Yotam Perkal
Yotam Perkal leads security research at Pluto Security, a next-generation AI security and governance platform designed to protect the rapidly emerging ecosystem of AI builders, low-code/no-code tools, and agentic applications. His work focuses on securing AI-native development environments and building scalable methods for detecting, validating, and mitigating risks in AI-driven software workflows.
Previously, Yotam led the Threat Research team at Zscaler, headed the Vulnerability Research team at Rezilion, and held multiple roles within PayPal’s security organization across vulnerability management, threat intelligence, and insider threat.
Yotam is an active participant in several cross-industry working groups dealing with AI security, vulnerability management, and supply chain security.
Session
Model Context Protocol (MCP) servers are rapidly becoming the integration layer between AI agents and real-world systems. They connect models to ticketing platforms, source control, CI/CD pipelines, internal APIs, and local files, often running with production credentials and network reach.
Despite this, MCP servers are frequently deployed as “developer tooling,” bound to 0.0.0.0 (that is, listening on every interface rather than only on localhost), and rarely threat-modeled as infrastructure.
In this talk, we present offensive research into the MCP ecosystem and demonstrate how classic vulnerability classes become significantly more impactful when placed inside agent-driven automation layers.
Through real-world case studies, including critical vulnerabilities affecting a widely deployed Atlassian MCP server (4M+ downloads), we show how network-reachable services can be coerced into outbound pivoting, filesystem control, and full remote code execution.
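The first check a practitioner will want after reading the abstract is whether any MCP server on a workstation or build host is actually reachable from the network. The script below is an added example, not code from this talk or from Pluto Security: it parses `ss -ltnp` output (a constructed sample is embedded so it runs offline; the process names in it are made up) and reports listeners bound to a wildcard address, listing MCP-looking processes first.

```python
"""Flag listening services bound to all interfaces (0.0.0.0 / [::] / *).

Added example for the session abstract; not code from the talk or from
Pluto Security. Input is `ss -ltnp` text (iproute2, Linux). The embedded
sample is constructed and its process names (mcp-server, mcp-gateway)
are hypothetical.
"""
import re
import subprocess

# Constructed sample in `ss -ltnp` format; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8000       0.0.0.0:*          users:(("python3",pid=4123,fd=6))
LISTEN  0       4096    0.0.0.0:3000         0.0.0.0:*          users:(("node",pid=4180,fd=21))
LISTEN  0       511     *:8080               *:*                users:(("mcp-gateway",pid=4200,fd=5))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=900,fd=7))
LISTEN  0       4096    [::]:9000            [::]:*             users:(("mcp-server",pid=4300,fd=9))
"""

# Bind addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (local_addr, port, process_name, pid) for each LISTEN row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")  # handles [::]:9000 too
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        yield addr, int(port), proc, pid


def wildcard_listeners(text, name_hint="mcp"):
    """Return listeners bound to all interfaces; name_hint matches sort first."""
    hits = [
        {"addr": a, "port": p, "proc": n, "pid": pid}
        for a, p, n, pid in parse_ss(text)
        if a in WILDCARD_ADDRS
    ]
    hits.sort(key=lambda h: (name_hint not in h["proc"].lower(), h["port"]))
    return hits


def live_ss_output():
    """Run `ss -ltnp` on this host; fall back to the sample if unavailable."""
    try:
        return subprocess.run(
            ["ss", "-ltnp"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    for h in wildcard_listeners(live_ss_output()):
        print(f"{h['proc']:>12} pid={h['pid']}  {h['addr']}:{h['port']}  "
              "<- reachable from the network, not just localhost")
```

Run it on the sample and the two `mcp-*` listeners come out ahead of the wildcard-bound `node` process, while the loopback-only `python3` and `postgres` entries are not reported; anything it lists should either be rebound to 127.0.0.1 or put behind authentication and a firewall rule before it is treated as "developer tooling".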