Amar Jeer

MCP Servers Are the New Shadow IT: 56 Common Domains We Found Hiding in Plain Sight

April 27, 2026
6
 MIN READ
MCP Servers Are the New Shadow IT: 56 Common Domains We Found Hiding in Plain Sight

Your employees aren’t just using AI to write emails anymore. They’re connecting AI agents directly to your CRM, your codebase, your meeting recordings, your financial data, and your design files. They’re doing it through something called MCP servers, a protocol most security teams have never heard of, let alone monitor.

We ran a detection report across 10,000 devices to see which MCP (Model Context Protocol) servers their employees are connecting to through AI tools like Anthropic’s Claude. The results paint a clear picture: MCP adoption is already widespread, it spans every department, and it touches the most sensitive data in your organization.

What is MCP, and why should you care?

Model Context Protocol (MCP) is an open standard that lets AI assistants connect to external tools and data sources. Think of it as a universal adapter between AI models and your business applications. When an employee connects Claude to their Jira board, HubSpot CRM, or Google Drive through an MCP server, the AI agent gets read (and sometimes write) access to that system.

That’s incredibly productive. It’s also a security blind spot the size of a barn door.

MCP servers let AI agents pull customer records from your CRM, read confidential meeting transcripts, query your production databases, access source code repositories, and interact with cloud infrastructure. All without triggering the alerts your security team has spent years tuning. MCP traffic runs over standard HTTPS to legitimate SaaS domains. It looks like normal web activity. Without purpose-built detection, it’s invisible.

MCP domains detected across customer environments

We identified 56 unique domains serving MCP traffic. The table below shows every domain detected, sorted by connection volume. Domain naming patterns reveal the scale of adoption: vendor-hosted endpoints like mcp.atlassian.com and mcp.slack.com, Claude-native proxies like gmail.mcp.claude.com, and custom deployments on AWS Bedrock AgentCore.

MCP Application Domains
MCP Application Domains

MCP apps by category

What this data tells us

1. MCP adoption is already mainstream

This isn’t a handful of developers experimenting. We found thousands of users across separate organizations actively connecting AI agents to business tools. mcp.atlassian.com alone showed 100+ unique users across multiple tenants.microsoft365.mcp.claude.com, gmail.mcp.claude.com, and gcal.mcp.claude.com each had 150+ users across multiple tenants. These are core productivity tools, used by people in every department, now accessed by AI agents.

2. Every department is affected

The data spans the entire org chart:

•      Sales and marketing: mcp.zoominfo.com, api.apollo.io, mcp.hubspot.com, mcp.gong.io, api.clay.com, mcp.close.com, mcp.klaviyo.com. AI agents pulling contact data, enriching leads, reading call transcripts, and accessing marketing automation. Eight separate CRM and sales tools connected via MCP.

•      Engineering: mcp.docker.com, mcp.datadoghq.com, knowledge-mcp.global.api.aws, api.sonarcloud.io, mcp.cloudflare.com, mcp-registry-sandbox.azure-apicenter.ms. AI agents interacting with container registries, querying monitoring dashboards, and accessing cloud infrastructure APIs.

•      Design and product: mcp.figma.com, mcp.canva.com, mcp.lucid.app, whimsical.com. Designers using AI agents to access design files, including pre-launch product designs and brand assets.

•      Finance: mcp.factset.com (financial data and analytics). AI agents with access to market research, financial models, and investment data.

•      Operations and support: mcp.intercom.com,mcp.api.getguru.com, mcp.zapier.com, mcp.docusign.com. AI agents reading customer support conversations, accessing internal knowledge bases, triggering automations, and interacting with signed agreements.

3. The most sensitive data is already in play

Consider what these MCP connections actually mean in terms of data exposure:

  • mcp.gong.io: AI agents reading recorded sales calls, including pricing discussions, competitive intel, and customer objections.
  • mcp.granola.ai and api.fireflies.ai: AI meeting transcript tools connected via MCP. Every internal discussion, strategy session, and customer call, transcribed and accessible to AI agents.
  • mcp.hubspot.com,mcp.zoominfo.com, api.apollo.io: Customer and prospect data (names, emails, phone numbers, company details, deal stages)flowing through AI agents. That’s PII moving through a channel your security tools don’t see.
  • mcp.docusign.com: An AI agent with access to signed contracts, NDAs, and legal agreements.
  • mcp-server.egnyte.com and mcp.box.com: Cloud content management platforms where companies store everything from HR documents to financial reports. AI agents now have a direct line in.

4. Shadow MCP is the new shadow IT

We also detected community-built and customer-hosted MCP servers that IT teams almost certainly don’t know about. A community-built Cloudflare Worker proxying to Roam Research. A customer-hosted MCP server running on AWS Bedrock AgentCore. An internal MCP endpoint at a customer organization. These aren’t sanctioned enterprise tools. They’re custom integrations employees built themselves to make AI agents more useful. And they’re completely invisible to traditional security controls.

5. Automation multiplies the risk

Zapier generated hundreds of MCP connection events. That’s not a person clicking buttons. That’s automated workflows where AI agents trigger actions across multiple systems without human review. When you combine AI agents with automation platforms, you get autonomous data movement at scale. An AI agent reads a Gong call, enriches the contact in Clay, updates the deal in HubSpot, and drafts a follow-up in Gmail. All in seconds. All without a human in the loop. All through MCP.

How dope.security gives you visibility into MCP server activity

Because dope.security runs an on-device proxy (not a cloud data center), we see traffic at the endpoint before it ever leaves the device. That’s what makes this detection possible.

Our Shadow IT feature identifies every MCP server domain your employees connect to. The same way we detect personal ChatGPT accounts and unsanctioned SaaS apps, we now surface MCP server connections across your organization. You see which MCP servers are being accessed, who’s accessing them, how often, and from which tenants.

No additional agents to install. No separate monitoring tool to configure. No new module to purchase. MCP server detection is part of Shadow IT, which is part of dope.security’s SWG. If you’re already a customer, you already have it. If you’re not, a free trial gets you there.

What CISOs should do right now

You don’t need to block MCP servers. You don’t need to ban AI tools. You need to know what’s happening. The same playbook you applied to SaaS adoption in 2015 and personal ChatGPT accounts in 2023 applies here: visibility first, then governance.

  • Get your own MCP detection report. Run a Shadow IT scan for MCP server domains across your environment. Know which MCP servers your employees are connecting to, which AI tools are initiating those connections, and how much traffic is flowing. This is step one.
  • Share the findings with your team. The report is shareable. Pull it up in your next security review. Show your CISO, your compliance team, your IT leadership. The data speaks for itself.
  • Categorize by risk. Not all MCP connections carry the same risk. An AI agent reading AWS documentation is very different from one reading Gong call recordings or pulling FactSet financial data. Triage by data sensitivity.
  • Start the policy conversation. Once you see what’s connected, you can make informed decisions about which MCP connections to allow, which to monitor, and which to restrict. You can’t have that conversation without the data. Now you have the data.

MCP is the new shadow IT. The first step is seeing it.

Five years ago, security teams scrambled to get visibility into unauthorized SaaS apps. Two years ago, the scramble was personal ChatGPT accounts. Today, it’s MCP servers: AI agents connecting directly to your most sensitive business tools through a protocol your existing security stack wasn’t built to see. Book a demo now to see which MCP servers are active in your environment.

Shadow IT
Shadow IT
AI Security
AI Security
Thought Leadership
Thought Leadership
back to blog Home

Related Posts

Apr 28, 2026
5
 MIN READ

Secure Enterprise Browser: Do You Actually Need One?

Apr 21, 2026
6
 MIN READ

How Rising Data Center Costs Are Driving SASE & SSE Price Increases

Mar 26, 2026
4
 MIN READ

Blocking Personal Claude Accounts: Cloud Application Control for Enterprise Claude Users

Check
Dope Security logo - links to the home page.
It’s not that we’re mad at yesterday’s cybersecurity.  Just disappointed.  So we made it better.  We made it easier.

We made it dope.
sales@dope.security
Call Us
about
Our Story
Our Crew
Newsroom
Events
Partners
compare
Forcepoint
Zscaler
Cisco Umbrella
Netskope
Testimonials
documentation
Support
User Manual
[ DOPE.FOOTER ]
© 2025 dope.security Inc.
Made with
in California
EULAPRIVACYLEGALmanage cookies