MCP Narrative Collapse: Three Takes from Perplexity, YC, and the Indie-Hacker World
In 72 hours, the AI infrastructure community went from "MCP is the future" to "MCP sucks honestly." Perplexity's CTO says they are moving off it internally. Garry Tan at YC posted the eulogy. Pieter Levels declared it dead. Here is what actually shifted, why the Ox Security disclosure was the trigger, and what it means for agent-layer security going forward.
TL;DR
Three public statements in 72 hours, all from people whose infrastructure opinions move capital:
- •**Denis Yarats, CTO of Perplexity** — confirmed Perplexity is moving off MCP internally.
- •**Garry Tan, president of Y Combinator** — posted "MCP sucks honestly" on X, reaching the YC founder network.
- •**Pieter Levels**, the indie-hacker world's de facto voice — declared MCP "dead."
All three came after Ox Security's [2026-04-16 disclosure](https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/) of a systemic STDIO design flaw affecting ~200,000 servers, and Anthropic's decision not to patch it. This post is not a takedown. It is a record of the moment the infrastructure consensus cracked — and a note on what shipping detection standards means when the protocol itself is in question.
The three takes
**Perplexity CTO Denis Yarats — enterprise engineering talking**. Perplexity is one of the heaviest AI agent consumers in production. When their CTO publicly says they are moving off MCP, that is a procurement decision made by people who ship to 100M+ users. It is not a tweet. It is a budget line.
**Garry Tan, YC president — capital allocator talking**. YC has backed dozens of agent-infrastructure startups in the past 12 months. "MCP sucks honestly" from the top of YC reaches every portfolio company simultaneously. Founders who were preparing Series A decks with MCP as the substrate are now preparing explanations of why they are still on it.
**Pieter Levels — indie-hacker voice talking**. This is the long tail of independent AI builders. When Levels declares a technology dead, it does not actually die, but the narrative weight shifts. Indie hackers default to "move fast, don't bet on the loser."
What actually changed (and what did not)
MCP as a protocol did not change this week. The installed base is still 150M+ downloads. The number of production integrations is still increasing. Claude Desktop still ships it. What changed is the **trust allocation** — the assumption that "Anthropic will fix protocol-level flaws" got broken on 2026-04-16 when Anthropic publicly said a systemic STDIO issue was "expected behavior."
That is a protocol governance failure, not a technical failure. And it is irreversible, because a vendor that has declined to patch once will be expected to decline again.
What this means for agent-layer security
Two things follow:
**1. The detection layer is now a first-class contract, not a nice-to-have.** When the protocol vendor is no longer the backstop, the defender has to enumerate every known attack class explicitly. This is what [Agent Threat Rules (ATR)](https://github.com/Agent-Threat-Rule/agent-threat-rules) has been doing for 6 months — 113 open-source detection rules as of this week, 99.6% precision on the PINT adversarial benchmark, 100% recall on structured SKILL.md content, shipped in production by Cisco AI Defense and Microsoft's Agent Governance Toolkit.
**2. Protocol-agnostic detection wins.** Whatever replaces MCP (or survives alongside it) will have the same attack surface — prompt injection, skill compromise, credential exfiltration through agent context, fork impersonation. These attack classes are about the agent model, not the transport. Rules that bind to the MCP wire format die when MCP dies. Rules that bind to the semantic attack class (like ours) outlive transport changes.
Our read
We do not think MCP is dead. We think the market just re-priced MCP from "assumed-safe standard" to "legacy protocol with known design flaws that needs compensating controls." Those compensating controls are detection rules. Which means the infrastructure shift happening this week is, for agent-layer detection, a category tailwind.
If you are building on MCP: do not panic-migrate. Put detection at the boundary and keep shipping. `npx agent-threat-rules scan <path>` takes under a minute.
If you are migrating off MCP: note that the successor will inherit the same attack model. Invest your security budget in detection rules that bind to the semantic class of threat, not the transport.
Sources
- •Ox Security disclosure — [The Mother of All AI Supply Chains](https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/) (2026-04-16)
- •Community roundup — [Was MCP a Mistake?](https://www.aiengineering.report/p/was-mcp-a-mistake-the-internet-weighs) (AI Engineering Report, 2026-04-18)
- •Mainstream press — [AI agent fever comes with lurking security threats](https://startupnews.fyi/2026/04/19/ai-agent-fever-comes-with-lurking-security-threats/) (2026-04-19)
- •ATR paper — [doi.org/10.5281/zenodo.19178002](https://doi.org/10.5281/zenodo.19178002)
---
*Previous post on this thread: [Anthropic Won't Patch](/blog/anthropic-wont-patch-mcp-stdio-flaw).*