BlogEngineering
March 3, 2025

How Claude + MCP + Vanta could help auditors

Written by
Dustin Riley
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

At Vanta, we’re always looking to experiment, learn, and stay at the forefront of AI. Recently, we built a proof of concept to explore how auditors could interact more effectively with audits and the data within them. Our experiment used Anthropic’s Claude, the open source MCP (Model Context Protocol), and Vanta’s API to enable users to ask deeper questions of Vanta’s compliance data.

What is MCP?

Since the release of ChatGPT, engineers have been searching for ways to connect large language models (LLMs) with internal or proprietary data. MCP (Model Context Protocol) offers a standardized approach to this problem by defining an open protocol for LLMs to interact with local or remote data sources.

At a high-level, MCP follows a client-server architecture that allows MCP Hosts to connect to local and remote data sources. MCP Hosts, like Claude or Cursor, can leverage an MCP Client to connect to an MCP Server, like the Vanta MCP Server. That MCP Server enables defined capabilities inside of the MCP Host, such as querying Vanta for audits, controls, or evidence.

Image from: https://modelcontextprotocol.io/introduction 

Finding a focus

At Vanta, we’ve recently expanded our REST API, giving customers and auditors the ability to query and modify their Vanta data in whole new ways. We were able to take our REST API documentation and generate an MCP Server programmatically, allowing chatbots like Claude to understand (and use) the Vanta API. We started with a simple task: Getting Claude LLM to list my audits.

Start building

We chose Claude Desktop as our MCP Host, because of its straightforward process to integrate with MCP Servers. Claude Desktop supports modifying a configuration file to pull in MCP Servers from various sources, such as npm packages or local directories.

Here’s an example of our Claude Desktop configuration file:

Taking a deeper look, we can see that the config allows us to define a package, a command to start the server, and arguments to include. If you haven’t configured or used an MCP Server before, I found the best way to debug was to just ask Claude.

Following Claude’s instructions, we now have a running MCP Server in Claude’s Developer settings!

Back to the focus

Over a cup of coffee we have an MCP Server running, but we still have more to learn. Let’s ask Claude what we can do.

The server exposes available capabilities to Claude, and with Claude’s pre-trained context about security and compliance, we get a useful list of different capabilities built into Vanta’s API. This is done through the tools primitive and the tools/list endpoint, defined in the MCP protocol. Each tool exposes a function that can be run on the server. These functions can even be API calls. Since our server contains a “list audits” tool, we’ll try to get Claude to invoke it and get all of the audit engagements with an internal test domain, No Probllama.

Without prompting to pull the data from Vanta; Claude was able to derive my intent from the context of the question and the MCP tools it has available. It wanted to be so sure it was pulling the right No Probllama account that it included Noprobllama Support too. They have a SOC 2 Type II audit that started September 24, 2024 and ended February 1, 2025.

Let’s continue to stretch the capability and see where we can take it. Let’s make Claude find the audit we’re talking about through another description—maybe end date? Then let's find some other data about that audit, like the evidence for it, and let’s add some math for good measure.

Neat! Claude found the correct audit, looked through the evidence, and summed the count. But beyond that, it was nice enough to let me know what was ready for audit, along with some other high-level information. 

Ok, let’s try two more things. Let’s see what kinds of audits we’re performing and try to export some information.

Anything Claude could do before, it can do with Vanta data now, creating visualizations and files quickly.

Conclusion

The rapid advancements in AI, including LLM-based agents, are transforming how we interact with our data. By leveraging MCP, we successfully enabled Claude to query, analyze, and visualize compliance data from Vanta in real time.

This proof of concept demonstrates the potential of AI-augmented audits—reducing manual work and empowering auditors with intelligent, context-aware insights.

Are you interested in exploring what Vanta + MCP could do for your audits? Are you interested in finding novel solutions to our customers’ problems? We’re hiring! Are you interested in learning how MCP and Vanta could help make you and your audit firm more efficient? Reach out to us at partners@vanta.com!

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE
GRC
Turning Chaos Into Clarity: Continuous Security at Scale
Product updates
Vanta Office Hour: Unlock the Power of Vanta AI
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One
GRC
Turning Chaos Into Clarity: Continuous Security at Scale
Product updates
Vanta Office Hour: Unlock the Power of Vanta AI
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One

Table of contents

No titles!

Share this article

Share this article

Related Resources

Engineering
Blog

Speeding up the slowest page in the Vanta app by 7x

Learn how we optimized our app, speeding up our slowest page by 7x to deliver a smoother, more efficient user experience.

Engineering
Blog

Building a smarter retrieval system: Lessons from Vanta AI

Discover how Vanta built and optimized a high-scale AI retrieval system to power critical business decisions.

The logo for terraform on a black background.
Engineering
Blog

Engineering at Vanta: How we imported our AWS environment into Terraform

Find out how we resolved a host of issues by importing our AWS environment into Terraform.

Engineering
Blog

The evolution of quality at Vanta

Learn how we elevated our engineering practices to meet growing customer demand and expand into new markets.

Related Resources

Engineering
Blog
How we fixed a session race condition at Vanta

Learn how the team diagnosed performance challenges and improved authentication reliability for seamless client access.

Meet the Vanta MCP Server
Engineering
Blog
Built for the agentic era: Meet the Vanta MCP Server

We’re excited to announce that the Vanta MCP Server in now available via public preview—the first step towards bringing trust management into the emerging Model Context Protocol (MCP) ecosystem.

Engineering
Blog
How we navigated database limits with a growing product

Discover how Vanta rethought its data strategy after nearing MongoDB Atlas storage limits—reducing storage by 30% and building a scalable infrastructure to support rapid product growth.

Engineering
Blog
Unlocking AI innovation with quality hill climbing

Our engineering organization organized a hands-on AI activity centered on evaluating and iterating prompts.

Engineering
Blog
How we standardized error handling at Vanta

In early 2024, our error handling strategy led to vague frontend errors that impacted product quality. Learn how we tackled it.

Engineering
Blog
Seven lessons after seven months in Vanta Engineering

See what it's like stepping into a new role on a fast-moving engineering team at Vanta. Learn key lessons on leadership, impact, and effectiveness.

Engineering
Blog
Speeding up the slowest page in the Vanta app by 7x

Learn how we optimized our app, speeding up our slowest page by 7x to deliver a smoother, more efficient user experience.

Engineering
Blog
The evolution of quality at Vanta

Learn how we elevated our engineering practices to meet growing customer demand and expand into new markets.

Engineering
Blog
Building a smarter retrieval system: Lessons from Vanta AI

Discover how Vanta built and optimized a high-scale AI retrieval system to power critical business decisions.

How to de-risk patching third party software packages
Engineering
Blog
How to de-risk patching third party software packages

Patching a package can be risky. Here are some tips and tricks to make patching a package less risky.

The logo for terraform on a black background.
Engineering
Blog
Engineering at Vanta: How we imported our AWS environment into Terraform

Find out how we resolved a host of issues by importing our AWS environment into Terraform.

Engineering
Blog
3 GraphQL pitfalls and how we avoid them

Vanta's engineering team shares what they've learned from their initial implementation of GraphQL back in 2017 and how GraphQL ended up being the perfect tool for the team.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products