August 6, 2025 5m read

Designing the Future of Agentic AI: Cato Engineering Details a New Practical, Secure, and Scalable MCP Server Framework 

Guy Waizel
Zvi Fried


Some of you may remember the early days of security, when setting up a firewall or antivirus felt like enough. It was simple and gave us a sense of control. But over time, we learned that security is a moving target. What once felt sufficient quickly became just the starting point. 

In today’s agentic AI era, many treat their Model Context Protocol (MCP) setups the same way. If it’s running and returning results, it feels good enough. But the AI landscape is evolving rapidly. Security, scalability, and observability are now essential, and many MCP architectures lack them. 

To meet these demands, we designed an MCP architecture that addresses these problems: a secure and scalable MCP Server-as-a-Service (MCPSaaS). MCPSaaS pioneers a framework purpose-built for the next generation of autonomous systems. This is not a product, but an approach engineering can follow to address significant security and scalability limitations in the way AI agents communicate and access data. 

The Evolution of Agentic AI Architecture 

Over the past year, the integration of agentic AI tools has accelerated dramatically. We’ve moved from manual function mappings and fragile plugin APIs to standardized, protocol-driven interfaces. MCP helped streamline this evolution, beginning with local execution and expanding to remote communication over HTTP. Now, streamable communication and early multi-user patterns are changing how agents interact with their environment. We illustrate this evolution in Figure 1 below. 

Figure 1. MCP evolution timeline 

Challenges with Local MCP Setups 

Although local MCP setups might seem attractive due to their low setup complexity, they often introduce significant challenges over time: 

  • Require manual installation on each machine. 
  • Tool updates or bug fixes need to be communicated to users and may require rebuilding. 
  • Without automatic updates, security patching becomes a major concern for CISOs. 
  • Basic authentication mechanisms are insufficient for modern security standards. 
  • Credentials may be stored in plaintext or unencrypted formats. 
  • Monitoring and controlling MCP usage is difficult, as communication occurs through inter-process channels. 
  • Stale MCP server processes consume unnecessary system resources. 

 Industry players have begun addressing these gaps.  

  • Anthropic’s Desktop Extensions improve local agent-tool interaction on desktops. 
  • Docker’s MCP Gateway introduces a secure, container-native transport layer for agent communication.  
  • Google’s GenAI Toolbox offers a framework for safe, efficient access to databases and external tools.  

These innovations are steps in the right direction, but fully resolving MCP’s operational challenges requires a scalable architecture designed from the ground up for security, manageability, and future readiness.  

Introducing Secure and Scalable MCPSaaS Framework 

Our new framework is built to meet those needs and to support the demands of agentic AI in real-world production environments. This next-generation, scalable and secure MCPSaaS framework is built from the ground up to deliver enterprise-grade security, seamless scalability, and a significantly improved user experience. 

This new framework includes: 

  • Streamable HTTP transport, replacing the deprecated SSE protocol for more flexible, modern communication. 
  • Scalable containerized runtime that adapts to system load and supports high availability. 
  • OAuth 2.1-based authorization, aligned with MCP standards for secure identity control. 
  • High-performance session caching to reduce latency and increase responsiveness. 
  • Encrypted, in-memory storage of user tokens, accessed only at runtime from a secure encrypted vault. 
  • Isolated MCP client tokens that provide access only to the MCP layer, never to the underlying resources. 
  • High resiliency with secure stateful session storage: each container runs in stateful mode, storing session and token data in an encrypted, in-memory store (e.g., Redis with in-VM encryption). In case of failover, peer containers replicate state to ensure seamless session recovery and maintain data consistency. 
  • Strong user isolation by design: Redis keys are uniquely generated per user using a combination of the MCP Session ID and a hash of the MCP internal token. These keys are created as part of the OAuth 2.1 flow, ensuring that sessions remain securely isolated. Each user receives an internal bearer token scoped only to their session, while the resource server bearer remains securely stored. 
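
The per-user key scheme in the last two bullets, as an added sketch that is not Cato's code. Assumptions: a dict stands in for Redis, value encryption is omitted, and the `mcp:<session>:<hash>` key layout, SHA-256, and all class and method names are hypothetical.

```python
import hashlib
import secrets


class SessionStore:
    """Stand-in for the in-memory store; a dict replaces Redis and value
    encryption is omitted (both are assumptions of this sketch)."""

    def __init__(self):
        self._data = {}

    @staticmethod
    def key_for(session_id: str, internal_token: str) -> str:
        # Only a hash of the internal token enters the key, so listing keys
        # never reveals a usable bearer token. SHA-256 is an assumed choice.
        digest = hashlib.sha256(internal_token.encode()).hexdigest()
        return f"mcp:{session_id}:{digest}"

    def open_session(self, session_id: str, resource_token: str) -> str:
        """End of the OAuth flow: keep the resource-server token server-side
        and hand the client a fresh internal token scoped to this session."""
        internal_token = secrets.token_urlsafe(32)
        self._data[self.key_for(session_id, internal_token)] = resource_token
        return internal_token

    def resolve(self, session_id: str, presented_token: str):
        """Return the stored resource token only when the session ID and the
        presented internal token both match; otherwise None."""
        return self._data.get(self.key_for(session_id, presented_token))

    def close_session(self, session_id: str, internal_token: str) -> bool:
        """Delete the entry so the internal token stops working."""
        key = self.key_for(session_id, internal_token)
        return self._data.pop(key, None) is not None

    def keys(self):
        return list(self._data)


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample values, not real credentials.
    alice = store.open_session("sess-alice", "resource-token-A")
    bob = store.open_session("sess-bob", "resource-token-B")
    print(store.resolve("sess-alice", alice))  # own session and token
    print(store.resolve("sess-alice", bob))    # another user's token
    print(store.resolve("sess-bob", alice))    # another user's session
```

The MCP client only ever holds the internal token; the server calls `resolve` per request and uses the returned resource token on the client's behalf without sending it back.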

This framework is the result of deep architectural planning, secure design principles, and our commitment to operational excellence. It demanded expertise, discipline, and a clear vision for how AI should safely scale in the enterprise. We believe this is the foundation that will support the next wave of secure, agentic automation. As shown in Figure 2, this new framework supports the next generation of intelligent, secure automation. 


Figure 2. Modern Agentic AI—Cato’s secure and scalable MCPSaaS framework  

Building and Using Secure and Scalable MCPSaaS Internally 

Across Cato, teams in research and development (R&D), operations, and project management office (PMO) rely on AI agents powered by both internal and third-party MCP servers. These agents connect through a range of clients, including desktop tools, AI coding assistants, and frameworks like LangChain, LangGraph, Microsoft AutoGen, and Google ADK. Running this architecture allows us to scale usage efficiently, maintain version consistency, and avoid the pain of manual installations. 

To further support these efforts, we established a shared monorepo for all MCP server development. This centralized approach ensures strong security, alignment with evolving MCP standards, and high development velocity. It also gave rise to an internal development guild that continues to drive innovation, streamline integrations, and expand automation across teams. 

Designing and embracing this new framework was the natural next step. As our internal use of AI agents grew, we encountered the same challenges many organizations face, such as scalability, version control, and secure access. Shifting to a centralized, multi-user framework allows us to solve these issues and build infrastructure that reflects the same standards we deliver in the Cato SASE Cloud Platform.

A Framework for the Future of Agentic AI Communications  

We recognize that many organizations are facing similar challenges when it comes to integrating Agentic AI securely, with full visibility and a smooth user experience. The new framework represents a significant step forward. It addresses today’s challenges while building a foundation for AI agents to operate effectively, securely, and at scale across users, teams, and environments, enabling enterprises to safely and confidently embrace the next era of AI. 

Guy Waizel

Tech Evangelist

Guy Waizel is a Tech Evangelist at Cato Networks and member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company’s entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy also held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy has more than 25 years of experience spanning cybersecurity, IT, and AI. Guy is in the final stages of his PhD thesis research at Alexandru Ioan Cuza University, focused on the intersection of cloud adoption, cybersecurity, and AI. Guy holds an MBA from Netanya Academic College, a B.S. in technology management from Holon Institute of Technology, and multiple cybersecurity certifications.

Zvi Fried

Staff Automation Engineer

Zvi Fried is a Staff Automation Engineer at Cato Networks, responsible for developing state-of-the-art Agentic AI systems that drive seamless IT security transformation. With over a decade of leadership experience in Israel's cybersecurity industry, Zvi has successfully led large-scale automation projects with significant organizational impact. His expertise lies at the intersection of automation and intelligence, delivering innovative, practical solutions to complex engineering challenges. Prior to joining Cato, Zvi served as Automation Technology Leader at Orca Security and previously held a similar role at Check Point Software Technologies.
