Before you begin
- A Vanta account with admin access.
- One of: Claude Code, Cursor, Codex (Desktop or CLI), or Perplexity.
- At least one Vanta integration connected — ideally a Cloud Provider (AWS, GCP, or Azure) for failing resources and a Version Control (GitHub, GitLab, or Bitbucket) for the IaC that manages them.
Connect your AI tool to the Vanta MCP server
Vanta hosts a separate MCP server per region — use the URL that matches your instance:
The examples below use the US URL — swap for your region if needed.
| Region | MCP URL |
|---|---|
| United States | https://mcp.vanta.com/mcp |
| Europe | https://mcp.eu.vanta.com/mcp |
| Australia | https://mcp.aus.vanta.com/mcp |
- Claude Code (plugin)
- Claude Code
- Cursor
- Codex Desktop
- Codex CLI
- Perplexity
In Claude Code, run these in order:Then run
/mcp, select Vanta, pick your region, and click Allow to finish OAuth.Don't see 'Vanta' in the /mcp list?
Don't see 'Vanta' in the /mcp list?
Run
/reload-plugins again and wait a few seconds. If it still doesn’t appear, re-run the install command.The OAuth page didn't open?
The OAuth page didn't open?
Open the authorization URL printed in the terminal yourself. If it’s expired, run
/mcp → Vanta → Reconnect.List your highest-priority failing tests
In your tool’s chat, ask:Pick a HIGH-severity test ID to use in the next step.
0 failing tests returned?
0 failing tests returned?
Either everything’s passing, or your OAuth token expired. Re-authorize:
/mcp → Vanta → Reconnect (Claude Code), re-trigger OAuth in Cursor or Perplexity settings, click Authenticate in Codex Desktop, or run codex mcp login vanta.Inspect the failing resources for one test
Ask which specific resources are failing the test you picked:Replace You now know exactly what to fix.
TEST ID with the ID from Step 2. Example output for github-repo-require-pr-reviews:I see resources I don't recognize?
I see resources I don't recognize?
Check the integration field (GitHub org, AWS account ID, GCP project, etc.). If your company has multiple orgs or cloud accounts, focus on the one you own.
Generate a remediation plan
Ask for the fix:The assistant pulls the failing resources from Vanta and returns a multi-option plan — typically a CLI command for the fastest fix, console steps for environments where the resource isn’t managed by IaC, and an IaC snippet you can commit to prevent recurrence:The assistant won’t run CLI commands that mutate live resources on its own — it’ll surface them and ask first. Pick the option that fits your environment and apply it.
(Optional) Open a draft pull request
This step applies only if using the Claude Code Vanta plugin.
My resources aren't in code?
My resources aren't in code?
Stick with the plan from Step 4 — run the CLI, apply the UI steps, or hand it to the team that owns the resource.
Plugin couldn't find Terraform files?
Plugin couldn't find Terraform files?
It searches
.tf files in the root and common subfolders (infra/, terraform/, ops/). Point it elsewhere: “The Terraform files are in platform/infra/aws/.”Plugin couldn't find the failing resource in this repo?
Plugin couldn't find the failing resource in this repo?
The resource probably lives in a different account / project / repo. Use Step 4’s CLI or UI option instead, or re-run from inside the repo that manages it.
I use CloudFormation or CDK, not Terraform?
I use CloudFormation or CDK, not Terraform?
The plugin supports all three. Tell it which framework you use and it’ll adjust the diff.
Congratulations
You’re connected to the Vanta MCP server and you’ve used it to surface failing tests, inspect failing resources, and generate a remediation plan — with an optional draft PR if you’re using the Claude Code plugin. From here:- Remediate more tests — re-run Step 2 (or
/vanta:list-tests) and repeat the flow. - Explore other compliance data — ask your assistant about controls, vendors, vulnerabilities, or frameworks in plain English.
- Learn more about the MCP — see the Vanta MCP server reference.
More things to try
Review your SOC 2 control coverage
Review your SOC 2 control coverage
Triage a vulnerability by severity
Triage a vulnerability by severity
Find tests failing across multiple frameworks
Find tests failing across multiple frameworks
Check who owns a control
Check who owns a control
Next steps
Vanta MCP server
Full reference for connecting MCP clients to Vanta.
Query failing tests via API
Pull test results programmatically — useful for CI and dashboards.
Triage vulnerabilities
Surface vulnerable assets with approaching SLA deadlines.
Manage Vanta via API
Get an API token and automate your Vanta account with code.