MCP Server Security Review
Tool-by-tool, auth boundary, output bounds, audit surface. Three days, written report, remediation list ordered by exploitability. The review you do before the MCP server crosses your prod boundary, not after.
Internal-team-built MCP server, or one you're considering open-sourcing. You want a second pair of eyes before someone else's agent starts calling it.
Vendor or open-source server you're about to wire into a Copilot Studio agent, a Claude Desktop config, or a production agent runtime. You want a posture read before the credential gets minted.
Your AppSec team flagged MCP as a new attack surface and wants a written assessment of one specific server before sign-off.
What identity is the server acting as? What does the client trust the server to do? Is there a credential boundary or is it just shared-secret-in-config?
Each exposed tool, one by one. Input validation, scope, side-effect class, idempotency, output-bound. Which tools should be tagged write, which should require approval, which should not exist.
How credentials get into the server: env vars, OAuth, on-behalf-of (OBO) token exchange, federated identity. Where they live at rest. Whether they leak through tool outputs or error paths.
Can the server hand back something the client wasn't supposed to see? Path traversal in resource reads, error messages that leak schema, oversize responses that DoS the client.
Is every tool call logged? Do logs include enough to reconstruct an incident? Do they exclude what they should exclude (full PII payloads, credentials)?
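An added illustration, not code from this page or from any particular MCP server, of what the tool-by-tool, output-bounds and audit-surface checks above look like when a tool passes them: a resource-read handler in Python that confines reads to a root directory (resolving `..`, absolute paths and symlinks before comparing), caps the response size, returns a generic error to the client while the real reason goes to the audit log, and redacts key=value secrets from what it logs. The 64 KiB cap, the secret-key pattern, the in-memory audit sink and the `agent:ci` principal are assumptions for the example.

```python
import json
import logging
import re
from pathlib import Path

log = logging.getLogger("mcp.audit")

# Assumed response cap for this example; a real server sets it per tool.
MAX_RESPONSE_BYTES = 64 * 1024

# Assumed key names whose values must never reach the audit log. The value is
# masked to end of line, so "Authorization: Bearer xyz" loses the token too.
_SECRET_RE = re.compile(
    r"(?i)\b(authorization|api[_-]?key|token|password|secret)\b\s*[:=]\s*[^\n]*"
)

# In-memory sink so records can be inspected here; production ships them to
# the log pipeline instead.
audit_records: list[dict] = []


class OutsideRoot(Exception):
    """Requested resource resolves to a location outside the allowed root."""


def redact(text: str) -> str:
    """Mask key=value / key: value secrets before text is logged."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", text)


def resolve_under_root(root, requested: str) -> Path:
    """Containment check. An absolute 'requested' replaces root when joined,
    and symlinks are followed by resolve(), so the comparison is on the real
    location, not the string the client sent."""
    root = Path(root).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise OutsideRoot(str(candidate))
    return candidate


def bound_output(data: bytes) -> tuple[str, bool]:
    """Cap what goes back to the client and say whether the cap was hit."""
    truncated = len(data) > MAX_RESPONSE_BYTES
    return data[:MAX_RESPONSE_BYTES].decode("utf-8", errors="replace"), truncated


def audit(principal: str, tool: str, args: dict, outcome: str, response_bytes: int) -> dict:
    """One structured record per call: who, which tool, redacted args, outcome,
    size. Never the payload itself."""
    record = {
        "principal": principal,
        "tool": tool,
        "args": {k: redact(str(v)) for k, v in args.items()},
        "outcome": outcome,
        "response_bytes": response_bytes,
    }
    audit_records.append(record)
    log.info(json.dumps(record))
    return record


def read_resource(root, principal: str, uri: str) -> dict:
    """Tool handler. The client only ever sees a generic error; the reason
    (traversal attempt vs. missing file) lives in the audit record."""
    args = {"uri": uri}
    try:
        path = resolve_under_root(root, uri)
        data = path.read_bytes()
    except OutsideRoot:
        audit(principal, "read_resource", args, "denied:outside_root", 0)
        return {"ok": False, "error": "resource not found"}
    except OSError as exc:
        # exc.strerror / exc.filename would leak the server's layout: log the
        # class name, return nothing specific.
        audit(principal, "read_resource", args, f"error:{type(exc).__name__}", 0)
        return {"ok": False, "error": "resource not found"}
    text, truncated = bound_output(data)
    sent = min(len(data), MAX_RESPONSE_BYTES)
    audit(principal, "read_resource", args, "ok:truncated" if truncated else "ok", sent)
    return {"ok": True, "text": text, "truncated": truncated}
```

Returning the same "resource not found" for a denied path and a missing file keeps the error path from confirming that something exists outside the root; the audit record keeps the distinction so an incident responder can still tell a probe from a typo.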
Each finding maps to the OWASP category it sits under. The report's appendix doubles as your team's checklist for the next server.
Per-tool findings · per-category OWASP mapping · severity-ordered remediation list · examples of correct patterns from the public MCP server boundaries essay.
Optional live walkthrough of the findings with the implementing engineer. Included at no extra cost; book within 30 days of delivery.
Not a pen test. I read the code, the manifest, and the auth flow; I don't fuzz or attempt exploitation. If you need offensive security testing, this isn't that engagement. If you need an architectural review before a pen test, this is exactly that.