Securva
Agent-security · first clients

Land the first audit.

The market just turned in our favor and almost nobody can prove they can do this. We can. Here's exactly who to put the one-pager in front of, in what order, and what to say.

Why now

The timing is the tailwind. This is the "are you exposed?" moment.
88%
of orgs had a confirmed or suspected AI-agent security incident in the past year
14%
of AI agents go live with full security approval, the rest ship blind
40%
of enterprise apps will run AI agents by end of 2026, up from under 5%

Agents that read, write, and execute in repos are exploding into production faster than anyone is securing them, and 92% of security leaders are already worried about it. The demand is here. What almost no one has is proof they can find these bugs. We have published CVEs in the exact tools. That is the whole edge.

Who to hit first

Three tiers. Start at the top, it's the sharpest fit and the most reachable.
Tier 1 · start here

MCP + AI-agent tooling startups

Companies building the agent/MCP infrastructure. They have the exact bug class in their own product, they need a security report to sell to their enterprise customers, they're funded, and you can reach the founder directly. Best odds of a first close.

mcp-use (SDK)ManufactOneCLIKlavis AIKaelio (ktx)HelixDBthe YC MCP cohort
The fit: "You're building on the agent/MCP stack. We found the boundary-escape and credential-leak bugs in the biggest tools in that stack. Let us find yours before your customers' pen-testers do."
Tier 2 · warm doors

Vendors we're already in contact with

The maintainers and companies we've responsibly disclosed to. They likely won't buy (they have security teams), but they are references and testimonials, and a warm door for "want a deeper look?" Use them for credibility, not revenue.

AWS / Amazon QDockerIBMIncus (Stéphane)OpenSearch
The play: ask the ones who accepted our reports for a one-line testimonial or a logo. Social proof for the Tier 1 pitch.
Tier 3 · the volume

Enterprises deploying agents internally

Any dev-heavy company whose engineers run Cursor / cline / Copilot. Huge market (that 40% number), but a colder sell, they don't yet know they're at risk. Reach them with the timed wedge below, not a generic pitch.

The wedge: the day a fresh agent CVE drops, send a same-week "your team runs X, here's what just got found in it, are you exposed?" note. Warm, credible, urgent.

The pitch (ready to send)

Tier 1 founder outreach. Lead with the receipts, keep it short, ask for 15 minutes.
Subject: we found the CVEs in the AI agents your space runs
Hi [name], I run Securva, we do security research on AI coding agents and MCP tools. We've found and responsibly disclosed real, credited CVEs in the biggest tools in this exact space (Amazon Q, File Browser rated High, and others, all verifiable on our disclosures wall).

As you're building [their product] on the agent / MCP stack, the same bug class we keep finding, a single bad repo turning an agent into arbitrary file-write, credential theft, or RCE, is exactly what we audit for. And it's the security report your enterprise customers are going to start asking you for.

Worth 15 minutes to show you what we'd look at? Here's the overview: securva-agent-audit.pages.dev
Kingsley Olukanni, Securva

The play

A simple, honest sequence. Land one, then it snowballs.

Pick 10 Tier-1 targets. Founders you can reach (email / LinkedIn / X). Quality over quantity, this is tailored outreach, not spam.

Send the pitch, personalized one line each (name their product + the bug class it's exposed to). The one-pager + the disclosures wall do the convincing.

Offer a free "taster": one quick finding or a 20-minute exposure walkthrough on a call. Proof beats a proposal.

Land one, scope it, deliver it clean. That first logo + testimonial becomes the credibility for the next ten.

The asset to send: securva-agent-audit.pages.dev
The proof to point at: the disclosures wall
Receipts open the door. The audit closes it. Securva.