Alex Schose

Alex Schose

Independent security review for AI-agent products — isolation below the protocol, governance above the agent.

Isolation layer — the qrexec gate this practice ships and reviews against.

qmcp.SpawnAIManagedQube      *  mcp-control      @adminvm         allow
qmcp.LifecycleAIManaged      *  mcp-control      @adminvm         allow
qmcp.AttachDeviceAIManaged   *  mcp-control      @adminvm         allow
qmcp.GetPropertyAIManaged    *  mcp-control      @adminvm         allow
qmcp.RunInAIManaged          *  mcp-control      @tag:ai-managed  allow  user=root
qubes.Filecopy               *  @tag:ai-managed  @tag:ai-managed  allow
*                            *  mcp-control      @anyvm           deny

Governance layer — the universal safety lever every agent reads before any action.

halt_scope: null | non_essential | full
    null            ->  normal operation
    non_essential   ->  revenue + exploratory work pauses
    full            ->  only principal interface + rescue path live

# tripwires declared in cryptographically-signed manifest
constitutional_integrity    ->  halt_scope = full
sovereign_locked_integrity  ->  halt_scope = full
treasury_below_floor        ->  halt_scope = non_essential

Practice

A trust boundary is only worth what you can prove about it. Most security reviews of AI-agent products stop at the protocol — checking that tool descriptions are sanitised, that prompts are pinned, that human-in-the-loop confirmations fire. I work two layers around the protocol: structural isolation below it — where the agent can act — and constitutional governance above it — what the agent is permitted to act on. Both layers compound; most reviews check neither in any structural way.

The practice serves teams shipping agentic products, infrastructure where AI is given real capabilities, and individuals whose work requires a workstation that resists compromise by design rather than by hygiene. Engagements are direct, written, and contained — two weeks, one operator, one report.

Services

AI agent security audit

From €4,000 · fixed-scope single-surface review · written report with reproducible proofs of concept · broader engagements scoped on inquiry.

Trust-boundary review of an MCP server, agent client, or autonomous-agent product. The deliverable answers twelve questions in writing — where the boundary is drawn, what the model can name, how denial differs from absence, what the egress surface allows, where credentials originate, what disposable state looks like, what is loggable and by whom, what the failure mode is when the model is wrong, whether tenants are isolated, what leaves through telemetry, whether authority is graduated, and whether the data the agent parses is safe against hostile input. Each answered with primary-source evidence from the product, not interview transcripts.

Download the twelve-question MCP audit checklist (PDF) · read on the web

AI red-team assessment

Scoped per engagement · adversarial testing · findings, reproductions, and fixes.

Adversarial testing of a model or agent product — how it is talked, primed, or degraded out of its safety posture. Jailbreak and guardrail-bypass assessment, prompt injection, and moderation-architecture review, judged by where the controls sit relative to the conversation that attacks them. The deliverable is the attack and the fix: reproductions of what got through, and the architectural change that closes the gap — not a better-worded refusal.

Sandboxed AI infrastructure

Scoped per engagement · design, implementation, handover.

For teams giving AI agents real capabilities — provisioning, code execution, network reach — and recognising that protocol-layer defence is insufficient. Design and implementation of structural isolation: tag-scoped trust boundaries, dom0-mediated RPC surfaces, default-deny egress, ephemeral compute as the default disposition.

Qubes-based secure workstation

One to three weeks · specification, build, hardening, training.

For journalists, lawyers, researchers, and individuals whose threat model requires compartmentalised computing. A specified Qubes installation with template hygiene, per-domain network policy, disposable browsing, and an operating doctrine the client can sustain after handover. Not a turnkey product. A working system you understand.

Selected work

qubes-mcp

A FastMCP server exposing a tag-scoped Qubes Admin API sandbox. Autonomous agents are given real capability — spawning qubes, running commands, attaching devices, networking through a controlled egress — while the trust boundary is enforced in dom0 by invariant-checking wrappers rather than trusted to the agent. Built and tested in stages; default-deny throughout.

The MCP trust-boundary audit checklist

The twelve questions a trust-boundary review of an MCP or agent product should answer in writing — each with a real, de-identified example of what the failure looks like. Download the PDF, or read it on the web.

Contact

Direct enquiry is preferred. Please include a one-paragraph description of the product or environment, the question you want answered, and any constraint on timing.

Email
alexschose@atomicmail.io
PGP
F4F9 735B E899 60F4 70E6  ADBE 5312 A67E E8CE 816B · public key
Signal
alexschose.888
Invoicing
Polish entity. Bank transfer in EUR or USD. Stablecoin on request.
Location
Remote. No travel surcharge for engagements conducted in writing.