Agent Security Snapshot
Know which of your AI agent security risks are real — in five days.
For teams running AI agents and MCP servers in production. You (or your vendor) connected agents to tools, credentials, and data — off-the-shelf scanners will flag dozens of “issues,” most of them false alarms. We run the scan, throw out the noise, and hand you a prioritized list of what actually puts you at risk. $1,500 flat, and 100% of it credits toward the full Assessment.
The problem
Three facts about agent deployments in 2026
Agents hold credentials and tool access — with no audit trail
Your agents can read data, call APIs, and act autonomously. The protocol layer provides no per-tool authorization, no standard agent identity, and no standard record of what they did.
Free scanners bury you in false positives
An independent audit found ~78% of YARA detections on MCP tool descriptions were false alarms (AppSec Santa, April 2026). The wall of red is real; most of the findings aren't.
Nobody has time to triage 27 findings to locate the 6 that matter
Classifying scanner output takes judgment and hours your team doesn't have. Untriaged reports don't get acted on — they get filed.
What you get
A 6–10 page report that's obviously the work of judgment — plus a live readout
Executive-readable, evidence-backed, and honest about its own limits. Not a raw tool dump.
Executive summary with a posture grade
Overall posture in plain language, plus the count that matters: how many automated findings we reviewed, how many we discarded as noise or designed behavior, and how many material exposures we confirmed.
Material findings table
Only triaged, confirmed findings — each with severity, the affected component, and its OWASP Agentic AI Top 10 mapping.
Top findings in plain English
For each confirmed exposure: what it is, the concrete attack or impact, the evidence, and the direction of the fix.
What we could not determine
An honest list of what a static review can't see — runtime prompt-injection susceptibility, trust-boundary architecture, identity and attestation, live tool-permission behavior. No guessing dressed up as findings.
Prioritized next steps + raw appendix
Remediation order for the confirmed findings, and the full unfiltered tool output as an appendix — so you can see we didn't hide anything, including what we classified as false-positive and why.
How it works
Three steps. Five business days.
Book, sign, send
Payment schedules the engagement; artifact intake starts only after a mutual NDA and engagement terms are signed. You send MCP config files, the agent repo or relevant source, your tool/integration list, and the platform in use — through a secure transfer we set up at intake, never email attachments. Non-production artifacts only.
We scan in isolation, then triage
Chained scanners run inside a disposable sandbox — no credentials mounted, restricted egress, destroyed after the engagement. Your configs never touch shared infrastructure. Then the human pass: every finding classified as confirmed material, low, false positive, or designed behavior.
Report + 30-minute readout, day 5
You get the prioritized report and a live walkthrough of the top findings and next steps. The 5-business-day clock runs from artifact receipt; missing items pause it.
Scope
Fixed scope is the point
The cap is what makes a flat price and a 5-day SLA honest. If your environment exceeds it, we'll say so at intake and quote the Agent Security Assessment instead — no silent scope absorption, no surprise invoices.
In scope
- Up to 10 MCP servers, or one agent repo with its config files
- One agent platform / harness
- Static and configuration surface: tool definitions, auth setup, credential scope, server configs
- Development or staging artifacts
Out of scope
- Production access — never requested, never accepted
- Runtime behavior and live prompt-injection testing (Assessment)
- Trust-boundary and architecture review (Assessment)
- Implemented remediation — we tell you what to fix and in what order; hands-on hardening is scoped separately
Pricing
Flat, fixed, upfront
Agent Security Snapshot
$1,500
flat · 100% upfront · 5 business days from artifact receipt
No hourly billing, no discovery-phase invoices. Payment via Stripe payment link; NDA and engagement terms gate artifact intake.
+ Compliance Mapping add-on
+$1,000
+2 business days
Maps confirmed findings to one framework: HIPAA, SOC 2, or EU AI Act Article 15. We map findings to framework controls; we are not your auditor and this is not a compliance attestation.
100% fee credit toward the Assessment
Upgrade to the $8,500 Agent Security Assessment within 30 days and the full $1,500 credits — the Assessment is effectively $7,000, and we already have your environment mapped. The credit doesn't combine with founding-slot pricing; one concession per engagement.
Judgment you can check, from a practitioner you can name
Reviews are run personally by Peter Kwidzinski — Fellow-Level Security Architect with two decades in platform security at semiconductor leaders Intel and AMD, and a founding contributor to Caliptra, the open-source hardware root of trust. Findings map to the OWASP Agentic AI Top 10 and AISVS 1.0, every severity is defensible, and the raw scanner output ships in your appendix. Overstating findings to sell an upgrade is how you lose the client the ladder depends on — so we don't.
Before you book
Do you access our production environment?
Is our config safe with you?
Is this just a free scanner run with a markup?
What do you need from us?
What happens right after payment?
What if we want the findings fixed, not just found?
Five days from now, you'll know what's real.
$1,500 flat. Sandbox-isolated. Human-triaged. Credited in full if you go deeper.