A pentest finds bugs. A threat model finds design flaws.
Your agents plan, remember and act. They hold credentials and call tools your last pentest never scoped. I threat-model your multi-agent architecture with CSA MAESTRO, the OWASP Top 10 for Agentic Applications and MITRE ATLAS, then map every finding to the EU AI Act and NIS2. Fixed price. Independent. No tool to sell.
Book a free 30-min Idea Call →Every agent is a non-human identity with keys, permissions and an attack surface.
Agentic systems break the assumptions AppSec reviews are built on. The prompt is an input channel. The tool call is a privilege boundary. The memory is a persistence layer. Goal hijacking, tool misuse, memory poisoning and cross-agent escalation do not show up in a scanner and rarely in a classic pentest.
The incidents are no longer hypothetical. EchoLeak (CVE-2025-32711) exfiltrated data from Microsoft 365 Copilot without a single click. OWASP shipped a dedicated Top 10 for Agentic Applications in December 2025 because the LLM Top 10 no longer covered what agents do. If your agents run in production, this is your current exposure.
What you walk away with.
Methodology you can cite in your next audit. Findings your engineers can ship.
Threat Model of Your Agent Architecture
Scenario-driven attack trees across every agent, tool, memory and orchestration layer. Built along MAESTRO's seven layers, mapped to OWASP ASI01 to ASI10 and MITRE ATLAS techniques.
Non-Human Identity and Permission Review
Which agent holds which credential, which tool grants which privilege, and where scoped identities replace shared API keys.
Report with Remediation Roadmap
Prioritized fixes scored by effort and impact, from quick wins in the system prompt to architectural changes in the orchestration layer.
EU AI Act and NIS2 Mapping
Each finding tied to the regulatory requirement it serves, so the security work counts twice: hardening and compliance evidence.
Optional Continuous Retainer
Re-assessment per release, an updated threat model as you ship new agents, and a standing security contact for your team. EUR 1,500 to 3,000 per month.
Agentic AI Security Assessment
Priced by the complexity of your agent architecture. Includes discovery, threat modeling, EU AI Act and NIS2 mapping, the written report with remediation roadmap, and the executive read-out. Optional continuous retainer from €1,500 to €3,000 per month.
Book a free Idea Call to scope itFrom architecture to a hardened system in three stages.
A focused engagement, typically 2 to 4 weeks from kick-off to read-out.
Architecture Discovery
We map agents, tools, data flows, memory and trust boundaries. Nothing gets modeled that we have not first understood.
Threat Modeling
Attack trees per scenario, worked along MAESTRO's seven layers and checked against OWASP Agentic and MITRE ATLAS.
Roadmap and Read-out
Findings become a prioritized remediation roadmap, walked through with your engineers and your leadership.
I build multi-agent systems. And I take them apart.
The assessment comes from the builder's side, not from an audit checklist. This is work I show on stage and run in production.
Your Agent Is Your New Layer 8
Why autonomous agents behave like a new human layer in your organisation: with all the security consequences that brings.
Securing Agent Identity
How agents get their own identities, scoped permissions and auditable access instead of shared API keys.
A multi-agent crew, built on stage
A multi-agent film crew shown live: specialised agents planning, producing and reviewing against real constraints.
Multi-agent deep dives
Technical deep dives on hybrid multi-agent architecture and platform engineering for enterprise teams, plus hands-on Amazon Bedrock AgentCore workshops.
Up to 100% AWS funded.
As an AWS Community Hero, I navigate the funding process with you, from application to approval. Eligibility is assessed in the first 30 minutes, not added as an afterthought at the end.
PoC Funding
Covers prototype development. Deliverables engineered to meet funding requirements.
Migration Funding
For larger cloud transformation projects. Multi-phase plan structuring and end-to-end application support.
Answers, in writing.
Threat modeling, red teaming or a pentest: which one does my agent architecture need?
In that order. A threat model finds the design flaws and tells you where red teaming and pentesting are worth the money. Running a pentest against an unreviewed agent architecture tests the walls of a house with no locks.
What is MAESTRO threat modeling?
MAESTRO is the Cloud Security Alliance's threat-modeling framework for agentic AI: seven layers from foundation model to agent ecosystem. It is the most complete lens for multi-agent systems available today, and the assessment applies it end to end.
What is the OWASP Top 10 for Agentic Applications?
The OWASP GenAI Security Project's ranking of agentic risks, released in December 2025: from ASI01 Agent Goal Hijack to ASI10 Rogue Agents. The report maps every finding to these IDs so your team can track them in familiar terms.
Which stacks do you assess?
Amazon Bedrock and AgentCore, CrewAI, LangGraph and LangChain, plus custom orchestration. I build on these stacks myself. The assessment does not depend on any specific vendor.
What does an agentic AI security assessment cost?
EUR 12,000 to 18,000 fixed, depending on the complexity of the architecture. The continuous retainer runs EUR 1,500 to 3,000 per month. Both prices are on this page on purpose: comparable engagements are quoted at USD 35,000 and up.

Linda Mohamed
An independent practice for organisations that want their AI agents assessed by the person who builds them. AWS Community Hero, speaker at AWS Community Days in Istanbul and Athens 2026, and builder of production multi-agent systems on Amazon Bedrock, CrewAI and LangGraph. Based in Vienna, Austria. Remote or on-site, English or German.
Book a free 30-min Idea Call →Begin with a 30-minute Idea Call.
Before the assessment, we have a short conversation to confirm fit. No commitment. No slides. The same opening conversation that precedes every paid engagement.
- Confirm the scope of your agent architecture
- Check where the EU AI Act and NIS2 apply to you
- Decide whether the one-time assessment or the retainer fits best
- Get the intake brief and a calendar slot
Typically respond within one business day. Vienna, Austria · serving clients across the EU · [email protected]