Cisco just shipped the first enterprise product that treats MCP servers as a first-class attack surface. At Cisco Live EMEA in Amsterdam on February 10, 2026, the company announced its biggest-ever AI Defense update alongside a new initiative called AgenticOps that embeds agentic AI capabilities across its entire networking, security, and observability portfolio. The headline feature: a runtime MCP gateway that intercepts every call between an AI agent and its tools, inspects intent, and enforces policy in real time.
That matters because MCP is becoming the default integration layer for AI agents, and nobody had a production-grade security control plane for it until now.
What Cisco Actually Shipped at Cisco Live Amsterdam
Cisco’s announcement spans three pillars: AI Defense (security for AI workloads), AgenticOps (agentic AI inside IT operations), and infrastructure upgrades for AI-era networking. Jeetu Patel, Cisco’s President and Chief Product Officer, framed it as building “critical infrastructure our customers need to move fast and adopt AI safely.” Here is what is in each category.
AI Defense expansion brings four new capabilities. AI BOM (Bill of Materials) gives organizations centralized visibility into their AI software assets, including model files, MCP servers, and third-party dependencies. Think of it as an SBOM for AI: you get an inventory of every model and tool your agents use, with vulnerability scanning powered by a Hugging Face partnership. The MCP Catalog discovers and inventories MCP servers across your environment, flagging risks before agents connect to them. Advanced algorithmic red teaming runs adaptive single-turn and multi-turn testing in multiple languages. And real-time agentic guardrails provide continuous monitoring to detect manipulation and unsafe behavior at runtime, with an NVIDIA NeMo Guardrails integration for developer-ready protection.
AgenticOps for Security puts agentic AI inside Cisco Security Cloud Control. Instead of humans triaging firewall alerts, agentic capabilities proactively analyze traffic, capacity, health, and configuration data across your firewall fleet, surface prioritized recommendations, and autonomously remediate issues. The key phrase is “while maintaining security and compliance”: Cisco is positioning this as autonomous remediation within policy guardrails, not unbounded agent action.
AI-Aware SASE adds AI traffic detection and optimization to Cisco’s Secure Access Service Edge. This includes MCP visibility, logging, and policy control that discovers and governs MCP communications with in-path controls. Intent-aware inspection evaluates not just what agentic traffic contains, but why the agent is making a particular call and how it fits the conversation context. That is a meaningful step beyond pattern matching.
Infrastructure gets post-quantum cryptography support across IOS XE 26, the new Cisco 8000 Series Secure Routers, and C9000 Series Smart Switches. Cisco also announced Critical National Services Centers (CNSCs) in the UK, France, and Spain, with Italy coming next, providing air-gapped and sovereign deployment options.
Most security features target general availability in May 2026. AgenticOps for Campus, Branch, and Industrial environments began rolling out in February 2026.
AI Defense Gets an Agentic Upgrade: The MCP Gateway
The centerpiece of the AI Defense update is runtime protection that functions as an MCP gateway. When an AI agent calls an MCP server to use a tool, Cisco AI Defense sits between the agent and the server, intercepting the request. It performs bi-directional inspection, checking both what the agent sends and what the tool returns.
This is the right architectural move. The OWASP Top 10 for Agentic Applications puts tool compromise and supply chain poisoning in the top five risks. Invariant Labs found that 5.5% of MCP servers in the wild contain tool poisoning attacks. A real example: a malicious MCP server that BCC’d an unsanctioned third party on every email sent through the agent. The tool worked exactly as advertised for its primary function. The data exfiltration happened silently on the side.
Cisco’s intent-aware inspection combines rapid on-device detection with cloud-based analysis to evaluate the intent behind agentic messages. This goes beyond static signature matching. When an agent initiates a multi-step workflow, the system tracks the conversation context and flags deviations from expected behavior patterns. If an agent suddenly tries to exfiltrate SSH keys mid-workflow, the gateway catches the intent mismatch even if the individual tool call looks syntactically normal.
The AI BOM feature deserves attention too. It brings the software supply chain security model to AI for the first time at this scale. Every model file, every MCP server, every third-party dependency gets cataloged and scanned. Chirag Mehta, VP and Principal Analyst at Constellation Research, put it well: “With AI BOM and MCP governance plus multi-turn red teaming and real-time guardrails, Cisco AI Defense is targeting the full risk path from the AI supply chain to agentic runtime.”
The caveat: Cisco’s blog post notes that several features “remain in varying stages of development.” This is not vaporware, but some capabilities are further along than others. Enterprises evaluating this should ask for a feature-by-feature availability timeline.
AgenticOps Across the Full Stack
AgenticOps is Cisco’s term for embedding agentic AI into IT operations across networking, security, and observability. This is separate from securing agents (that is AI Defense); AgenticOps is about using agents to run your infrastructure.
Data Center Networks get early detection and intelligent event correlation. Instead of waiting for humans to correlate alerts from multiple switches and routers, agentic AI identifies patterns across the fabric and delivers prescriptive recommendations. Controlled availability is set for June 2026.
Service Provider Networks benefit from agentic capabilities in Crosswork AI that identify, diagnose, and resolve complex multi-vendor issues. Service providers manage some of the most heterogeneous environments on the planet; autonomous diagnostics across Cisco, Juniper, Nokia, and other vendors’ gear is where the ROI gets real.
Campus, Branch, and Industrial environments see the earliest rollout, starting February 2026. The use case here is operational: automated network troubleshooting, capacity planning, and configuration drift detection without requiring a network engineer on site.
Splunk AI Agent Monitoring ties the observability layer together. Generally available from February 25, 2026, it visualizes agent workflows and will integrate with Cisco AI Defense to surface risks like bias, hallucinations, data leakage, and prompt injection. AGNTCY quality metrics, including relevance and hallucination scores, feed directly into the Splunk platform as standard telemetry. This is the piece that closes the loop between AI security (AI Defense) and AI operations (AgenticOps): you protect agents and monitor them through a single pane of glass.
The strategic play is clear. Cisco acquired Splunk for $28 billion in 2024 specifically to unify networking and observability. AgenticOps is the first product that delivers on that promise for the AI era. Mauricio Sanchez, Senior Director at Dell’Oro Group, noted that “Cisco has steadily increased its market share, up roughly 20% since 2023. Vendors that align networking, security, and policy enforcement are increasingly well-positioned.”
What European Enterprises Should Pay Attention To
The sovereignty story is notable. Cisco announced Critical National Services Centers in the UK, France, and Spain (with Italy next). These provide air-gapped, on-premises deployment with cleared personnel and segregated processes. For European organizations subject to DORA, NIS2, or national security requirements, this is the kind of infrastructure commitment that moves Cisco from “possible vendor” to “shortlist.”
The EU AI Act angle is equally relevant. By August 2, 2026, organizations deploying high-risk AI systems, including many agent-based applications, need documented risk management processes, human oversight mechanisms, and technical logging. Cisco’s AI BOM, MCP governance, and runtime guardrails map directly to Articles 9, 12, and 14 of the EU AI Act. Whether a Cisco product alone satisfies compliance is a question for legal counsel, but the capabilities check the right boxes.
Post-quantum cryptography across the networking stack is forward-thinking. Europe’s ENISA has been pushing PQC adoption since 2024, and the BSI (Germany’s Federal Office for Information Security) recommends hybrid classical/PQC encryption for sensitive workloads starting in 2026. Cisco’s full-stack PQC support in IOS XE 26 gets ahead of this curve.
The timeline matters for planning. Security features target general availability in May 2026, three months before the EU AI Act enforcement date. That is tight but workable. Splunk AI Agent Monitoring is generally available February 25. AgenticOps for data centers hits controlled availability in June. European CISOs should map these dates against their compliance timelines now, not in Q3 when the audit pressure hits.
Frequently Asked Questions
What is Cisco AgenticOps?
AgenticOps is Cisco’s initiative to embed agentic AI capabilities across its networking, security, and observability portfolio. It uses AI agents to automate IT operations like network troubleshooting, firewall management, and event correlation across data center, campus, branch, and service provider environments.
What is the Cisco AI Defense MCP gateway?
The MCP gateway is a runtime protection feature in Cisco AI Defense that intercepts calls between AI agents and MCP (Model Context Protocol) servers. It performs bi-directional inspection, evaluates the intent behind agentic messages, and enforces security policy in real time to prevent tool poisoning, data exfiltration, and manipulation.
When will Cisco AI Defense security features be available?
Cisco’s AI Defense security features target general availability in May 2026. Splunk AI Agent Monitoring is generally available from February 25, 2026. AgenticOps for Campus, Branch, and Industrial environments began rolling out in February 2026, while data center features target controlled availability in June 2026.
What is AI BOM (AI Bill of Materials)?
AI BOM is a feature in Cisco AI Defense that provides centralized visibility and governance for AI software assets. It catalogs model files, MCP servers, and third-party dependencies, then scans them for vulnerabilities using a partnership with Hugging Face. It extends the software bill of materials (SBOM) concept to the AI supply chain.
Does Cisco AgenticOps help with EU AI Act compliance?
Cisco’s AI BOM, MCP governance, runtime guardrails, and technical logging capabilities map to Articles 9, 12, and 14 of the EU AI Act, which cover risk management, record-keeping, and human oversight. Whether these features alone satisfy compliance requirements depends on the specific deployment and should be evaluated with legal counsel.