Co.founder at Denied, Denied
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is... Read More →
denied mcp nyc slides pdf
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

4:20pm EDT

From Chaos To Clarity: How MCP Transforms Incident Response - Sebastian Villanelo & Rocío Bayon, PagerDuty
Friday April 3, 2026 4:20pm - 4:45pm EDT
Astor Ballroom (7th Floor)
Imagine being on-call at 3 AM: alerts fire, you scramble between the incident, monitoring dashboards, Slack, runbooks, and ticketing systems. Each tool switch drains cognitive capacity during your highest-stress moments.

Current reality: On-call engineers navigate 5-10 tools under pressure. Managers manually coordinate team responses. Stakeholders interrupt for updates. Result: burnout, delayed resolution, human error.

MCP-powered future: Natural language handles coordination, knowledge retrieval, and status updates. Responders focus on solving problems, not navigating tools. Managers orchestrate responses conversationally. Stakeholders self-serve information.

Attendees learn production patterns for building MCP servers that reduce human fatigue in critical operations: safety mechanisms for high-stakes automation, balancing AI assistance with human oversight, context preservation across operations, and testing strategies for mission-critical workflows.
Speakers
avatar for Sebastian Villanelo

Sebastian Villanelo

Forward Deployment Engineer, PagerDuty
Develop custom reports that help each customer identify and monitor the metrics most relevant to their operations. Gather technical and functional requirements, working closely with the product team to translate customer needs into concrete improvements.
avatar for Rocío Bayon

Rocío Bayon

Product Manager, Forward Deployed Engineering, PagerDuty
Originally from Argentina and based in Chile, I'm a Product Manager on the Forward Deployed Engineering (FDE) team at PagerDuty. With a background in Mechanical Engineering and Business Analytics, I live at the intersection of technology, data, and real-world customer implementations... Read More →
MCP Dev Summit From Chaos to Clarity pdf
Friday April 3, 2026 4:20pm - 4:45pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

4:20pm EDT

Securing the MCP Ecosystem: Production Patterns for Transparency and Trust - Lisa Tagliaferri & Trevor Dunlap, Chainguard
Friday April 3, 2026 4:20pm - 4:45pm EDT
Empire Complex (7th Floor)
Model Context Protocol servers are increasingly granted access to critical infrastructure from observability systems and databases to code repositories. This access introduces new supply chain security challenges for teams operating MCP servers in real-world environments.

In this talk, we share lessons learned from Chainguard’s experience building MCP infrastructure for production. Starting with mcp-grafana, our first hardened MCP server, we reduced known CVEs to 0 at publish time while shrinking image size by 65%. We developed repeatable security patterns for MCP delivery, including automated rebuilds, attack surface minimization, SBOM generation, and SLSA provenance.

We then applied these same patterns to a different use case: a documentation MCP serving over 1,500 container image guides, enabling secure access through AI assistants. These implementations demonstrate how consistent supply chain controls can support both infrastructure-integrated and content-focused MCP servers.

Attendees will learn practical approaches to threat modeling MCP servers. We’ll also share our challenges and failures, along with open-source workflows the community can adopt across the MCP ecosystem.
Speakers
avatar for Lisa Tagliaferri

Lisa Tagliaferri

Senior Directory, Developer Enablement, Chainguard
Lisa Tagliaferri is Senior Director of Developer Enablement at Chainguard and a maintainer of Sigstore’s documentation. The author of “How To Code in Python” and a Linux Foundation course developer, Lisa focuses on helping developers and maintainers adopt CNCF and OpenSSF tooling... Read More →
avatar for Trevor Dunlap

Trevor Dunlap

Senior Software Engineer, Chainguard
Trevor Dunlap is a senior software engineer at Chainguard. He holds a Ph.D. in Computer Science with a focus on automating the enhancement of vulnerability data. Trevor is an advocate for open source software security and enjoys competing on Kaggle.

securing the mcp ecosystem pptx
Friday April 3, 2026 4:20pm - 4:45pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

4:50pm EDT

Enterprise-Ready MCP: Security Patterns and the "4-Legged" Identity Challenge - Paulina Xu, Agentic Fabriq
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.
Speakers
avatar for Paulina Xu

Paulina Xu

CEO, Agentic Fabriq
Paulina Xu is the CEO of Agentic Fabriq, where she is building a centralized hub for agent identity, OAuth-based authentication, permissioning, and auditability, enabling organizations to safely manage what agents can access and do across tools, applications, and teams. Prior to founding... Read More →
Agentic Fabriq MCP Dev pdf
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

4:50pm EDT

Kubernetes-Native Agent Discovery: A Unified Registry for MCP Servers and Skills - Carlos Santana, AWS
Friday April 3, 2026 4:50pm - 5:15pm EDT
Astor Ballroom (7th Floor)
As AI agents become integral to cloud-native architectures, they need a standardized way to discover capabilities available within Kubernetes clusters. Currently, agents must be pre-configured with MCP server endpoints and skill definitions, creating brittleness in dynamic environments where services scale and evolve continuously.
This talk introduces a Kubernetes-native discovery service: a cluster-scoped registry that exposes both MCP servers and Skills through a unified API. By leveraging Kubernetes primitives like CRDs and proven service discovery patterns, we can make agent capabilities first-class citizens in any cluster.
Attendees will learn how to implement a dynamic registry enabling agents to query available MCP servers by capability, discover registered Skills with their metadata, and handle lifecycle changes gracefully. We'll demonstrate a working implementation showing agents dynamically assembling their toolset based on cluster state.
The registry treats MCP servers and Skills as complementary discovery targets. Whether you're running agents in production or just exploring MCP adoption, this talk provides a blueprint for building discoverable agent infrastructure.
Speakers
avatar for Carlos Santana

Carlos Santana

Sr. Kubernetes Specialist SA, AWS
Senior Specialist Solutions Architect at AWS leading Container solutions in the Worldwide Application Modernization (AppMod). He is experienced in distributed cloud application architecture, emerging technologies, open source, serverless, devops. kubernetes, gitops. He is CNCF Ambassador... Read More →
Kubernetes Native Agent Discovery — MCP Dev Summit 2026 pdf
Friday April 3, 2026 4:50pm - 5:15pm EDT
Astor Ballroom (7th Floor)
  Security and Operations
  • Audience Experience Level Advanced
  • Session Slides Yes

5:20pm EDT

Reflections on Context Engineering Via MCP Servers - Till Döhmen, MotherDuck
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom South (6th Floor)
Effective context engineering via MCP servers requires understanding how host agents weave the server's responses into their context as conversations unfold.

Context flows through more channels than tool definitions alone: initial instructions, the tool set itself (explicit tools vs. generic execution tools), tool names and parameters, descriptions, response content, structure and length, error feedback, "skill-loading" tools, resources, and sub-agent delegation.

Each mechanism involves trade-offs. Eager loading of context risks bloat; lazy loading adds tool calls. Rich tool responses help agents self-correct but consume tokens. Sub-agents compartmentalize complexity, but limited client support for elicitation creates friction.

Getting this balance right means staying conscious of how much context you're injecting, when, and at what cost (e.g. in # of tool calls to achieve a goal)—a balancing act that's hard without a clear picture of what's happening inside the host agent's context window.

This talk aims at providing a framework for thinking about these decisions—grounded in concrete examples from building the MotherDuck MCP Server.
Speakers
avatar for Till Döhmen

Till Döhmen

AI Lead, MotherDuck
Till Döhmen is AI Lead at MotherDuck, where he focuses on building agentic experiences for data analytics. He designed and built the MotherDuck MCP Server, enabling AI agents to query and analyze data through Claude, Cursor, and other MCP clients. Till is also a final-year PhD candidate... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

5:20pm EDT

Context Middleware for MCP: From Enterprise Needs To Protocol Extension - Peder Holdgaard Pedersen, Saxo Bank
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.

Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.

For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.

This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.
Speakers
avatar for Peder Holdgaaard Pedersen

Peder Holdgaaard Pedersen

Principal Developer, Saxo Bank
Peder architects AI systems and spearheads AI adoption at Saxo Bank as Principal Developer. He is a contributor to the C# MCP SDK and an MCP maintainer for the Financial Services Interest Group. He specializes in integrating cutting-edge AI capabilities with bespoke assistants and... Read More →
MCP Context Middleware pptx
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
  Security and Operations
 
  • Filter By Date
    Apr 1 - 3, 2026
  • Filter By Venue
    New York, NY, USA
    All
    Astor Ballroom (7th Floor)
    Broadway Ballroom (6th Floor)
    Broadway Ballroom North (6th Floor)
    Broadway Ballroom South (6th Floor)
    Dear Irving on Hudson
    Empire Complex (7th Floor)
    Juilliard Complex (5th Floor)
    Lucky Strike Times Square
    Marquis Ballroom (9th Floor)
    Marquis Ballroom Foyer (9th Floor)
    Marquis Ballroom Salon A + B (9th Floor)
    Marquis Ballroom Salon C (9th Floor)
    North Registration - Fifth Floor Foyer (5th Floor)
    Soho Room (7th Floor)
    Solutions Showcase, Westside Ballroom (5th Floor)
  • Filter By Type
    Apps and Agents
    All
    MCP Best Practices
    Keynote Sessions
    MCP Best Practices
    All
    Apps and Agents
    Protocol in Depth
    Security and Operations
    All
    MCP Best Practices
    Special Events / Exhibits / Breaks
    Sponsor Booth Interactions
    Workshop
  • Audience Experience Level
    Advanced
    Any
    Beginner
    Intermediate
  • Session Slides
    Yes
  • Timezone

Get help with the event

Contact event planner Event login
View support guides Find upcoming events
Create an event you'd love to attend!
Explore why organizers choose Sched Success stories
Event App Event scheduling Event registration Event ticketing Sched forms Call for papers Badges Conferences
© 2026. SCHED LLC - All rights reserved - Helping events since 2008
Conference Scheduling Software Privacy Terms
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Filtered by Date - 
Clear filter
Wednesday, April 1
Thursday, April 2
Friday, April 3
Astor Ballroom (7th Floor)
Broadway Ballroom (6th Floor)
Broadway Ballroom North (6th Floor)
Broadway Ballroom South (6th Floor)
Dear Irving on Hudson
Empire Complex (7th Floor)
Juilliard Complex (5th Floor)
Lucky Strike Times Square
Marquis Ballroom (9th Floor)
Marquis Ballroom Foyer (9th Floor)
Marquis Ballroom Salon A + B (9th Floor)
Marquis Ballroom Salon C (9th Floor)
North Registration - Fifth Floor Foyer (5th Floor)
Soho Room (7th Floor)
Solutions Showcase, Westside Ballroom (5th Floor)
  • Apps and Agents
  • Keynote Sessions
  • MCP Best Practices
  • Protocol in Depth
  • Security and Operations
  • Special Events / Exhibits / Breaks
  • Sponsor Booth Interactions
  • Workshop
  • Audience Experience Level
  • Advanced
  • Any
  • Beginner
  • Intermediate
  • Session Slides
  • Yes