# Vanta MCP

> Vanta MCP connects your AI agent directly to your compliance and security data. It lets you audit users, devices, vendors, and vulnerabilities by asking natural questions instead of clicking through complex dashboards. Get a real-time view of your continuous compliance posture across SOC 2, HIPAA, GDPR, and more.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** compliance-automation, security-auditing, vulnerability-management, soc2, risk-assessment, endpoint-security

## Description

Need to prove your company meets specific regulatory standards? This MCP brings your Vanta security monitoring directly into your chat workflow. Instead of spending hours cross-referencing reports or building massive spreadsheets, you just ask your agent questions like, 'Are we ready for the SOC 2 audit?' The agent pulls together all the necessary data—from personnel training records to the latest vulnerability scan results—and gives you a single answer. It’s less about looking at dashboards and more about having a conversation with your compliance status. With Vinkius, connecting this MCP means any AI client can access these deep security metrics on demand. You get immediate visibility into everything from endpoint encryption status to pending policy approvals, turning complex audits into simple Q&A sessions.

## Tools

### vanta_compliance_status
Gets your overall compliance score, showing pass rates, critical alerts, and the audit readiness status across all frameworks.

### vanta_get_test
Drills down into a specific failing test to get detailed information on evidence, linked controls, and remediation guidance.

### vanta_list_computers
Lists all monitored endpoints, providing the OS version, encryption status, antivirus presence, and overall compliance state for each device.

### vanta_list_evidence_requests
Shows outstanding audit evidence requests in Vanta, including who needs to submit documents or screenshots and their deadlines.

### vanta_list_integrations
Lists all connected services, showing if they are syncing correctly, when the last sync was, and any configuration warnings.

### vanta_list_people
Provides a list of personnel detailing their security training completion status, device compliance, access review state, and employment status.

### vanta_list_policies
Lists all internal security policies, tracking their approval status, next review due date, version number, and employee acknowledgment rates.

### vanta_list_risks
Retrieves the full risk register, detailing identified risks with impact scores, likelihoods, calculated scores, and mitigation plans.

### vanta_list_tests
Lists all compliance monitoring tests (SOC 2, HIPAA, etc.), showing their pass/fail status, last run dates, and associated control requirements.

### vanta_list_vulnerabilities
Shows detected security flaws across your infrastructure, including severity level, CVE IDs, affected resources, and the remediation SLA deadline.
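The vulnerability tool above returns, per the description, a severity level, a CVE ID, the affected resource and a remediation SLA deadline. The following Python is an added example, not code from Vanta or from this MCP, of how an agent or script might triage such records once it has them: sort by severity, then by earliest deadline, and flag anything already past its SLA. The record field names (`cve_id`, `severity`, `resource`, `sla_deadline`), the sample records and the reference date are constructed for this example and are not the tool's documented response schema; records with a missing or unparseable deadline are kept but sorted last within their severity band rather than dropped.

```python
from datetime import date

# Severity ordering used for triage; unknown severities sort after "Low".
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Reference "today" for the worked example (constructed).
REFERENCE_DATE = date(2024, 5, 12)

# Constructed sample records shaped like the fields the tool description names.
# CVE IDs are placeholders, not real identifiers; field names are assumptions.
SAMPLE_VULNERABILITIES = [
    {"cve_id": "CVE-PLACEHOLDER-1", "severity": "High", "resource": "api-gateway", "sla_deadline": "2024-05-01"},
    {"cve_id": "CVE-PLACEHOLDER-2", "severity": "Critical", "resource": "db-primary", "sla_deadline": "2024-05-20"},
    {"cve_id": "CVE-PLACEHOLDER-3", "severity": "Medium", "resource": "build-runner", "sla_deadline": None},
    {"cve_id": "CVE-PLACEHOLDER-4", "severity": "High", "resource": "web-frontend", "sla_deadline": "2024-05-15"},
    {"cve_id": "CVE-PLACEHOLDER-5", "severity": "Low", "resource": "wiki", "sla_deadline": "2024-04-30"},
]


def parse_deadline(value):
    """Parse an ISO-8601 date string; return None for missing or malformed input."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def triage(records, today):
    """Annotate each record with its parsed deadline, days remaining and overdue flag,
    then order by severity and earliest deadline (missing deadlines last per band)."""
    annotated = []
    for rec in records:
        deadline = parse_deadline(rec.get("sla_deadline"))
        days_left = (deadline - today).days if deadline else None
        annotated.append({
            **rec,
            "deadline": deadline,
            "days_left": days_left,
            "overdue": days_left is not None and days_left < 0,
        })
    annotated.sort(key=lambda v: (
        SEVERITY_RANK.get(v["severity"], len(SEVERITY_RANK)),
        v["deadline"] is None,          # False sorts before True
        v["deadline"] or date.max,      # placeholder for missing deadlines
    ))
    return annotated


def overdue_cves(records, today):
    """CVE IDs whose remediation SLA deadline has already passed, in triage order."""
    return [v["cve_id"] for v in triage(records, today) if v["overdue"]]


def summary_lines(records, today):
    """One human-readable line per record, as an agent might present the list."""
    lines = []
    for v in triage(records, today):
        if v["deadline"] is None:
            due = "no SLA deadline recorded"
        elif v["overdue"]:
            due = f"OVERDUE by {-v['days_left']} days"
        else:
            due = f"due in {v['days_left']} days"
        lines.append(f"{v['severity']:<8} {v['cve_id']:<18} {v['resource']:<14} {due}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_VULNERABILITIES, REFERENCE_DATE)))
    print("Overdue:", overdue_cves(SAMPLE_VULNERABILITIES, REFERENCE_DATE))
```

The point of the missing-deadline handling is that a record without an SLA date should surface for a human to look at rather than silently disappear from the list; an agent that drops such rows would under-report the backlog.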

## Prompt Examples

**Prompt:**
```
List pending Trust Center requests for our security documentation.
```

**Response:**
```
I've retrieved the pending Trust Center requests. You currently have 3 prospects awaiting access: 'sarah@piedpiper.com' requested SOC 2 Type II reports yesterday, and 'admin@hooli.xyz' requested Pen-Test summaries this morning. Would you like me to approve these specific emails for viewing?
```

**Prompt:**
```
Retrieve the Vanta framework compliance details and mapped status of our organization.
```

**Response:**
```
I retrieved your Vanta organization details. Your company 'Acme Corp' is currently actively tracking towards SOC 2 Type II and HIPAA frameworks. Your continuous monitoring health score sits firmly at 92%. Would you like a breakdown of any failing domains?
```

**Prompt:**
```
What subprocessor vendors are we actively syncing in Vanta right now?
```

**Response:**
```
You have 14 active integrations serving as authorized subprocessors logged in Vanta. Major ones include Amazon Web Services, GitHub, Slack, and Datadog. Three minor vendors are currently unverified and missing full justification descriptions in the system policy context.
```

## Capabilities

### Get overall compliance health
Check your current compliance readiness score and view pass rates across major frameworks like SOC 2 or HIPAA.

### Audit endpoints and devices
List all monitored computers, checking their operating system version, disk encryption status, and antivirus compliance instantly.

### Manage personnel records
Pull lists of employees to check who has overdue security training or whose access reviews are pending completion.

### Track vulnerabilities
Review all detected security flaws, seeing the severity level (Critical/High) and the deadline set for fixing them.

### Review audit evidence status
See which required documents or screenshots are outstanding, who owns them, and when they are due.

### Assess governance risks and policies
List the company's risk register to understand high-impact areas needing attention, or review policy versions for acknowledgment rates.

## Use Cases

### The quarterly audit prep
A Compliance Officer needs to know the current risk picture for the board meeting. They ask their agent to call `vanta_list_risks`. The agent instantly pulls a summary of all identified risks, showing the impact level and the status of required mitigation controls.

### Onboarding/Offboarding compliance
An IT Administrator needs to confirm an employee is properly offboarded. They use `vanta_list_people` to check the user's employment status and ensure their access review was completed, preventing orphaned accounts.

### Handling a security incident
A DevSecOps engineer discovers a vulnerability. Running `vanta_list_vulnerabilities` immediately gives them the CVE ID, the affected resource, and the mandated remediation SLA deadline, letting them prioritize fixes instantly.

### Checking overall readiness
A team lead needs to confirm if they are ready for a new certification. They check `vanta_compliance_status`, which provides an immediate score and highlights exactly which frameworks or controls are failing, guiding their next steps.

## Benefits

- Stop searching dashboards. You can query personnel compliance directly, using the `vanta_list_people` tool to find out instantly who has overdue training or non-compliant devices.
- Drill down deeper than ever before with the `vanta_get_test` tool. Instead of reading a generic failure notice, you get specific remediation guidance linked to the failing control.
- Gain immediate risk visibility by running the `vanta_list_risks` tool. You can summarize board-level security risks and identify high-impact areas needing attention without leaving your chat window.
- Keep track of every compliance requirement using `vanta_list_evidence_requests`. Your agent shows you exactly what evidence is still outstanding and who needs to submit it before the deadline.
- Automate endpoint checks. Use `vanta_list_computers` to quickly verify if new hardware has disk encryption enabled or if its antivirus software is running, which saves hours of manual spot-checking.

## How It Works

The bottom line is you get instant access to deep security posture metrics without ever leaving your chat interface.

1. Subscribe to this MCP in your Vinkius catalog and enter your Vanta Developer API Token.
2. Your AI client uses that token to authenticate to Vanta's secure endpoints.
3. You ask a natural language question (e.g., 'What are our outstanding risks?') and receive an immediate, structured answer drawn from the data.

## Frequently Asked Questions

**How do I check my overall compliance score using Vanta MCP?**
You use the `vanta_compliance_status` tool. It provides a single dashboard view of your pass/fail rates and shows if you are ready for major audits like SOC 2 or HIPAA.

**Can I see which employees need training using Vanta MCP?**
Yes, run the `vanta_list_people` tool. It lists all personnel and flags anyone whose security awareness training is overdue for immediate attention.

**What is the best way to check device encryption status with Vanta MCP?**
Use `vanta_list_computers`. This function gives you a clear inventory of all monitored devices and explicitly states if disk encryption or firewall protection is active on each one.

**How do I track pending security risks using Vanta MCP?**
Use `vanta_list_risks`. This tool pulls the full risk register, allowing you to see the impact score and if a mitigation plan has been assigned for each high-risk area.

**Does Vanta MCP help me with vulnerability tracking?**
Yes. The `vanta_list_vulnerabilities` tool lists all detected security flaws, including the CVE ID and most importantly, the mandated remediation SLA deadline for every issue.