Post-quantum security in MCP deployments: what changes in 2026

The number of MCP servers registered in public directories has grown over 340% in the last twelve months. That growth has a direct consequence that few organisations are managing well: the attack surface of Claude integrations has expanded at the same pace, and security teams are now starting to scrutinise the protocol with the same rigour they previously reserved for conventional REST APIs.

An article published this weekend on Security Boulevard addresses precisely this: how to secure MCP infrastructure taking into account not only current threats, but also the post-quantum horizon. It's worth unpacking what's immediately relevant and what is medium-term planning.

What attack vectors does MCP introduce that didn't exist before

MCP is not a conventional API. When an MCP server responds to a tool call, it is interacting directly with the model's reasoning context. This opens vectors that WAFs and conventional OAuth authentication schemes don't cover well:

• Prompt injection through tool responses: a compromised MCP server can inject instructions in the response that the model interprets as part of the legitimate flow.
• Lateral privilege escalation: if a Claude Code agent has access to multiple MCP servers with different privilege levels, a chain of poorly validated calls can cross authorization boundaries without any individual logging system detecting it.
• Passive context exfiltration: unlike an API that returns structured data, a malicious MCP server can receive fragments of the model's active context if the client doesn't apply strict filtering over what is included in each call.

These vectors exist already, with classical encryption algorithms. Post-quantum cryptography enters the picture for a different reason.

Why post-quantum cryptography matters now, not in five years

The argument is "harvest now, decrypt later": actors with sufficient resources can capture encrypted traffic today, including TLS handshakes between Claude clients and MCP servers, and decrypt it when quantum computers with sufficient capability become available. For data with long shelf life (corporate credentials, intellectual property in context, infrastructure configurations), that window is already relevant.

NIST finalised its first post-quantum standards in 2024 (FIPS 203, 204 and 205, based on CRYSTALS-Kyber and CRYSTALS-Dilithium). What the Security Boulevard analysis proposes is that teams deploying MCP servers in production start evaluating now whether their TLS stacks support hybrid classical+post-quantum negotiation, which is the recommended transition mode while compatibility is not universal.

What's actionable today for teams using Claude Code and MCP

Without waiting for a complete post-quantum strategy, there are measures that reduce immediate risk:

1. Mutual authentication on all internal MCP servers. mTLS with short-lived certificates is the reasonable minimum for servers handling sensitive data. Configuring it in `claude_desktop_config.json` or in the Claude Code environment requires no changes to the protocol.
2. Audit hooks in PreToolUse and PostToolUse. Claude Code hooks allow you to intercept each tool call and log metadata (server, tool invoked, response size) without touching the content. This is the most natural point to build an audit trail.
3. Least privilege principle per server. Each MCP server should have a declared and reviewed scope of permissions. If a database query server doesn't need write access, it shouldn't be able to do so even if the client requests it.
4. Review the origin of third-party plugins and skills. The Claude Code marketplace doesn't yet have a public standardised security audit process. Before installing a third-party plugin in an environment with access to internal systems, it's worth reviewing the source code if available.

For whom this is urgent and for whom it isn't

If you're deploying MCP servers in a personal or prototyping environment, most of these considerations are excessive for now. The Security Boulevard analysis is aimed at engineering teams bringing Claude Code and MCP servers to corporate environments with regulated data, or building agent infrastructure for end customers.

For those teams, the combination of a young protocol (MCP has less than two years of mass adoption), an execution model with real agency over external systems, and a gradually narrowing quantum threat window is sufficient reason to include MCP security in this year's security roadmap, not next year's.

---

From our perspective, we see a clear pattern: MCP adoption velocity is outpacing the maturity of available security guidance. Articles like this starting to appear is a positive signal, though the industry still needs protocol-specific audit tools, not adaptations of generic frameworks.