A MCP Audit
Request an audit
Independent MCP security audits

Is your MCP server safe to connect an AI agent to?

MCP lets AI agents call external tools — file systems, databases, APIs, even shells. That power is the risk: one poisoned tool description or one over-privileged tool can turn a helpful agent into a path to data exfiltration or remote code execution. Most teams ship MCP servers without ever security-testing them.

Request an audit See sample reports
Sample finding server: memory
Scan SQL injection (CWE-89) — flagged automatically
Verified No database. It stores to a flat JSONL file — nothing to inject. False positive.
Verified grade A

An automated scan is only half the job.

Scanners raise alarms. Some are real, some aren't. We verify every finding by hand, so what you get is signal — not noise.

What we check

Six checks, one report

Every MCP server is examined across six classes of weakness — then each finding is reviewed by hand before it reaches you.

PRIV

Over-privileged tools

What each tool can really do — files, network, code execution, databases, credentials, environment — and where it's more powerful than it needs to be.

INJECT

Prompt injection

Whether tools that handle text can be steered by instructions injected into the content they process.

POISON

Tool & resource poisoning

Hidden, model-directed instructions and invisible Unicode tricks buried in tool metadata.

LEAK

Secret & credential leakage

API keys, tokens, and private keys exposed in tool output. Always redacted in our report.

AMP

Resource amplification

Tools whose output size a caller can blow up without limit.

SCORE

Risk score & priorities

Every finding rolled into a 0–100 risk score and an A–F grade, mapped to CWE, with a clear "fix this first" list.

Aligned with the OWASP MCP Top 10 and the NSA's MCP security guidance — the emerging industry baselines for securing the MCP servers behind AI agents.

Process

How it works

01 — Request

Send your server

Email your MCP server details — a URL or a launch command — and confirm you're authorized to test it.

02 — Scan

We run the checks

All six checks run safely against your server. Destructive actions are never triggered.

03 — Report

You get the verdict

A clear PDF with every finding, its severity, and how to fix it — plus a short call if you want one.

One report, written for two audiences

You don't get a raw scanner dump. You get a single report that speaks to both the people who fix the problem and the people who decide it matters.

For your engineers

Findings, CWE references, and concrete fixes they can act on directly.

For your leadership

A plain-language summary they can read in two minutes: what's exposed, how serious it is, and what to fix first.

Sample audits

Even official servers vary wildly

We audited seven official MCP reference servers, then reviewed every finding by hand. Grades ran from A to F — and the clearest case for human review is right here: two servers, the same automated alert, opposite verdicts.

Same automated alert · opposite verdicts
memoryA
⚑ SQL injection · CWE-89

Checked by hand: there's no database — it stores to a flat JSONL file. Nothing to inject.

False positive
postgresD
⚑ SQL injection · CWE-89

Checked by hand: a query tool sends raw SQL straight to a live database. Real and exploitable.

True positive
An automated scanner would have mis-graded one of these. The difference between "looks scary" and "is actually dangerous" is a human reading the code.
F
Filesystem
Real exposure · config-dependent

Broad file read/write across many tools. Real exposure, but bounded by the server's allow-listed directories — so safety depends on how it's configured.

C
Everything
Real, fixable issue

A tool exposes environment variables — where API keys often live. A real, fixable issue, plus low-risk file-read and network access.

A
Fetch
Low risk · by design

Makes outbound network requests by design (CWE-918, SSRF) — low risk. The fix is simple: give it a host allow-list.

A
Sequential Thinking
Clean

The single tool touches no files, network, or code. This is what a low-risk server looks like.

A
Time
Clean

Two harmless tools, with no file, network, or code access.

Pricing

Straightforward, fixed scope

Starter
$499

One MCP server. All six checks. PDF report. Email Q&A for 7 days.

Request Starter
ProMost popular
$1,499

Up to three servers. PDF + machine-readable report. Re-scan after 30 days. Prioritized fix guidance.

Request Pro
Continuous monitoring
$299/mo

One server, scanned every week, with email alerts on new findings.

Start monitoring

Prices in USD. Payment by secure PayPal invoice once scope is confirmed. Custom scope? Just email us.

Why MCP Audit

Built to give you signal

Runs fully offline

Your server and its data are never sent to a third-party classification service.

Broad coverage

Six classes of issues, not just one.

Mapped to CWE

Findings reference the industry-standard weakness IDs your team already tracks.

Secrets redacted

We never store or expose your credentials.

FAQ

Common questions

Is the scan safe to run against my server?

Yes. The passive checks only read your server's metadata. The active checks run under strict safety limits and never trigger destructive tools.

Do you store my data?

No. We scan, report, and hand the results to you. Any secrets found are redacted in the report.

What do you need from me?

How to reach your MCP server — a URL or a launch command — and written confirmation that you own it or are authorized to test it.

Whose servers will you scan?

Only servers you own or are explicitly authorized to test.

Who's behind it

An independent practice

MCP Audit is run by Alexander Gaisinski, an independent security researcher focused on AI-agent infrastructure and the MCP servers behind it. Every audit is run and verified personally — no black-box scoring, no outsourced review.

Request an audit See sample reports