SDLC AI Readiness

Read-only access to your SCM organisation and repositories - a GitHub App, GitHub fine-grained PAT, GitLab project token, or Azure DevOps PAT scoped to the minimum required read permissions and time-limited to the assessment window. We optionally also read CI configuration files. We never clone your source code, never export secrets or environment variables, and never call write APIs. The assessment works against organisation, repository, pipeline, and dev-environment configuration plus metadata only.

All the major ones: GitHub Copilot (including Copilot Workspace and Copilot agent mode), Cursor, Anthropic Claude Code, Continue, Cline, Aider, Tabnine, and custom or in-house agents. We specifically review your MCP (Model Context Protocol) server posture - what an MCP server is allowed to read, write, and execute, and whether the trust boundaries match the data each server can reach.

Every finding in the report is mapped to a specific NIST AI RMF function (Govern / Map / Measure / Manage), the relevant OWASP LLM Top 10 risks (LLM01 prompt injection, LLM02 sensitive information disclosure, LLM06 excessive agency, etc.), and ISO/IEC 42001 controls. Where the EU AI Act applies, we flag the obligations triggered by your use case and map findings to SOC 2 CC8.1 and ISO 27001 SDLC controls so the report drops directly into governance review.

A SAST tool finds vulnerabilities in code; a generic security audit reviews static infrastructure. This assessment reviews the readiness of your SDLC for autonomous and semi-autonomous AI agents - what permissions an agent should have, where prompt-injection and data-exfiltration vectors live in your pipeline, how AI-generated PRs flow through review, what your acceptable-use and IP / licence policy needs to look like, and how to roll out at scale without burning developer trust.

No. The assessment is fully read-only and runs against configuration metadata, not your pipelines or production systems. Nothing we do can trigger a build, modify a workflow, install an MCP server, or block a deploy. You can run the audit during normal business hours with zero risk to delivery.

Yes - most of our highest-impact engagements are with teams about to start. The Crawl / Walk / Run maturity model and 30/60/90 day pilot plan are explicitly designed for teams at zero adoption, telling you which teams to start with, which guardrails to ship before access is opened, and the eval and quality metrics to track from day one.

Each is reviewed as a first-class risk: prompt injection via tool descriptions, MCP responses, and source files; data exfiltration via overly permissive agent scopes, autonomous outbound calls, and cross-repo or cross-account access; IP and licence risk via training-data attribution policy, acceptable-use rules, and the agent's response to copyleft or restricted code. Every risk has a concrete mitigation in the roadmap.

Typical turnaround is 1-2 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your team. Larger estates spanning many organisations or hundreds of repositories can take a little longer; we confirm the timeline as soon as we see the scope.