The service
The AI-Native Security Review
A focused, hands-on review of the attack surface your AI agents and MCP servers add, the part traditional appsec and pentests weren’t built to reason about.
Scope
What we test
Specifically the AI-added surface, not a generic checklist re-run with an AI label.
- MCP server tool exposure and per-invocation authorization
- Agent tool-invocation boundaries and human-in-the-loop gaps
- Prompt-injection paths that reach a real tool call
- Over-broad tool scopes and excessive capability
- Secrets and data reachable from agent context
- Confused-deputy and privilege-escalation chains
Methodology
Scan → Findings → Fix guidance
- 01 —
Scan
We map your MCP servers and agent tool surface from configuration and a scoped test environment, then probe authorization boundaries the way an attacker-steered agent would. No standing production access required.
- 02 —
Findings
Each exposure is written up with a severity, the context it is reachable from, evidence, and a plain explanation of why it matters, ranked so you know what to address first.
- 03 —
Fix guidance
Every finding ships with concrete remediation mapped to your intended trust boundary: scope reductions, authorization checks, and guardrails that fit how your system is actually built.
The chain we look for
How one injected instruction becomes an action
An example privilege-escalation chain — the injection propagates down the stack until it reaches a real, privileged action.
- 1Ingress
Untrusted input
Prompt injection: attacker-controlled instructions arrive inside external content the agent ingests, such as a web page, email, PDF, or another tool’s output.
- 2Context
Agent context
The model cannot reliably separate attacker text from legitimate instructions, so it acts on the injected command. This is the classic confused-deputy problem.
- 3Attack surface
MCP server
Tools are exposed to the agent without per-invocation authorization or human-in-the-loop approval, so any instruction the agent follows can call them.
- 4Capability
Over-broad tool
A reachable tool (e.g. shell.exec, fs.write, http.fetch) grants far more capability than the task needs. That excess scope is the attacker’s leverage.
- 5Impact
Impact
The injected instruction drives a privileged action: data exfiltration, unauthorized writes, or remote code execution in the tool’s context.
Illustrative chain, not a specific target. Each stage is an exposure class REDHEXX probes for.
Deliverables
What you get
- A ranked findings report: every exposure with severity and evidence
- Remediation guidance mapped to your trust boundary, per finding
- A live readout to walk through the findings and priorities
- A re-check on the highest-severity fixes once you have addressed them
Who it’s for
A narrow fit, on purpose
- Pre-Series A, AI-native SaaS teams shipping MCP servers or agents
- Founders and CTOs heading into enterprise procurement or security review
- Teams who added an agent’s ability to act faster than they reviewed it
See it against your own stack.
Join the waitlist for early access as we onboard design partners.