Virohana
Service · MCP & agent security audit

Your MCP server, stress-tested the way we audit.

MCP servers and AI integrations expose a new attack surface. We audit yours the same way we audit our own, across five categories — auth and token handling, scope and tier enforcement, injection, secret and infrastructure leak discipline, and abuse and rate-limiting — delivered as a PASS/FAIL report with severity-ranked fixes and a re-test.

An MCP server is not a web app. It is a typed, tool-shaped surface that an AI assistant can call at the speed of inference, with arguments the model chose, against a state the model partially observes. That combination — speed, model-chosen arguments, partial observability — is exactly the shape of attack surface the older threat models did not cover. The same audit report you have been using for a REST API will miss the things that actually go wrong here.

So we do not run a generic web-app audit. We run an MCP-shaped one, organised around the failure modes we have seen in our own connectors: tokens that travel further than they should, scopes that quietly widen, prompts and paths that get interpreted where they should only be matched, secrets that leak through logs and error paths, and traffic patterns a hostile agent can drive at will. Each category is tested in isolation and in combination.

You get a PASS/FAIL verdict per category, with severity-ranked findings, a concrete fix list, and a re-test once those fixes are in. The audit is a closed loop, not a one-shot document.

What the audit covers

Five categories, the way we audit our own.

Auth & token handling

How identities and tokens are issued, scoped, rotated and revoked. Where tokens sit at rest, in transit, and in logs. Whether the surface can be exercised anonymously, by a stale token, or by a token borrowed from a sibling tool.

Scope & tier enforcement

Whether each tool enforces the scope it advertises, whether tiers are honoured on the server side (not only the client), and whether a low-tier token can be coaxed into a high-tier action through argument shape, encoding, or sequencing.

Injection (prompt, SQL, path)

Prompt-injection paths through tool arguments and tool outputs. SQL injection through any path a model can influence. Path traversal through any argument that ends up touching a filesystem. The point is not to enumerate payloads; the point is to confirm the boundary holds.
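As an added example (not part of this page or of Virohana's own tooling), a server-side guard of the kind the scope and injection categories above probe: the tool's required scope is checked against the token's verified scopes, any tier the client asserts about itself is ignored, tool names are canonicalised before lookup so an alternate spelling cannot reach a privileged tool, and a filesystem argument is confined to a root. The tool names, scopes and document root are assumptions.

```python
import os
import unicodedata
from dataclasses import dataclass

# Constructed registry: each tool declares the scope it needs (hypothetical names).
TOOL_SCOPES = {"read_document": "docs:read", "delete_document": "docs:admin"}
DOC_ROOT = "/srv/docs"  # assumed root the read tool is allowed to touch

@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset  # established when the token was issued, never taken from the caller

class ToolCallDenied(Exception):
    pass

def canonical_tool_name(name: str) -> str:
    # Fold compatibility forms, case and whitespace so an alternate spelling cannot reach a tool.
    return unicodedata.normalize("NFKC", name).strip().lower()

def confine_path(root: str, relative: str) -> str:
    # Resolve the model-supplied path and require it to stay under root;
    # commonpath avoids the "/srv/docs2" string-prefix mistake.
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, relative))
    if os.path.commonpath([full, real_root]) != real_root:
        raise ToolCallDenied("path escapes document root")
    return full

def authorize_call(token: Token, tool_name: str, args: dict, client_tier=None) -> dict:
    # client_tier is whatever the caller asserts about itself; it is deliberately unused.
    tool = canonical_tool_name(tool_name)
    required = TOOL_SCOPES.get(tool)
    if required is None:
        raise ToolCallDenied("unknown tool")
    if required not in token.scopes:
        raise ToolCallDenied(f"{tool} requires scope {required}")
    checked = {"tool": tool}
    if "path" in args:
        checked["path"] = confine_path(DOC_ROOT, str(args["path"]))
    return checked

def is_denied(token: Token, tool_name: str, args: dict, client_tier=None) -> bool:
    # Yes/no wrapper around authorize_call for callers that prefer no exception.
    try:
        authorize_call(token, tool_name, args, client_tier)
        return False
    except ToolCallDenied:
        return True
```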

Secret & infrastructure leak discipline

Whether secrets, internal hostnames, environment variables, stack traces, vendor identifiers and customer identifiers can be made to surface in tool outputs, error messages, telemetry, or response headers. The discipline is the product.

Abuse, DoS & rate-limiting

How the surface behaves under hostile load, repeated retries, oversized arguments, and adversarial sequencing. Whether rate limits are present, sensible, and per-identity, and whether the surface fails closed when a limit is hit.

Re-test on fix

Once the severity-ranked fixes are in, we re-run the relevant tests and update the report. The audit closes when the report closes, and you have a dated record of what was found, what was changed, and what was verified.

Request the audit.

A scoping consultation is the entry point. In it we agree the surface area in scope — which connectors, which environments, which data classes — and from that we set the fixed audit price. Source access, where required, is agreed up front and protected under the engagement.

  1. Scoping consultation (EUR 500). A focused session to agree the surface, the evidence we will see, and the engagement terms.
  2. Fixed-scope audit. The five-category assessment above, run against the agreed surface and reported as PASS / FAIL with severity-ranked findings.
  3. Re-test on fix. Once fixes are in, we re-run the relevant tests and close the report. You keep the dated record.