Every engagement ships with a written deliverable and a firm price. You get a security engineer who reads the code, not a partner who reads the statement of work.
We don't do open-ended retainers. Each engagement is fixed-scope and fixed-fee, with a written deliverable that's yours to keep.
Teams deciding whether they need an engagement at all.
A written summary of the top three risks we saw, sent within 24 hours. Honest answer on whether an Audit or Sprint makes sense.
A deck, a discovery call, or a commitment to hire us.
Teams with one MCP surface shipping within a quarter who need an external review before it goes wide.
A written report with ranked findings, reproductions, and concrete remediations. A 45-minute fix-planning call with your team. A signed statement of scope.
Mergers, multi-product audits, or red-team engagements. For those, talk to us about a Sprint.
Teams that know what's broken and need a senior engineer to ship the fix, end-to-end.
Merged code: authorization layer, logging, CI checks, and a living threat-model document your team can extend. One engineer, full-time, until it's done.
Open-ended retainers. Every Sprint is scoped, priced, and dated up front.
The shape is stable. The depth scales — an Audit compresses phases 5–6 into recommendations; a Sprint ships them.
We map every tool, resource, prompt, and integration the agent can reach. No inventory, no engagement — this is where most teams discover they own more surface than they thought.
A short, written document: who's the adversary, what are they after, and where are they likely to get in. We keep it small enough to read in a sitting and alive enough to update as the product moves.
Senior engineers read the code. Tool handlers, authorization layers, session plumbing, logging paths. Probe runs in parallel to catch mechanical regressions.
We test the assumptions — authorization boundaries, prompt injection surfaces, cross-tenant paths. Reproducible, ranked, written up.
Every finding ships with a remediation. For Sprints we go further: we ship the fix, with your team, in your repo.
You leave with a threat model your engineers maintain, invariants enforced in CI, and an authorization layer that's documented, tested, and yours.
We publish case studies only when the client wants them published. Most don't, which is the right call — a public write-up of internal MCP architecture is itself a risk.
Replaced a per-tool allowlist with a policy layer grounded in the caller's session principal.
Treated every PR body as untrusted input. Rewired the write-tools behind a fresh-confirmation invariant.
Staged a launch-block with three remediations. Shipped in one Sprint, cleared for release.
── We’ll provide referenceable clients on request, under NDA.
We’d rather talk about your architecture than sell you a service you don’t need.