The Secureframe MCP Server is now in public beta. It offers read-only, real-time access to your Secureframe compliance data via AI and developer tools that support the Model Context Protocol (MCP).
No more hunting through dashboards—just ask natural-language questions and get instant answers on compliance status, controls, vendors, devices, and more.
Read more about MCP in our Blog!
Key Features
- 11 read-only endpoints, including:

| Tool | Purpose |
| --- | --- |
| list_controls | Explore controls by framework and health status |
| list_tests | View test results and pass/fail status |
| list_users | Audit personnel status and access |
| list_devices | Review managed devices and security posture |
| list_user_accounts | Inspect user accounts from connected integrations |
| list_tprm_vendors | Identify high-risk vendors |
| list_vendors | Access legacy vendor data |
| list_frameworks | View supported compliance frameworks |
| list_repositories | Understand audit scope across codebases |
| list_integration_connections | Monitor integration status |
| list_repository_framework_scopes | Map repositories to frameworks |

- Lucene-style filtering, so you can query by framework, owner, test status, risk level, etc.
- Secure and scoped:
  - Read-only access only, safeguarding production data.
  - Does not permit writes or destructive actions.
Common Use Cases
- Check failing SOC 2 controls: “Show me failed endpoint‑security controls in SOC 2.” AI returns current failing items and insights on owners and remediation timelines.
- Vendor risk analysis: “Which third‑party vendors are high‑risk?” AI surfaces flagged vendors and risk status for quick triage.
- Audit prep: “What are our most recent failed ISO 27001 tests?” Instantly fetch test results to streamline audit readiness.
- Access reviews: “List inactive users with system access.” Spot stale accounts and support access clean-up workflows.
How It Works
- Connect: Turn on the MCP Server beta in your Secureframe settings.
- Authorize: Grant the MCP Server permission to interact with AI clients using the Model Context Protocol.
- Query: Using tools like Claude, Cursor IDE, or ChatGPT with MCP support, you can run natural language prompts such as “list failing controls” or “show high-risk vendors.”
- Respond: AI fetches live data from the mapped endpoints and presents it conversationally.
Technical Details
- Built on the open MCP standard.
- Offers 11 scoped, read-only endpoints covering controls, tests, devices, users, vendors, frameworks, integrations, and repository mappings.
- Supports powerful filters using Lucene query syntax for precision.
- Read-only architecture ensures full safety—no modifications to production data.
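
A client-side check of the read-only scope described above, as an added example that is not Secureframe's own code: it compares the tools a server advertises against the 11 names documented on this page and gates calls to anything else. It assumes the standard MCP `tools/list` JSON-RPC result shape; the sample responses are constructed, and `update_control` is a hypothetical name.

```python
import json

# The 11 tool names from the "Key Features" table on this page.
DOCUMENTED_TOOLS = frozenset({
    "list_controls", "list_tests", "list_users", "list_devices",
    "list_user_accounts", "list_tprm_vendors", "list_vendors",
    "list_frameworks", "list_repositories",
    "list_integration_connections", "list_repository_framework_scopes",
})

def audit_tool_listing(response_json: str) -> dict:
    """Compare an MCP tools/list result against the documented read-only set."""
    message = json.loads(response_json)
    tools = (message.get("result") or {}).get("tools")
    if not isinstance(tools, list):
        raise ValueError("not a tools/list result")
    names = [t["name"] for t in tools
             if isinstance(t, dict) and isinstance(t.get("name"), str)]
    advertised = set(names)
    report = {
        "unexpected": sorted(advertised - DOCUMENTED_TOOLS),
        "missing": sorted(DOCUMENTED_TOOLS - advertised),
        "malformed": len(tools) - len(names),
    }
    # Missing tools only narrow access; unexpected or malformed entries fail.
    report["ok"] = not report["unexpected"] and report["malformed"] == 0
    return report

def is_call_allowed(tool_name: str) -> bool:
    """Client-side gate: refuse tools/call for anything outside the documented set."""
    return tool_name in DOCUMENTED_TOOLS

def _listing(names):
    """Build a constructed tools/list response for the demo below."""
    tools = [{"name": n, "inputSchema": {"type": "object"}} for n in names]
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": tools}})

# Constructed samples, not captured from a Secureframe server.
CLEAN = _listing(sorted(DOCUMENTED_TOOLS))
# "update_control" is a hypothetical name used only to show a drifted listing.
DRIFTED = _listing(["list_controls", "list_tests", "update_control"])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(label, audit_tool_listing(sample))
```

Running the audit when the client connects and alerting on a non-empty `unexpected` list catches drift in the advertised tool set before any call is made.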
Getting Started
- Join the public beta (available now to all customers).
- Connect your MCP server to your preferred AI client.
- Start querying your compliance data conversationally.
- For setup help or troubleshooting, reach out to Secureframe support via the Support Portal or email.
Best Practices
- Always verify AI output before acting—the data is live, but AI can misinterpret.
- Use scoped filters in prompts (e.g. “SOC 2 only”) to target your requests.
- Treat this as read-only access—no data or configurations can be changed via MCP.
Why It Matters
- Faster insight: Get real-time compliance updates without digging into dashboards.
- AI‑powered workflows: Use your tools—IDE, ChatGPT, Slack—to interact with compliance data naturally.
- Enhanced visibility: Know exactly where you stand without context-switching or manual effort.
Next Steps
- Explore the MCP spec and sample queries.
- Try example prompts like:
  - “List all failed SOC 2 endpoint controls.”
  - “Show third-party vendors flagged as high‑risk.”
  - “Give me the most recent ISO 27001 test failures.”
- Stay tuned for future enhancements like write‑only tasks or deeper integrations.
Need help enabling or using the MCP server? Visit the Secureframe Support Portal or email support@secureframe.com