Service · Productized

Agent Security Audit

Two weeks. Fixed scope. Fixed price.

A productized agent-security engagement: I run agent-audit-kit over your codebase, write 3-5 custom rules for your stack, walk your audit-trail surface, and hand back a prioritized hardening playbook — plus 30 days of email follow-up. No retainers, no scope-creep, no slide decks.

Duration
14 days delivery
Scope
OWASP Agentic + MCP Top-10
Price
$4,950 USD

What you get

Six deliverables. Fixed scope.

  1. OWASP Agentic Top-10 + MCP Top-10 coverage report

     Full agent-audit-kit scan over your codebase. Every finding is mapped to an OWASP family, a severity, and a remediation snippet. Delivered as SARIF, so it drops straight into your code-scanning dashboard.

  2. Custom rule pack for your stack

     Three to five rules I write specifically for your codebase patterns: your framework, your MCP connectors, your tool surface. You keep the rule pack after the engagement.

  3. Audit-trail walkthrough

     Live review of your agent's audit-emit channels: where the trail breaks, what an auditor would ask, and what to ship before your SOC 2 / ISO 42001 readiness assessment.

  4. Prioritized hardening playbook

     Ranked list of the top 10-15 changes, ordered by impact × ease. Each item comes with a code snippet or a config example. Most teams ship the top 3 within two weeks of receiving the report.

  5. 60-minute walkthrough call

     Recorded session where I walk your team through the findings and answer specific implementation questions. The recording is yours.

  6. 30 days of email follow-up

     Open inbox for the 30 days after delivery. Questions on the report or remediation are answered within one business day.

Timeline

14 days from kickoff to delivery. 30 days of follow-up after.

  1. Day 0: Kickoff

     60-min call. NDA exchange if needed. You give me read access to the repo plus a short call with whoever owns the agent stack.

  2. Week 1: Scan + custom rules

     Run agent-audit-kit. Write the custom rules for your stack. Map findings to OWASP families. Start drafting the report.

  3. Week 2: Audit-trail review + prioritization

     Walk the audit-emit channels. Stress-test whether the trail is enough to reproduce a run. Rank findings by impact × ease. Write the playbook.

  4. Day 14: Delivery + walkthrough

     PDF + SARIF report + custom rule pack + 60-min recorded walkthrough call.

  5. Day 14-44: Email follow-up window

     Open inbox for 30 days after delivery.

Who this is for

A good fit

  • You ship an agentic / multi-agent system to real users.
  • You use MCP, tool-use, or any sandboxed-execution surface.
  • SOC 2 / ISO 42001 / EU AI Act readiness is on your roadmap.
  • Engineering can act on a prioritized list (vs needing a 100-page deck).

Probably not a fit

  • Pre-prototype agents not yet shipping to anyone.
  • Pure RAG / retrieval pipelines without tool-use.
  • Looking for a 100-page glossy report to wave at compliance.
  • Need a long-term retainer (this is a one-shot engagement; I can refer).

FAQ

Why $4,950?
Two weeks of focused work + 30 days of follow-up + a custom rule pack you keep. Comparable engagements from security agencies start at $15-25k for less depth and no custom tooling. The price holds for the first 6 clients; review after that.
What if my stack isn't covered by agent-audit-kit?
agent-audit-kit covers Python-first agent frameworks (LangChain, LangGraph, AutoGen, CrewAI, MCP, plain Python). Limited Rust + Go coverage today. If your stack is something I haven't seen, the kickoff call surfaces that and we either scope it in (sometimes for a price adjustment) or you don't sign — no obligation.
Do you sign an NDA?
Yes. Standard mutual NDA, signed before the kickoff call. I do not publish your findings, your code, or your name without explicit written approval.
Can the audit drop into our CI?
Yes. agent-audit-kit ships as a GitHub Action. The custom rule pack I write for you slots into the same Action. You get findings on every PR going forward, not just at audit time.
Can I get a written reference / sample report?
Sample report (redacted) on request after the kickoff call. Written references from prior clients available on request — most prefer not to publish, so I share quietly.
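To make concrete what the coverage report (deliverable 01) and the CI integration above actually hand to a code-scanning dashboard, here is an added example that is not agent-audit-kit's own code: a small Python emitter that turns findings into SARIF 2.1.0 results carrying the OWASP family, severity and remediation snippet in the result properties, plus a pre-upload sanity check for the fields a dashboard needs to render a result. The rule IDs, family labels, file paths and sample findings are constructed placeholders for illustration; the real mapping is whatever the engagement's rule pack defines.

```python
"""Build a SARIF 2.1.0 log from agent-audit findings and sanity-check it
before a code-scanning upload.

Added example, not agent-audit-kit's own code. Rule IDs, OWASP family
labels and the sample findings below are constructed for illustration.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# SARIF result levels; code-scanning dashboards render these.
VALID_LEVELS = {"error", "warning", "note", "none"}
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}

# Constructed rule catalogue: id -> (OWASP family label, description, remediation)
RULES = {
    "AAK-TOOL-001": ("agentic/unbounded-tool-scope",
                     "Tool exposed to the agent with no allowlist of operations",
                     "Declare the permitted operations in the tool schema and reject anything else."),
    "AAK-MCP-002": ("mcp/unauthenticated-server",
                    "MCP server reachable without authentication",
                    "Require a bearer token or mTLS on the MCP transport."),
    "AAK-LOG-003": ("agentic/missing-audit-emit",
                    "Tool call executed without an audit-trail emit",
                    "Emit a structured event (tool, args hash, caller, outcome) around every tool call."),
}


def to_sarif(findings, tool_name="agent-audit-kit", tool_version="0.0.0"):
    """findings: iterable of dicts with rule_id, severity, uri, line, message."""
    rule_ids = list(RULES)
    driver_rules = [
        {"id": rid,
         "shortDescription": {"text": RULES[rid][1]},
         "properties": {"owaspFamily": RULES[rid][0], "remediation": RULES[rid][2]}}
        for rid in rule_ids
    ]
    results = []
    for f in findings:
        rid = f["rule_id"]
        if rid not in RULES:
            raise ValueError(f"unknown rule id {rid!r}")
        family, _, remediation = RULES[rid]
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_ids.index(rid),
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["uri"]},  # repo-relative path
                "region": {"startLine": int(f["line"])},
            }}],
            "properties": {"owaspFamily": family, "severity": f["severity"],
                           "remediation": remediation},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": driver_rules}},
            "results": results,
        }],
    }


def upload_problems(sarif):
    """Return reasons a result would be unusable in a code-scanning view:
    undeclared ruleId, bad level, or no file/line to attach it to."""
    problems = []
    if sarif.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run_no, run in enumerate(sarif.get("runs", [])):
        known = {r["id"] for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            where = f"run {run_no} result {i}"
            if res.get("ruleId") not in known:
                problems.append(f"{where}: ruleId not declared in tool.driver.rules")
            if res.get("level") not in VALID_LEVELS:
                problems.append(f"{where}: level must be one of {sorted(VALID_LEVELS)}")
            locs = res.get("locations") or []
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            if not phys.get("artifactLocation", {}).get("uri"):
                problems.append(f"{where}: missing physicalLocation.artifactLocation.uri")
            if phys.get("region", {}).get("startLine", 0) < 1:
                problems.append(f"{where}: region.startLine must be >= 1")
    return problems


SAMPLE_FINDINGS = [  # constructed sample input
    {"rule_id": "AAK-MCP-002", "severity": "critical", "uri": "src/mcp/server.py",
     "line": 41, "message": "MCP server listens on 0.0.0.0:8080 with no auth middleware"},
    {"rule_id": "AAK-TOOL-001", "severity": "high", "uri": "src/agent/tools.py",
     "line": 12, "message": "shell tool accepts arbitrary command strings"},
    {"rule_id": "AAK-LOG-003", "severity": "medium", "uri": "src/agent/loop.py",
     "line": 88, "message": "tool dispatch has no audit emit"},
]


def demo():
    """Build the SARIF log for the constructed findings."""
    return to_sarif(SAMPLE_FINDINGS)


if __name__ == "__main__":
    log = demo()
    print(json.dumps(log, indent=2))
    print("upload problems:", upload_problems(log) or "none")
```

Putting the OWASP family and remediation on both the rule entry and each result is deliberate: dashboards group by rule, but triagers usually read one result at a time, and the per-result properties survive when a result is exported on its own.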

Ready?

Email me a 2-line description of your agent stack. We do a 30-minute kickoff call within 3 business days. If the fit is wrong I'll tell you on the call.