Connect Secureframe to Claude: Monitor Controls and Vendor Risks

Learn how to connect Secureframe to Claude using a managed MCP server. This guide covers generating the server, configuring Claude, and building automated GRC workflows.

Uday Gajavalli · 10 min read

If you need to connect Secureframe to Claude to automate compliance checks, monitor infrastructure controls, or assess third-party vendor risks, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between Claude's function calls and Secureframe's REST API. You can either spend weeks building and maintaining this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses ChatGPT, check out our guide on connecting Secureframe to ChatGPT or explore our broader architectural overview on connecting Secureframe to AI Agents.

Giving a Large Language Model (LLM) access to a Governance, Risk, and Compliance (GRC) platform like Secureframe is an engineering challenge. You have to handle OAuth 2.0 token lifecycles, translate complex Lucene-based search queries, and manage strictly enforced rate limits. Every time Secureframe updates an endpoint or deprecates a field, you have to update your server code, redeploy, and test the integration.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Secureframe, connect it natively to Claude, and execute complex security and compliance workflows using natural language.

The Engineering Reality of the Secureframe API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against a deeply relational GRC API is painful.

If you decide to build a custom MCP server for Secureframe, you own the entire API lifecycle. Here are the specific challenges you will face:

Complex Lucene Query Syntax

Unlike simple REST APIs that filter via basic query parameters (?status=active), Secureframe relies heavily on Lucene query syntax for searching resources like Controls, Vendors, and Cloud Resources. An LLM cannot reliably guess the exact Lucene syntax required by Secureframe's backend. Your MCP server must provide precise JSON Schema definitions with explicit instructions on how to format the q parameter, or the model will generate invalid requests.

Immutable Audit Artifacts

GRC platforms enforce strict audit trails. In Secureframe, Framework Asset Scopes are immutable. If an LLM attempts to update an asset's scope status by issuing a PUT or PATCH request, the Secureframe API will reject it. To change a scope, the system must create an entirely new Framework Asset Scope record to supersede the old one. If you build this manually, you have to write custom prompt instructions to teach Claude this state-machine logic.

Strict Rate Limits and Backoff Handling

Secureframe protects its infrastructure with strict rate limits. When you query massive compliance datasets, you will hit these limits. It is critical to understand that Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream Secureframe API returns an HTTP 429 (Too Many Requests), Truto passes that error directly back to the caller. However, Truto does normalize the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF specification. The caller (Claude or your agentic framework) is entirely responsible for reading these headers and implementing the appropriate retry and exponential backoff logic.
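The caller-side retry logic described above, as an added example (not Truto's or Secureframe's code). It assumes ratelimit-reset carries the number of seconds until the window resets; the transport is a constructed stand-in so the block runs offline.

```python
import random
import time


def retry_delay(status, headers, attempt, base=1.0, cap=60.0, jitter=random.random):
    """Seconds to wait before retrying a response, or None if it is not a 429."""
    if status != 429:
        return None
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    backoff = min(cap, base * 2 ** attempt)          # exponential growth per attempt
    backoff *= 0.5 + 0.5 * jitter()                  # jitter: 50-100% of the step
    try:
        # Assumption: ratelimit-reset is the number of seconds until the window resets.
        reset = float(h.get("ratelimit-reset", ""))
    except ValueError:
        reset = 0.0                                  # missing or unparsable hint
    return min(cap, max(backoff, reset))             # never wait less than the hint


def call_with_backoff(send, max_attempts=5, sleep=time.sleep):
    """Call send() until it stops returning 429 or attempts run out.

    send is any callable returning (status, headers, body).
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        delay = retry_delay(status, headers, attempt)
        if delay is None:
            return status, body
        if attempt + 1 < max_attempts:
            sleep(delay)
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)


def make_fake_transport():
    """Constructed responses: two 429s (the first with a reset hint), then a 200."""
    responses = iter([
        (429, {"RateLimit-Limit": "100", "RateLimit-Remaining": "0", "RateLimit-Reset": "7"}, ""),
        (429, {"ratelimit-remaining": "0"}, ""),
        (200, {"ratelimit-remaining": "99"}, '{"result": []}'),
    ])
    return lambda: next(responses)


if __name__ == "__main__":
    waits = []
    print(call_with_backoff(make_fake_transport(), sleep=waits.append), waits)
```

The cap bounds how long an agent can stall on a single tool call, and the attempt limit turns a persistent 429 into an explicit error instead of an endless loop.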

Deeply Nested Relationship Graphs

Compliance data is inherently relational. A single security Control maps to multiple Framework Requirements, which are verified by Tests, which are satisfied by Evidence. Secureframe handles this via relationship sideloading using include parameters. Parsing these sprawling JSON responses and passing them back to Claude without blowing up the model's context window requires careful schema curation.

Instead of building this translation layer from scratch, Truto dynamically generates these tools from its existing integration definitions, exposing Secureframe's endpoints as ready-to-use, context-optimized MCP tools.

How to Generate a Secureframe MCP Server

Truto creates MCP servers dynamically based on the underlying API documentation and integration configurations. You can generate a Secureframe MCP server in two ways: via the Truto dashboard or programmatically via the API.

Method 1: Via the Truto UI

For teams who want to move quickly without writing code, the Truto dashboard provides a point-and-click interface for generating server URLs.

  1. Log into your Truto account and navigate to the integrated account page for your Secureframe connection.
  2. Click the MCP Servers tab.
  3. Click Create MCP Server.
  4. Configure the server settings. You can name the server, apply tag filters, and restrict allowed HTTP methods (e.g., read-only).
  5. Click Create and copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4...).

Method 2: Via the Truto API

For platform engineers embedding AI capabilities into their own SaaS products, MCP servers can be generated programmatically. The API validates the configuration, generates a secure, hashed token, stores it in a distributed key-value store, and returns a ready-to-use URL.

Make a POST request to the /integrated-account/:id/mcp endpoint:

curl -X POST https://api.truto.one/api/integrated-account/YOUR_ACCOUNT_ID/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Secureframe Compliance Read-Only",
    "config": {
      "methods": ["read"]
    },
    "expires_at": "2026-12-31T23:59:59Z"
  }'

The response returns the database record along with the secure endpoint URL:

{
  "id": "mcp_srv_89xyz",
  "name": "Secureframe Compliance Read-Only",
  "config": { 
    "methods": ["read"] 
  },
  "expires_at": "2026-12-31T23:59:59.000Z",
  "url": "https://api.truto.one/mcp/f8e9d0c1b2a3..."
}

This URL is fully self-contained. It encodes the tenant routing and authentication data required to communicate with Secureframe.

Connecting the MCP Server to Claude

Once you have your MCP server URL, connecting it to Claude takes less than a minute. You can do this via the Claude interface or by modifying the desktop configuration file.

Method A: Via the Claude UI

If you are using Claude Desktop or Claude for Enterprise:

  1. Open Claude and navigate to Settings.
  2. Select Integrations (or Connectors depending on your plan tier).
  3. Click Add MCP Server.
  4. Paste the Truto MCP URL generated in the previous step.
  5. Click Add.

Claude will immediately perform a handshake with the Truto server, execute the initialize protocol, and request the available tools.

Method B: Via Manual Configuration File

If you prefer managing configurations as code or are building automated deployments for Claude Desktop, you can add the server directly to your claude_desktop_config.json file. Truto's hosted MCP servers communicate over HTTP using Server-Sent Events (SSE).

{
  "mcpServers": {
    "secureframe-compliance": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/f8e9d0c1b2a3..."
      ]
    }
  }
}

Restart Claude Desktop. The model will automatically discover the Secureframe tools and make them available for natural language prompting.

Secureframe Hero Tools for Claude

Truto automatically generates highly descriptive, snake_case tool names derived from Secureframe's API resources. Here are six high-leverage tools available on the Secureframe MCP server.

list_all_secureframe_controls

Retrieves the full list of security controls in Secureframe. This tool supports Lucene syntax filtering via the q parameter and relationship sideloading via the include parameter.

Usage note: This is the primary tool for auditing compliance posture. You can prompt Claude to fetch controls based on their health status or ownership.

"Claude, list all Secureframe controls that currently have a failing health status, and include the associated owner details so we know who to follow up with."

list_all_secureframe_cloud_resources

Fetches a comprehensive list of tracked cloud resources (AWS, GCP, Azure, etc.) connected to Secureframe.

Usage note: Crucial for infrastructure reviews. Claude can query this endpoint to find unmapped resources or resources that have fallen out of audit scope.

"Find all AWS cloud resources in Secureframe that are currently flagged as out of audit scope. Summarize the reasons provided for their exclusion."

list_all_secureframe_tprm_vendors

Lists all Third Party Risk Management (TPRM) Vendors tracked in Secureframe. This replaces older, deprecated vendor endpoints.

Usage note: Use this tool to continuously monitor supply chain risk. It returns the risk levels, archiving status, and ownership for external software vendors.

"Retrieve a list of all active third-party vendors with a 'high' risk level in our Secureframe environment. List their names and the internal owners responsible for them."

create_a_secureframe_test_evidence

Uploads evidence directly to a compliance test in Secureframe. This is a write operation that accepts file payloads.

Usage note: Claude can execute this tool to automatically attach generated reports, logs, or screenshots to specific failing tests to remediate them.

"Take the deployment log summary we just generated and create a new test evidence record for test ID 'tst_98765', attaching the text as the evidence payload."

list_all_secureframe_framework_requirements

Fetches the specific requirements for compliance frameworks (like SOC 2, ISO 27001, HIPAA) and their current enablement and health status.

Usage note: When preparing for an audit, Claude can use this tool to build a gap analysis report by identifying disabled or failing framework requirements.

"List all enabled framework requirements for our SOC 2 audit that are currently failing their health checks, and cross-reference them with the required controls."

create_a_secureframe_cloud_resource_framework_asset_scope

Creates a new framework asset scope for a cloud resource, explicitly setting its audit scope status for a given framework.

Usage note: Because scopes are immutable in Secureframe, this tool is required whenever you need to change a resource's scope. Claude must create a new scope rather than trying to modify an existing one.

"Create a new framework asset scope for cloud resource ID 'res_12345' setting it to be 'in audit scope' for our upcoming ISO 27001 review."

For the complete inventory of available tools, query parameters, and JSON schemas, visit the Secureframe integration page.

Workflows in Action

Connecting Secureframe to Claude enables powerful, multi-step automation. Here is how specific personas can use these tools in real-world scenarios.

Scenario 1: Third-Party Vendor Risk Triage (DevSecOps)

A DevSecOps engineer needs to prepare a summary of supply chain risks before a quarterly security review. Instead of clicking through dozens of pages in the Secureframe UI, they ask Claude to compile the data.

"Analyze our critical third-party vendors. Find all unarchived vendors marked as high risk, and fetch the specific security controls owned by the same individuals managing those vendors."

How Claude executes this:

  1. Calls list_all_secureframe_tprm_vendors with a Lucene query parameter q=risk_level:high AND archived:false.
  2. Extracts the owner_name and id from the resulting high-risk vendors.
  3. Calls list_all_secureframe_controls filtering by those specific owner names to see if the internal owners have failing controls on their plate.
  4. Compiles a Markdown report detailing the vendors, their risk profiles, and the overall security hygiene of the internal owners.

sequenceDiagram
  participant User as DevSecOps Engineer
  participant Claude as Claude Desktop
  participant MCP as Truto MCP Server
  participant API as Secureframe API
  
  User->>Claude: "Analyze high risk third-party vendors..."
  Claude->>MCP: Call list_all_secureframe_tprm_vendors
  MCP->>API: GET /v1/tprm_vendors?q=risk_level:high
  API-->>MCP: Returns vendor JSON array
  MCP-->>Claude: Returns normalized tool response
  Claude->>MCP: Call list_all_secureframe_controls<br>(Filtered by vendor owners)
  MCP->>API: GET /v1/controls?q=owner_name:...
  API-->>MCP: Returns controls JSON array
  MCP-->>Claude: Returns normalized tool response
  Claude-->>User: Renders Markdown risk report
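Step 3 of this workflow composes a new q value from owner names returned by an earlier call, so those names need to be treated as data rather than query syntax. The following is an added example (not Truto's or Secureframe's code) that builds the page's example queries from an allow-list of fields and quotes free-text values; it assumes the q parameter follows standard Lucene query-parser quoting rules, and the owner names are constructed.

```python
import re

# Field names that appear in this page's example queries.
ALLOWED_FIELDS = {"risk_level", "archived", "owner_name", "in_audit_scope"}
_BARE = re.compile(r"^[A-Za-z0-9_.@]+$")      # safe to emit without quoting
_OPERATORS = {"AND", "OR", "NOT"}             # would be parsed as operators if left bare


def clause(field, value):
    """Return one field:value clause with the value treated strictly as data."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed: %r" % (field,))
    if isinstance(value, bool):
        return "%s:%s" % (field, "true" if value else "false")
    text = str(value)
    if not text or any(ord(c) < 32 for c in text):
        raise ValueError("empty value or control character")
    if _BARE.match(text) and text.upper() not in _OPERATORS:
        return "%s:%s" % (field, text)
    # Quote as a phrase; escape backslash first so added escapes are not doubled.
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return '%s:"%s"' % (field, escaped)


def all_of(*clauses):
    """Join clauses so that every one of them must match."""
    return " AND ".join(clauses)


def any_owner(names):
    """Clause matching any of the given owner names (deduplicated, sorted)."""
    parts = [clause("owner_name", n) for n in sorted(set(names))]
    if not parts:
        raise ValueError("no owner names supplied")
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


if __name__ == "__main__":
    # Constructed owner names, standing in for values returned by the vendor call.
    owners = ["Jane Doe", "sam.lee", 'Ops "Platform" OR Team']
    print(all_of(clause("risk_level", "high"), clause("archived", False)))
    print(any_owner(owners))
```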

Scenario 2: Infrastructure Compliance Audit (Compliance Officer)

A Compliance Officer is investigating why the organization's infrastructure compliance score recently dropped. They need to find out which cloud resources were recently removed from the audit scope and why.

"Find all cloud resources that are currently out of audit scope. For each resource, fetch its framework asset scope history to explain the 'out of audit scope reason' provided when it was removed."

How Claude executes this:

  1. Calls list_all_secureframe_cloud_resources using the Lucene query q=in_audit_scope:false.
  2. Iterates over the returned resource IDs.
  3. Calls list_all_secureframe_cloud_resource_framework_asset_scopes for each resource ID to retrieve the specific immutable scope records.
  4. Parses the out_of_audit_scope_reason fields and presents a synthesized summary of why the engineering team excluded these databases and compute instances from the audit boundary.

flowchart TD
  A["User Prompts Claude<br>Find out-of-scope resources"] --> B["Claude Calls Tool<br>list_all_secureframe_cloud_resources"]
  B --> C{"Resources Found?"}
  C -->|Yes| D["Iterate Resource IDs"]
  C -->|No| E["Report: All resources in scope"]
  D --> F["Claude Calls Tool<br>list_all_secureframe_cloud_resource_framework_asset_scopes"]
  F --> G["Extract 'out_of_audit_scope_reason'"]
  G --> H["Synthesize Final Report"]

Security and Access Control

Exposing an enterprise GRC platform to an LLM requires strict security boundaries. Truto's MCP architecture provides multiple layers of security to ensure Claude only accesses what it should.

  • Method Filtering: You can restrict a Secureframe MCP server to specific HTTP methods. By setting methods: ["read"], you guarantee that Claude can only execute get and list operations, physically preventing the model from hallucinating a create or update request that might alter your compliance posture.
  • Tag Filtering: Integrations in Truto support resource tagging. You can configure an MCP server to only expose tools tagged with "vendor_management" or "infrastructure", limiting the LLM's surface area to specific operational domains.
  • Conditional API Token Auth: By enabling require_api_token_auth: true, the MCP server URL alone is no longer enough to execute tools. Claude must also pass a valid Truto API token in the Authorization header. This prevents unauthorized access even if the MCP URL is leaked in internal documentation or logs.
  • Automated Expiration: The expires_at configuration sets a hard time-to-live for the server. Truto enforces this using a durable alarm system that purges the cryptographic tokens from the key-value store and database at the exact expiration timestamp, terminating access instantly.
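A pre-flight check that applies these controls to a create-server request before it is sent, as an added example (not Truto's code). It assumes require_api_token_auth sits under config next to methods; the 90-day maximum lifetime, the "write" method value and the NOW timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def review_mcp_request(payload, now, max_ttl_days=90):
    """Return a list of findings for a create-MCP-server request body."""
    findings = []
    config = payload.get("config") or {}

    methods = config.get("methods")
    if not methods:
        findings.append("config.methods is not set, so no method filter is requested")
    elif set(methods) != {"read"}:
        findings.append("config.methods allows more than read: %s" % sorted(methods))

    # Assumption: require_api_token_auth sits under "config" next to "methods".
    if config.get("require_api_token_auth") is not True:
        findings.append("require_api_token_auth is not true, so the URL alone grants access")

    raw = payload.get("expires_at")
    try:
        expires = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        expires = None
    if expires is None or expires.tzinfo is None:
        findings.append("expires_at is missing or is not an ISO 8601 time with a UTC offset")
    elif expires <= now:
        findings.append("expires_at is already in the past")
    elif expires - now > timedelta(days=max_ttl_days):
        findings.append("expires_at is more than %d days away" % max_ttl_days)
    return findings


NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)      # constructed "current time"

# The request body shown earlier on this page.
PAGE_REQUEST = {
    "name": "Secureframe Compliance Read-Only",
    "config": {"methods": ["read"]},
    "expires_at": "2026-12-31T23:59:59Z",
}

# Constructed hardened variant: token auth on, two-week lifetime.
HARDENED_REQUEST = {
    "name": "Secureframe Compliance Read-Only",
    "config": {"methods": ["read"], "require_api_token_auth": True},
    "expires_at": "2026-01-15T00:00:00Z",
}

if __name__ == "__main__":
    for name, body in (("page", PAGE_REQUEST), ("hardened", HARDENED_REQUEST)):
        print(name, review_mcp_request(body, NOW))
```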

Move Faster Without the Integration Overhead

Connecting Claude to Secureframe unlocks massive operational efficiency for security and compliance teams. But building the underlying integration infrastructure - handling OAuth tokens, writing JSON schemas, implementing Lucene query translation, and dealing with raw HTTP 429 rate limit pass-throughs - drains engineering resources.

Truto's dynamically generated MCP servers remove this boilerplate entirely. By deriving tool definitions directly from integration documentation and enforcing strict security boundaries, Truto allows your team to focus on building agentic workflows rather than maintaining API wrappers.

FAQ

Does the Truto MCP server automatically handle Secureframe rate limits?
No. Truto does not automatically retry, throttle, or apply backoff logic when rate limit errors occur. If Secureframe returns an HTTP 429 (Too Many Requests), Truto passes that error directly to Claude. However, Truto does normalize the upstream rate limit information into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset), leaving the retry responsibility to the client.

Can I restrict Claude to only read data from Secureframe?
Yes. When generating your Secureframe MCP server, you can apply method filtering to restrict the server configuration to read-only operations. This prevents the LLM from accidentally modifying controls or uploading test evidence.

How does Claude authenticate with the Secureframe MCP server?
The MCP server URL contains a securely hashed cryptographic token that authenticates the specific Secureframe account environment. For added security, you can enable require_api_token_auth, which forces the client to also pass a valid Truto API token in the Authorization header.

What happens when a Secureframe MCP server expires?
If you configure an expires_at timestamp during server creation, the underlying key-value storage and database records are automatically purged by a durable alarm system at that exact time. Any subsequent connection attempts by Claude will instantly fail.
