Docker Bets Big on AI Agents With MCP Catalog, Dynamic Tool Discovery, and a 270-Server Ecosystem
Docker has embedded the Model Context Protocol into Docker Hub and Desktop, growing its MCP Catalog to 270-plus servers and shipping experimental Dynamic MCP for agents that discover tools at runtime.
Docker has spent the past year methodically inserting itself into the AI agent infrastructure stack. What began as a beta MCP Catalog in April 2025 has grown into a multi-layered platform that now spans discovery, runtime management, credential handling, and — most recently — experimental support for agents that find and wire up their own tools on the fly.
The cumulative result is a bet that the containerization company can become to AI agent tooling what Docker Hub became to application images: a default registry and runtime layer that developers reach for without thinking.
From 100 Servers to 270-Plus
Docker first announced the MCP Catalog and Toolkit in April 2025 alongside more than ten launch partners including Stripe, Elastic, Grafana Labs, Heroku, and Pulumi, GlobeNewsWire reported. At launch, the catalog hosted roughly 100 verified MCP servers packaged as container images and integrated into Docker Hub.
By the time Docker Desktop 4.50 shipped in late November 2025, the catalog had more than doubled to over 270 servers, including support for more than 60 remote servers with built-in OAuth authentication for services such as Notion and Linear. The MCP Toolkit, integrated directly into Docker Desktop, provides a management interface for setting up, running, and connecting containerized MCP servers to AI agents.
Mark Cavage, Docker’s President and COO, framed the problem in practical terms when the platform launched: “Building functional AI applications shouldn’t feel radically different from building any other app,” he said, noting that “the old challenges of packaging, versioning, and authentication come back fast” once teams move past prototyping.
Dynamic MCP: Agents That Wire Themselves
The most technically ambitious addition arrived with Docker Desktop 4.50: experimental Dynamic MCP support. Rather than requiring developers to manually configure which MCP servers an agent can access, Dynamic MCP allows agents to search the MCP Catalog at runtime, pull only the tools they need, and generate code to compose multi-tool workflows — all within a sandboxed container environment.
The feature introduces two core primitives. Smart Search lets an agent query the catalog for servers matching a task description. Tool Composition then enables the agent to assemble discovered servers into a coherent pipeline without human intervention. Docker frames the approach as reducing both token usage and context window bloat, since agents load only the tools relevant to their current task rather than maintaining a static inventory of every available capability.
The implications extend beyond convenience. In a static MCP configuration, adding a new data source or API integration requires a developer to update configuration files, restart processes, and verify credential flows. Dynamic MCP shifts that burden to the agent layer, which raises both productivity potential and security questions about what tools an agent can autonomously provision, as InfoQ noted in its coverage of the Docker Desktop 4.50 release.
Enterprise Security: The Unresolved Tension
Docker’s enterprise controls for MCP include Registry Access Management and Image Access Management — the same governance mechanisms enterprises already use to restrict which container images developers can pull. The toolkit also integrates secret storage into Docker Desktop, so MCP servers can authenticate to external services without exposing API keys in plaintext configuration files.
But the broader MCP ecosystem faces scrutiny. A VentureBeat investigation found that enterprise MCP adoption is outpacing the security controls available to govern it. The article highlighted concerns about agents operating with broad tool access, insufficient audit trails for tool invocations, and the difficulty of applying least-privilege principles when an agent’s toolset changes dynamically.
Docker’s sandboxed execution model — each MCP server runs in its own isolated container — addresses part of this concern. If a compromised MCP server attempts lateral movement, container boundaries limit the blast radius. But the Dynamic MCP feature complicates the picture: an agent that can autonomously discover and mount new tools expands its own attack surface in ways that static configurations do not.
The Competitive Landscape
Docker is not the only company building MCP infrastructure. Anthropic, which originally developed the Model Context Protocol, maintains its own reference implementations. Google launched managed MCP servers in December 2025 to make its cloud services agent-ready. And a growing ecosystem of standalone MCP server providers — from database connectors to code execution environments — has emerged outside any single platform.
Docker’s advantage lies in distribution. Docker Hub already hosts over 14 million container images and serves as the default registry for most containerized development workflows. By embedding the MCP Catalog into Hub and the Toolkit into Desktop, Docker positions MCP server discovery alongside image pulls — a workflow most developers already perform daily.
The company also supports one-click connections from Docker Desktop to multiple MCP clients including Claude Code, Codex, VS Code, Cursor, Windsurf, and Goose. This multi-client approach avoids the platform lock-in that would come from tying MCP management to a single AI provider.
What Docker Desktop 4.50 Shipped Beyond MCP
The same release that introduced Dynamic MCP also delivered several non-AI features significant to enterprise users. Docker Debug, previously a paid feature, became free for all users. Built-in Dockerfile debugging arrived for VS Code and Cursor, allowing developers to step through container build processes directly in their editor. An Enforce Local Port Bindings feature prevents container services from being inadvertently exposed across a local network during development.
On the governance side, Docker Desktop 4.50 added centralized proxy management via macOS configuration profiles and PAC file support on both macOS and Windows, addressing a persistent pain point for enterprise IT teams managing Docker deployments behind corporate proxies.
The Strategic Question
Docker’s MCP push reflects a broader recognition that the container runtime layer is well-positioned to become the execution substrate for AI agents. Containers already solve the dependency isolation, reproducibility, and security boundary problems that MCP servers need. The question is whether Docker can capture the standardization benefits of being the default MCP registry before the ecosystem fragments into provider-specific solutions.
The company’s track record suggests the strategy is viable. Docker Hub became the default image registry not by being the only option, but by being the most convenient one at the moment developers needed to share container images. If MCP servers follow a similar adoption curve — from bespoke integrations to standardized, shareable packages — Docker’s head start in catalog size and tooling integration could prove difficult to replicate.