Upgrading from AWS Command Line Interface (AWS CLI) v1 to AWS CLI v2 can be challenging and time-consuming due to changes introduced in AWS CLI v2 that can potentially break your existing workflows. If you don’t properly address breaking changes in your scripts or workflows, then executing these workflows after upgrading to AWS CLI v2 may result in unintended consequences, such as failing commands or misconfiguring resources in your AWS account.
AWS CLI v1’s upgrade debug mode helps you identify and resolve these issues before upgrading, for a safer and seamless transition. This mode detects usage of features in AWS CLI v1 that have been updated with breaking changes in AWS CLI v2, and outputs a warning for each detection.
In this post, we’ll walk you through using AWS CLI v1’s upgrade debug mode to identify potential breaking changes, resolve compatibility issues, and safely transition your workflows to v2.
Getting Started
You’ll start by verifying you have the correct version of AWS CLI v1 to use upgrade debug mode, then you’ll use this mode to test commands in AWS CLI v1 for usage of features that were updated with breaking changes in AWS CLI v2. Then, you’ll review the AWS CLI v2 breaking changes list in the Migration guide for the AWS CLI version 2 to manually verify whether your workflows may be broken by upgrading. Finally, you’ll follow guidance to mitigate breaking your workflows and safely upgrade to AWS CLI v2.
AWS CLI v1
The following steps walk you through using upgrade debug mode to identify potential breaking changes in your existing AWS CLI v1 usage, resolve compatibility issues, and safely transition to AWS CLI v2.
Step 1: Verify you are using AWS CLI v1 version 1.44.0 or higher.
We released the upgrade debug mode feature to the AWS CLI in version 1.44.0.
Using AWS CLI v1, run aws --version, and verify that the AWS CLI version is 1.44.0 or higher.
If the version is older than 1.44.0, see our Developer Guide for instructions to update to a later version.
Step 2: Test your AWS CLI v1 usage with AWS CLI upgrade debug mode
Set the AWS_CLI_UPGRADE_DEBUG_MODE environment variable to true to detect usage of features broken in AWS CLI v2. Alternatively, you can enable this functionality at the command-level using the --v2-debug command line option. If you are upgrading the AWS CLI in existing scripts or workflows to use v2, we recommend testing each AWS CLI command used with this functionality enabled before upgrading them to use AWS CLI v2.
We recommend performing this step in the same environment that you will upgrade to use AWS CLI v2, since the execution environment determines whether commands will experience breaking changes.
For example, suppose you have a script that executes the AWS CLI command below:
Execute the command with the AWS_CLI_UPGRADE_DEBUG_MODE set to true—or with the --v2-debug flag—and check the output for the text “AWS CLI v2 UPGRADE WARNING”. Example output with the environment variable configured is shown below:
$ aws secretsmanager update-secret --secret-id SECRET-NAME \
--secret-binary file://BINARY-SECRET.json
AWS CLI v2 UPGRADE WARNING: When specifying a blob-type parameter, AWS CLI v2 will
assume the parameter value is base64-encoded. This is different from v1 behavior,
where the AWS CLI will automatically encode the value to base64. To retain v1
behavior in AWS CLI v2, set the `cli_binary_format` configuration variable to
`raw-in-base64-out`. See
https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-changes.html#cliv2-migration-binaryparam.
{
"ARN": "ARN",
"Name": "SECRET-NAME",
"VersionId": "VERSION-ID"
}
Step 3: Use the warnings to prepare for AWS CLI v2
If breaking changes were detected in step 2, the warnings provide guidance for preparing for the AWS CLI v2 upgrade. Some breaking changes can be mitigated prior to upgrading to AWS CLI v2 by modifying the command or execution environment; the warnings identified in step 2 include links to our AWS CLI v2 breaking changes list that details options to mitigate the breakage.
In the previous example, the warning explains that AWS CLI v2 will assume that the contents of BINARY-SECRET.json will be encoded in base64.
Following the instructions in the warning, you’ll configure the cli_binary_format variable to raw-in-base64-out in the configuration file. Even though cli_binary_format is not a valid configuration setting in AWS CLI v1, it prepares your environment for AWS CLI v2 by configuring AWS CLI v2 to retain the same behavior as AWS CLI v1.
You’ll configure cli_binary_format according to the instructions using the following command:
aws configure set cli_binary_format raw-in-base64-out
Step 4: Verify resolution of warnings
For breaking changes mitigated in step 3, you’ll re-run the command to verify the warning is no longer printed.
Proceeding with the example, you configured the cli_binary_format variable to raw-in-base64-out in step 3. You’ll now re-run the command to verify the mitigation warning is resolved:
The warning is no longer printed, signaling that this command is now compatible with AWS CLI v2.
If you used the --v2-debug argument instead of the AWS_CLI_UPGRADE_DEBUG_MODE environment variable in step 2, remember to remove the flag from the command before upgrading to version 2.
Step 5: Manually review for breaking changes
After using upgrade debug mode to automatically detect usage of features that were updated with breaking changes, you will now manually review your AWS CLI usage by reviewing our breaking changes list and AWS CLI v2 Migration Guide.
Step 6: Upgrade to AWS CLI v2
After preparing for the breaking changes identified in the previous steps, you will now upgrade to AWS CLI v2 following the installation guide.
Limitations
The upgrade debug mode feature does not currently support every breaking change introduced with AWS CLI v2, and has false positive cases where it issues a warning even if no breaking changes are actually present.
Additionally, some of the detection depends on API responses, as well as the execution environment running the AWS CLI. For this reason, we recommend running this feature against an AWS account and execution environment that reflect your production workflows as close as possible.
The Gemini Code Assist team has introduced a suite of updates focused on streamlining the core coding workflow through high-velocity tools like Agent Mode with Auto Approve and Inline Diff Views. These enhancements, along with new features for precise context management and custom commands, aim to transform the AI from a general assistant into a highly tailored, seamless collaborator that adapts to your specific development style.
Look who's back! After we completed 2024, XSS managed to get itself ranked as the #1 top threat of the year. I wrote about that, and at the end of the blog post I said "Let's make sure that XSS isn't #1 in 2025!"... Well, I have some bad news...
Looking at the data
I wrote a whole bunch in that previous blog post about what the CVE program is and what CWE means, so if you want the background, you should definitely head there and read that post first. Here, I want to take a look at the data and see how things are going. Looking at the list of the Top 25 threat in 2025, and then downloading all of the raw data, we can produce some details on the top threats.
CWE ID
Vulnerabilities Caused
CWE-79
7,303
CWE-89
3,758
CWE-862
2,190
CWE-352
1,682
CWE-22
967
CWE-121
827
CWE-284
796
CWE-78
748
CWE-434
744
CWE-120
732
CWE-200
703
CWE-125
653
CWE-416
642
CWE-502
619
CWE-77
550
CWE-20
516
CWE-122
513
CWE-787
500
CWE-918
483
CWE-476
478
CWE-94
468
CWE-863
409
CWE-639
362
CWE-306
356
CWE-770
317
Total
43,473
Sadly, as we can see, we still have quite a lot of work to do on this front as XSS (CWE-79) continues to absolutely dominate the rankings! Not only was it the top threat, nothing else even came close.
Looking further back
Given that the entire archive of the Top 25 is available, I thought I'd take a look at how XSS performed over all the years we have data, back as far as 2010(!), and it's not filling me with confidence.
Year
XSS Rank
2026
#1 (so far!)
2025
#1
2024
#1
2023
#2
2022
#2
2021
#2
2020
#1
2019
#2
2011
#4
2010
#1
As far back as the data goes, we have seen that XSS is consistently a top ranked threat, never having the left the Top 4!
Detecting and Mitigating XSS
Regular readers will know by now that Content Security Policy provides for an effective mechanism to protect against XSS. Our sole purpose at Report URI is to help organisations deploy a strong CSP to their website and to monitor for signs of trouble should they arise. We have a whole heap of resources to get you started, so head on over to start a free trial and reach out if you need any support getting going.
I have my fingers crossed that we might be able to do something to stop XSS becoming the #1 Top Threat of 2026, but given it already has twice the number of vulnerabilities than its closest competitor, we'd best get started on making some progress soon!
Google has introduced Finish Changes and Outlines for Gemini Code Assist in IntelliJ and VS Code to reduce developer friction and eliminate the need for long, manual prompting. Finish Changes acts as an AI pair programmer that completes code, implements pseudocode, and applies refactoring patterns by observing your current edits and context. Meanwhile, Outlines improves code comprehension by generating interactive, high-level English summaries interleaved directly within the source code to help engineers navigate and understand complex files.
If you run an online business, it’s pretty important that customers receive your emails. Even if you use a robust email marketing plugin, messages like order confirmations or password resets may be blocked or fail to arrive in people’s inboxes.
This is where SMTP (Simple Mail Transfer Protocol) plugins come in handy. These tools are designed to authenticate emails and verify their source, ensuring that messages arrive safely at the intended destination.
In this guide, we’ll explore the best WordPress SMTP plugins for your website. We’ll also discuss what to look for in an SMTP tool and share essential configuration tips to help you get started. So, let’s dive right in.
Why you may need an SMTP plugin for WordPress
By default, WordPress sends emails using a basic PHP function called wp_mail(). While this usually gets the job done, it has several limitations. These include:
No authentication: Emails sent via PHP mail may lack proper authentication headers.
Poor deliverability: Messages are more likely to land in spam folders or get blocked.
Host conflicts: Hosting providers may disable PHP mail to prevent abuse and improve security.
No visibility: There’s no record of error messages or confirmations that your emails were sent.
An SMTP plugin prevents these issues by routing your WordPress emails through an authenticated mail server or delivery service. As the website owner, you won’t have to rely on your web server’s basic mail function — the SMTP plugin lets you connect to trusted providers like Gmail, SendGrid, and Amazon SES.
What to look for in a WordPress SMTP plugin
While all SMTP plugins promise better email delivery, the results can vary widely from one tool to another. Plus, each plugin offers different levels of control and configuration, so you’ll want to choose wisely.
Let’s look at the most important criteria to consider when selecting a WordPress SMTP plugin.
Reliability and deliverability
The main purpose of an SMTP plugin is to improve email deliverability. It helps emails reach inboxes instead of spam folders.
A high-quality SMTP plugin should support authenticated SMTP connections. This shows receiving mail servers that your website is authorized to send emails on your domain.
Authentication is one of the factors that email providers like Gmail use to determine whether the source is trustworthy. So, you’ll want to look for plugins that support modern encryption methods such as SSL and TLS. The plugin should also let you authenticate using credentials, API keys, or OAuth.
Compatibility with email providers
Not every SMTP plugin works well with every email provider. Some enable you to connect to virtually any SMTP service as long as you have the correct credentials, while others are optimized for specific providers like Gmail, Outlook, SendGrid, or Amazon SES.
Before choosing a plugin, consider which email service you’re currently using (or would like to use), whether you plan to switch providers in the future, and if you need support for multiple providers.
A flexible plugin gives you the freedom to change providers without having to switch plugins. On the other hand, provider-specific plugins may offer deeper integrations or easier setup.
Ease of setup
Configuring an SMTP plugin can be difficult if you’re not familiar with email servers, ports, and encryption protocols. A good WordPress SMTP plugin does most of the work for you.
Look for a beginner-friendly plugin that offers step-by-step setup wizards and preconfigured settings for popular email providers. The plugin should also make it easy to update credentials, switch providers, or troubleshoot problems.
Email logging and debugging
You may not be aware that your emails are failing to send until you receive a message from a customer telling you that they never received an order confirmation. That’s why email logging is one of the most valuable features an SMTP plugin can offer.
Email logs help you see which emails were sent from your site, and whether they were successfully delivered. With logs, you’ll also be able to confirm timestamps and recipients, and diagnose recurring issues. Some plugins will also offer delivery status tracking and resend options for failed emails.
Support for transactional emails
Transactional emails are messages triggered by user actions like account creation, password resets, and orders. These emails are time-sensitive and important, so if you run an online business, your SMTP plugin must handle transactional emails quickly, even during traffic spikes.
Some plugins are better optimized for transactional email workflows. They ensure that high-priority messages are sent immediately and not delayed by bulk sending.
Security features
Your emails may include sensitive data like login credentials, personal information, and payment details. A good SMTP plugin should prioritize security with features like:
Secure connections using SSL or TLS
Support for modern authentication methods (OAuth, API keys)
Protection against credential exposure
Additionally, plugins that ensure proper email authentication (like SPF, DKIM, and DMARC) help protect your domain from spoofing and phishing attempts.
Pricing and scalability
There are both free and premium SMTP plugins. When evaluating cost, consider the following:
Whether the free version is sufficient for your current email volume and needs
What essential features are locked behind paid plans
Whether email sending limits could become a problem in the future
A free plugin may work well for a small shop, but as your business grows, you’ll need a solution that offers higher sending limits, better monitoring, and priority support. To be safe, choose a plugin that can scale with your site.
The six best SMTP plugins for WordPress (expert picks)
Now, here are the top picks for the best WordPress SMTP plugins, based on reliability, features, and ease of use.
MailPoet is a popular WordPress email plugin known primarily for its email marketing capabilities. It’s designed by Automattic, the people behind WordPress.com, WooCommerce, and Jetpack.
MailPoet combines newsletters, automated emails, and transactional email delivery. It also comes with an automated SMTP solution for WordPress that lets you deliver emails through your preferred service.
Key features of MailPoet:
Built-in SMTP and email delivery service
The ability to reroute all WordPress emails via third-party SMTP services or MailPoet’s own email delivery service
Free email delivery for up to 5,000 emails per month
Email analytics and tracking
Seamless integration with WooCommerce
Email templates and automation workflows, like abandoned cart reminders
Pros of MailPoet:
It combines SMTP functionality with full email marketing tools, so you won’t need to set up an additional plugin for your emails.
There’s no need to configure an external SMTP tool if you use MailPoet’s built-in delivery service.
Cons of MailPoet:
Paid plans are required for higher sending volumes and advanced features.
Ease of use:
MailPoet is very beginner-friendly. Once you install and enable the plugin on your site, it will instantly start sending your emails through its SMTP service. Plus, you still have the flexibility to connect to an external SMTP service.
Best suited for:
WordPress site owners who want both transactional emails and newsletters.
Businesses that want reliable delivery without complex SMTP setup.
Anyone looking for an all-in-one email solution.
Pricing:
The free plan includes up to 5,000 emails per month
Paid plans scale based on subscriber count. For example, the Business plan starts at $20/month for 1,500 subscribers.
WP Mail SMTP is one of the most popular WordPress SMTP plugins. It integrates with Mailgun, Brevo, SendLayer, Zoho, AWS, and other email service providers.
Key features of WP Mail SMTP:
Support for major SMTP providers
Email logging and reports
Open and click tracking
Email failure alerts
Conditional logic that allows email sending through different providers
Pros of WP Mail SMTP:
It gives you a lot of flexibility over SMTP configuration and which services to use.
It offers backup connections with a secondary email provider, in case something goes wrong with the primary service.
Cons of WP Mail SMTP:
The advanced features and configuration can be overwhelming for non-technical users.
Ease of use:
WP Mail SMTP has a guided setup wizard and a clean interface, but you’ll need some technical knowledge to set up more advanced configurations like conditional logic.
Best suited for:
Medium to large-sized websites that want more control over SMTP configuration and in-depth reports on deliverability.
Pricing:
A free version is available, but it does not come with access to email logging and alerts.
SMTP Mailer is a lightweight, no-frills WordPress plugin designed specifically for SMTP email delivery. It works well with Contact Form 7, Jetpack, Formidable Forms, and other form plugins.
Key features of SMTP Mailer:
Simple SMTP configuration
Support for SSL/TLS encryption
An email testing tool
Pros of SMTP Mailer:
It’s completely free and easy to configure for basic needs.
Cons of SMTP Mailer:
It has limited features and minimal support compared to premium plugins.
Email logging is only available as an add-on.
Ease of use:
SMTP Mailer is straightforward to use, but requires a basic understanding of SMTP credentials.
Best suited for:
Owners of small websites who want a free, simple SMTP solution without the need for advanced features.
Post SMTP is a feature-rich SMTP plugin that’s ideal for website owners who want detailed diagnostics and advanced email delivery options. It’s a complete SMTP Solution with email logging, alerts, a backup SMTP server, and a mobile app.
Key features of Post SMTP:
Advanced email logging and reporting
A chrome extension for real-time email failure alerts
Fallback SMTP servers
OAuth 2.0 support for Gmail and other email providers
Detailed error diagnostics
A built-in spam score checker that evaluates your domain reputation
Support for Outlook, Gmail, Amazon SES, Zoho, and other services
Pros of Post SMTP:
It offers excellent debugging tools.
It supports complex setups, making it ideal for websites that handle large volumes of emails.
The mobile app enables you to monitor and manage your WordPress emails on the go.
Cons of Post SMTP:
The interface can feel overwhelming for those who are new to SMTP.
Ease of use:
Post SMTP is more complex than beginner plugins, but once you understand the interface, you’ll have a powerful setup.
Best suited for:
Developers and advanced users who work on websites with complex email requirements.
Website owners who want detailed delivery insights and instant alerts.
As the name suggests, Easy WP SMTP is a WordPress plugin that makes SMTP setup an easy and straightforward process. It’s ideal for small blogs, personal websites, and basic business sites.
Despite being a beginner-friendly tool, it offers various integrations, including SendLayer, Amazon SES, Gmail, Mailgun, Mailjet, Outlook, Brevo, and more.
Key features of Easy WP SMTP:
Basic SMTP configuration
Support for popular transactional mailers
Backup connections
Email notifications via email, Slack, Microsoft Teams, and more
Smart conditional routing that enables you to send different types of emails through various mailers
Pros of Easy WP SMTP:
It’s designed with beginners in mind, so it’s a user-friendly tool with minimal configuration.
Cons of Easy WP SMTP:
Most of its features are only available with the premium version.
Ease of use:
Easy WP SMTP comes with a setup wizard that helps you configure your SMTP solution in minutes. It also offers a fast and easy Gmail integration.
Best suited for:
Owners of small websites or stores who favor simplicity over advanced features.
Gmail SMTP is a niche WordPress plugin created specifically to connect WordPress with Google’s email infrastructure. It enables you to send WordPress emails through Gmail or Google Workspace SMTP servers.
The plugin uses the OAuth 2.0 protocol to authorize access to the Gmail API. This means that you won’t have to enter any username or password to set up the SMTP.
Key features of Gmail SMTP:
Gmail SMTP integration
OAuth authentication
Support for TLS encryption
The ability to test email functionality
Pros of Gmail SMTP:
It provides reliable Gmail delivery and serves as a secure solution for Google Workspace users.
Cons of Gmail SMTP:
It’s limited to Gmail.
It isn’t suitable for high-volume sending, as Gmail’s sending limits apply.
Ease of use:
The plugin requires Google API setup for OAuth, which can be difficult if you’re unfamiliar with the protocol.
Best suited for:
Small businesses using Google Workspace and websites with low-volume email sending.
Pricing:
This is a free plugin.
A comparison of the top SMTP plugins on WordPress
Best for
Email logs
Built-in delivery service
Ease of use
Free plan
MailPoet
Email marketing and transactional emails
Yes
Yes
Very easy
Yes
WP Mail SMTP
Medium to large websites that want more control over SMTP configuration
Yes
No
Moderate
Yes
SMTP Mailer
Small websites that want a basic solution
Available as an add-on
No
Easy
Yes
Post SMTP
Websites with complex email requirements.
Yes
No
Moderate
Yes
Easy WP SMTP
Small websites with minimal configuration needs
Yes
No
Very easy
Yes
Gmail SMTP
Small businesses that use Google Workspace
Available as an add-on
No
Moderate
Yes
SMTP plugin configuration tips for WordPress
Once you select the right SMTP plugin, you’ll need to make sure that you set it up correctly. The plugin can fail to deliver emails if your configuration is incomplete or your domain isn’t properly authenticated.
Here’s what you’ll need to do:
Use proper authentication records
To maximize deliverability and protect your domain’s reputation, configure the following DNS authentication records. These records tell receiving mail servers that your emails are officially authorized by your website.
SPF (Sender Policy Framework)
SPF defines which mail servers are allowed to send emails on behalf of your domain. When an email is received, the recipient’s server checks the SPF record to verify that the sending server is authorized.
When setting up your SPF record, include all services that send emails for your domain (SMTP providers, email marketing tools, hosting providers). Also, avoid creating multiple SPF records. You should only have one per domain.
If your SPF record is missing or misconfigured, receiving servers may mark your emails as spam or reject them.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each of your emails. This signature enables receiving servers to verify that the message hasn’t been altered in transit and that it originated from your domain.
DKIM setup typically involves generating a DKIM key pair in your email service or SMTP provider. Then, you’ll need to add a public DKIM key as a DNS record for your domain and enable DKIM signing in your SMTP or email delivery service.
DKIM significantly improves trust. It’s a requirement for reliable email delivery, especially for transactional emails.
DMARC builds on SPF and DKIM by telling receiving servers how to handle emails that fail authentication checks. It also enables reporting, so you can see how your domain is being used (or misused) for email.
With a DMARC policy, you can specify whether unauthenticated emails should be monitored, quarantined, or rejected. You’ll also receive reports about authentication failures.
Match your “From” address
Your “From” email address should always match the domain you’re sending from (for example, hello@yourdomain.com). Using free email addresses like Gmail or Yahoo as the sender can trigger spam filters, even if SMTP authentication is technically correct.
Be sure to do the following:
Use a domain-based email address for all WordPress emails (e.g., support@mystore.com, info@mystore.com, orders@mystore.com).
Match the “From” address with the domain used in your SPF and DKIM records.
Force the “From” address in your SMTP plugin to prevent overrides by themes or other plugins
Consistency between your sending domain, SMTP server, and authentication records is important for building trust with receiving mail servers.
Test your emails
After configuring your SMTP plugin, send a test email to your personal address to confirm that everything is working as expected. Most SMTP plugins include a built-in test feature that sends a message using your current settings.
When testing, try to send emails to multiple providers (Gmail, Outlook, Yahoo). Also, check both the inbox and spam folders, and retest anytime you change SMTP credentials, DNS records, or email providers.
Regular testing helps you catch problems before they affect real users.
When to use an SMTP plugin vs. a dedicated email marketing plugin
SMTP plugins are primarily designed to ensure the safe delivery of WordPress emails. They replace WordPress’s default PHP mail function with authenticated SMTP sending, and therefore improve deliverability for emails like password resets, contact form notifications, and WooCommerce order confirmations.
However, SMTP plugins generally don’t handle marketing emails like newsletters. They route emails through a secure server, but they don’t help you manage ongoing email communication with your audience.
Meanwhile, a dedicated email marketing plugin is designed to help you manage both transactional and marketing emails within WordPress. Some plugins like MailPoet even have a built-in SMTP service. For example, you can use MailPoet to improve email deliverability as well as create newsletters, manage subscribers, set up automated workflows, and track engagement.
This can be especially useful for sites that rely heavily on email, like WooCommerce stores, membership sites, or content-driven businesses. Using a single tool for both SMTP and marketing emails will simplify your workflow.
So, if your email needs are limited to system notifications like password resets, an SMTP plugin may be enough. However, if email plays a larger role in your business, a dedicated email marketing plugin with built-in SMTP functionality is a better solution.
Frequently asked questions
Do you still have questions about SMTP plugins for WordPress? Let’s answer them.
Can I send WordPress emails without an SMTP plugin?
Yes, but it’s not recommended if successful email delivery is important for your business. Many hosts block or limit PHP mail, which means your customers won’t receive your emails.
How does an SMTP plugin improve email deliverability in WordPress?
An SMTP plugin authenticates your emails, uses trusted mail servers, and reduces spam filtering. As a result, receiving mail servers are much less likely to block your messages.
Do I need an SMTP plugin if I’m using a managed WordPress host?
Managed hosts improve performance and security, but unsuccessful email delivery may still be an issue without SMTP.
How do I choose the best SMTP plugin for my WordPress site?
Consider your email volume, technical skill level, and whether you need marketing features.
Which SMTP plugin is best for WooCommerce transactional emails?
Choose a solution that’s designed to handle transactional emails reliably, even in large volumes. MailPoet is a robust tool for online businesses, as it was built by the same people behind WordPress.com. You can also use MailPoet for marketing campaigns and newsletters.
What’s the difference between a transactional email plugin and an SMTP plugin?
SMTP plugins route emails, while transactional email plugins send automated messages like order confirmations. Ideally, you’ll use a plugin that combines both services, like MailPoet, so you can streamline your workflow and manage everything from one place.
What information do I need to configure a WordPress SMTP plugin?
You’ll typically need an SMTP host, port number, encryption type, username and password, and API credentials.
How do I test if my SMTP plugin is working correctly in WordPress?
Most plugins have a test email feature, so you can send messages from your website to your personal address to confirm delivery.
It’s hard to find a team today that isn’t talking about agents. For most organizations, this isn’t a “someday” project anymore. Building agents is a strategic priority for 95% of respondents that we surveyed across the globe with 800+ developers and decision makers in our latest State of Agentic AI research. The shift is happening fast: agent adoption has moved beyond experiments and demos into something closer to early operational maturity. 60% of organizations already report having AI agents in production, though a third of those remain in early stages.
Agent adoption today is driven by a pragmatic focus on productivity, efficiency, and operational transformation, not revenue growth or cost reduction. Early adoption is concentrated in internal, productivity-focused use cases, especially across software, infrastructure, and operations. The feedback loops are fast, and the risks are easier to control.
So what’s holding back agent scaling? Friction shows up and nearly all roads lead to the same place: AI agent security.
AI agent security isn’t one issue it’s the constraint
When teams talk about what’s holding them back, AI agent security rises to the top. In the same survey, 40% of respondents cite security as their top blocker when building agents. The reason it hits so hard is that it’s not confined to a single layer of the stack. It shows up everywhere, and it compounds as deployments grow.
For starters, when it comes to infrastructure, as organizations expand agent deployments, teams emphasize the need for secure sandboxing and runtime isolation, even for internal agents.
At the operations layer, complexity becomes a security problem. Once you have more tools, more integrations, and more orchestration logic, it gets harder to see what’s happening end-to-end and harder to control it. Our latest research data reflects that sprawl: over a third of respondents report challenges coordinating multiple tools, and a comparable share say integrations introduce security or compliance risk. That’s a classic pattern: operational complexity creates blind spots, and blind spots become exposure.
45% of organizations say the biggest challenge is ensuring tools are secure, trusted, and enterprise-ready.
And at the governance layer, enterprises want something simple: consistency. They want guardrails, policy enforcement, and auditability that work across teams and workflows. But current tooling isn’t meeting that bar yet. In fact, 45% of organizations say the biggest challenge is ensuring tools are secure, trusted, and enterprise-ready. That’s not a minor complaint: it’s the difference between “we can try this” and “we can scale this.”
MCP is popular but not ready for enterprise
Many teams are adopting Model Context Protocol (MCP) because it gives agents a standardized way to connect to tools, data, and external systems, making agents more useful and customized. Among respondents further along in their agent journey, 85% say they’re familiar with MCP and two-thirds say they actively use it across personal and professional projects.
Research data suggests that most teams are operating in what could be described as “leap-of-faith mode” when it comes to MCP, adopting the protocol without security guarantees and operational controls they would demand from mature enterprise infrastructure.
But the security story hasn’t caught up yet. Teams adopt MCP because it works, but they do so without the security guarantees and operational controls they would expect from mature enterprise infrastructure. For teams earlier in their agentic journey: 46% of them identify security and compliance as the top challenge with MCP.
Organizations are increasingly watching for threats like prompt injection and tool poisoning, along with the more foundational issues of access control, credentials, and authentication. The immaturity and security challenges of current MCP tooling make for a fragile foundation at this stage of agentic adoption.
Conclusion and recommendations
Ai agent security is what sets the speed limit for agentic AI in the enterprise. Organizations aren’t lacking interest, they’re lacking confidence that today’s tooling is enterprise-ready, that access controls can be enforced reliably, and that agents can be kept safely isolated from sensitive systems.
The path forward is clear. Unlocking agents’ full potential will require new platforms built for enterprise scale, with secure-by-default foundations, strong governance, and policy enforcement that’s integrated, not bolted on.
Download the full Agentic AI report for more insights and recommendations on how to scale agents for enterprise.
Join us on March 25, 2026, for a webinar where we’ll walk through the key findings and the strategies that can help you prioritize what comes next.
Log in
