The angle that runs through all of them
Read this once, it's why these land.
Half of this list sells the exact promise we specialize in breaking. OneCLI, Manufact, Klavis and Multifactor all sell "your AI agent's credentials and auth are safe with us." We just found and disclosed a bug in Docker's MCP gateway where an agent's OAuth Bearer token got forwarded to an attacker's host on a redirect, the precise failure their products exist to prevent. So the pitch isn't "you might have bugs." It's "you're selling trust, let the person who breaks this for a living prove yours holds." That reframes us from cost to credibility.
How to use:
- Send from kingsley@securva.net (it's fully authenticated now) or your personal Gmail, either works.
- Find the founder on LinkedIn or X (handles noted per pitch), or use the company contact. A LinkedIn DM or a short email both work.
- Send 3 to 5 per day, personalized, not a blast. Quality over volume.
- Every pitch points to securva-agent-audit.pages.dev and your disclosures wall. Those do the convincing.
The pitches
Green = sharpest fit (they sell agent auth/credentials). Amber = strong. Purple = worth a shot.
OneCLI
perfect fit · start here
Credential isolation gateway for AI agents. Founders Guy Ben Aharon + Jonathan Fishner (SF, open source, 2.5k stars).
Why them: their entire promise is "a compromised agent can never leak the real secret." We literally just disclosed the opposite happening in a major MCP gateway. Nobody is a better fit.
Subject: your agents "can never leak credentials", let me test that
Hi Guy, I run Securva, I do security research on AI agents and the MCP stack. OneCLI's whole promise is that a compromised or misbehaving agent can't leak the real secret, and that's exactly the failure mode I hunt. I recently found and disclosed a bug in a major MCP gateway where an agent's OAuth Bearer token got re-sent to an attacker-controlled host on a redirect, the precise thing your network-layer injection is built to stop. I hold real credited CVEs in this space (File Browser, rated High 8.2, plus others on our disclosures wall). Worth 15 minutes to let me pressure-test OneCLI's isolation the way an attacker would? Overview: securva-agent-audit.pages.dev
Contact: withone.ai · github.com/withoneai · find Guy Ben Aharon / Jonathan Fishner on LinkedIn.
Manufact (mcp-use)
perfect fit
MCP cloud platform (auth, secrets, deploy, scale). Founders Luigi Pederzani + Pietro Zullo (YC S25, $6.3M seed). mcp-use SDK used at NVIDIA, IBM, Oracle, Red Hat.
Why them: they own the auth + secrets layer under everyone's MCP servers. That layer is exactly where our bugs live, and they're funded and reachable.
Subject: the MCP bug class we keep finding, aimed at Manufact
Hi Luigi, I run Securva, security research on the MCP stack. Manufact owns the hard part, the auth, secrets and deployment layer under everyone's MCP servers. That's exactly where I keep finding real bugs: a single bad server turning an agent into credential theft or arbitrary file access. I recently disclosed a credential-leak-on-redirect issue in Docker's MCP gateway, and I hold credited CVEs in adjacent tools (File Browser, High 8.2, more on our disclosures wall). As the plumbing that 20% of the US500 builds on, you're the one that has to be right. Worth 15 minutes to show you what I'd look at first? securva-agent-audit.pages.dev
Contact: manufact via ycombinator.com/companies/manufact · find Luigi Pederzani / Pietro Zullo on LinkedIn or X.
Klavis AI
perfect fit
Open-source MCP integrations, managed OAuth across 300+ services, multi-tenant auth. Founders Xiangkai Zeng (ex-Google DeepMind) + Zihao Lin (YC X25, Sequoia-backed). Product: Strata.
Why them: managed OAuth across 300+ integrations with multi-tenancy is one of the largest credential surfaces in the ecosystem. Cross-tenant leak = their nightmare, our specialty.
Subject: managed OAuth across 300+ integrations is a big surface
Hi Xiangkai, I run Securva, security research on AI agents and MCP. Klavis handles managed OAuth and multi-tenant auth across 300+ services, which is a huge, high-value credential surface, and it's exactly what I audit. I recently found and disclosed a bug in a major MCP gateway where a credential header got forwarded to an attacker host on a redirect, the kind of cross-host leak that matters most when you're the OAuth layer for everyone. I hold credited CVEs in this space (File Browser, High 8.2, others on our disclosures wall). 15 minutes to walk you through what I'd test in Strata? securva-agent-audit.pages.dev
Contact: github.com/Klavis-AI · ycombinator.com/companies/klavis-ai · find Xiangkai Zeng on LinkedIn.
Multifactor
perfect fit
Zero-trust authentication, authorization and auditing for AI agents (YC 2025).
Why them: a security company selling trust benefits most from an outside researcher who can say "I tried to break it, here's what held and what didn't." That's a testimonial engine, not just an audit.
Subject: zero-trust for agents, from someone who breaks agent auth
Hi there, I run Securva, security research on AI agents. Multifactor brings zero-trust auth and auditing to agents, which is the exact problem I spend my time breaking from the other side. I keep finding real auth-bypass and credential-leak bugs across the agent and MCP ecosystem (recently a credential-forwarding issue in Docker's MCP gateway, plus credited CVEs including File Browser at High 8.2, more on our disclosures wall). A company selling trust gains a lot from an independent researcher who can vouch, on the record, that it holds. Worth 15 minutes? securva-agent-audit.pages.dev
Contact: find Multifactor on ycombinator.com (YC 2025 batch) · reach the founders via their site / LinkedIn.
Metorial
strong
Makes MCP "enterprise-ready with security built in", serverless MCP runtime (YC 2025).
Why them: they claim "security built in." A claim like that wants an outside receipt, which is precisely what you sell.
Subject: "security built in" for MCP, let me verify that
Hi there, I run Securva, security research on the MCP stack. Metorial makes MCP enterprise-ready with security built in, and your serverless runtime is a genuinely novel surface. "Security built in" is a claim worth an independent receipt, which is what I provide: I recently disclosed a credential-leak bug in Docker's MCP gateway and hold credited CVEs in adjacent tools (File Browser, High 8.2, others on our disclosures wall). 15 minutes to show you the MCP-specific bug classes I'd check on Metorial before your customers' pen-testers do? securva-agent-audit.pages.dev
Contact: metorial via ycombinator.com · find the founders on LinkedIn / X.
Hyperspell
strong
Memory layer for AI agents, unifies context from Gmail, Slack, Notion, Drive (YC 2025).
Why them: a cross-tenant data + auth surface pulling from everyone's email and docs is where IDOR and broken-authorization bugs live. Different bug class, same specialty.
Subject: an agent memory layer touching Gmail and Drive is my wheelhouse
Hi there, I run Securva, security research on AI agents. Hyperspell unifies agent context across Gmail, Slack, Notion and Drive, which is a rich cross-tenant data and auth surface, exactly where authorization and data-isolation bugs hide. That's what I audit. I hold credited CVEs in this space (File Browser, High 8.2, others on our disclosures wall) and recently disclosed a credential-forwarding bug in a major MCP gateway. Worth 15 minutes to walk through where I'd look at cross-user data isolation in Hyperspell? securva-agent-audit.pages.dev
Contact: hyperspell via ycombinator.com · find the founders on LinkedIn.
OpenHands (All Hands AI)
strong
Autonomous coding agent, edits code and runs commands without step-by-step approval. Open source, funded.
Why them: approval-free execution is exactly where the cline bug we just disclosed bites (a repo symlink getting an out-of-workspace write auto-approved). Same class, their product.
Subject: approval-free agents and the auto-approve bug we just disclosed
Hi there, I run Securva, security research on AI coding agents. OpenHands runs commands and edits files without step-by-step approval, which is the power and the risk. I recently found and disclosed a bug in another open-source agent where a repo-shipped symlink got an out-of-workspace file write auto-approved with no prompt, straight to SSH persistence. That whole class matters most in an approval-free agent. I hold credited CVEs across this space (File Browser, High 8.2, more on our disclosures wall). 15 minutes to show you the agent-boundary bugs I'd test in OpenHands? securva-agent-audit.pages.dev
Contact: all-hands.dev · github.com/All-Hands-AI/OpenHands · reach the team via their Slack / site.
HelixDB
worth a shot
Rust graph-vector database, "the memory for AI". Founders Xavier Cochran + George Curtis (YC 2025, ~4k stars).
Why them: softer fit (they're a database, not an agent), but they hold exactly the sensitive retrieved data an attacker wants, so multi-tenant isolation is everything as they scale.
Subject: the database for AI memory, is that memory isolated?
Hi Xavier, I run Securva, security research on AI infrastructure. HelixDB is the memory layer for AI apps, which means it holds exactly the sensitive retrieved data an attacker wants, and multi-tenant isolation becomes everything as you scale. That surface is what I audit. I hold credited CVEs in the AI tooling space (File Browser, High 8.2, others on our disclosures wall). Worth 15 minutes to talk through data-isolation and access-control testing for HelixDB? securva-agent-audit.pages.dev
Contact: helix-db.com · github.com/HelixDB/helix-db · find Xavier Cochran / George Curtis on X.