Audit intake

Prepare the right MCP evidence without exposing secrets.

Use this checklist after purchase or scope approval. Public issue intake should stay sanitized; sensitive materials need an approved secure transfer path.

Start sanitized intake View report format

Include

  • Company or project name.
  • Audit package purchased or requested.
  • Number of MCP servers and environments.
  • High-level tool categories and systems touched.
  • Target deadline and buyer/security review context.
  • Whether live probing, screenshots, or source review are allowed.

Do Not Include

  • API keys, tokens, passwords, or cookies.
  • Production credentials or private customer data.
  • Full private configuration files in public issues.
  • Internal hostnames that cannot appear in a report.
  • Anything your team would not want in a public repository.

Safe Inputs

  • Sanitized Claude Desktop style MCP config.
  • Local server command with credentials removed.
  • Staging endpoint built for review.
  • Tool inventory or docs page.
  • Known sensitive systems in high-level terms.

Deliverables

  • MCP server and tool inventory.
  • A-F grade and risk-ranked findings.
  • Evidence and remediation checklist.
  • Out-of-scope notes and assumptions.
  • Included rescan terms where applicable.