Audit intake
Prepare the right MCP evidence without exposing secrets.
Use this checklist after purchase or scope approval. Public issue intake should stay sanitized; sensitive materials need an approved secure transfer path.
Include
- Company or project name.
- Audit package purchased or requested.
- Number of MCP servers and environments.
- High-level tool categories and systems touched.
- Target deadline and buyer/security review context.
- Whether live probing, screenshots, or source review are allowed.
Do Not Include
- API keys, tokens, passwords, or cookies.
- Production credentials or private customer data.
- Full private configuration files in public issues.
- Internal hostnames that cannot appear in a report.
- Anything your team would not want in a public repository.
Safe Inputs
- Sanitized Claude Desktop style MCP config.
- Local server command with credentials removed.
- Staging endpoint built for review.
- Tool inventory or docs page.
- Known sensitive systems in high-level terms.
Deliverables
- MCP server and tool inventory.
- A-F grade and risk-ranked findings.
- Evidence and remediation checklist.
- Out-of-scope notes and assumptions.
- Included rescan terms where applicable.