Authorization & Cross-Tenant Isolation Review
from $10,000Broken access control is the most common way B2B SaaS leaks data across tenants. It’s a logic bug, and it lives in the code, so the scanners hitting your running app at the surface walk right past it. I read the actual code: the database queries, the access checks, the tenant boundaries. The same bug class shows up everywhere you hand out data now: your APIs, your MCP servers, and the AI agents you’ve given access to it. The review covers all three.
I don’t just flag it. I make one test account reach another customer’s data, then hand you the reproducible steps, the fix, and how to keep it from creeping back as you ship.
Scope: application authorization and tenant isolation, code-level, across APIs, MCP servers, and multi-tenant SaaS. Not cloud or runtime infrastructure.