thynk

MCP Risk Review

48-hour MCP security decision before an avoidable rollout mistake.

Founder-led narrow review for teams already connecting MCP into sensitive AI workflows and wanting a clear go, fix, or escalate decision fast.

Fixed investment: $3K. Typical duration: 48 hours.

Reserve the narrow lane if the MCP problem is already clear. If direct checkout is not enabled, the reserve path falls back to the fit-call flow. If the risk is broader than one MCP decision, escalate into a Technical Audit instead of forcing this fixed-scope review. Open the mcp-scan proof surface first if you want to inspect the public proof path before you start.

What you get in the 48-hour review

  • 48-hour manual review of MCP configs, tool permissions, and obvious exposure paths
  • Prioritized remediation memo across secrets, prompt injection, supply chain, and network egress risk
  • Clear decision: safe to proceed, fix before rollout, or escalate into a deeper Technical Audit

Best fit when

  • You are already connecting MCP servers or AI tool clients into a real workflow
  • One bad configuration could leak secrets, over-expand permissions, or create rollout risk
  • You need a fast human decision before a broader implementation or security project starts

Not fit when

  • You are not using MCP yet
  • You need a full application security program instead of a narrow MCP decision
  • The work already includes broad architecture risk that belongs in a Technical Audit

If the risk is broader than MCP configuration and permissions, move into Technical Audit.

How the 48 hours run

Hour 0: scope lock

Confirm the MCP clients, servers, credential flow, and rollout pressure so the review stays narrow and decision-ready.

Hours 1-24: configuration and exposure review

Inspect MCP configs, tool permissions, obvious secrets exposure, prompt injection paths, supply chain risk, and network egress assumptions.

Hours 24-48: remediation memo and decision

Return a prioritized memo with a clear go, fix, or escalate recommendation and the shortest safe next move.

If the review finds broader risk

The honest next move is a deeper Technical Audit or a full Product Build, depending on whether the problem is clarity-first or implementation-first. This lane exists to stop small MCP mistakes from turning into larger security or delivery failures.


Founder-led AI engineering. Production-grade software shipped fast, without a sales layer.

© 2026 ThynkQ
