Available for fractional engagements
Security review for teams shipping AI agents and MCP servers
I take on a small number of fractional retainers and focused reviews each quarter — for engineering teams building MCP servers, deploying LLM agents with real tool access, or designing auth and permission boundaries for AI features.
What you're hiring
I lead a team at Dropbox focused on AI agent security and the developer tooling that makes secure defaults the easy path. Outside that role, I've spent the last few years inside the MCP and agent security problem from a few different angles — research, vulnerability disclosure, framework design, and shipping production code.
- Spoke at CactusCon 2026 on MCP server vulnerabilities with disclosed CVEs, covering over-privilege, prompt injection via tool descriptions, DNS rebinding, and token handling.
- Published a prompt-injection defense benchmark — 10,080 tests across 8 models and 6 defense strategies, with the harness open-sourced.
- Designed and shipped the MCP OAuth framework used across my own production agents, including PKCE, scoped capability tokens, and proof-of-possession.
- Wrote the Dropbox Tech Blog post on Lakera Guard and sat on the Lakera 2025 AI threats panel.
The short version: you're hiring someone who has audited MCP servers, found and disclosed real bugs, written code that other teams now depend on, and thinks about prompt injection as a control-flow problem rather than a content-filtering one.
Engagement options
Most engagements start with a free 30-minute scoping call. From there we land on one of these shapes — usually the retainer for teams shipping multiple AI features, and a one-off review for teams getting ready to launch a single system.
Fractional security engineering
Ongoing security input for a team that's shipping more AI features than it can independently threat-model. I sit in on design reviews, read PRs touching agent or tool-use surfaces, write up findings the team can act on, and answer the "is this safe?" questions during architecture work rather than after.
Focused security review
A 2–3 hour review of one system — typically an MCP server, an agent's tool surface, or an auth flow for an AI feature. Delivered as a written findings document with prioritized recommendations anchored to specific files and components.
Architecture deep-dive
A wider-scope engagement covering a full threat model, auth and permission review, tool authorization analysis, or end-to-end agent workflow review. Includes two working sessions, a written report, and a follow-up call after you've had time to digest it.
How an engagement runs
Same shape for both retainers and one-off reviews — the difference is mostly duration and how many cycles we do.
Scope call
30 minutes, free, no obligation. You walk me through what you're building, what you're worried about, and what an outside reviewer would need to be useful. I tell you whether this is a fit and roughly what shape the engagement would take.
Materials review
Code, design docs, threat-model sketches, prior security work — whatever you'd hand to a security reviewer at a larger company. I work asynchronously through it before we talk synchronously, so the working sessions are spent on judgment calls rather than orientation.
Working sessions
Synchronous time with whoever owns the system. We test assumptions, walk through adversarial scenarios, and pull on threads that look promising. This is where most of the value lands — the report just makes it durable.
Written findings
Prioritized recommendations anchored to specific files, components, or workflows, with rationale. Severity, exploitability, and recommended fix for each. Re-readable by people who weren't in the room.
Is this a fit?
Good fit
- Building an MCP server, custom or productized, and want it audited before launch.
- Shipping LLM-driven agents with real tool access — file I/O, code execution, third-party APIs, customer data.
- Designing auth or permission boundaries for AI features (OAuth flows, capability tokens, scoped credentials, just-in-time access).
- Threat-modeling tool-use patterns, multi-agent workflows, or RAG/retrieval pipelines before they reach production.
- Adopting a vendor security tool (Lakera, prompt firewalls, etc.) and want a sober read on what it actually covers.
Probably not a fit
- Pure ML model security — adversarial perturbations, model extraction, training-data poisoning. Different specialty.
- Active incident response or breach investigation. Call a DFIR firm; I'll come in after the fire is out.
- Compliance certifications (SOC 2, HIPAA, ISO 27001). I can help with security controls, not the audit itself.
- Penetration tests against production infrastructure unrelated to AI. There are better firms for that, and I'd refer you.
Have a system in mind?
Send a short note — what you're building, what you're worried about, rough timeline. I'll reply within a couple of days with whether it sounds like a fit and what the next step would be.
Based in the US. Comfortable working with teams in Pacific through Central European time zones. Engagements paid by invoice (Stripe or ACH); SoW available on request.