Designing the Future of Agentic AI: Cato Engineering Details a New Practical, Secure, and Scalable MCP Server Framework 

Some of you may remember the early days of security, when setting up a firewall or antivirus felt like enough. It was simple and gave us a sense of control. But over time, we learned that security is a moving target. What once felt sufficient quickly became just the starting point. 

In today’s agentic AI era, many treat their Model Context Protocol (MCP) setups the same way. If it’s running and returning results, it feels good enough. But the AI landscape is evolving rapidly. Security, scalability, and observability are now essential, and many MCP architectures lack these essential qualities. 

To meet these demands, we designed an MCP architecture that fixes these problems – secure and scalable MCP Server-as-a-Service (MCPSaaS). MCPSaaS pioneers a framework purpose-built for the next generation of autonomous systems. This is a not a product, but an approach engineering can follow to address significant security and scalability limitations in the way AI agents communicate and access data. 

The Evolution of Agentic AI Architecture 

Over the past year, the integration of agentic AI tools has accelerated dramatically. We’ve moved from manual function mappings and fragile plugin APIs to standardized, protocol-driven interfaces. MCP helped streamline this evolution, beginning with local execution and expanding to remote communication over HTTP. Now, streamable communication and early patterns of multi-users are changing how agents interact with their environment. We illustrate this evolution in Figure 1 below. 

Figure 1. MCP evolution timeline 

Challenges with Local MCP Setups 

Although local MCP setups might seem attractive due to their low setup complexity, they often introduce significant challenges over time: 

• Require manual installation on each machine. 
• Tool updates or bug fixes need to be communicated to users and may require rebuilding. 
• Without automatic updates, security patching becomes a major concern for CISOs. 
• Basic authentication mechanisms are insufficient for modern security standards. 
• Credentials may be stored in plaintext or unencrypted formats. 
• Monitoring and controlling MCP usage is difficult, as communication occurs through inter-process channels. 
• Stale MCP server processes consume unnecessary system resources. 

 Industry players have begun addressing these gaps.  

• Anthropic’s Desktop Extensions improve local agent-tool interaction on desktops. 
• Docker’s MCP Gateway introduces a secure, container-native transport layer for agent communication.  
• Google’s GenAI Toolbox offers a framework for safe, efficient access to databases and external tools.  

These innovations are steps in the right direction, but fully resolving MCP’s operational challenges requires a scalable architecture designed from the ground up for security, manageability, and future readiness.  

Introducing Secure and Scalable MCPSaaS Framework 

Our new framework is built to meet those needs and to support the demands of agentic AI in real-world production environments. This next-generation, scalable and secure MCPSaaS framework is built from the ground up to deliver enterprise-grade security, seamless scalability, and a significantly improved user experience. 

This new framework includes: 

• Streamable HTTP transport, replacing the deprecated SSE protocol for more flexible, modern communication. 

• Scalable containerized runtime that adapts to system load and supports high availability. 

• OAuth 2.1-based authorization, aligned with MCP standards for secure identity control. 

• High-performance session caching to reduce latency and increase responsiveness. 

• Encrypted, in-memory storage of user tokens, accessed only at runtime from a secure encrypted vault. 

• Isolated MCP client tokens that provide access only to the MCP layer, never to the underlying resources. 

• High resiliency with secure stateful session storage 
  Each container runs in stateful mode, storing session and token data in an encrypted, in-memory store (e.g., Redis with in-VM encryption). In case of failover, peer containers replicate state to ensure seamless session recovery and maintain data consistency. 

• Strong User isolation by design, Redis keys are uniquely generated per User using a combination of the MCP Session ID and a hash of the MCP internal token. These keys are created as part of the OAuth 2.1 flow, ensuring that sessions remain securely isolated. Each user receives an internal bearer token scoped only to their session, while the resource server bearer remains securely stored. 

This framework is the result of deep architectural planning, secure design principles, and our commitment to operational excellence. It demanded expertise, discipline, and a clear vision for how AI should safely scale in the enterprise. We believe this is the foundation that will support the next wave of secure, agentic automation. As shown in Figure 2, this new framework supports the next generation of intelligent, secure automation. 

Figure 1. Modern Agentic AI—Cato’s secure and scalable MCPSaaS framework  

Building and Using Secure and Scalable MCPSaaS Internally 

Across Cato, teams in research and development (R&D), operations, and project management office (PMO) rely on AI agents powered by both internal and third-party MCP servers. These agents connect through a range of clients, including desktop tools, AI coding assistants, and frameworks like LangChain, LangGraph, Microsoft AutoGen, and Google ADK. Running this architecture allows us to scale usage efficiently, maintain version consistency, and avoid the pain of manual installations. 

To further support these efforts, we established a shared monorepo for all MCP server development. This centralized approach ensures strong security, alignment with evolving MCP standards, and high development velocity. It also gave rise to an internal development guild that continues to drive innovation, streamline integrations, and expand automation across teams. 

Designing and embracing this new framework was the natural next step. As our internal use of AI agents grew, we encountered the same challenges many organizations face, such as scalability, version control, and secure access. Shifting to a centralized, multi-user framework allows us to solve these issues and build infrastructure that reflects the same standards we deliver in the Cato SASE Cloud Platform.

A Framework for the Future of Agentic AI Communications  

We recognize that many organizations are facing similar challenges when it comes to integrating Agentic AI securely, with full visibility and a smooth user experience. The new framework represents a significant step forward. It addresses today’s challenges while building a foundation for AI agents to operate effectively, securely, and at scale across users, teams, and environments, enabling enterprises to safely and confidently embrace the next era of AI.