NA008 - AI and Automation MCP vs CLI with Calvin Remsburg

Posted on March 27, 2026 • 5 min read • 984 words
Podcast   Network-Automation   Ai   Mcp   Cli   Agents   Security   Python   Langraph  
Podcast   Network-Automation   Ai   Mcp   Cli   Agents   Security   Python   Langraph  
Share via
Calvin Remsburg joins to break down MCP vs CLI for AI agents, why the CLI is making a comeback, agent security concerns, and practical advice for network engineers entering the AI automation space
Episode Overview   Episode Guest   Listen to the show on YouTube:   Listen to the show anywhere:   Show notes resources:   What we cover:   What Is MCP, Really?   Why CLI Is Making a Comeback   Agent Architecture Patterns   AI Security for Agents   Advice for Network Engineers   Key Takeaways  
NA008 - AI and Automation MCP vs CLI with Calvin Remsburg
Photo by Steinzi

Network Auto Magic Podcast  

AI and Automation: MCP vs CLI with Calvin Remsburg

Episode Overview  

Steinn and Urs are joined by Calvin Remsburg — network engineer turned AI security specialist at Palo Alto Networks, formerly at Juniper — to break down the MCP vs CLI debate for AI agents, why deterministic tooling is beating probabilistic tool invocation, and what network engineers should be doing right now to stay ahead.

Episode Guest  

  • Calvin Remsburg: Engineer at Palo Alto Networks, formerly at Juniper Networks. Ten years in network automation, shifted focus to AI and AI security four years ago. Deep expertise in agentic frameworks including LangGraph.

Listen to the show on YouTube:  

Listen to the show anywhere:  

Listen now!

Show notes resources:  

  • LangGraph — Framework for building agentic workflows in Python
  • MCP Specification — Model Context Protocol
  • OpenClaw — Open-source agent framework that sparked the CLI-over-MCP movement

What we cover:  

What Is MCP, Really?  

A Protocol, Not Just an API  

  • Think RFC, Not REST: MCP is a JSON-RPC based protocol — like a routing protocol that advertises capabilities from server to client
  • BGP Analogy: Similar to how BGP advertises prefixes to neighbors, MCP servers advertise tool capabilities to clients
  • Dynamic Updates: If capabilities change on the server, clients get pushed updates without re-establishing the connection
  • Three Capability Types: Tools (most common), Resources (documentation), and Prompt Templates (limited adoption so far)

How It Works  

  • Client-Server Model: MCP client connects to a server and receives a series of tool capabilities
  • LLM Decision-Making: Tools and user prompt get combined and sent to the LLM, which decides whether and how to invoke tools
  • The Problem: This is where things break down — the LLM’s tool selection is probabilistic, not deterministic

Why CLI Is Making a Comeback  

The MCP Token Problem  

  • Context Window Saturation: Every tool’s description, input parameters, and output spec gets appended to every prompt — consuming precious input tokens
  • The 20-25 Tool Ceiling: Anecdotal testing shows LLMs start failing when presented with more than ~25 tools — invoking wrong tools or no tools at all
  • Probabilistic vs. Deterministic: MCP tool invocation succeeds roughly 70-75% of the time — not good enough for enterprise operations

Why CLI Wins  

  • Deterministic Execution: CLIs have structured commands with predictable inputs and outputs
  • Authentication Handled: SDKs behind the CLI handle OAuth flows, token refresh, and other complexity the LLM shouldn’t manage
  • 90%+ Token Reduction: Companies like Cloudflare, Y Combinator, and Perplexity report over 90% reduction in input token usage after switching from MCP to CLI
  • 100% Success Rate: Deterministic CLI invocation vs. ~75% with MCP tool selection
  • Skills Over Tools: Instead of advertising tool specs, agents consume markdown skill files and make their own determination of when and how to invoke CLIs

Agent Architecture Patterns  

Orchestrator and Sub-Agents  

  • Divide and Conquer: An orchestrator agent understands intent and delegates to purpose-built sub-agents
  • Context Isolation: Each sub-agent has its own context window and memory — work doesn’t bloat the orchestrator
  • The Intern Model: Delegate a task, get a summary back — don’t ask for every step along the way
  • Inter-Agent Communication Tax: Sub-agents add latency and token cost — life is a series of trade-offs

The Harness  

  • Beyond the LLM: The harness is the runtime environment around the model — increasingly important for agentic operations
  • Automatic Sub-Agents: Products like Claude Code now spawn sub-agents automatically without explicit user invocation

AI Security for Agents  

Natural Language Is the New Attack Vector  

  • SQL Injection’s Successor: Instead of crafted SQL strings, attacks now use natural language prompt injection
  • Intent Detection: How do you determine malicious intent when the attack vector is conversational language?
  • DLP Is Moot: Traditional regex-based pattern matching can’t catch intent or handle encoded payloads

Agent-Specific Risks  

  • BGP Poisoning Analogy: MCP server tool changes propagate to all clients — a compromised server poisons every connected agent
  • Helpful and Naive: Agents are powerful but will follow instructions from poisoned model outputs — including dropping production databases
  • Web Fetch Exploits: Agents with web access can be directed to pull malicious content
  • Guardrails Are Necessary: Input and output scanning services are essential — guardrails in a markdown file alone aren’t sufficient
  • Red Team Your Agents: The only way to validate defenses is offensive testing — red team, guardrail, repeat

Advice for Network Engineers  

Technology to Learn  

  • Python First: Most agentic frameworks (LangGraph, AWS Bedrock Agent Core, GCP Agent Engine) are Python-first
  • LangGraph: Highly recommended for building agentic workflows — reactive or deterministic, ultimate control
  • CrewAI: Another open-source alternative worth exploring
  • Cloud Frameworks: AWS Strands, GCP ADK, Azure Foundry — all building agent runtime environments
  • LLM Gateways: Products like LiteLLM route requests to different models based on policy — important for enterprise

The Human Element  

  • Don’t Sleep on This: AI agents will likely be the most critical skill pickup of your career
  • Start Personal: Automate something you hate doing — meeting notes, documentation, repetitive tasks
  • Human in the Loop: Build trust incrementally — use approval gates before going fully autonomous
  • The Diamond Workforce: The traditional junior-heavy pyramid is becoming a diamond — fewer entry-level roles, large experienced middle, small top

Key Takeaways  

  1. MCP Is a Protocol, Not Magic: Think of it like BGP advertising capabilities — powerful but with real scaling limits
  2. CLI Beats MCP Today: Deterministic execution, 90%+ token savings, and 100% success rates vs. ~75% with MCP
  3. Agent Architecture Matters: Orchestrator + sub-agent patterns solve context bloat through divide and conquer
  4. Security Is Non-Negotiable: Natural language is the new attack vector — guardrails and red teaming are essential
  5. Python Is Your Entry Point: The entire agentic ecosystem is Python-first — network engineers already have a head start
  6. Start Building Now: Find a personal use case, build a simple agent, and grow from there
On this page: