AI Security Sprint
A focused two-day threat-model walkthrough of one AI agent, MCP integration, or RAG deployment. Fixed price, fast turnaround, a findings memo you can act on this week.
Contributor, OWASP Top 10 for Agentic Applications 2026 · CISSP · PhD · 15+ years enterprise security
What two days covers
One system, examined properly. Not a checklist skim.
A single agent, MCP integration, or RAG pipeline. Data flows, trust boundaries, tool permissions, and the paths an attacker would actually take.
Tool-use boundaries, confused deputy attacks, and the MCP servers your developers connected without anyone threat-modeling them.
Every finding ranked by exploitability and mapped to the OWASP Top 10 for Agentic Applications 2026, so the memo speaks the same language as your auditors.
Concrete, prioritized, and remediation-focused. Something your engineers can start acting on the day after the call.
How it works
Scoping call (30 minutes)
We pick the one system that matters most and confirm the access I need. No NDA required to scope; mutual NDA available before kickoff.
Two working days
A focused threat-model walkthrough of the chosen agent, MCP integration, or RAG pipeline, run against the OWASP Top 10 for Agentic Applications 2026.
Findings memo
An 8–10 page memo: each issue ranked by exploitability, with specific remediation guidance.
Follow-up call
A live walkthrough with your team. If a deeper look is warranted, the Sprint fee is credited toward the full Review.
Pricing
One fixed price. The lowest-commitment way to work with me.
AI Security Sprint
One agent, MCP integration, or RAG pipeline
- Two working days, focused on one system
- Threat-model walkthrough, OWASP ASI01–ASI10
- 8–10 page findings memo
- Findings ranked by exploitability
- One follow-up walkthrough call
- Fee credited toward a full Review
Common questions
Scope and depth. The Sprint is two days on one system and produces a findings memo. The full Agentic AI Security Review is three weeks across your deployment with red teaming, an executive deck, and a remediation roadmap. The Sprint is the fast way to find out whether the Review is worth it.
Yes. If the Sprint surfaces enough to warrant a full Review, the €3,500 is credited against it. You are never paying twice for the same starting work.
Read access or a walkthrough of the one system in scope, plus 30 minutes to brief me. I do not touch production data: staging environments or synthetic data only.
Yes, and it often is. MCP integrations and the tool boundaries around agentic systems are exactly where the Sprint earns its keep.
Mutual NDA available before kickoff. The scoping call itself does not require one.
Start here
Most teams don’t need a three-week engagement to get moving. They need a sharp, expert read on the one system they’re least sure about, and they need it fast.
The AI Security Sprint is that entry point. Two working days, fixed price, one specific target: an agent, an MCP integration, or a RAG pipeline you’re about to ship or have just shipped. You come away with a prioritized findings memo and a clear picture of where the real exposure sits.
Why a Sprint first
Your developers are already connecting to MCP servers outside your identity system. Agents are already calling tools with privileges nobody threat-modeled. The question is rarely whether there’s exposure: it’s where the highest-severity exposure is, and whether it’s worth a full assessment.
The Sprint answers that for €3,500, so you neither guess nor commit to a full Review before you know it’s warranted. It’s designed to tell you whether a full Agentic AI Security Review is worth it, and if it is, the Sprint fee is credited toward it.
What’s included
A threat-model walkthrough of one chosen system, run against the OWASP Top 10 for Agentic Applications 2026 (ASI01 to ASI10). An 8 to 10 page findings memo with each issue ranked by exploitability and mapped to a concrete remediation. One follow-up call to walk your engineering and security teams through it.
How it converts
If the Sprint surfaces enough to warrant a deeper look, the fixed Sprint fee is credited toward a full Agentic AI Security Review. You lose nothing by starting small.
Want to see the deliverable first?
Download a sanitized sample assessment report. No call required.
Sounds like a fit?
A short call is usually enough to figure out whether this is what you need and what it would look like.