RegulatorySignals
MCP Server Trust Registry

Get your MCP server assessed in 48 hours

Regulatory Signals is an independent technical evaluation provider. This product is not an accredited certification under ISO/IEC 17065 or ISO/IEC 17021. Evaluation findings are technical assessments, not regulatory endorsements or legal opinions.

10 MCP-specific security rules. Signed assessment report. Public registry listing. Enterprise security teams use our allowlist as the source of truth for approved MCP servers.

npm or GitHub URL · Badge for your README · Continuous monitoring — coming soon

10 MCP vulnerability rules

OWASP LLM Top 10 (2025) aligned · CWE mapped

mcp-001
Prompt injection sink · CRITICAL

CWE-1336 · LLM01

mcp-002
Command injection / exec · CRITICAL

CWE-78

mcp-003
SSRF in fetch tools · CRITICAL

CWE-918 · LLM06

mcp-004
Secret leak via env · CRITICAL

CWE-200 · LLM02

mcp-005
Capability escalation · MEDIUM

CWE-269 · LLM06

mcp-006
Missing rate-limit / timeout · MEDIUM

CWE-400

mcp-007
TOCTOU race in file tools · HIGH

CWE-367

mcp-008
Missing auth on resources/list · HIGH

CWE-862 · LLM06

mcp-009
Zombie subprocess on close · HIGH

CWE-404

mcp-010
Unverified manifest signing · MEDIUM

CWE-345

What you receive

Everything included in the $499 one-time audit.

Signed certificate

  • HMAC-SHA256 tamper-evident cert JSON
  • Trust grade: Gold / Silver / Bronze / None
  • Security score 0–100
  • Machine-readable /api/mcp-cert/{slug} endpoint
  • Badge embed code for README

Audit findings report

  • All 10 rules checked against your source
  • Per-finding severity: CRITICAL / HIGH / MEDIUM
  • CWE and OWASP LLM Top 10 mapping
  • Remediation guidance per finding
  • Public MCP Trust Registry listing

Pricing

One payment. Results in 48 hours. No subscription.

MCP Server Audit
$499
one-time · delivered in 48 hours

Frequently asked questions

What does an MCP server audit cover?

10 rules covering: prompt injection in tool descriptions (mcp-001), command injection via exec/spawn (mcp-002), SSRF in fetch-style tools (mcp-003), secret leak via env-readback (mcp-004), capability escalation (mcp-005), missing rate-limit/timeout (mcp-006), TOCTOU race in file tools (mcp-007), missing auth on resources/list (mcp-008), zombie subprocess on close (mcp-009), and unverified manifest signing (mcp-010). Mapped to OWASP LLM Top 10 (2025) and CWE.

How long does the MCP audit take?

Source fetch and rule analysis complete in under 10 minutes. You receive a signed certificate JSON and public registry listing within 48 hours after any manual review pass.

What does the signed certificate include?

A tamper-evident HMAC-SHA256 certificate with: MCP server slug, npm package, version audited, security score (0-100), trust grade (gold/silver/bronze/none), issuance date, and a machine-readable endpoint at /api/mcp-cert/{slug} for IDE badge integration.

Will there be continuous monitoring?

Continuous monitoring (auto re-audit on new npm versions, score drift alerts) is on the roadmap. The one-time audit + cert is available now at $499.

Enterprise teams are building allowlists now

Security teams at companies deploying Claude with MCP use our registry to manage approved server lists. Get your server assessed before they build the allowlist without you.