
CyberArk Privilege Cloud MCP Server

Built by Vinkius GDPR Tools · Free for Subscribers

Manage privileged access via CyberArk — audit secure safes, checkout vaulted account passwords, monitor users, and terminate sessions directly from any AI agent.

Vinkius supports streamable HTTP and SSE.

High Security · Kill Switch · Plug and Play

  • Fully Managed: Vinkius Servers
  • 60% token savings
  • High Security: Enterprise-grade
  • IAM: Access control
  • EU AI Act: Compliant
  • DLP: Data protection
  • V8 Isolate: Sandboxed
  • Ed25519: Audit chain
  • <40ms kill switch
Stream every event to Splunk, Datadog, or your own webhook in real-time

* Every MCP server runs on Vinkius-managed infrastructure inside AWS - a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts optimized for native MCP execution.

What is the CyberArk MCP Server?

The CyberArk MCP Server gives AI agents like Claude, ChatGPT, and Cursor direct access to CyberArk via 10 tools. Manage privileged access via CyberArk — audit secure safes, checkout vaulted account passwords, monitor users, and terminate sessions directly from any AI agent. Powered by Vinkius - no API keys, no infrastructure, connect in under 2 minutes.

Built-in capabilities (10)

add_account · delete_account · get_account · get_safe · list_accounts · list_groups · list_safes · list_users · retrieve_password · terminate_session

Tools for your AI Agents to operate CyberArk

Ask your AI agent "List all privileged accounts for address '10.0.0.1'" and get the answer without opening a single dashboard. With 10 tools connected to real CyberArk data, your agents reason over live information, cross-reference it with other MCP servers, and deliver insights you would spend hours assembling manually.

Works with Claude, ChatGPT, Cursor, and any MCP-compatible client. Powered by Vinkius - your credentials never touch the AI model, every request is auditable. Connect in under two minutes.

Why teams choose Vinkius

One subscription gives you access to thousands of MCP servers - and you can deploy your own to the Vinkius Edge. Your AI agents only access the data you authorize, with DLP that blocks sensitive information from ever reaching the model, kill switch for instant shutdown, and up to 60% token savings. Enterprise-grade infrastructure and security, zero maintenance.


Vinkius works with every AI agent you already use

Cursor, Claude, OpenAI, VS Code, Copilot, Google, Lovable, Mistral, AWS, and any MCP-compatible client

CyberArk Privilege Cloud MCP Server capabilities

10 tools
add_account

Provision a new privileged account into a Vault Safe. Requires precise mapping to an underlying Platform ID (e.g., WinDesktopLocal, UnixSSH), which dictates how CyberArk rotates and verifies the credential moving forward.

delete_account

Delete a privileged account from the CyberArk Vault. Requires high authorization. Used during system decommissioning so the CPM stops attempting failed password rotations.

get_account

Get detailed properties for a specific vaulted account. Necessary before rotating or interacting with an account.

get_safe

Get details and metadata for a specific PAM Safe.

list_accounts

Search and list privileged accounts vaulted in CyberArk. These represent highly sensitive credentials (Root, Administrator, Service Accounts). Includes the bounding platform, Safe allocation, address, and rotational status. Use the search string to narrow targets.

list_groups

List CyberArk Vault User Groups. Permissions to Safes are canonically granted to Groups rather than individual users to enforce RBAC best practices. Used to verify PAM logical access architectures.

list_safes

List all secure Safes in CyberArk Privileged Access Manager. Safes are the fundamental logical containers separating credentials physically and logically. Required to locate where specific critical tier-0 credentials or local admin passwords reside.

list_users

List all CyberArk users (local and synchronized). Identifies active vault administrators, auditors, and human end-users consuming PSM (Privileged Session Manager) sessions.

retrieve_password

Retrieve the clear-text password for an account (check-out). Highly audited endpoint triggering SIEM alerts. A justification reason is mandatory. After retrieval, exclusive access platforms may lock the credential until check-in or auto-rotation.

terminate_session

Forcibly terminate an active Privileged Session (PSM/PSMP). Used as an active incident response mechanism if a SOC analyst or anomalous behavior engine detects unauthorized actions mid-session.

What the CyberArk Privilege Cloud MCP Server unlocks

Connect your CyberArk Privilege Cloud account to any AI agent and take full control of your identity security and privileged access management through natural conversation.

What you can do

  • Safe Orchestration — List secure Safes and retrieve intricate settings including retention periods and assigned Central Policy Managers (CPM)
  • Privileged Account Management — Enumerate vaulted credentials (Root, Administrator, Service Accounts) and audit rotational statuses and address mappings
  • Password Retrieval (Check-out) — Pull actual secrets from the Vault with mandatory audited justifications, allowing the agent to securely retrieve credentials for incident response
  • Identity Oversight — List internal and LDAP-mapped directory users and groups to verify PAM logical access architectures and RBAC rules
  • Session Control — Forcibly terminate active PSM/PSMP privileged sessions instantly as an active incident response mechanism
  • Vault Onboarding — Provision new privileged accounts into secure Safes by mapping them to specific platform IDs for automated rotation lifecycle management

How it works

1. Subscribe to this server
2. Enter your CyberArk Subdomain and your Bearer access_token (generated via a Service User client_credentials flow)
3. Start managing your privileged access from Claude, Cursor, or any MCP-compatible client

Who is this for?

  • Security Analysts & SOC — monitor privileged account status and terminate suspicious sessions in real-time
  • IT Administrators — onboard new service accounts and manage safe configurations without navigating the PVWA interface
  • Auditors & Compliance — list users, groups, and account properties to verify organizational security policies
  • DevOps Engineers — retrieve temporary credentials for automated maintenance tasks with full audit logging

Frequently asked questions about the CyberArk Privilege Cloud MCP Server

01. Can my agent retrieve a privileged password for an emergency maintenance task?

Yes. Use the 'retrieve_password' tool. You must provide the account ID and a justification reason. The agent pulls the secret from the Vault, and the action is fully audited in CyberArk's system logs for compliance.

02. How do I terminate a suspicious active session via the agent?

Provide the session ID to the 'terminate_session' tool. The agent will dispatch an instant interrupt signal to the CyberArk platform, killing the live SSH or RDP session immediately to prevent unauthorized actions.

03. Is it possible to add new service accounts to a Safe through chat?

Absolutely. Use the 'add_account' tool. You'll need to specify the account name, address, username, platform ID, and the destination Safe. Your agent will onboard the credential and link it to the CPM for automated rotation.


Give your AI agents the power of CyberArk MCP Server

Production-grade CyberArk Privilege Cloud MCP Server. Verified, monitored, and maintained by Vinkius. Ready for your AI agents — connect and start using immediately.