Drata MCP. Audit your entire compliance stack via chat.
Works with every AI agent you already use, and any MCP-compatible client. Just plug in your AI agents and start using Vinkius.
Drata MCP Server monitors compliance and security by giving your AI agent direct access to your entire governance stack. You can check if a specific employee is trained, list all failing controls, audit policies for renewal dates, or verify cloud asset encryption status—all without leaving your chat client.
This tool connects your AI agent to Drata's full risk and compliance record.
What your AI agents can do
Drata get control
Gets a specific control's pass/fail state, the automated test evidence, and the official risk language used by auditors.
Drata get person
Retrieves a person's full compliance status, including MDM enrollment, training completion, and background check clearance.
Drata get policy
Gets detailed status for one policy, including its renewal date, acknowledgment rates, and owner assignment.
You can run drata_get_control to get a control's pass/fail state, the evidence from automated tests, and the auditor language defining the risk.
Use drata_get_person to check a specific person's onboarding status, including MDM enrollment, training dates, and background check clearance.
Run drata_get_policy to find a policy's renewal date, who acknowledged it, and its version history.
Invoke drata_list_assets to list infrastructure such as EC2 instances or S3 buckets, showing their compliance status and whether they are encrypted.
Execute drata_list_controls to list every compliance requirement, showing its status, mapped frameworks, and owner.
Call drata_list_frameworks to list active frameworks (SOC 2, HIPAA, etc.) and get their current readiness scores.
Use drata_list_personnel to get a full roster showing who is non-compliant, who has overdue training, and device compliance status.
Drata MCP Server: 10 Tools for Compliance & Audit
Use these tools to query, list, and audit every aspect of your organization's compliance posture, from cloud assets to individual employee training records.
drata_get_control
Gets a specific control's pass/fail state, the automated test evidence, and the official risk language used by auditors.
drata_get_person
Retrieves a person's full compliance status, including MDM enrollment, training completion, and background check clearance.
drata_get_policy
Gets detailed status for one policy, including its renewal date, acknowledgment rates, and owner assignment.
drata_list_assets
Lists all cloud infrastructure assets (EC2, S3, RDS) and shows their compliance status, encryption, and region.
drata_list_controls
Lists every compliance control, showing its status, linked frameworks (SOC 2, HIPAA), and which owner is responsible.
drata_list_frameworks
Lists active compliance frameworks (SOC 2, ISO 27001) and provides overall readiness scores and control completion percentages.
drata_list_personnel
Lists all tracked personnel, showing security training status, device compliance, and policy acceptance rates.
drata_list_policies
Lists all security policies in Drata, detailing the last review date, next review due, and acknowledgment completion rate.
drata_list_tests
Lists automated compliance tests, showing which checks are failing, their associated controls, and the last time they ran.
drata_list_vendors
Lists third-party vendors, showing their data risk classification, security questionnaire status, and SOC 2 report review status.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built-in DLP, auth, and compliance on every call
- Real-time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Drata, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
Drata MCP Server gives your AI agent direct access to your whole governance stack. You can check if an employee's training is up to date, list every failing control, audit policies for renewal dates, or verify if a cloud asset is encrypted—all without leaving your chat client. This tool connects your agent straight to Drata's full risk and compliance record.
drata_list_frameworks lists active compliance frameworks like SOC 2 or ISO 27001, giving you overall readiness scores and control completion percentages. drata_list_controls lists every compliance requirement, showing its status, mapped frameworks, and the owner responsible. drata_get_control checks a specific control's pass/fail status, the evidence from automated tests, and the official risk language auditors use.
drata_list_personnel gives you a full roster of personnel, showing who's non-compliant, who has overdue training, and device compliance status. drata_get_person audits a specific person's profile, checking their onboarding status, MDM enrollment, training dates, and background check clearance. drata_list_policies lists all security policies in Drata, detailing the last review date, next review due, and acknowledgment completion rate. drata_get_policy finds a policy's renewal date, who acknowledged it, and its version history.
drata_list_assets lists all cloud infrastructure assets—like EC2 or S3 buckets—showing their compliance status, encryption status, and region. drata_list_vendors lists third-party vendors, detailing their data risk classification, security questionnaire status, and SOC 2 report review status. drata_list_tests lists automated compliance tests, showing which checks are failing, their associated controls, and the last time they ran.
How Drata MCP Works
1. Subscribe to the server and provide your Drata Public API Key (found in your Drata Dashboard).
2. Tell your agent what you need to audit, for example: 'Show me all failing compliance controls.'
3. The agent uses the specialized drata_* tools to fetch and compile the status report, delivering the findings directly into your chat window.
The bottom line: you treat compliance reporting as a chat query, not a dashboard navigation task.
Who Is Drata MCP For?
Compliance Officers, CISOs, and Security Engineers. You're the person who wakes up needing to prove controls are working—not just knowing they exist. You're tired of manually cross-referencing AWS reports with HR records and InfoSec policy documents. This lets you query the entire compliance posture from one place.
- Runs drata_list_controls to find every failing requirement, or drata_list_frameworks to assess overall readiness for an upcoming audit.
- Runs drata_list_assets and drata_list_tests to verify whether cloud infrastructure (such as S3 buckets) is encrypted or whether automated monitoring checks are failing in real time.
- Queries drata_list_personnel to quickly identify which employees have incomplete background checks or overdue security training, speeding up onboarding audits.
What Changes When You Connect
- Check asset encryption status instantly. Instead of navigating AWS or GCP consoles, run drata_list_assets to see if every EC2 instance or S3 bucket meets your encryption requirements.
- Pinpoint employee compliance gaps. Use drata_list_personnel to get a full roster showing who has overdue security training or missing background checks, no CSV export needed.
- Audit policies without manual clicks. Running drata_get_policy shows the renewal date and acknowledgment rate for a document, immediately highlighting what needs owner attention.
- Map compliance readiness. drata_list_frameworks gives you an immediate score (e.g., 85% Ready for SOC 2), letting you know exactly which framework needs the most focus.
- Track real-time failures. drata_list_tests pulls data on automated checks (like 'MFA enforced in Okta'), telling you exactly which technical controls are failing right now.
- Manage vendor risk. drata_list_vendors summarizes your supply chain's security posture, providing data risk classifications and the status of vendor questionnaires.
Real-World Use Cases
Pre-Audit Readiness Check
A Compliance Officer needs to know if the company is ready for an ISO 27001 audit. They prompt their agent: 'What's our overall readiness?' The agent runs drata_list_frameworks and drata_list_controls to generate a summary, pointing out the top three failing controls and the policies that need immediate review.
Onboarding a New Contractor
The Ops Manager needs to verify a new contractor's access. They ask the agent to check the person's status. The agent calls drata_get_person and reports back that the background check cleared, but the Acceptable Use Policy acknowledgment is pending. The whole check is resolved in one query.
Cloud Misconfiguration Review
A Security Engineer suspects some assets aren't encrypted. They ask the agent to check the infrastructure. The agent calls drata_list_assets and immediately identifies all S3 buckets or RDS databases that lack encryption-at-rest, giving them a list of resources to fix.
Policy Gap Analysis
A CISO wants to see which policies are approaching their review date. They query the agent: 'What policies need attention this quarter?' The agent uses drata_list_policies to list upcoming reviews, helping the CISO assign owners before a deadline hits.
The Tradeoffs
Checking one thing at a time
Before: Manually jumping between the AWS console, the HR portal, and the InfoSec wiki to piece together one employee's compliance picture. This takes hours and relies on perfect data entry.
After: Use drata_get_person to check an employee's status, or drata_get_control to investigate why a specific requirement is failing. The agent handles the cross-referencing.
Assuming data is current
Before: Trusting an old spreadsheet of asset owners or policy dates because the data hasn't been updated in weeks. The compliance picture is immediately wrong.
After: Run drata_list_assets or drata_list_policies to get the real-time, current status from the source of truth. Don't trust memory.
Ignoring related risks
Before: Finding a failing control but not knowing which assets or personnel are affected. You fix the control, but the underlying vulnerability remains.
After: First, use drata_list_controls to find the failing requirement. Then, use drata_list_assets to see which resources are linked to that control. This gives you the full scope.
When It Fits, When It Doesn't
Use this if your primary job is auditing, governance, or risk assessment. Specifically, if you need to answer questions like: 'Are we compliant with HIPAA?' or 'Which assets lack encryption?' You need a single source of truth for the entire compliance stack.
Don't use this if you just need to track a single, simple piece of information (e.g., 'What is John's phone number?'). For simple data lookups, a direct API call is faster. But if the data point is tied to a governance requirement (e.g., 'Is John's phone number recorded in the MDM system?'), this MCP Server is required. It treats compliance as a graph problem, not a database table.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Drata. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
Vinkius Infrastructure
- Cloud Hosted: managed infra
- V8 Isolated: sandboxed per request
- Zero-Trust Proxy: no stored credentials
- DLP Enforced: policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Gathering compliance evidence used to be a nightmare of logins and spreadsheets.
Before this, auditing a single policy failure meant a journey across five different platforms: the AWS console for asset details, the HR system for employee status, the ticketing system for remediation tickets, the policy wiki for the rule text, and a spreadsheet to track ownership. You spent half the day just gathering the data, not analyzing it.
Now, your agent runs the required tools—like `drata_get_control` or `drata_list_assets`—and delivers the full context: the failure, the evidence, and the policy definition, all in one response. You get the answer, not the data dump.
Drata MCP Server: Audit Compliance & Security
You no longer need to manually pull reports on personnel training status, policy renewal dates, and cloud asset compliance. The agent runs `drata_list_personnel` and `drata_list_policies` to give you a consolidated view of who needs training and what needs review.
What's different now is the shift from reactive reporting to conversational auditing. You ask a question, and the agent executes the complex, multi-step checks necessary to give you a definitive, actionable answer.
Common Questions About Drata MCP
How do I use `drata_list_controls` to find out what controls are failing?
The agent runs drata_list_controls and returns a list of all requirements. You can then ask the agent to filter that list by 'failing' status, and it will provide the names and associated frameworks.
Can `drata_get_person` tell me if an employee is compliant?
Yes. drata_get_person checks multiple sources (MDM enrollment, background checks, and training completion) and reports back a single, clear compliance status for that employee.
What is the difference between `drata_list_assets` and `drata_list_controls`?
drata_list_assets shows the current state of your infrastructure (e.g., 'S3 bucket is unencrypted'). drata_list_controls shows the required rule (e.g., 'Encryption at rest is required').
How do I check if a policy is due for renewal using `drata_get_policy`?
Just ask the agent to check a specific policy. The tool will return the policy's renewal date and the acknowledgment completion rate, letting you know exactly when to act.
Does `drata_list_vendors` track vendor risk?
Yes, drata_list_vendors lists third-party vendors and includes their data risk classification, security questionnaire status, and SOC 2 report review status.
How do I use `drata_list_frameworks` to see our overall compliance readiness?
The tool provides a high-level view of your compliance posture. It lists active frameworks (like SOC 2 or ISO 27001) and gives you a readiness score and the percentage of controls that are passing.
What information does `drata_get_control` give me about a specific failing control?
It gives you the pass/fail status, the automated test evidence, and the explicit auditor language. This helps you understand exactly why a control is failing and what evidence is required.
When should I use `drata_list_tests` versus `drata_list_controls`?
Use drata_list_tests for real-time automated monitoring. It shows specific checks failing across services like AWS or Okta. Use drata_list_controls for the defined technical and administrative requirements themselves.
Can my agent check if specific employees have finished their security training?
Yes. Use the `drata_list_personnel` or `drata_get_person` tools. The agent retrieves the onboarding state, including Security Awareness Training completion and background check clearance for any tracked individual.
How do I monitor which compliance controls are currently failing?
Use the `drata_list_controls` tool to see all controls and `drata_get_control` for specific details. The agent will fetch exact evaluation states and automated test results to identify failing requirements and their risk logic.
Can I see my SOC 2 readiness score through natural conversation?
Absolutely. Use the `drata_list_frameworks` tool. Your agent will pull the top-level standard boundaries and provide overall readiness scores and aggregated control completion percentages for frameworks like SOC 2.