AIPM-for-MCP Audit
11-vector adversarial audit-as-deliverable for Model Context Protocol servers.
What you get. A signed report scoring an MCP server across 11 attack vectors, with reproducible evidence, a remediation checklist, and a public-or-private leaderboard slot.
Same methodology we apply to Jeevesus — our own server gets audited and graded alongside everyone else.
Why This Exists
MCP servers ship with a level of trust normally reserved for first-party plugins: they speak to the model, return content the model treats as authoritative, and increasingly handle privileged operations. The current ecosystem has no equivalent of an SBOM, no CVE process, no threat-model expectation. That is a gap.
AIPM-for-MCP mirrors what we already do for AI brand perception — 1,200+ AIPM website audits to date — and applies the same discipline to MCP servers: an external, reproducible, model-aware adversarial audit, scored on a public rubric.
The 11 Vectors
| # | Vector | What we test |
|---|---|---|
| 1 | Tool integrity | Static vs. dynamic tool list; can the server change its tool surface mid-session? |
| 2 | Tool poisoning | Are tool descriptions sanitized before reaching the model? Can a malicious upstream inject instructions via descriptions? |
| 3 | Prompt injection | Are tool outputs sanitized? Do we see model-control markers, jailbreak preambles, or hidden instructions slipping through? |
| 4 | Auth surface | What headers/tokens are accepted? Are unauthenticated calls rejected or downgraded silently? Are keys ever echoed back? |
| 5 | Authorization scope | Does a low-tier key reach high-tier data? Are admin tools gated separately from user tools? |
| 6 | Data egress | What data leaves the server in tool results? Any PII, secrets, raw IPs, or logs leaking via error messages? |
| 7 | Rate limiting & abuse | Per-key, per-IP, per-tool limits. Behavior under burst. Cost-amplification primitives (e.g., expensive tools without quota). |
| 8 | Audit & observability | Is every tool call logged? Are logs joinable across sessions in ways that re-identify users? |
| 9 | Supply chain | Source provenance, package signing, registry history, update channel integrity, “rug-pull” exposure. |
| 10 | Network posture | TLS-only? Egress tools that fetch arbitrary URLs? SSRF reachability into private networks? |
| 11 | Resilience to TPA rotation | If a third-party API behind a tool changes hands or returns malicious content, what is the blast radius on the model and the user? |
The rubric is the customer-facing distillation of DugganUSA’s internal MCP threat model. The full internal threat model is held in our private compliance repo and is not redistributed.
Scoring Rubric
Each vector is scored 0–10, with weights reflecting blast-radius:
critical (×3) — vectors 1, 2, 3, 5, 11
high (×2) — vectors 4, 6, 9, 10
standard (×1) — vectors 7, 8
Composite score: weighted average, rounded to one decimal, mapped to a letter grade:
| Grade | Composite | Meaning |
|---|---|---|
| A+ | 9.5–10.0 | Reference-grade. Safe to deploy without compensating controls. |
| A | 9.0–9.4 | Production-ready with standard SOC oversight. |
| B | 8.0–8.9 | Acceptable with documented compensating controls. |
| C | 7.0–7.9 | Use only in sandboxed/research contexts. |
| D | 6.0–6.9 | Not recommended. Specific blockers in the report. |
| F | < 6.0 | Do not deploy. Material risk to model or user. |
A single 0 on any critical vector caps the composite at C, regardless of the rest of the score. A vector cannot be averaged away.
Methodology
Every audit follows the same five-phase loop. Reproducibility is the deliverable — the steps are published with every report.
- Discovery. Pull the server’s manifest, registry record, source (where public), and any vendor-published threat model. Snapshot the tool list at audit start.
- Static analysis. Inspect tool descriptions, schema, and any package source for the 11 vectors. Map declared behavior against advertised behavior.
- Adversarial probes. Run a suite of red-team probes covering injection in descriptions and outputs, scope escalation, egress fuzzing, rate-limit bypass, and TPA-rotation simulation. Probe inputs and expected behavior are open.
- Composite scoring. Apply the rubric. Document evidence per vector with reproducible commands or transcripts.
- Disclosure. 30-day responsible-disclosure window for any critical finding before the score and report go public. Vendor gets the report, evidence, and remediation checklist on day 0.
Deliverables
A standard AIPM-for-MCP engagement produces:
- Composite score + letter grade with per-vector breakdown
- Evidence pack — probe inputs, server responses, transcripts, hashes
- Remediation checklist prioritized by blast-radius
- Re-audit token — one free re-run within 90 days after remediation
- Leaderboard slot — public if you opt in, private if you don’t
The leaderboard is the same shape as the AIPM brand-perception leaderboard customers already know. Vendors who score A+ on the public leaderboard are directly comparable to Jeevesus, the reference implementation.
How to Request an Audit
| Tier | What you get |
|---|---|
| Pro ($99/mo) | Self-serve audit on a single MCP server, public-leaderboard scoring, standard rubric. |
| Enterprise ($995/mo) | Up to 10 servers, private-leaderboard option, custom probes, written executive summary, re-audit support. |
| Custom | White-glove engagement with on-site disclosure coordination. Email [email protected]. |
Audit requests register at analytics.dugganusa.com/stix/register and are scheduled in the order received.
See Also
- Jeevesus MCP Server — the reference implementation we benchmark against
- MCP Threat-Intel Feed — daily rug-pull and TPA-rotation alerts across the registry
- MedusAIPM Beta Documentation — the AIPM website-audit methodology this is modeled after
📋 Last Updated: 2026-05-02 🛡️ Security.DugganUSA.com — Wu-Tang Financial: Share everything, hoard nothing