Agent Security

Your agents are in production. Their security review isn't.

Fixed-scope security review for companies running AI agents and MCP servers in production — mapped to the OWASP Agentic AI Top 10, AISVS 1.0, and NIST AI RMF. Built for 100–1,000-person engineering organizations where agents already hold credentials and call tools.

Why agents need their own review

The exposure is structural, not hypothetical

Agents hold real credentials, call real tools, and act without a human in the loop. The protocol layer most stacks are built on ships with four gaps you inherit on day one:

Auth is delegated to the transport

The MCP specification leaves authentication to the transport layer. Your agent stack inherits whatever the connection provides — nothing in the protocol checks who is calling.

No per-tool authorization

A connected agent can typically call every tool a server exposes. There is no standard mechanism to scope an agent to the two tools it actually needs.

No standard agent identity

There is no built-in way to attest which agent — or which version of it — performed an action. Identity and attestation are bolt-ons, if they exist at all.

No standard audit-log format

When something goes wrong, there is no protocol-level record of what your agents did. Reconstructing agent actions after an incident is archaeology.

The regulatory clock runs alongside the technical one. The Colorado AI Act has been live since February 2026 for high-risk AI systems making consequential decisions, other states are following, and EU AI Act Annex III obligations land December 2, 2027. SOC 2 and HIPAA scope is already reaching agent deployments through customer due-diligence questionnaires.

What independent audits found

The tooling is noisy. The exposure is real.

~78%

false-positive rate on MCP tool-description scans

Source: An independent audit found ~78% of YARA detections on MCP tool descriptions were false positives (AppSec Santa audit, April 2026).

71%

of audited public MCP servers graded F — zero received an A

Source: AgentsID 100-package audit, 2026. Every vendor-maintained tool-exposing server in the sample failed.

~5%

of MCP servers carried tool-poisoning patterns

Source: Hasan et al., academic study of 1,899 servers, 2025.

Read those together: free scanners flag everything, most of it isn't real, and some of what's real is severe. The scarce skill isn't running the scan — it's knowing which findings matter. That judgment layer is what we sell.

Start here

Agent Security Snapshot

$1,500 flat · 5 business days

Know which of your AI agent security risks are real — in five days. You send configs and repo access; we run chained scans in an isolated sandbox, throw out the false positives, and hand you the exposures that actually matter, mapped to the OWASP Agentic AI Top 10, with a 30-minute readout.

100% fee credit

The full $1,500 credits toward the Agent Security Assessment if you upgrade within 30 days — so the Assessment is effectively $7,000, and your environment is already mapped. The credit doesn't combine with founding-slot pricing; one concession per engagement.

Scope cap — and why it exists

Up to 10 MCP servers or one agent repo with its config, on one agent platform. The cap is what makes a fixed price and a 5-day SLA honest. Bigger environment? Skip straight to the Assessment.

The flagship

Agent Security Assessment

$8,500 fixed

2 founding-client slots at $5,500 while we build the public track record

The full-depth engagement: everything the Snapshot triages, plus the runtime and architecture layers a config review can't reach. Snapshot credit applies within 30 days (founding-slot pricing already carries the discount — the two don't stack).

What the Assessment covers

  • Full agent and MCP inventory with trust-boundary map — the inventory → scope → gate → log spine, mapped to OWASP ASI01–ASI10
  • Runtime and architecture review the Snapshot can't reach: prompt-injection susceptibility, trust-boundary design, agent identity and attestation posture
  • Tool-authorization and credential-scope analysis across your deployment
  • Findings assessed against OWASP Agentic AI Top 10, AISVS 1.0, and NIST AI RMF
  • Prioritized remediation roadmap with severity and effort estimates
  • Executive readout for leadership, audit, or insurance conversations

Payment: 100% at engagement-letter signing via Stripe invoice. Refunds: 100% up to 48 hours before kickoff, 50% inside 48 hours, none after kickoff.

Scope an Assessment

A 20-minute intro call — bring what you're running: agents, servers, harness.

After the baseline

Point-in-time reviews go stale. Here's what comes next.

Agent stacks change weekly — new tools, new servers, new CVEs. Two continuations are available to Snapshot and Assessment clients as delivery capacity opens:

Agent Watch

$950–$1,500/mo · monitoring subscription

Monthly re-scan diffed against your Snapshot baseline, CVE/advisory watch for your stack, drift alerts, and a one-page human-triaged note each month with a quarterly readout. Requires a completed Snapshot — it isthe baseline. Static and config surface only; every monthly note states what monitoring can't see (runtime, architecture, identity), so Watch feeds the Assessment rather than replacing it.

Agent Security Retainer

$9,500 Growth / $16,000 Scale per month · fractional architect

A fractional security architect embedded with your team: design reviews on agentic features, pre-launch security gates, incident on-call, and insurer/audit support. For organizations shipping agent surface area continuously, where a point-in-time review can't keep up with the roadmap.

Agent identity is an attestation problem. That's our home turf.

Peter Kwidzinski

Peter Kwidzinski

Founder, Shadow AI Labs

Fellow-Level Security Architect

Two decades in platform security at semiconductor leaders Intel and AMD — confidential computing, hardware attestation, secure boot.

Founding contributor to Caliptra

The open-source hardware root of trust now used across the cloud-and-silicon industry.

Least-privilege authorization, identity, attestation, audit trails — the problems agent deployments are hitting now are the problems hardware root-of-trust work has spent a decade solving. Reviews are run against the OWASP Agentic AI Top 10 and AISVS 1.0, and every finding ships defensible: no inflated severities, no scare-count reporting. New to these frameworks? The plain-language explainer covers both — and which to assess against first.

Common questions, answered directly

We already ran a free scanner. Why pay for a review?
Because the scan is the commodity and the triage is the work. An independent audit found ~78% of YARA detections on MCP tool descriptions were false positives (AppSec Santa, April 2026). A raw scanner run hands you a wall of findings you can't act on. We run the same class of tooling, then classify every finding — confirmed material, low, false positive, or designed behavior — and give you the short list that's real, with a fix path.
What's the difference between the Snapshot and the Assessment?
The Snapshot ($1,500, 5 business days) is a fixed-scope triage of your static and config surface: MCP server configs, agent repo, tool-authorization posture, credential exposure. The Assessment ($8,500) adds the layers a config review can't reach — runtime behavior, prompt-injection susceptibility, trust-boundary architecture, and agent identity/attestation — plus a prioritized remediation roadmap. Most teams start with the Snapshot.
How does the $1,500 credit work?
100% of the Snapshot fee credits toward the Agent Security Assessment if you upgrade within 30 days — the Assessment is effectively $7,000 at that point, and your environment is already mapped. The credit does not combine with founding-slot pricing; one concession per engagement.
Do you need access to our production environment?
No — and we won't accept it. Reviews run on non-production artifacts only: config files, repo access, staging materials. Everything is scanned inside a disposable, isolated sandbox with no credentials and restricted egress, and the sandbox is destroyed after the engagement.
Do you fix what you find?
The Snapshot and Assessment tell you what's exposed, why it matters, and the direction of the fix — with the roadmap prioritized by severity and effort. Implemented remediation (hardened configs, gateway deployment, architecture changes) is scoped separately as Agent Security Implementation, quoted from your Assessment findings.
What if we have more than 10 MCP servers?
The Snapshot's scope cap — 10 MCP servers or one agent repo — is a qualification filter, not a hard ceiling on working together. If your environment is bigger, the honest move is to skip the Snapshot and scope the Assessment directly. Tell us what you're running and we'll quote it.
What are the payment terms?
Snapshot: $1,500 flat, paid upfront via Stripe payment link. Payment schedules the engagement; artifact intake begins only after a mutual NDA and engagement terms are signed. Assessment: $8,500 (or a founding slot at $5,500), 100% at engagement-letter signing via Stripe invoice; refunds run 100% up to 48 hours before kickoff, 50% inside 48 hours, none after kickoff.

Baseline in five days. Depth when you need it.

Start with the Snapshot and know which of your agent exposures are real — or scope the full Assessment directly. Either way, the first artifact you get is a prioritized list, not a wall of red.