# Drata MCP for AI Agents

> Drata lets you automate continuous compliance monitoring directly through your AI agent. Use it to audit security policies, track personnel onboarding statuses, verify cloud asset encryption, and assess readiness for frameworks like SOC 2 or HIPAA without leaving conversation mode.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** compliance-automation, security-audits, evidence-collection, soc2, iso27001, risk-management

## Description

Managing compliance and security often means jumping between dashboards—a tedious process that slows down audits and increases risk. This MCP connects your Drata account to any compatible AI agent, letting you manage continuous compliance through natural language. You stop clicking tabs and start asking questions.

Need to know if a specific employee completed their mandatory annual training? Just ask your agent. Need the current pass/fail status of an AWS S3 bucket against your encryption policy? Ask it. The system pulls that data, synthesizes it, and gives you a clear answer immediately. Furthermore, since Vinkius hosts this MCP, you get access to Drata's entire catalog of monitoring tools from a single connection point in any AI client.

It’s about transforming complex audit evidence—like tracking policy acknowledgments or reviewing vendor risk scores—into conversational data points. You get a real-time security posture assessment without ever needing to manually navigate the compliance dashboard.

## Tools

### drata_get_control
Investigates a specific compliance control's status, providing details on test evidence and the underlying risk language for auditors.

### drata_get_person
Retrieves an employee’s complete compliance profile, including training completion, background check clearance date, and device enrollment status.

### drata_get_policy
Gathers detailed information about a specific policy, showing its renewal dates, who needs to acknowledge it, and the current version history.

### drata_list_assets
Generates an inventory of cloud infrastructure assets, detailing their compliance status, encryption state, and associated region.

### drata_list_controls
Lists all defined security requirements (e.g., 'MFA must be enabled') and reports on their current pass/fail status across mapped frameworks.

### drata_list_frameworks
Provides a high-level overview of active compliance frameworks, including overall readiness scores and percentage completion for board reporting.

### drata_list_personnel
Lists all tracked personnel, summarizing their security training status, device compliance, background check clearance, and policy acceptance rates.

### drata_list_policies
Outputs a list of all corporate policies, detailing the last review date, next required renewal date, and employee acknowledgment completion rate.

### drata_list_tests
Shows real-time automated monitoring results for specific technical requirements across AWS, Okta, or GitHub, noting any immediate failures.

### drata_list_vendors
Tracks all third-party vendors, providing their data risk classification, security questionnaire status, and required report review dates.

## Prompt Examples

**Prompt:** 
```
What are the top 3 failing controls right now?
```

**Response:** 
```
**Compliance Status Report**

We currently have 3 critical controls flagged as non-compliant:

*   ❌ **MFA for IdP Users:** Required, but two groups are missing enforcement.
*   ❌ **Encrypted Backups:** Found in the `us-west-2` region. Manual verification needed.
*   ❌ **Vulnerability Scanning:** Last run failed on the staging environment (ID: 456).

Would you like me to retrieve detailed test evidence for any of these?
```

**Prompt:** 
```
Give me a summary of our overall readiness scores.
```

**Response:** 
```
**Framework Readiness Snapshot**

You are currently tracking two major frameworks:

*   🥈 **SOC 2 Type II:** 85% Complete (Target: Q4 2024). Needs focus on vendor risk management.
*   🥇 **ISO 27001:** 72% Complete (Target: Q1 2025). Policy acknowledgment rates are the biggest gap.

Overall, we're in a good position, but policy gaps and asset encryption need immediate attention.
```

**Prompt:** 
```
Who needs to complete their mandatory training?
```

**Response:** 
```
**Personnel Compliance Gaps**

The following 5 users have overdue Security Awareness Training (SAT) or pending acknowledgments:

| Name | Role | Gap Type | Due Date |
| :--- | :--- | :--- | :--- |
| Jane Smith | Dev Op | SAT Overdue | Today |
| Tom Baker | HR Ops | AUP Missing | 03/15/2024 |
| Alex Kim | Contractor | Background Check | N/A (Failed) |

Please send an automated reminder to these users?
```

## Capabilities

### Review control status and test evidence
Get detailed pass/fail states for specific controls, including which automated tests provide evidence or if manual uploads are required.

### Check employee compliance records
Pull an individual's current onboarding state: background check status, security training completion, and device enrollment details.

### Audit policy readiness and renewal dates
Retrieve the status of key policies to see who needs to acknowledge them, when they are due for review, and the current version history.

### Verify cloud infrastructure compliance
List all monitored cloud assets (like RDS or EC2) and check their adherence to defined security controls, including encryption status.

### Assess overall framework readiness scores
View high-level progress across multiple frameworks (SOC 2, HIPAA), showing the percentage of passing controls and the target audit date.

### Manage third-party vendor risk inventory
Examine a list of vendors to track their data risk classification, security questionnaire status, and last SOC 2 review date.

## Use Cases

### Investigating a missing security training record
An HR manager needs to know if John Doe completed his mandatory annual compliance module. Instead of checking the LMS and then the directory, they ask their agent, which uses `drata_get_person` to confirm the specific training date.

### Preparing for an external audit review
A Compliance Officer needs a summary of all policies that haven't been reviewed in two years. They ask their agent, which uses `drata_list_policies` to flag the overdue documentation and gives them a prioritized checklist.

### Responding to an alert about unencrypted data
A Security Engineer gets an alert that some EC2 instances might be non-compliant. They ask their agent, which uses `drata_list_assets` to pinpoint the exact resources lacking required encryption at rest.

### Assessing third-party vendor risk quickly
The procurement team needs a quick security posture check on a new vendor. They ask their agent, which uses `drata_list_vendors` to retrieve the vendor's data risk classification and whether they have submitted recent SOC 2 reports.

## Benefits

- Instead of manually cross-referencing multiple dashboards, your agent compiles comprehensive reports on failing controls using the `drata_list_controls` tool.
- You instantly check an employee's full record with `drata_get_person`, confirming if they are compliant regarding training and device enrollment in one prompt.
- Drastically simplify audit readiness. By running checks across all policies via `drata_list_policies`, you know exactly which documents need a review before the next quarter ends.
- Eliminate manual asset reviews. The `drata_list_assets` tool gives an immediate picture of infrastructure compliance, showing if resources are unencrypted or improperly placed.
- Get executive-level summaries using `drata_list_frameworks`, providing readiness scores for SOC 2 and ISO 27001 without digging into raw data sheets.

## How It Works

You manage your entire security audit workflow conversationally, through your AI client, in three steps.

1. Subscribe to this MCP on Vinkius, then provide your Drata Public API Key from your Drata Dashboard settings.
2. Connect the MCP credentials to your preferred AI client (Claude, Cursor, etc.).
3. Ask your agent a natural language compliance question, for example 'Which personnel have overdue training?', and get an immediate, structured answer.

## Frequently Asked Questions

**How can the Drata MCP help me audit policies?**
The Drata MCP lists all official corporate policies. It tells you which ones are due for review, who is responsible for updating them, and what percentage of employees have acknowledged the latest version.

**Does Drata MCP check if my cloud resources are secure?**
Yes. You can list all monitored infrastructure assets, checking their compliance status against controls like encryption-at-rest and network boundary adherence instantly.

**What kind of personnel data can I get with Drata MCP?**
You can retrieve a full profile on any person. This includes their mandatory security training completion dates, background check clearance status, and whether their device is properly managed by MDM.

**Can I use the Drata MCP to assess vendor risk?**
Yes. It provides a clear inventory of all third parties, detailing their data risk classification (Critical/High/Medium) and when they last submitted required security reports.