
Connect Drata to Claude: Manage Security Reports and User Roles

A step-by-step technical guide to connecting Drata to Claude via Truto's MCP Server. Learn to automate compliance workflows, user tracking, and security reporting.

Uday Gajavalli · 5 min read

Integrating compliance platforms with LLMs shifts security operations from manual auditing to natural language investigations. If your team uses ChatGPT, check out our guide on connecting Drata to ChatGPT, or if you are building autonomous systems, read about connecting Drata to AI Agents.

This guide covers how to connect Drata to Claude using Truto's SuperAI MCP Server. We will walk through configuring the MCP server, passing it to Claude, and executing real-world compliance workflows.

The Engineering Reality of the Drata API

Building an integration with Drata is rarely a simple CRUD exercise. The API is built for strict auditing and compliance tracking, which introduces several specific challenges for automated systems and LLM function calling:

  1. Deeply Nested Evidence Models: Drata's data structures are heavy. A simple user record does not just return basic identity fields - it returns nested arrays of background checks, document signatures, identity providers, and role histories. LLMs can easily exceed context limits if you dump raw, unpaginated Drata arrays into the prompt.
  2. Opaque Cursor Behavior: Paginating through thousands of compliance records requires strict cursor management. If your agent attempts to manipulate or decode the nextCursor value, the API will reject the request. The cursor must be passed back exactly as received.
  3. Strict Rate Limits: Drata imposes strict rate limits to protect against bulk evidence scraping. Truto does not retry, throttle, or apply backoff on rate limit errors. When the Drata API returns an HTTP 429, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The caller (or your AI agent framework) is fully responsible for retry and backoff logic.
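As an added illustration (not Truto's or Drata's code), here is the caller-side backoff the page says Truto leaves to you, driven by the normalized ratelimit-* headers; the transport and its canned responses are constructed stand-ins, and the header semantics assumed are the IETF draft's (ratelimit-reset as seconds until the window resets).

```python
import time
from typing import Callable, Dict, List, Tuple

# Added example, not Truto's or Drata's code. It models what the page states:
# Truto forwards Drata's HTTP 429 unchanged and normalizes the limit info into
# ratelimit-limit / ratelimit-remaining / ratelimit-reset headers, so the
# caller owns every retry and backoff decision.

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

def retry_after_seconds(headers: Dict[str, str], attempt: int,
                        base: float = 1.0, cap: float = 60.0) -> float:
    """Delay before retrying a 429: trust a sane ratelimit-reset, else fall
    back to capped exponential backoff so a missing or garbled header can
    never turn the agent into a tight loop against Drata."""
    reset = headers.get("ratelimit-reset")
    if reset is not None:
        try:
            return min(max(float(reset), 0.0), cap)
        except ValueError:
            pass  # unparsable header: fall through to local backoff
    return min(base * (2 ** attempt), cap)

def call_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """Call `send` until it returns something other than 429, or give up."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, headers, body
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        sleep(retry_after_seconds(lowered, attempt))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def scripted_transport(script: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the Truto call: replays canned responses."""
    queue = list(script)
    return lambda: queue.pop(0)

def demo() -> Tuple[Response, List[float]]:
    """Two 429s (one with ratelimit-reset, one without), then success."""
    waits: List[float] = []
    send = scripted_transport([
        (429, {"RateLimit-Limit": "100", "RateLimit-Remaining": "0",
               "RateLimit-Reset": "3"}, "Too Many Requests"),
        (429, {}, "Too Many Requests"),
        (200, {"RateLimit-Remaining": "99"}, '{"result": []}'),
    ])
    result = call_with_backoff(send, sleep=waits.append)
    return result, waits
```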

How to Create the Drata MCP Server

Truto automatically generates Model Context Protocol (MCP) tools from the underlying Drata integration. You can provision an MCP server scoped to a single integrated Drata account via the Truto UI or programmatically via the API.

Method 1: Via the Truto UI

  1. Log into your Truto environment and navigate to the integrated account page for your Drata connection.
  2. Select the MCP Servers tab.
  3. Click Create MCP Server.
  4. Configure your filters (e.g., restrict to read methods only for safe auditing) and set an optional expiration date.
  5. Copy the generated secure MCP server URL.

Method 2: Via the API

You can dynamically provision MCP servers for your end users using the Truto API. This is ideal when embedding Claude-powered workflows directly into your own SaaS application.

POST /integrated-account/:id/mcp
Authorization: Bearer <YOUR_TRUTO_API_TOKEN>
Content-Type: application/json
 
{
  "name": "Claude Drata Auditor",
  "config": {
    "methods": ["read"]
  },
  "expires_at": "2026-12-31T23:59:59Z"
}

The API securely hashes the token and returns a ready-to-use URL:

{
  "id": "mcp_abc123",
  "name": "Claude Drata Auditor",
  "config": { "methods": ["read"] },
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}

Connecting to Claude

Once you have the Truto MCP URL, you can connect it to Claude using either the visual interface or the desktop configuration file.

Via the Claude UI (Web/Desktop)

  1. Open Claude and navigate to Settings > Connectors.
  2. Click Add custom connector.
  3. Paste your Truto MCP Server URL.
  4. Click Add. Claude will automatically ping the /mcp/:token endpoint, initialize the JSON-RPC 2.0 handshake, and load the Drata tools.

Via Manual Configuration File

If you manage Claude Desktop via claude_desktop_config.json, you can configure it to use a remote SSE bridge or proxy script that connects to Truto's remote HTTP endpoint. Truto's endpoint natively speaks JSON-RPC 2.0.

{
  "mcpServers": {
    "drata-auditor": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/proxy",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Tool Inventory

Truto derives the Drata toolset dynamically. Tools map directly to the underlying REST resources, keeping execution close to the native API.

Hero Tools

These are the high-value endpoints used most frequently in compliance and IT ops workflows.

1. list_all_drata_users

  • Description: Lists all users in the Drata environment. Returns rich identity data including id, email, roles, backgroundChecks, drataTermsAgreedAt, and documents.
  • Contextual Notes: Use this to sweep the organization for un-onboarded employees or missing background checks. Ensure the LLM knows to respect the next_cursor parameter if the returned list is truncated.
  • Example Prompt: "Pull a list of all users and find anyone who hasn't agreed to the Drata terms yet."

2. get_single_drata_user_by_id

  • Description: Fetches full, deep details of a specific Drata user by their ID.
  • Contextual Notes: Because the list endpoint can be heavy, it is often best to have the LLM fetch a summary list of users, and then iterate through flagged accounts using this tool to inspect their specific background check objects.
  • Example Prompt: "Get the full compliance and identity profile for user ID 10425."

For the complete tool inventory and full schema details, visit the Drata integration page.

Workflows in Action

Here is how these tools look in practice when utilized by specific IT and Security personas.

Use Case 1: Automating the Employee Compliance Audit (IT Admin)

"Claude, check our Drata account for any users who have not completed their background checks or agreed to the required security policies. Give me a summary of their names and emails."

Step-by-step execution:

  1. Claude calls list_all_drata_users with no initial cursor.
  2. The Truto Proxy API queries Drata and returns the paginated JSON array of users.
  3. Claude inspects the backgroundChecks and drataTermsAgreedAt arrays within each user object.
  4. If a next_cursor is present, Claude calls list_all_drata_users again, passing the cursor exactly as received.
  5. Claude aggregates the filtered list and responds with a neat Markdown table of non-compliant employees.
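The loop in steps 1 to 5, as an added example that is not part of the original post or Truto's code: the cursor goes back untouched, and the non-compliance test over backgroundChecks and drataTermsAgreedAt uses an assumed record shape on constructed sample data.

```python
from typing import Dict, Iterator, List, Optional

# Added example, not Truto's or Drata's code. It implements the loop in Use
# Case 1 against a constructed stand-in for the list_all_drata_users tool.
# Field shapes (backgroundChecks as a list of {"status": ...}, a nullable
# drataTermsAgreedAt timestamp) are assumptions; real records are far richer.

_USERS: List[Dict] = [  # constructed sample tenant
    {"id": 1, "email": "a@example.com", "drataTermsAgreedAt": "2024-01-02T00:00:00Z",
     "backgroundChecks": [{"status": "COMPLETED"}]},
    {"id": 2, "email": "b@example.com", "drataTermsAgreedAt": None,
     "backgroundChecks": [{"status": "COMPLETED"}]},
    {"id": 3, "email": "c@example.com", "drataTermsAgreedAt": "2024-03-09T00:00:00Z",
     "backgroundChecks": []},
    {"id": 4, "email": "d@example.com", "drataTermsAgreedAt": "2024-03-09T00:00:00Z",
     "backgroundChecks": [{"status": "PENDING"}]},
]
PAGE_SIZE = 2

def list_all_drata_users(cursor: Optional[str] = None) -> Dict:
    """Stand-in tool. The cursor is an opaque token the client must echo back
    unchanged; anything it did not issue is rejected, as the page warns."""
    if cursor is None:
        start = 0
    elif cursor.startswith("cur:") and cursor[4:].isdigit():
        start = int(cursor[4:])
    else:
        raise ValueError("cursor was altered or not issued by this endpoint")
    page = _USERS[start:start + PAGE_SIZE]
    nxt = start + PAGE_SIZE
    return {"result": page, "next_cursor": f"cur:{nxt}" if nxt < len(_USERS) else None}

def iter_users() -> Iterator[Dict]:
    """Steps 1 and 4: start with no cursor, pass next_cursor back verbatim."""
    cursor = None
    while True:
        resp = list_all_drata_users(cursor)
        yield from resp["result"]
        cursor = resp.get("next_cursor")
        if not cursor:
            return

def non_compliant(user: Dict) -> bool:
    """Step 3: no COMPLETED background check, or terms never agreed."""
    checks = user.get("backgroundChecks") or []
    cleared = any(c.get("status") == "COMPLETED" for c in checks)
    return not cleared or not user.get("drataTermsAgreedAt")

def audit() -> List[Dict]:  # step 5: the aggregated list Claude reports
    return [{"id": u["id"], "email": u["email"]} for u in iter_users() if non_compliant(u)]
```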

Use Case 2: Extracting the Executive Security Report (Security Lead)

"Fetch the latest company compliance info and summarize our overall security report details and entitlement status for the executive team."

Step-by-step execution:

  1. Claude calls list_all_drata_company_info.
  2. The Truto proxy routes the request and returns the complex company metadata object.
  3. Claude processes the securityReport details, training/compliance status, and active connections.
  4. Claude writes a high-level summary paragraph highlighting any missing entitlements or lapsed connections, suitable for an executive Slack channel.

Security and Access Control

Exposing a compliance platform like Drata to an LLM requires strict governance. Truto MCP servers operate with zero data retention and include several robust security primitives:

  • Method Filtering: Restrict the server to safe operations. By setting config.methods: ["read"], the MCP server will only expose GET/LIST tools, preventing Claude from accidentally modifying compliance states.
  • Tag Filtering: Group and isolate tools using config.tags. You can create an MCP server that only exposes tools tagged with users or reports.
  • Require API Token Auth: By setting require_api_token_auth: true, possession of the MCP URL is no longer enough. The connecting client must also supply a valid Truto API token via a Bearer header, adding a strict second layer of identity verification.
  • Ephemeral Servers (expires_at): Grant temporary auditor access. When you set an expires_at timestamp, Truto automatically invalidates the token and schedules a cleanup task to hard-delete the credentials from the database.

FAQ

Does Truto automatically handle Drata rate limits?
No. Truto does not retry, throttle, or apply backoff on rate limit errors. It passes HTTP 429s directly to the caller and normalizes rate limit headers. The LLM framework or calling agent must handle retries.
Can I prevent Claude from modifying Drata compliance data?
Yes. When creating the Truto MCP server, you can apply method filtering by setting config.methods to ["read"]. This ensures Claude only has access to GET and LIST endpoints.
How are MCP tools generated for Drata?
Truto dynamically derives the tools from the integration's documented API resources. There is no manual mapping required - the query and body schemas are automatically translated into JSON-RPC 2.0 tool definitions.
