MCP Is Already in the Internet’s Reconnaissance Playbook
A twoweek log sample found valid MCP initialization probes, AI assistant config probes, and credentialfile checks hitting a host that ran none of them.
A small web server that did not run an MCP service, an AI assistant, or a local LLM endpoint still received correctly formed MCP initialization requests.
That is the signal.
In a SANS Internet Storm Center diary, Manuel Humberto Santander Pelaez examined 14 days of Apache and ModSecurity logs from one anonymized, low-traffic host. Mixed into the familiar background noise were roughly 200 requests aimed at MCP handshakes, LLM APIs, AI assistant configuration files, and related secrets. The MCP handshake category alone came from 49 source IP addresses.
AI infrastructure has entered the commodity reconnaissance layer. Scanners are no longer waiting for defenders to finish debating how MCP should be governed. They are already testing where it may have been exposed.
The sample is narrow but concrete: one host, 14 days, roughly 200 AI-focused requests, and 49 source IPs in the MCP-handshake category. Observation does not mean compromise.
The Probe Spoke MCP, Not Just HTTP
Most internet scanning is shallow. A bot requests a familiar path, records the status code, and moves on.
The MCP requests in the SANS logs went further. The POST probes carried valid JSON-RPC 2.0 bodies performing the protocol’s `initialize` operation. In other words, the scanner was not merely guessing that an `/mcp` path might exist. It was prepared to speak enough of the protocol to recognize a server that answered.
That distinction matters because it separates keyword-based discovery from service-aware reconnaissance. A correct initialization request can determine whether the endpoint behaves like an MCP server. It does not prove that tools were enumerated, data was reached, or any action was executed on the observed host.
The host in this sample did not run MCP. The logs captured the knock, not an entry.
The solid path is what the logs support. Tool discovery and access to connected systems are conditional risks if an MCP service is exposed without effective authentication and authorization.
The Prize Is the Permission Graph
An MCP server is valuable because it connects a model to useful things: files, databases, internal APIs, ticketing systems, and operational tools. That same convenience can concentrate permissions behind a machine-readable interface.
If an internet-facing server accepts unauthenticated clients, the problem is not simply that an AI endpoint is visible. The endpoint may expose a catalog of tools and data sources, with whatever authority the service account behind it possesses.
This is why MCP exposure deserves a different mental model from a forgotten status page. The relevant asset is the permission graph behind the server. A lightly protected bridge can inherit the reach of every system connected to it.
The SANS evidence does not show that outcome. It shows that scanners understand the first protocol step needed to look for it.
Secret Hunting Has Learned the AI Toolchain
The same logs contained probes for current AI assistant configuration and credential-file locations. The requested material covered MCP configuration, editor and assistant settings, cloud credentials, Kubernetes-related files, and other application secrets.
The source also observed HEAD requests aimed at credential files. HEAD normally checks whether a resource exists without retrieving its body. Used at scale, that is an efficient way to identify a promising path before attempting a fuller request.
That behavior suggests a maintained reconnaissance wordlist built around how modern developer tools store state. It does not identify who assembled it, how many operators used it, or whether any requested file was present.
The logs included GET requests for configuration material and HEAD checks for credential-file existence. The figure uses sanitized categories rather than reproducing sensitive paths.
One Host Is a Signal, Not a Census
The limits of the observation are important.
This was one anonymized server over two weeks. Forty-nine source IPs do not equal 49 people, groups, or campaigns. Shared scanners, relays, cloud hosts, duplicate jobs, and reused infrastructure can all inflate apparent diversity. The source was studying reconnaissance traffic, not investigating a confirmed breach.
There is also no evidence in the supplied logs that an AI configuration file existed, that a credential was returned, or that an MCP tool was successfully invoked.
So the defensible conclusion is narrower than “the internet is attacking MCP at scale.” The evidence shows that protocol-aware MCP discovery and AI-tool secret hunting are already present in ordinary web noise—even on a host with no AI service to find.
That is enough to change the order of operations. Exposure review should come before rollout excitement, not after the first alert.
Make Accidental Exposure Boring
The useful response is not a panic-driven secret rotation across every AI project. It is a disciplined exposure check.
Inventory internet-reachable MCP and local-LLM endpoints, including temporary development systems and forgotten test routes.
Require authentication, then enforce authorization at the tool and data-source layer. A logged-in client should not inherit every capability behind the server.
Keep assistant settings, MCP configuration, credentials, and home-directory artifacts out of web roots, container images, static bundles, and deployment packages.
Log protocol initialization attempts and sensitive-path probes at the edge. Preserve request method, response status, source context, and rate so analysts can separate scanning from successful access.
Validate before rotating. A probe that received a denial or not-found response is different from evidence that protected content was served.
Start with inventory and access control, remove developer artifacts from deployment paths, then use logs to validate whether any exposure actually occurred.
The Scan Is Ahead of the Inventory
MCP security is often discussed as an architecture problem for teams building agents. The SANS logs show the other side: external scanners are treating it as an exposure class.
The most consequential detail is not the request count. It is the combination of a valid protocol handshake, current configuration targets, and efficient existence checks. Together, those artifacts show reconnaissance adapting to the AI development stack.
If an organization cannot list its public MCP endpoints and the permissions behind them, it is already behind the people—or automation—looking for them.






