Your AI coding agents have access to everything.
What's your governance plan?
BitSalt researches and builds tooling for platform and security teams governing AI agents in production developer environments.
The problem
AI coding agents are now connected to your file system, your CI/CD, your cloud APIs, your Slack, your databases — through MCP servers that most organizations configured in an afternoon. The attack surface is real: 24,000+ secrets were found exposed in MCP configurations in early 2026. The governance tooling doesn't exist yet. That's what we're building.
From the blog
The MCP Security Threat Model
A complete framework for understanding the attack surface of MCP-enabled AI agents in developer environments — 8 threat categories, attack scenarios, mitigations, and a security checklist.
Also delivered as a post series — no email required to read the individual posts. Read the series →