
Connect your AI to CSFaaS.

Plug Claude Desktop, Claude Code or any MCP client into your workspace and ask GRC questions in plain language. The MCP server holds no database credentials; every tool call runs as you, under the same row-level security as the app.


csfaas mcp · connection

endpoint   https://mcp.csfaas.com/mcp
transport  Streamable HTTP
auth       Authorization: Bearer csfaas_sk_<key_id>_<secret>
access     read-only · runs as you, under RLS

What you can ask

Plain questions, grounded answers

Your AI calls read-only tools against your live workspace and answers from real data, not from a stale export. Ask what you would ask a colleague.

your ai client

connected to csfaas
What are my top 5 risks?
search_risks   sort: score · limit: 5

Your highest exposure is RSK_000008, "Unpatched edge VPN", scored 20 of 25. Four more follow, and three of them still have no remediation plan.

Global GRC queries

Ask across the whole program: risks, controls, frameworks, vendors, systems and reviews.

Risk Assessment Assistant

Pull a risk or a demand with its full assessment and let your AI critique scoring, wording and treatment.

Remediation review

Check documents and evidence against remediation plans, their owners and their due dates.

Audit evidence

Walk audit questions, read their threads and verify that evidence answers what the auditor asked.

Security policies

Read policy trees and check what a policy actually commits you to.

Setup guides

Connected in two minutes

Create a key, paste one block into your client, done. Pick your client below.

Step 0. Create your API key in Settings ▸ API & MCP. It is shown once; keys look like csfaas_sk_<key_id>_<secret>.

Run this once in your terminal, then start a session and ask away.

terminal

claude mcp add --transport http csfaas https://mcp.csfaas.com/mcp --header "Authorization: Bearer csfaas_sk_YOUR_KEY"

Replace csfaas_sk_YOUR_KEY with the key you created in step 0, then ask your first question.

Tools reference

Five suites, all read-only

Everything the server exposes to your AI. Expand a suite to see its tools. Each returns the same rows, and only the rows, you can see in the product.

15 tools · reference

READ  whoami                     Who the key belongs to, their workspace and role
READ  search_risks               Search the risk register by text, score or status
READ  search_controls            Search the control library, including evidence gaps
READ  list_frameworks            Deployed frameworks with their versions
READ  framework_statistics       Implementation statistics for a framework
READ  list_third_parties         Vendors with tiering and risk posture
READ  list_systems               Systems and assets with their classification
READ  list_reviews               Periodicity reviews, owners and due dates
READ  search_catalog_controls    Search the control and threat catalogs
READ  get_risk                   One risk with its full assessment and treatment
READ  get_demand                 One risk demand with status and assessments
READ  read_evidence              Read an evidence record or linked document
READ  list_audit_questions       Questions of an audit campaign
READ  get_audit_question_thread  One audit question with its full thread
READ  list_policies              Policies with their current version and state

Empty means out of scope

An empty result means nothing in your authorized scope. Row-level security filters invisible records out; it does not raise an error, and your AI should not treat it as one.

Trust & FAQ

Safe by construction

The server is a thin, credential-less gate in front of the same authorization layer the app uses. Here is what that means in practice.

Read-only, version 1

Your AI can read, reason and propose. It cannot change anything: the server exposes no write tools.

Your permissions, exactly

Every tool call is authorized by the same PostgreSQL row-level security as your session in the app. Different role, different answers.

Instant revocation

Revoke the key in Settings ▸ API & MCP and the connection dies immediately. No cache, no grace window.

Any MCP client

Streamable HTTP with one Bearer header. Claude Desktop, Claude Code, or any client that speaks MCP.

401

Invalid or revoked key

The Bearer token is missing, malformed or was revoked. Create a fresh key in Settings ▸ API & MCP and reconnect.

403

No access

The key owner lacks permission for this resource, or a workspace admin disabled API and MCP access.

429

Rate limited

Too many tool calls in a short window. Your client should back off and retry; steady conversations never hit it.
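
How a client might apply the 401, 403 and 429 rules above together with the "empty means out of scope" rule, as an added example that is not CSFaaS code. The `send` transport callable, its `(status, rows, headers)` return shape, the `Retry-After` header and the key pattern used for log redaction are assumptions, and the sample replies are constructed.

```python
import random
import re
import time

# Key shape from the page: csfaas_sk_<key_id>_<secret>. The field alphabets are
# not documented, so the pattern is an assumption; it keeps the key id (useful
# when deciding which key to revoke) and masks everything after it.
KEY_RE = re.compile(r"(csfaas_sk_[^_\s\"']+_)[^\s\"']+")


def redact(text):
    """Mask the secret part of any CSFaaS key before text reaches a log."""
    return KEY_RE.sub(r"\1<redacted>", text)


class McpAuthError(Exception):
    """401 or 403: retrying cannot help; a person has to fix the key or role."""


def call_tool(send, name, args, max_tries=4, sleep=time.sleep):
    """Run one tool call and apply the status-code rules listed above.

    `send` is a hypothetical transport returning (status, rows, headers).
    """
    for attempt in range(max_tries):
        status, rows, headers = send(name, args)
        if status == 200:
            return rows  # [] means "nothing in your scope", not a failure
        if status == 401:
            raise McpAuthError("invalid or revoked key: create a fresh key")
        if status == 403:
            raise McpAuthError("no access: key owner's role or workspace setting")
        if status != 429:
            raise RuntimeError(f"unexpected status {status}")
        # 429: back off. Honour Retry-After if the server sends one (assumption),
        # otherwise wait 1s, 2s, 4s ... plus jitter.
        sleep(float(headers.get("Retry-After", 2 ** attempt + random.random())))
    raise RuntimeError("still rate limited after retries")


if __name__ == "__main__":
    # Constructed transport: one 429, then an empty (out-of-scope) result.
    replies = iter([(429, None, {}), (200, [], {})])
    rows = call_tool(lambda n, a: next(replies), "search_risks", {"limit": 5},
                     sleep=lambda s: None)
    print("rows:", rows)
    print(redact('--header "Authorization: Bearer csfaas_sk_k1_constructedsecret"'))
```

Treating 401 and 403 as terminal keeps a client from hammering the endpoint with a revoked key, and returning `[]` unchanged keeps an out-of-scope query from being reported as an outage.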

No. Version 1 is read-only. Your AI can read, reason and propose; applying a change is always done by a person, in the app.

No. It holds no database credentials and keeps no copy of your data. Your key resolves to a short-lived, workspace-pinned token, and the database authorizes every read.

An empty result means nothing in your authorized scope. Row-level security filters invisible records out; it does not raise an error.

Any MCP client that supports Streamable HTTP with custom headers: Claude Desktop, Claude Code, and most agent frameworks. The generic mcp.json block covers the rest.

Ask your program anything

Your GRC data, one question away

Create a key in Settings ▸ API & MCP, paste one block into your client, and ask your first question in under two minutes. Included in every plan, at no extra cost.
