The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration..
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Sign up or log in to add sessions to your schedule and sync them to your phone or calendar.
Building your first MCP agent is exciting. Building a platform where dozens of teams can safely deploy their own agents is a different beast entirely. This talk will share lessons learned scaling an MCP powered agent platform from a single prototype to a multi-tenant platform supporting diverse agent workloads.
A survivor of at least 1 AI winter, Diamond leads Datadog's AI Skunkworks group. He joined Datadog through the acquisition of Augmend, the DevOps AI assistant startup he co‑founded.
Diamond has over 15 years of AI experience building assistants and developer platforms, from the early days of Microsoft Cortana and Amazon Alexa to open-source work on PyTorch at Meta. Today he focuses on “unhobbling” enterprise agents: durable control flow, strong evaland... Read More →
Building your first MCP agent is exciting. Building a platform where dozens of teams can safely deploy their own agents is a different beast entirely. This talk will share lessons learned scaling an MCP powered agent platform from a single prototype to a multi-tenant platform supporting diverse agent workloads.
Core Maintainer of MCP and Co-founder & CEO, MouseCat
Nicholas Aldridge is a Core Maintainer of MCP and the Co-founder and CEO of MouseCat, which builds AI agents for fraud investigation. He spent 6.5 years as a Principal Engineer at AWS AI, where he helped launch and lead Amazon Bedrock Knowledge Bases, Agents, and AgentCore. He also... Read More →
Over the 2025 holiday break, I built MARVIN, an AI assistant that connects to my email, calendar, Jira, Confluence, and meeting notes through MCP servers. The most surprising lessons came from teaching a non-technical friend in marketing to use it. Within a day, she took a task that typically required 4+ hours and completed it in 30 minutes.
In this talk, I'll share practical insights from building and deploying MCP-powered agents in real workflows:
- Architecture decisions: How I structured MCP servers for Gmail, Google Calendar, Jira, and other integrations, and where I got it wrong - The "junior intern" pattern: Why treating AI agents like trainable assistants drives real usage - The naming problem: Why "MCP" is a terrible name for mainstream adoption and what we should call it instead - Curiosity over mandates: Why top-down AI adoption fails, and what ground-up adoption looks like
I'll walk through 25 minutes of hard-won lessons from building something real, watching people use it, and iterating based on what actually worked.
Sterling Chin is a Founding Developer Advocate, where he focuses on AI-powered API development and the intersection of agents and APIs. At Postman, he lead the team that shipped 7 new products in 2.5 years including Postman's first AI Assistant, and now spends his time helping developers... Read More →
MCP launched a revolution in peoples expectations of what Generative AI could achieve. Since then, MCP has been supplemented by other protocols, techniques and extensions.
At Hugging Face we have 1000s of AI Applications deployed, using MCP for interconnectivity, as well as supporting Remote MCP via Inference Providers.
This experience based session explores how inference, compute and storage workloads are shifting in an agentic world, and how MCP supports us in a rapidly changing environment.
We will: - Contrast how ACP and Open Responses work within our MCP infrastructure and our experience deploying them. - Explore how Skills, and Code Generation fit, the impact future models will have on the landscape - and why things that may seem obvious in hindsight weren't. - Discuss the value of multi-model environments and how subagent patterns are critical for certain tasks. - Report on the trends we see in shifting Agentic and Inference workloads, and MCPs continued role in supporting them - Examine our unique multimodal demands - and what needs we and our community have to support mixed content.
Shaun Smith leads Open Source MCP at Hugging Face, and is an MCP Steering Committee member serving as a Community Moderator and within the Transports Working Group.
As MCP adoption accelerates across platforms, the risks of giving LLMs tool access are growing quickly. This session explores the real threat surface of MCP systems: prompt injection, tool poisoning, unsafe permissions, supply-chain “rug pulls,” cross-tool escalation, and data-exfiltration risks that arise when agents can call arbitrary tools. Building on Microsoft's recent work hardening MCP on Windows, we outline a practical reference architecture for secure deployments: signed and verified tool manifests, unique server identities, scoped capabilities, sandboxed execution, authenticated connections, governance via registries, audit logging, and runtime anomaly detection. Attendees will leave with a blueprint for running MCP in production: what to lock down, how to operate it safely, and how enterprises can integrate MCP into existing security, IAM, and compliance frameworks. This talk equips developers, architects, and security teams to build safer agentic systems and contribute to a more secure MCP ecosystem.
Peter Smulovics is a Distinguished Engineer at Morgan Stanley with 15+ years at the firm and 30+ in the industry. A 2× Microsoft MVP and co-creator of C#, he serves as Vice Chair of FINOS (Linux Foundation) Technical Oversight Committee and leads Open Source Readiness. He focuses... Read More →
Most MCP integrations power chat: an agent responds to a prompt. But MCP can power continuous loops — agents that run on schedule, find issues, and ship fixes without human prompting.
This talk covers how to build MCP servers for autonomous operations. The core pattern: Detect → Analyze → Propose → Execute → Report. Each loop queries MCP resources, processes data, and takes action based on its trust level.
I'll show three examples from e-commerce: (1) a learnings database — optimization patterns exposed as MCP resources that agents query to diagnose codebases; (2) CDN observability — requests, bandwidth, cache rates as queryable resources for finding performance issues; (3) conversion analytics — pageview and conversion data that agents correlate to propose content changes.
The key design question: when can agents act autonomously vs. require human approval? I'll present a trust framework where loops graduate from report-only → PR with review → auto-merge based on accuracy over time.
Takeaways: how to structure domain expertise as MCP resources, architecture for connecting observability to agents, and patterns for safe autonomous execution.
Co-founder & CEO of decocms.com, an open-source framework for building and deploying MCP-based Internal AI Platforms. Previously spent 9 years at VTEX through its NYSE IPO, where he led the first version of the Store Framework and VTEX IO Developer Platform. Based in Rio de Janeiro... Read More →
The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:
The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.
Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.
Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.
Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.
Aaron Parecki is Director of Identity Standards at Okta, and active in multiple standards development organizations including IETF, OpenID Foundation, W3C, and MCP. He is an editor of OAuth 2.1 along with several other OAuth specifications, and has been influential in shaping how... Read More →
MCP servers often begin as simple side projects. You build a quick integration, get a basic connection working, and show a demo. But as users begin to rely on your tool, the stakes change. In this talk, we share the lessons learned from taking multiple of MCP servers from initial Proofs of Concept to robust production standards, supporting tens of thousands of developers across open-source and enterprise environments. These are the real-world realities of treating your MCP server as a shipping product.
Roy Derks is a lifelong software developer, author and public speaker from the Netherlands. Currently chasing his dreams in Silicon Valley, California. Roy's mission is to make the world a better place through technology by inspiring developers all over the world, more specifically... Read More →
Sr. Product Manager, Gen AI, HashiCorp, an IBM company
Gautam is a passionate technologist who thrives on solving DevOps puzzles and building meaningful solutions. He's all about automating stuff, streamlining workflows, and building scalable systems. Through his talks, Gautam shares practical insights and inspires others to dive into... Read More →
Creative assembly tasks - where agents compose pieces into coherent wholes - present unique challenges: tracking progress across turns, validating outputs, and recovering when something doesn't fit. This talk shares patterns for multi-turn workflows, illustrated through avatar generation where an agent assembles clothing into cohesive outfits. Pattern 1: Session Memory - Track selections, failed searches, and partial progress across turns. Know what's in the cart before suggesting more. Pattern 2: Composite Tools - Combine operations (search + fetch thumbnails) into single tools that reduce round-trips and give agents richer context. Pattern 3: Pre-flight Validation - Check compatibility before expensive operations. Catch conflicts early (clashing items, missing pieces) rather than failing at generation. Pattern 4: Validate-and-Retry Loops - Use VLM scoring on outputs, track best-of-N attempts, and guide agents toward improvements when quality falls short. Avatar generation makes these patterns concrete - "getting dressed" is intuitive - but they apply broadly to document assembly, configuration builders, and any workflow composing parts into wholes.
Rohan Gangaraju is a Senior Machine Learning Engineer on the Economy ML team at Roblox, where he works on building recommendation systems for virtual economy and avatar marketplace. He holds a CS degree from UMass Amherst.
Jason Ding is a Software Engineer at Roblox, where he drives Avatar Generation efforts focused on ML powered avatar creation. He holds degrees in Electrical Engineering and Computer Science (EECS) and Business from UC Berkeley through the M.E.T. program.
MCP is becoming stateless in one of the largest changes to the protocol since its launch.
This change simplifies the deployment of robust servers, making MCP ready for the next wave of scaled usage driven by agents and use cases like MCP Apps.
This session led by members of the Transports Working Group: - Explores the upcoming changes - and sharing real data from Google and Hugging Face on the motivation behind them. - Details the latest approaches on handling serverless Elicitation, Sampling and Sessions. - Introduces the application and infrastructure patterns that can take advantage of the stateless protocol.
We'll also update on the latest roadmap status and expected migration timelines and approach
Shaun Smith leads Open Source MCP at Hugging Face, and is an MCP Steering Committee member serving as a Community Moderator and within the Transports Working Group.
Kurtis Van Gent is a MCP Core Maintainer and leads the MCP Transports Working Group. By day, he leads AI Ecosystems + Integrations for Google Cloud Databases and helped create MCP Toolbox for Databases.
To implement "Zero Trust", authorization must be enforced consistently across every layer: inside the agent, in the cloud (like MCP gateways and services), and down to the database. Each layer needs its own dynamic authorization decision engine, yet those decisions must remain aligned and explainable.
As AI agents become first-class actors in enterprise systems, traditional security models start to strain. This session examines how agentic workflows challenge today’s delegation mechanisms, especially when agents act autonomously, chain operations, or cross trust boundaries. We’ll explore where OAuth works well and where it falls short.
The session argues for centralized policy management using Cedar, decoupled from application code to prevent policy drift. It will introduce emerging governance models like GovOps, which treat policies, schemas, and authorization logic as managed assets with lifecycle controls and automated compliance. Attendees will leave with a practical ideas for secure agent delegation and governing agentic systems at scale.
The discussion frame is two narratives: a 15th century myth and a 2025 Apple TV mini-series based Martha Wells' books.
Mike is the founder of cybersecurity software vendor Gluu, BD of the Linux Foundation Janssen Project, and twice a week hosts the livestream Identerati Office Hours. He is also author of "Securing the Perimeter" (Apress 2018) about open source digital identity. His podcast "Open Source... Read More →
MCP Apps open a new world of possibilities for interactions in AI chats. While SEP-1865 defines how they work, this talk is about how to build them well.
We'll share the patterns emerging from real MCP Apps development: understanding the data flow between servers, apps, and models — including the interplay of tool inputs and results (streamed or complete), when to use structuredContent versus _meta, how model context updates propagate, how to create tools visible to your app only, etc.
Beyond the protocol mechanics, we'll cover practical concerns: building apps that work across hosts, handling authenticated data at scale, managing state persistence, and keeping heavy visualizations performant. We'll also walk through the common pitfalls — the silent failures and subtle bugs that waste hours — and the debugging workflows and tools that surface them.
You'll leave with tricks and patterns you can apply immediately and a mental model for reasoning about MCP Apps architecture.
Co-author of the MCP Apps extension, Olivier joined the MCP team at Anthropic in 2025, after working at Google (mostly AdSense) for 13 years. In recent years, he contributed to OSS projects such as OpenSCAD & llama.cpp, and is particularly excited by tool calling as the next interoperability... Read More →
Remember when the mobile app stores launched? The first wave of apps were glorified websites, until someone made you tilt your phone to "drink" a virtual beer. That novelty unlocked the iPhone's true potential: apps that felt native to the device. Today, we're at a similar inflection point with ChatGPT Apps and MCP integrations.
After building dozens of AI-powered applications, we’ve identified some interaction patterns that truly shine and those that fall flat.
This talk explores what makes ChatGPT (& MCP) apps fundamentally different from traditional software.
We'll examine novel use cases like adaptive gaming where models seamlessly adopt complex roles, analytics tools that merge interactive visualizations with conversational insights, and SaaS integrations that surface the right features at the right time.
You’ll learn how to design for this new paradigm: what to expose, how users move through AI-native workflows, and what doesn’t work. Your product now lives inside the highest-distribution AI platform. The real question isn’t whether to build for it, but how to make apps that feel truly revolutionary.
Co-founder of Alpic, seasoned infrastructure builders with deep experience in distributed systems, serverless architecture, and developer platforms. Previously, built Streamroot, a video delivery startup acquired by a major US telco, and now focused on making agent-native apps easy... Read More →
As the MCP specification evolves, so do the subtle behavioral differences between implementations that undermine the protocol's core promise: compatibility without coordination. How do you ensure a client built with the Python SDK behaves identically to one built with TypeScript, C#, or Go?
This talk introduces MCP's conformance testing infrastructure. Real SDK implementations run against scenarios that analyze their behavior and assess conformance. Each scenario exercises a specific protocol interaction from OAuth flows and Client ID Metadata Documents to resource metadata discovery, verifying that every SDK handles it correctly.
I'll cover how we built this, what we found when we ran it across SDKs, and how it's changed the way we develop and ship spec changes. You'll learn how conformance testing prevents entire categories of bugs, accelerates code generation of new implementations, increases security guarantees by simulating attacks, and enables evidence-based SDK tiering. I'll also cover how you can get involved: writing new scenarios, running tests against implementations, and helping close the gap between spec and reality.
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy... Read More →
The Model Context Protocol (MCP) has standardized how we connect models to data, but the security layer remains a work in progress. Currently, MCP implements authorization via standard OAuth scopes.
While this works for handling coarse-grained tool access, it presents challenges for finer grained permissions.
To solve this, we must move toward intent-based authorization—a model where agents are authorized to perform actions based on the specific context of a task, rather than a pre-approved list of capabilities.
This presentation will dissect the consequences of the current OAuth model on agent design and present ideas of how to address them. We will discuss how to implement dynamic authorization that allows agents to be helpful without being intrusive, ensuring that security scales alongside intelligence.
MCPs unlock agent data access, but that's only the first step towards building agents that can work autonomously. How do we build a complete system where multiple agents work together, maintain state across sessions, and the whole thing runs reliably every day.
I use agents that work with 10+ connections daily for both personal and work use cases: health MCPs/APIs (Strava, Apple Health), productivity tools (Calendar, Linear), business systems (Attio CRM, email), and developer tools (GitHub). This talk shares effective architectural patterns that emerged from actually using this system.
We'll cover MCP composition (Virtual MCPs) and how to orchestrate multiple agents with memory. We show how state management using Git as agent memory is effective, as it provides versioning and rollback. We treat CLAUDE.md files as behavioral memory in the same system. Finally, we cover security concerns and best practices to manage agents that have access to sensitive and/or untrusted data.
Jiquan Ngiam was a senior staff researcher at Google Brain and founding team member at Coursera, where he helped build Andrew Ng's online machine learning course from the ground up. He co-authored pioneering work in multimodal deep learning at Stanford. Currently co-founder and... Read More →
The AI agent ecosystem is fragmenting into competing paradigms, each promising to be the future of how AI systems interact with the world. Skills are simple markdown local workflows using scripts, MCP provides structured tool access across platforms, and Code Mode solves Context bloat problems by executing MCP Tools as code. Most people think these are competing paradigms. They are not.
This talk cuts through the hype and developer frustration to examine what these approaches actually enable, how they overlap, and how do they complete each other.
**Key Learnings**
- Clear mental model explaining the concepts behind Skills, MCP, and Code Mode: what each actually does vs. marketing claims - How these paradigms complement rather than compete: practical patterns for combining them (Skills in MCP Servers!) - Decision framework: when to reach for each approach based on your use case, and a map of in which MCP Client each concept is already implemented - Where the ecosystem is heading and how to future-proof your architectural choices
Nikolay Rodionov is a cofounder and COO at Alpic, an AI infrastructure startup for MCP, and creator of Skybridge, an open-source framework to build MCP Apps. He previously founded Streamroot, a P2P video delivery technology that powered multiple Super Bowl streaming events before... Read More →
AI agents are rapidly becoming the primary consumers of technical documentation. At Apollo GraphQL, our traffic data shows agents on pace to become our #1 traffic source, prompting a shift in how we write, structure, and serve docs. We now have two distinct audiences that read differently: AI needs patterns, not paragraphs. Connecting sentences that help humans are now wasted tokens.
As the sole documentation engineer at Apollo, I’ve spent the past year building MCP tooling for our docs. This talk covers what worked, what failed, how we tested, and what surprised us.
I’ll walk through the evolution from serving AI full pages to chunked retrieval strategies that balance completeness with token usage. You’ll see how we used AI tooling to restructure docs for AI readability and exposed them as MCP tools agents are compelled to use.
To measure progress, we built an evaluation suite: a sandboxed runner that executes end-user prompts against our MCP server, builds an application, seals the output, then passes it to a second model for scoring against a reference solution and rubric. I’ll demo this live and share how it produced stable metrics in a non-deterministic AI world.
Daniel Abdelsamed is a Staff Software Engineer at Apollo, where he has spent the last four years architecting and scaling the company’s documentation platforms. With nearly a decade of experience in TypeScript and application design, he focuses on building durable, developer-friendly... Read More →
In November 2025 the Model Context Protocol introduced Tasks, which deliver first-class async semantics, something that is both excellent, and hard. Tasks define long-running operations with explicit client/server coordination, TTLs, and lifecycle states. They require durable state beyond ephemeral connections and require developers address distributed-systems concerns like stable task identity, rediscovery via tasks/list, mismatched sync/async expectations, and failures across retries and restarts.
This talk digs into all of those concerns through real implementations. We’ll examine what the spec requires, and what it intentionally leaves open (i.e. how durability is achieved), as well as what happens when clients or servers restart mid-task. We’ll talk about how to do idempotency right, and how those choices shape polling, backpressure, and error handling. We’ll also cover how to best do human-in-the-loop when the Task has input_required, all while avoiding any tight coupling between the client and server.
You’ll come away with concrete practices for building robust async MCP clients and servers, and a clearer mental model of the distributed systems issues the spec encodes.
Cornelia has spent a career at the forefront of technological innovation, starting with image processing algorithm development, moving to web-centric computing in the late 1990s, and then more than a decade working in cloud-native software and DevOps platforms. As a Developer Advocate... Read More →
Tool sprawl is a common failure mode for enterprise agents: the more tools an agent can reach, the less predictable it becomes—driving hallucinations, higher token costs, and larger security blast radius. Scaling agents safely requires specialization enforced by capability boundaries, not just better prompts.
This talk explores MCP best practices through a managed implementation where MCP servers are declared as explicit collections of tools and treated as governed objects. Specialization comes from two independent boundaries: (1) the MCP server definition limits the tool surface an agent can even access, and (2) RBAC still applies inside that server—so a user can only invoke tools they’re authorized to use, even if they can access the server that contains them.
Together, these boundaries reduce sprawl while improving operability: agents become easier to reason about, costs drop because fewer tools are in play, and least privilege is enforced with practical, role-aligned granularity.
Josh is a developer advocate for Snowflake, previously at TruEra (recently acquired by Snowflake). He is also a maintainer of open-source TruLens, a library to systematically track and evaluate LLM based applications.
Josh has delivered tech talks and workshops to thousands of developers at events including PyData, Global AI Conference, NYC Dev Day, LLMs and the Generative AI Revolution, AI developer meetups including AI Camp and Unstructured SF Meetup... Read More →
MCP adoption is growing, but most agent integrations still treat tools as a prompt-time API, burning context tokens on tool definitions, re-copying intermediate results, and losing accuracy along the way. This improper use also leads to unfair criticism of MCP itself.
To address this problem, Cloudflare proposed MCP “code mode”: instead of prompt-time JSON tool calls, the model generates small programs that call tools via an API and run in a sandbox. This dramatically reduces overhead while improving accuracy in chained tool use. An alternative approach recently implemented by Cursor and Anthropic uses dynamic tool discovery to load only the relevant tools into context.
In this talk, we’ll introduce 𝚖𝚌𝚙𝚌 (https://github.com/apify/mcpc), a new open-source universal CLI client for MCP that brings both code mode and dynamic tool discovery to where they shine: the terminal. With persistent sessions, JSON output for scripting, and an MCP proxy for sandboxing, mcpc is an invaluable tool for AI engineers. We’ll live-demo a practical workflow that invokes multiple MCP servers in parallel, filters and transforms results locally, and then turns the interaction into reusable scripts.
Jan Curn is the founder and CEO of Apify (https://apify.com), the world's largest marketplace of web data extraction and automation tools, powering (not only) AI agents with up-to-date data. He has a lifelong passion for software engineering, which earned him an MSc and a PhD in computer... Read More →
You can write a perfect MCP server (clean code, typed schemas, 100% code coverage), yet agent interactions still fail. This is the probabilistic gap: your server is deterministic, but its user (the agent) is stochastic.
Standard “Agent Evals” are often the wrong tool to fix this. They judge the final outcome (was the answer good?), not the process. They struggle to provide useful insights into how the agent understands and uses your MCP server, instead focusing on providing insights into the agent itself.
In this session, we introduce mcpchecker, an open source framework for MCP server evaluations. We will show how to build integration tests specifically for the agent-MCP server interface, allowing you to isolate and debug these interactions.
Stop guessing why agents fail. Learn to test your server’s semantic interface and prove that agents can actually understand it.
I am a Software Engineer at Red Hat, where I work on Applied AI projects with a focus on MCP and Agents. I also work on Serverless with the Knative community.
I am a CNCF ambassador, where I present about new and exciting technologies in the AI/Serverless as well as mentor new contributors... Read More →
WESLEY CHUN, MSCS, is a Google Developer Expert (GDE) in Google Cloud (GCP) & Google Workspace (GWS), author of Prentice Hall's bestselling "Core Python" series (corepython.com), co-author of "Python Web Development with Django", and has written for Linux Journal & CNET. He's currently... Read More →
So you found an MCP server on npm that does exactly what you need. You run npx and... now what? One reason people skip security verification for MCP servers is that it's genuinely hard to know what you're actually running. The package works, so why question it?
Here's the thing: MCP servers are getting access to your files, your APIs, your credentials. We should probably know what's in them before we hand over the keys.
In this talk, we'll dig into using OCI containers as the packaging standard for MCP servers - not because containers are trendy, but because they unlock supply chain security constructs that npm and PyPI simply don't have. We'll walk through building repackaging pipelines that verify source packages, run MCP-specific security scans, and produce attestations with Sigstore. Real pipelines, real commands, real output.
Note that this won't solve every trust problem - but it gets us a lot closer to "I know what I'm running" than the current state of affairs.
Juan Antonio "Ozz" Osorio is a Mexican software engineer living in Finland. His background spans security for OpenStack, Kubernetes, and bare metal environments. Currently at Stacklok, he founded the ToolHive project and has been building MCP infrastructure, including supply chain... Read More →
Since its inception, we've talked about MCP from the perspective of Clients and Servers. This session focuses on an interesting paradigm taking advantage of the intentional asymmetry of the MCP spec - what if a Client was also a Server? What happens when we break out of a singular client-server pair and into multiple? What can this idea tell us about the future of MCP?
This session will cover the concept of an "MCP Agent" - a Client that is also a Server. We'll construct a system design for this MCP Agent to other servers and MCP agents and touch on several key considerations including auth and scalability.
Participants are expected to have an introductory knowledge of MCP, the mechanics of how Clients and Servers interact with each other, and a general interest in agent-to-agent communication!
Rohit is an AI Product Manager at Descope, where he leads the MCP Auth and Agentic Identity efforts. Previously, he worked in Microsoft's Developer Division across products like the Azure SDKs and VS Code before launching the Azure MCP Server.
Shadow IT is back - but this time it's AI-powered. Employees are configuring MCP servers directly in Cursor, Claude Desktop, and VS Code, creating a blind spot that traditional security tools miss. These shadow MCPs operate outside centralized control, enabling data exfiltration, supply chain attacks, and compliance violations.
This talk exposes the shadow MCP problem and presents a comprehensive detection and response framework:
- Why shadow MCPs are uniquely dangerous (AI amplifies access, automates actions, no audit trail) - Discovery techniques: IDE config scanning, MDM integration, network detection patterns - Classification: distinguishing managed vs shadow servers across device fleets - Response playbooks: triage, investigation, remediation by risk level
I'll share real vulnerability examples from official MCPs (GitHub, Asana, Supabase, Postmark) and demonstrate automated detection through IDE hooks (Cursor, Claude Code) and MDM platforms (SimpleMDM, Jamf).
Attendees will leave with practical techniques for gaining visibility into shadow MCP usage and a framework for bringing unauthorized integrations under organizational control.
Aidan is a founding product engineer at Runlayer. Previously he's worked at Glean on scalable connector and crawler infrastructure and at YouTube on recommendations serving infrastructure... Read More →
Alexander Frazer is a Founding Security Engineer at Runlayer, specializing in generative AI and cybersecurity. With 15+ years of experience, he focuses on AI security challenges and MCP implementations. Previously he has led creation and evaluation of AI-driven security triage systems... Read More →
Developing MCP servers against the APIs you depend on can feel risky, especially when those servers interact with real-world data in production services. When integrating AI into the enterprise, you're often better off starting in a sandbox, but not all 3rd-party APIs offer sandboxes, let alone MCP-compatible ones. No problem: OpenAPI, Microcks, and Bruno are here to help.
At Naftiko, we've been delivering HTTP and MCP sandboxes for common 3rd-party APIs like GitHub, Jira, Notion, and Figma. Our approach uses OpenAPI specifications published to GitHub, open-source Microcks to deliver mock REST APIs and MCP servers, and Bruno as an HTTP client to explore the sandbox. We'll share how we design OpenAPI specs with use-case-driven, business-aligned examples that can be easily forked and mocked on-premise using Microcks, providing a safer development approach for anyone building with MCP and integrating it into LLMs, copilots, and agentic automation.
Join us for a hands-on, practical journey through how OpenAPI, Microcks, GitHub, and Bruno can help you reduce the risk of AI integration with 3rd-party, and internal APIs.
Here's the thing about being a security company: you can't ship a vulnerable MCP server. For us, getting pwned isn’t just embarrassing - it gets us on the front page of Hacker News. Our customers trust us to protect them from nation-state attackers, well-funded adversaries (and the odd teenager attacking for lolz.)
At the same time, the MCP ecosystem is still maturing. Hardening standards for sophisticated attackers don't exist yet. And with high-profile supply chain attacks now targeting agents, attackers are actively exploiting the trust developers place in their toolchains. Last year, a flaw in mcp-remote turned into a remote code execution nightmare, exposing over 400,000 developers. That's the reality we're building in.
When it came to our MCP server, we built it using the same rigor we use to protect the world's largest companies. This talk covers the threat model we designed against, gaps in MCP's current design that required workarounds, and ultimately how we built an MCP server trusted by enterprise customers, and hardened against even the most novel attacks. If we can secure it here, you can secure it anywhere.
I build security products. I'm a Senior Product Manager at Semgrep, a high-growth cybersecurity startup. I lead the teams responsible for Semgrep Code (SAST) and Secrets detection products.
I recently graduated from Harvard University with degrees in Computer Science and Physics. In my free time, you can find me geeking about the latest in security / developer tooling, running in San Francisco's Golden Gate Park, or enjoying local theater... Read More →
Katrina is a software engineer at Semgrep. She is on the Semgrep Analysis Foundations Team, the team that owns and maintains the core static analysis functionality of the Semgrep tool. She is currently working on Semgrep's MCP server.
Everyone in this room is building MCP integrations. Almost nobody knows how well they're delivering value. Outcomes are inherently non-deterministic: the same user request can produce completely different results depending on how the agent interprets user intent. Building an effective MCP server isn't just about handling tool calls, it's about spinning a data flywheel where every interaction teaches you what's working, what's failing, and what your users actually need.
The teams that figure this out compound user value over time. MCP has an XY problem. Almost everyone at this summit is focused on the Y. Let's talk about the X.
Prathmesh Patel is leading MCPJam: an open-source developer platform helping thousands test, evaluate, and ship their MCP apps and servers. He's a former Technical Lead at Asana who owned Asana's MCP server, REST API, and OAuth AS. He also led Asana's prototyping and development of... Read More →
The Model Context Protocol (MCP) is rapidly emerging as a foundational standard for building agentic AI systems that interact with tools, data sources, and services in a consistent and interoperable way. However, adopting MCP effectively requires more than basic integration—it demands thoughtful design choices around security, scalability, observability, and reliability.
This session presents practical best practices for implementing MCP in real-world agentic AI applications. It covers how to structure MCP servers and tools, manage context boundaries, handle permissions and sensitive data, and design resilient agent workflows. The talk also explores patterns for prompt engineering, tool invocation, state management, and error handling when using MCP in cloud-native environments.
Attendees will leave with concrete guidance on how to use MCP to move from experimental agents to production-ready systems that are secure, maintainable, and scalable.
As AI agents become more capable, their biggest limitation is no longer reasoning — it’s context. Without access to procedural knowledge and domain-specific understanding, agents struggle to perform real work reliably. In this talk, we’ll explore how Skills address this gap by giving agents on-demand access to company-, team-, and user-specific context.
We’ll look at how Skills can be combined with MCP servers to build safer, more reliable agents, and walk through a real-world example of managing a Postgres database. Using evals, we’ll compare agent performance with and without Postgres-specific Skills, showing how MCP enables secure database access while dramatically improving outcomes.
I’m an AI Tooling Engineer at Supabase, part of the team maintaining all AI initiatives including our MCP server, AI assistant, and Skills. I’ve been involved with the MCP protocol since its early days, contributing to its SDKs and projects like Skybridge. I’ve spoken at MCP... Read More →
What if your workflow engine wasn't just a consumer of MCP servers, but was itself built entirely on the MCP protocol? This talk explores a novel architecture that uses MCP's newest primitives to create a production-ready workflow orchestration system. We'll demonstrate how MCP's task framework provides natural workflow step management, while sampling enables intelligent decision-making at each stage. You'll see how dynamic tool definition works at both workflow and step levels, allowing workflows to adapt their capabilities on the fly. We'll also cover practical challenges like handling OAuth authentication flows mid-execution and coordinating multiple MCP servers within a single workflow. Through a real-world case study you'll see how MCP's composability transforms workflow design. Rather than building yet another workflow engine that happens to use MCP tools, we'll show how treating MCP as the foundation protocol unlocks new patterns for distributed, intelligent automation. Attendees will leave with a deeper understanding of the MCP specification and how the capabilities can be composed to create production-ready workflow applications.
Donnie Adams is a Software Architect at Obot AI, where he builds enterprise MCP infrastructure including the Obot MCP Gateway and agent orchestration systems. His work focuses on MCP gateway architecture, OAuth integration, and distributed AI systems. He specializes in building production-grade... Read More →
Model Context Protocol (MCP) enables standardized AI agents, but real adoption depends on how MCP servers operate in production—not just how the protocol is defined.
This session provides a high-level, practitioner perspective on running MCP in enterprise environments. It covers how MCP servers fit into existing platforms, with a focus on observability, security, distributed tracking of agent behavior, and resiliency. Rather than diving deep into implementation details, the talk shares lessons learned from real deployments and common pitfalls teams face when moving MCP from experimentation to production.
AVP IT Architecture (Head of Enterprise Reusable Services & Tech Standards)), GM Financial
Amar Deep Singh is a distinguished software architect and author with extensive experience in microservices and cloud computing. He is the author of "Building and Delivering Microservices on AWS," a comprehensive guide that explores software architecture patterns and the deployment... Read More →
Neelabh Tripathi is a seasoned IT professional with over 18 years of expertise in cloud computing, enterprise architecture, and microservices. He has worked with some of the world’s leading organizations, where he played pivotal roles in driving digital transformation and innov... Read More →
As MCP adoption grows, power users are connecting multiple servers for various workloads. This creates a challenge: in naive implementations, preloading all tool and resource definitions into the context window can add 50k+ tokens before the agent even starts working. Evaluating our agentic coding users at Warp, we found that ~90% of tasks don't use the MCP context available, and those that do only use few tools.
This led us to question whether MCP context needs to be statically front-loaded. So, we built a model-agnostic MCP search subagent that reduces token usage by 26% for MCP-using tasks and 10% when MCP context is available but unused. All in a model-agnostic implementation.
Attendees will leave with: • A concrete architecture for dynamic MCP tool/resource discovery • Evaluation strategies for ensuring search doesn't degrade agent quality • A look into our model-agnostic implementation to adopt in any agentic coding harness
Kevin is one of Warp's earliest engineers, scaling Warp's AI features from prototype to over a hundred thousand daily users. He currently serves as a Tech Lead for Warp's Code product.
The next wave of MCP servers face the same challenge: discoverability. If an LLM doesn't know when to invoke your tool, it doesn't exist. This will compound - ChatGPT has ~80 apps today, but as more LLMs launch app stores and MCP adoption accelerates, there will be millions.
Drawing from research optimizing ChatGPT apps since launch, this talk reveals metadata patterns that determine whether AI systems surface your tools - principles that apply directly to MCP server development.
What I'll cover: - Two-channel discovery: How static search (registries i.e. ChatGPT's App Store) and dynamic invocation (LLM tool selection) require different optimization strategies.
- How LLMs read metadata: How tool names, descriptions, and parameters shape invocation decisions.
- The golden prompt set: Testing methodology using direct, indirect, and negative prompts to measure recall and precision.
- What converts: Fixed templates, workflow handoffs, context preservation vs anti-patterns that fail.
- Measuring success: Citation tracking, false positive monitoring, and iteration loops that compound discoverability gains.
Vincent McLeese is the Product and Tech Lead at Ghost Team, an MCP Apps agency. He leads the development of appsdiscoverability.com, a platform devloper by Ghost Team to help mcp apps become more discoverable. A multiple founder with a background in tech strategy from Accenture, Vinc... Read More →
The Nov 2025 release of MCP introduced a new client capability: URL Elicitation. This capability is game-changing for MCP servers that interact with external systems. But don't just take our word for it... Hear it straight from the author of the spec!
In this talk, Nate (lead author of URL Elicitation) will break down the "what" and "why" of this new addition to the protocol. You'll learn about: - Why it's a mistake to reuse or "pass through" OAuth tokens from one server to another - The confused deputy problem and other common pitfalls to watch out for - How URL Elicitation unlocks a secure way for MCP servers to call external services that use OAuth or API keys, require payments, or gather sensitive information - The correct security patterns for any remote MCP server project today
No need to be a security expert to attend! Nate will break down the problems and solutions in clear, relatable language, and provide crucial guidance for anyone building MCP servers in 2026 and beyond.
Nate Barbettini is a leading voice in security and AI. At Arcade.dev, he's building the MCP runtime that helps enterprises deploy multi-user AI agents that take actions across any system. As an active MCP contributor, Nate is focused on security-critical work, authoring URL Elicitation... Read More →
As MCP adoption grows, teams are facing a new set of challenges: session management across fleets, policy enforcement for agents and users, and operating MCP traffic at scale.
We’ll explore how proxies currently handle stateful MCP sessions, how stateless designs dramatically simplify scaling and operations, and how proxies like Envoy can enforce authorization, tool safety, and policy without becoming bottlenecks. The discussion will also look ahead to emerging MCP proposals, including stateless transports, async tasks, and server discovery, and why alignment between protocol evolution and proxy implementations matters for the ecosystem.
Attendees will leave with concrete architectural insights, practical lessons learned, and a clearer picture of where MCP traffic handling is headed and how to build for it now.
Boteng is a Senior Envoy Maintainer and Software Engineer at Google, working on Envoy for various products with an emphasis on data plane, reliability, and security.
Erica Hughberg is a technical leader, software engineer, and community advocate passionate about helping engineering teams develop scalable, secure, and user-focused application platforms. As a maintainer of Envoy AI Gateway, she concentrates on features that enable organizations... Read More →
Natural language is becoming a universal interface. Connecting that interface to enterprise systems requires more than protocols. It requires active, thoughtful, and sustained work.
This talk shares Nordstrom's journey enabling MCP and AI agents across the organization: building secure MCP server standards, navigating OAuth and token management for agent workflows, and creating governance frameworks that let teams experiment while ensuring supportability. We'll cover practical challenges and solutions that make the C in MCP reliable, accurate and secure: knowledge feedback loops, layered access management, and evaluation techniques that make "one-to-many" enablement possible.
Beyond the technical, we'll also touch on the human systems work: coordinating across teams when AI initiatives emerge organically, building documentation that drives the right patterns from the start, and patiently creating the organizational foundations that let others follow and build on what you've started.
Ola Hungerford is a Principal Engineer at Nordstrom and a maintainer and community moderator for the Model Context Protocol. She leads AI enablement initiatives while contributing to MCP's specification, developer tooling, documentation, and community governance. Ola comes from a... Read More →
I work on the AI Enablement team at Nordstrom, focusing on platform engineering for MCP and AI agents. My past background in security grounds my decision-making, allowing me to balance safe architecture with a passion for AI productivity. I build infrastructure that empowers internal... Read More →
Major AI players (Cloudflare, Anthropic, Docker) advocate "Code Mode" - having LLMs generate wrapper MCP servers to orchestrate tools, drastically reducing context usage. However, executing LLM-generated code introduces security risks and compliance challenges.
mcpGraph provides Code Mode benefits without code execution risks. It's a YAML-based DSL for declarative MCP tool orchestration using directed graphs. Tools are defined as graphs with MCP nodes, JSONata transforms, and JSON Logic conditionals, all inspectable and auditable, and exposed to agents as MCP tools themselves.
We'll cover and demo three MCP servers: mcpGraph (the core engine), mcpGraphToolkit (agent development tools for building/testing/deploying graphs, with associated agent skills), and mcpGraphUX (visual inspection and debugging).
This approach delivers Code Mode efficiency while maintaining security, observability, and compliance—no arbitrary code execution required.
mcpGraph is open source and available at: https://github.com/TeamSparkAI/mcpGraph
The presentation will be largely based on this document (and referenced videos): https://github.com/TeamSparkAI/mcpGraph/blob/main/docs/no-code-code-mode.md
Serial founder, CTO at scale, and always a hands-on builder. Creator of MCP Tool Vault and the open source projects tsAgent and mcpGraph. Maintainer of MCP Registry and MCP Inspector. Background in security, including as CTO of OneLogin and Censys.
The AI hype cycle promised full automation. Reality delivered hallucinations and agents that guess when they should ask. The MCP spec offers a different vision—humans in control through rich, interactive collaboration rather than micromanaging every step.
This talk explores how recent MCP primitives transform the protocol from text-in-text-out tool-calling into interactive human-agent workflows. We'll cover elicitations that let servers ask clarifying questions with structured forms, async tasks that pause for human decisions and resume seamlessly, and MCP Apps that render interactive UIs—charts, dashboards, confirmations—in sandboxed iframes. Each makes feedback loops faster and agent interactions richer.
Using VS Code's implementation as reference, we'll demonstrate patterns for adaptive autonomy, progressive input gathering, and bidirectional workflows where servers drive the conversation. You'll leave with concrete patterns for building MCP integrations that treat collaboration as a feature, not a fallback.
Harald Kirschner is a Principal Product Manager at Microsoft, building AI coding experiences in VS Code and GitHub Copilot for 40+ million developers. Before Microsoft, he led Firefox DevTools at Mozilla and helped ship Firefox Quantum. His engineering roots (MooTools, early web... Read More →
Goose serves as a real-world proving ground for new MCP capabilities before they're widely adopted. In this talk, you'll learn how to use advanced and early versions of MCP features that go beyond basic tool calling—with practical examples from production.
You'll see:
* Code mode MCP: handling massive tool catalogs without overwhelming context windows * MCP Apps: rich user experiences for MCP servers that go beyond chat * How ACP (Agent Client Protocol) can complement and interoperate with an MCP-aware agent, and how we use it in goose
The audience will learn from our experience building goose how they can use and contribute to emerging MCP features.
Alex is a core maintainer of goose, and maintainer of the Rust SDK for the Model Context Protocol. Alongside teammates at Block he built and contributed goose as a founding project of the Agentic AI Foundation. He lives in Connecticut in the US with his wonderful family.
With the recent specification update, MCP moved away from using DCR as the default in favor of Client ID Metadata Documents (CIMD). It's a new approach to client registration already adopted by such projects like Bluesky, and now making its way to the MCP ecosystem. CIMD is significantly easier to use than DCR while providing the same security guarantees and a much more flexible approach to client governance. In this session, you will learn about the transition from DCR to CIMD, how you should design your MCP servers (and MCP clients) around this new requirement, and what the future holds for broader CIMD adoption.
Den is an avid reverse engineer, passionate about APIs, protocols, and security. He leads MCP technical programs at Anthropic and prior to that built authentication and authorization libraries used by millions of developers around the globe. You can learn more about his work on h... Read More →
As MCP adoption grows, teams quickly discover that scaling from a single MCP server to a multi-server ecosystem introduces new architectural, operational, and governance challenges. Patterns that work for standalone MCP implementations often break down when MCP becomes a shared platform capability across multiple domains, teams, and clients.
In this talk, we share practical lessons from building and operating an MCP server ecosystem at infrastructure scale at Equinix. What began as a single MCP server evolved into multiple coordinated MCP servers spanning networking and infrastructure domains, each with distinct tools, lifecycles, and operational constraints.
Attendees will learn: 1. How MCP architecture changes when scaling from one server to an ecosystem 2. Design patterns to avoid tight coupling and fragmentation across MCP servers 3. Practical approaches to tool discovery, versioning, and backward compatibility 4. Operational lessons for reliability, rate limiting, and failure isolation 5. Governance best practices for ownership, change management, and ecosystem growth
Vaibhav Tupe is a distinguished Technology Advisory Board Member and Engineering Leader specializing in cybersecurity, cloud, and AI-ready data center infrastructure. With over 13 years of experience, he currently serves as a Technology Leader at Equinix USA, where he drives high-performance... Read More →
While it is now considered a best practice for agent skills to leverage MCP servers, there is still no widely accepted approach for how those MCP servers should be distributed, versioned, and shared as dependencies.
This talk presents a practical pattern for using OCI artifacts as a distribution mechanism for MCP servers and configurations that agent skills depend on, enabling reproducible, shareable, and composable agent capabilities.
We’ll walk through creating an agent skill that can build and run an MCP project as a containerized service, then publish supporting artifacts such as the MCP server’s configuration.
Rather than bundling dependencies directly, the agent skill references an OCI artifact by OCI ref, pulls it at runtime, and activates the required MCP servers automatically. This ensures that when prompts expect specific MCP servers to be available, they already are.
By treating OCI as a universal distribution layer for agent tooling metadata and configurations, this approach makes agent skills easier to share, reproduce, and evolve across teams and environments.
Bobby House is a senior software engineer at Docker that enjoys building products for engineers. His recent work centers on integrating MCP into enterprise environments by enabling organizations to publish and manage private catalogs of MCP servers as OCI artifacts.
Most MCP servers work like snapshots - ask for context, get a response, done. But what happens when your code changes while the AI is working? Or system metrics spike during deployment? Your agent has stale data.
I've been building streaming MCP servers that push live updates to AI agents. Think file watchers notifying code changes, system monitors streaming metrics, or database triggers sending updates as they happen.
I'll walk through building a live log monitoring MCP server from scratch. We'll extend the basic MCP protocol to handle streaming data using WebSockets, implement event subscriptions, and keep agents synchronized with rapidly changing data.
The demo shows an AI agent monitoring application logs in real-time, detecting anomalies and suggesting fixes as errors occur - not minutes later when someone checks the logs.
This isn't theoretical - I'm using similar patterns in production for DevOps monitoring and trading systems. I'll share the code, discuss gotchas, and show how streaming MCP opens up new use cases.
You'll leave with practical patterns for building reactive MCP servers that keep your AI agents always current.
GenAI/Data Driven individual who has 15+ years of experience. Proven experience with AWS Data Analytics/GenAI services, Cloudera Hadoop, Hortonworks Hadoop and Mapr Hadoop. Achieved customer wins over Amazon Q , Bedrock, Amazon Managed Kafka, Amazon Data Firehose, Kinesis Streams... Read More →
MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it’s interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.
This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.
Emily Lauber is a Senior Product Manager at Microsoft focused on identity, authentication, and developer platforms. She works at the intersection of cloud security, browser-based auth, and standards, helping shape how modern apps and agents securely authenticate and access resources... Read More →
MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.
Max Gerber is the software engineering lead for agent and AI identity at Twilio, where he works on core identity SDKs and APIs including OAuth, SAML, SSO, and RBAC. He previously led identity initiatives at Stytch and served as a lead engineer on MuleSoft’s IAM team during its integration... Read More →
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy... Read More →
When the backend can reason, what does that mean for the frontend? Let's look at how to build UIs that support reasoning and adapt to any task.
The way we interact with software is changing. LLM-powered applications, with human-in-the-loop, are handling repetitive tasks that used to require forms and workflows. But bolting a chatbot onto your existing UI isn't enough - extracting structured data from natural language is fragile, adding frustration and friction for users.
In this talk, we'll explore how tool-calling and protocols like MCP provide deterministic contracts with non-deterministic systems, what human-in-the-loop looks like when the UI adapts to the task at hand rather than forcing users through fixed workflows.
Adam is a multi-disciplinary developer with over 20 years of experience building products that help people learn and grow. Currently Manager of Developer Education at Neo4j, he leads the team behind GraphAcademy - Neo4j's free learning platform.
MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer. This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability. We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.
Kurt Degiorgio is a Senior Engineer at Bloomberg, working on building platforms for Generative AI. With 14 years of experience, his background includes Monzo, Diffblue and GFI Software (of TeamViewer fame), covering a wide technical spectrum—from developing network drivers to building... Read More →
Cannis Chan is a Technical Product Manager in the Office of the CTO at Bloomberg, building infrastructure platforms for AI products. With 10 years in B2B and Enterprise (AutogenAI, Deutsche Bank, Ondat/Akamai), she specializes in navigating complex products through pre- and post-product... Read More →
While frontier models achieve impressive scores on benchmarks like MCP Atlas (62.3%) and SWE-bench (62.1%), these metrics don't answer the critical question: "Will this agent work for OUR specific use-case?"This talk presents a practical framework for building custom agent evaluation systems tailored to your organization's needs. We'll cover the complete lifecycle: data collection and categorization, open-source instrumentation patterns, and production monitoring for long-term performance tracking. You'll learn to construct evaluation datasets reflecting actual workloads, implement testing harnesses mirroring production constraints, and establish monitoring pipelines that catch degradations early.We'll demonstrate techniques for measuring agent reliability across accuracy, latency, cost, and safety dimensions while accounting for real-world variables: prompt engineering, data quality, MCP tool availability, and model selection. Attendees will leave with actionable strategies to build confidence in production deployments and create feedback loops for continuous improvement.
Gaurav Saxena is an engineering leader in the field of platform and cloud engineering with over 20 years of experience in the software industry. His technical expertise includes Stream-based architectures, Kubernetes, Service Mesh, Software Supply Chain Security, and Observabilit... Read More →
Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.
While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.
We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy... Read More →
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is... Read More →
MCPwned weaponizes a widely overlooked MCP-spec weakness, browser-based DNS rebinding, against SSE & streaming-HTTP MCP servers to exfiltrate data and escalate access. This skeleton key vulnerability hacks your locally running MCP server, just by getting you to visit a malicious website.
Jonathan Leitschuh is an open source software security researcher and self-described Vulnerability Janitor. He was the inaugural Dan Kaminsky Fellow at HUMAN Security and later led research for OpenSSF’s Alpha-Omega project. He is best known for his 2019 Zoom zero-day disclosure... Read More →
As MCPs are adopted at scale, certain patterns start to emerge: 1. Increase in wrong tool calls 2. increase in token usage, semantic loss 3. agents skipping the required tool call sequence.
For high stakes domains such as finance and infrastructure, this leads to reliability and compliance risk.
This talk presents a new MCP server design pattern for addressing this class of problems called: "progressive tool exposure". Rather than assuming static tools, the MCP server actively controls which tools are visible to the agent at each point in execution. This framework ensures, tools are refreshed, scoped, and changed as the agent progresses through an MCP workflow. This allows the server to direct the agent’s action space, guide execution order, and enforce "runbooks" without changing server/ agent capability. This design pattern also tracks state ensuring backtracking of tool calls reverts the server side state, making agent behaviour as transactional on the MCP server.
We show how such practices reduce invalid tool calls, lower inference costs, and improve determinism for tool heavy systems.
Founder of Concierge AI. Ex-Uber building MCP systems at scale. Concierge AI manages 400+ public MCP deployments, Arnav focuses on MCP tool complexity and researches token overhead reduction at scale.
Picture your MCP server exposing your database to an overeager LLM that tries to "optimize" your schemas at 3 AM. Sinful? Absolutely. As MCP becomes the standard for connecting LLMs to real systems, teams are speedrunning mistakes like this—causing memory leaks, runaway polling, and permission scopes so wide they make the sudo commands executed in production look cautious.
This session breaks down the seven deadly sins developers must be aware about MCP: gluttony (resource abuse), sloth (lazy errors), wrath (aggressive polling), greed (permission overreach), pride (overengineering), envy (tool sprawl), and lust (unsafe exposure). Each of these sins can turn a powerful protocol like MCP into a recipe for disaster.
By examining each sin, its patterns, and its symptoms, you'll learn how to spot and avoid them, along with the technical practices that make MCP deployments reliable. Come learn how to ship with absolution. Instead of yet another pager alert.
Ricardo leads the developer relations team at Redis. He built a successful career in DevRel working for companies such as AWS, Elastic, and Confluent. He spent two decades working as a software engineer, instructor, and solution architect before diving into the world of developer... Read More →
Imagine being on-call at 3 AM: alerts fire, you scramble between the incident, monitoring dashboards, Slack, runbooks, and ticketing systems. Each tool switch drains cognitive capacity during your highest-stress moments.
Current reality: On-call engineers navigate 5-10 tools under pressure. Managers manually coordinate team responses. Stakeholders interrupt for updates. Result: burnout, delayed resolution, human error.
MCP-powered future: Natural language handles coordination, knowledge retrieval, and status updates. Responders focus on solving problems, not navigating tools. Managers orchestrate responses conversationally. Stakeholders self-serve information.
Attendees learn production patterns for building MCP servers that reduce human fatigue in critical operations: safety mechanisms for high-stakes automation, balancing AI assistance with human oversight, context preservation across operations, and testing strategies for mission-critical workflows.
Develop custom reports that help each customer identify and monitor the metrics most relevant to their operations. Gather technical and functional requirements, working closely with the product team to translate customer needs into concrete improvements.
Originally from Argentina and based in Chile, I'm a Product Manager on the Forward Deployed Engineering (FDE) team at PagerDuty. With a background in Mechanical Engineering and Business Analytics, I live at the intersection of technology, data, and real-world customer implementations... Read More →
MCP made agents portable. But it also made them fragile—every tool call lives or dies by its network connection, and long-running work has been a liability we've all been working around in different (incompatible) ways.
SEP 1686 introduces native task orchestration to the protocol. This talk covers what's changing, why it matters, and what it unlocks for anyone building serious MCP infrastructure.
I'll walk through the design decisions, demonstrate the new primitives in FastMCP, and share what we've learned from helping teams scale MCP Tasks.
If you've ever wished MCP would just let you run real workloads without holding your breath, this one's for you.
Adam Azzam, Ph.D. is VP of Product at Prefect, where he leads product development for their open source automation and context platform. He is a maintainer of FastMCP.
Before joining Prefect, Adam co-founded Openrole AI, where he served as CTO building an AI career co-pilot. He was previously Director of Product at Insight Data Science (YC S11). Adam holds a PhD in Mathematics from UCLA... Read More →
As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.
Paulina Xu is the CEO of Agentic Fabriq, where she is building a centralized hub for agent identity, OAuth-based authentication, permissioning, and auditability, enabling organizations to safely manage what agents can access and do across tools, applications, and teams. Prior to founding... Read More →
Effective context engineering via MCP servers requires understanding how host agents weave the server's responses into their context as conversations unfold.
Context flows through more channels than tool definitions alone: initial instructions, the tool set itself (explicit tools vs. generic execution tools), tool names and parameters, descriptions, response content, structure and length, error feedback, "skill-loading" tools, resources, and sub-agent delegation.
Each mechanism involves trade-offs. Eager loading of context risks bloat; lazy loading adds tool calls. Rich tool responses help agents self-correct but consume tokens. Sub-agents compartmentalize complexity, but limited client support for elicitation creates friction.
Getting this balance right means staying conscious of how much context you're injecting, when, and at what cost (e.g. in # of tool calls to achieve a goal)—a balancing act that's hard without a clear picture of what's happening inside the host agent's context window.
This talk aims at providing a framework for thinking about these decisions—grounded in concrete examples from building the MotherDuck MCP Server.
Till Döhmen is AI Lead at MotherDuck, where he focuses on building agentic experiences for data analytics. He designed and built the MotherDuck MCP Server, enabling AI agents to query and analyze data through Claude, Cursor, and other MCP clients. Till is also a final-year PhD candidate... Read More →
Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.
Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.
For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.
This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.
Peder architects AI systems and spearheads AI adoption at Saxo Bank as Principal Developer. He is a contributor to the C# MCP SDK and an MCP maintainer for the Financial Services Interest Group. He specializes in integrating cutting-edge AI capabilities with bespoke assistants and... Read More →
MCP enables agent composition, but leaves security, policy, and governance enforcement to individual implementations. This results in inconsistent controls and security gaps across agents, tools, and environments, pushing platform-specific logic into otherwise portable MCP systems.
This talk presents a hook-based extension pattern for MCP, inspired by the Linux Security Modules (LSM) extensibility model and implemented in open source as part of the ContextForge MCP Gateway. Using standardized pre- and post-execution hooks, the gateway intercepts MCP interactions such as prompt handling, tool invocation, and data transformation. These hooks enable composable security modules—including prompt injection detection, PII redaction, and policy-based access control (OPA/Cedar)—without modifying agent or MCP server logic. By externalizing enforcement into reusable modules, this approach avoids extensibility lock-in and enables interoperability with existing security frameworks.
We show how developers can author MCP extensions and apply consistent controls across agent stacks, focusing on design patterns and interoperability for production-ready MCP systems.
Ian Molloy is a Principal Research Scientists and Department Head of the Security Department at IBM's Thomas J. Watson Research Center, a large and diverse team working across working in cryptography, cloud, AI and Security Intelligence. His primary research interest is in automating... Read More →
Dr. Fred Araujo is a Principal Research Scientist and Manager at IBM Research, where he leads research on the security of AI agents and middleware. His work spans protocol security, access control, systems security, and program analysis, and has influenced several IBM and Red Hat... Read More →
