
MCP Configuration (New Experience)

Updated this week

This feature is currently available with early access.

If you would like to access the feature, fill out this form and a Drata team member will be in touch with you regarding next steps.

Use this procedure to configure OAuth access to the Drata MCP server.

Required Drata roles: Admin

Create an OAuth configuration

  1. Go to Settings.

  2. Select MCP Configuration.

    • You must be an administrator in Drata to access this page.

  3. Enter a name for the OAuth configuration.

  4. Enter a description of the configuration.

  5. Set an expiration date for the configuration.

  6. Select the scopes you want to configure.

  7. After you configure the scopes, follow the setup instructions for your specific MCP client.

Drata provides a remote hosted MCP server at:

  • US: https://mcp.drata.com/mcp/

  • EU: https://mcp-euc1.drata.com/mcp/

  • APAC: https://mcp-apse2.drata.com/mcp/

⚠️ Important note: End users can access only the intersection of the OAuth scopes you configure and the permissions granted by their assigned roles. Users cannot access anything beyond what their roles inside the application allow while using the Drata MCP.

OAuth scopes

The following list describes each available OAuth scope and the roles that can use it.

  • read:risk: View Risks in Risk Registers. Allowed roles: Admin, Risk Manager, Risk Register Owner, Workspace Administrator

  • read:controls: View Controls list. Allowed roles: Admin, Control Manager, DevOps Engineer, Risk Manager, Risk Register Owner, Information Security Lead, Workspace Administrator

  • read:control: View Control details and requirements. Allowed roles: Admin, Control Manager, DevOps Engineer, Information Security Lead, Workspace Administrator

  • read:policy: View Policies. Allowed roles: Admin, Policy Manager, Information Security Lead, Workspace Administrator

  • read:workspace: View Workspaces. Allowed roles: Admin

  • read:risk-registers: View Risk Registers. Allowed roles: Admin, Risk Manager

  • read:assigned-policies: View User Assigned Policies. Allowed roles: Admin, Control Manager, DevOps Engineer, Employee, Internal Auditor, Knowledge Base, People Ops, Policy Manager, Reviewer, Risk Manager, Information Security Lead, Trust Center Manager, Trust Center Reviewer, Workspace Administrator

  • read:monitor-test: View Monitoring Tests. Allowed roles: Admin, Control Manager, DevOps Engineer, Information Security Lead, Workspace Administrator
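The intersection rule stated in the important note above (a user gets only the scopes that are both selected in the OAuth configuration and allowed for one of their roles) is easy to misjudge when choosing scopes, so here is an added Python model of it. This is example code written for this article, not Drata's code or API. The scope-to-roles table is transcribed from the list above; the OAuth configuration and the users are constructed, and the behaviour of an expired configuration (granting nothing) is an assumption, since the article only says that an expiration date is set.

```python
"""Model of Drata MCP effective access: configured scopes ∩ role-allowed scopes.

Added example, not Drata's code. The SCOPE_ALLOWED_ROLES table is transcribed
from the help article; SAMPLE_CONFIG and the sample users are constructed.
"""
from datetime import date

# Scope -> roles allowed to use it (transcribed from the article's scope list).
SCOPE_ALLOWED_ROLES = {
    "read:risk": {
        "Admin", "Risk Manager", "Risk Register Owner", "Workspace Administrator",
    },
    "read:controls": {
        "Admin", "Control Manager", "DevOps Engineer", "Risk Manager",
        "Risk Register Owner", "Information Security Lead", "Workspace Administrator",
    },
    "read:control": {
        "Admin", "Control Manager", "DevOps Engineer", "Information Security Lead",
        "Workspace Administrator",
    },
    "read:policy": {
        "Admin", "Policy Manager", "Information Security Lead", "Workspace Administrator",
    },
    "read:workspace": {"Admin"},
    "read:risk-registers": {"Admin", "Risk Manager"},
    "read:assigned-policies": {
        "Admin", "Control Manager", "DevOps Engineer", "Employee", "Internal Auditor",
        "Knowledge Base", "People Ops", "Policy Manager", "Reviewer", "Risk Manager",
        "Information Security Lead", "Trust Center Manager", "Trust Center Reviewer",
        "Workspace Administrator",
    },
    "read:monitor-test": {
        "Admin", "Control Manager", "DevOps Engineer", "Information Security Lead",
        "Workspace Administrator",
    },
}

# Constructed sample OAuth configuration (name, scopes and expiry are invented).
SAMPLE_CONFIG = {
    "name": "compliance-assistant",
    "scopes": {"read:risk", "read:controls", "read:policy", "read:workspace"},
    "expires_on": date(2030, 1, 1),
}


def effective_scopes(configured_scopes, user_roles, expires_on=None, today=None):
    """Scopes a user can actually exercise through an OAuth configuration.

    A scope is usable only when it is selected in the configuration AND at
    least one of the user's roles is allowed to use it. Scope names missing
    from the table are never granted. Assumption (not stated in the article):
    a configuration past its expiration date grants nothing.
    """
    today = today or date.today()
    if expires_on is not None and today > expires_on:
        return set()
    roles = set(user_roles)
    return {
        scope
        for scope in configured_scopes
        if scope in SCOPE_ALLOWED_ROLES and roles & SCOPE_ALLOWED_ROLES[scope]
    }


def blocked_by_role(configured_scopes, user_roles):
    """Configured scopes the user's roles do not allow.

    Handy when a user reports 'missing' data through the MCP client: the limit
    is their Drata role, not the OAuth configuration.
    """
    roles = set(user_roles)
    return {
        scope
        for scope in configured_scopes
        if scope in SCOPE_ALLOWED_ROLES and not roles & SCOPE_ALLOWED_ROLES[scope]
    }


def usable_scopes_for_roles(roles):
    """Every scope at least one of the given roles may use.

    Least-privilege aid: if only these roles will connect, enabling any scope
    outside this set widens the configuration without granting anyone access.
    """
    roles = set(roles)
    return {scope for scope, allowed in SCOPE_ALLOWED_ROLES.items() if roles & allowed}


if __name__ == "__main__":
    # Constructed users: one Risk Manager and one Employee.
    for user, roles in [("risk-lead", ["Risk Manager"]), ("staff", ["Employee"])]:
        granted = effective_scopes(
            SAMPLE_CONFIG["scopes"], roles, SAMPLE_CONFIG["expires_on"],
            today=date(2026, 1, 1),
        )
        print(user, "granted:", sorted(granted),
              "blocked by role:", sorted(blocked_by_role(SAMPLE_CONFIG["scopes"], roles)))
```

With the sample configuration, the Risk Manager ends up with read:risk and read:controls only, and the Employee with nothing, because the one scope an Employee may use (read:assigned-policies) was never selected. Running usable_scopes_for_roles over the roles of the people who will actually connect is a quick way to avoid selecting scopes that no intended user can exercise.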

MCP client setup instructions

  • For Claude, please refer to the instructions here.

  • For ChatGPT, please refer to the instructions here.

  • For Cursor, please refer to the instructions here.

  • For Microsoft Copilot, please refer to the instructions here.

Best Practices for Using the Drata MCP Server

1. Mention Drata by Name

Always include "Drata" in your prompts. This helps the AI model correctly route your request to the Drata MCP tools rather than relying on its built-in knowledge.

Prompt example

✅ "Which controls are missing evidence in Drata?"

❌ "Which controls are missing evidence?"

2. Be Specific with Your Requests

The more specific your prompt, the better the results. Include details like framework names, time ranges, risk categories, or team names when relevant.

Prompt example

✅ "Create a report of risks created in the last 6 months that don't have a treatment plan in Drata"

❌ "Show me risks"

3. Use Natural Language

You don't need to know Drata's API or data model. Ask questions the way you'd ask a compliance analyst.


Specific Tips

ChatGPT-Specific Tips

  • Tag @Drata MCP in your message to explicitly invoke the connector

  • Use Developer Mode for full tool access (read and write)

  • When ChatGPT prompts for confirmation on write actions, review before approving

Claude-Specific Tips

  • Toggle the Drata connector on at the start of each conversation using the "+" menu

  • You can combine Drata with other connectors (e.g., Slack, Notion) in the same conversation for cross-tool workflows

Cursor-Specific Tips

  • Switch Cursor to Agent mode (Ctrl/Cmd + .) for the best MCP tool integration

  • Reference Drata tools by name when prompting for precision


Prompt Library

Here are a few example prompts for interacting with the Drata MCP server.

User input to MCP Client

Am I allowed to use Jira on my phone?

How often am I required to come into our office to work during the week?

How often am I required to do security awareness training?

What is the SLA in our policies for fixing critical vulnerabilities?

Which controls are missing evidence in Drata?

What controls in Drata are related to data retention and storage and who are their owners?

Are there any failing tests for version control systems connected in Drata?

Create a report of controls that are not ready and tell me what frameworks they are related to

Create a report of risks that need attention in Drata

Do we have tests in Drata ensuring data is not publicly accessible?

Create a report of all failing tests in Drata and rank them by priority

Who is the owner for our access controls in Drata?

Create a report of risks created in the last 6 months that don't have a treatment plan

What risks in Drata are associated with background checks and security training for personnel?

What risks don't have a treatment plan in Drata and who are their owners?

I am monitoring a risk regarding our cloud infrastructure. What risks in Drata are currently related to this?

My engineering team is handling an incident related to our application. What are the incident response steps that I should be aware of in Drata based on our policies and controls?

My team is purchasing a new tool to use internally. What is our vendor management process in Drata based on our policies and controls?

I'm reviewing a contract for a new vendor. Do we have any existing risks recorded regarding third-party data handling?


Security Reminders

  • Drata's MCP server uses OAuth authentication — your credentials are never shared with the AI client

  • The AI client can only access data you have permissions for in Drata

  • You can revoke access at any time from your Drata account or from the AI client's connector settings
