── Writing
Research, writeups, and field notes.
We publish when we have something to say — not on a cadence. If you want new pieces in your inbox, mail hi@gated.sh.
── Archive
- ESSAY · 9 min read
Prompt injection is the confused deputy problem, wearing a different hat
The academic name for what your agent is doing when it acts on instructions inside a user's document. Once you see the pattern, the mitigations stop looking exotic.
- FIELD NOTE · 6 min read
Tool-description drift, and why Probe flags it as medium severity
The docstring is the contract the model reads. When it drifts from the tool's real behavior, the agent will happily reach for fields that no one meant to expose.
- WRITEUP · 14 min read
Seven invariants your MCP authorization layer should enforce
A short list of properties we test for on every Sprint. If you can't state and enforce these, you don't have an authorization layer — you have a pile of if-statements.
- FIELD NOTE · 7 min read
What a good MCP audit log actually contains
Fields we add on every engagement, and why. The log you want after an incident is not the log most MCP servers emit by default.