For most of the last decade, the joke about enterprise software was that nothing ever changed except the price. Then someone wired Claude into Jira.

What started as a developer-tools curiosity — Anthropic's Model Context Protocol, released in late 2024 — has become the connective tissue inside larger and larger companies. The pattern is consistent: a single team adopts an MCP-aware client, points it at three or four internal systems, and within a quarter the rest of the org is asking how to do the same.

The systems on the receiving end weren't designed for this. Most enterprise APIs were built assuming the consumer was either a human in front of a UI or a known integration with a service account. Agent-mediated access blurs both.

The shape of the new traffic

If you've been running a public-facing or even internal-only web property for the last six months, you have probably already noticed three things in your access logs.

  • Reads outpace writes by an order of magnitude. Agents skim documentation, ticketing systems and dashboards far more aggressively than humans do.
  • Sessions are short and bursty. A reasoning agent will fire 30 to 200 requests in a tight window, then go quiet for hours.
  • User-Agent strings are honest, until they aren't. The serious vendors identify themselves; everything downstream of them increasingly does not.

"We saw a single OAuth token issue six thousand requests in an afternoon. It wasn't a bug. It was working as designed. We just didn't have a design for that." — Platform lead, Fortune 100 bank
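
The read-heavy and bursty patterns in the list above can be measured per credential from an access log. The sketch below is an added example, not code from this article or from any vendor: the record layout, the 60-second idle gap, the 5-minute window and the token names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_METHODS = {"GET", "HEAD", "OPTIONS"}
BURST_MIN = 30                       # article: bursts of 30 to 200 requests
IDLE_GAP = timedelta(seconds=60)     # assumption: silence that ends a burst
TIGHT_WINDOW = timedelta(minutes=5)  # assumption: what counts as "tight"
READ_WRITE_RATIO = 10                # article: reads outpace writes ~10x


def split_bursts(times):
    """Split sorted timestamps into runs separated by more than IDLE_GAP."""
    bursts = [[times[0]]]
    for t in times[1:]:
        if t - bursts[-1][-1] > IDLE_GAP:
            bursts.append([])
        bursts[-1].append(t)
    return bursts


def profile_tokens(records):
    """records: iterable of (iso_timestamp, token_id, http_method)."""
    by_token = defaultdict(list)
    for ts, token, method in records:
        by_token[token].append((datetime.fromisoformat(ts), method.upper()))
    report = {}
    for token, events in by_token.items():
        events.sort()
        reads = sum(1 for _, m in events if m in READ_METHODS)
        writes = max(len(events) - reads, 1)  # clamp so zero writes is safe
        tight = [b for b in split_bursts([t for t, _ in events])
                 if len(b) >= BURST_MIN and b[-1] - b[0] <= TIGHT_WINDOW]
        report[token] = {
            "requests": len(events),
            "read_write_ratio": reads / writes,
            "tight_bursts": len(tight),
            "agent_shaped": bool(tight) and reads >= READ_WRITE_RATIO * writes,
        }
    return report


def sample_records():
    """Constructed sample data: one bursty token, one human-paced token."""
    start = datetime(2026, 1, 12, 9, 0, 0)
    burst = [((start + timedelta(seconds=2 * i)).isoformat(), "tok-A",
              "POST" if i % 20 == 19 else "GET") for i in range(60)]
    paced = [((start + timedelta(minutes=5 * i)).isoformat(), "tok-B",
              "POST" if i % 2 else "GET") for i in range(12)]
    return burst + paced
```

A token flagged `agent_shaped` matches the traffic shape only; it says nothing about whether the agent is attended, unattended or impersonated, so treat the flag as input to rate-limit and scope decisions rather than as a block signal.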

Three actors, one socket

The question security teams keep asking is no longer whether agentic traffic is hitting their systems — every WAF log we've seen at scale shows it is — but whether the systems on the other side can tell the difference between an agent acting on a human's behalf, an agent running unattended, and a process pretending to be either.

The short answer, today, is: not really. Existing bot-detection vendors were built around CAPTCHAs and headless-browser fingerprints; both of those signals dissolve the moment a real Chromium driven by a reasoning model sits down at the keyboard. The newer detection surface — behavioural telemetry, click-path entropy, dwell-time distributions — is more promising, but only a handful of teams have the data to know what "agent-shaped" actually looks like in production.

What we do know is that the systems being hit hardest are the ones built without a clear notion of who is on the other end of the request. The fix is not technical paranoia. It is admitting, in 2026, that the consumer of your API might be a person, might be a process, and might be a person through a process — and that the controls you put in front of each of those should be different.