New · mcp.brickgrc.com

Let your AI agent
run your audit.

Drive every BrickGRC capability from Claude Desktop, ChatGPT, Cursor, or any MCP-compatible host. Your agent orchestrates the audit lifecycle: install templates, upload evidence, trigger scoring, export reports. BrickGRC's installed AI engine does the actual scoring server-side, under your audit log.

EU-resident hosting · OAuth 2.1 + PKCE · Personal API keys · 52 tools, every brick

Every capability of the platform,
callable as a tool.

If you can do it in BrickGRC, your AI agent can do it through MCP. 52 tools covering the full audit lifecycle, from template install to final report.

Browse & build engagements

List templates, install framework bricks (single or multi-framework), spin up new engagements, update them, close them. The agent owns the lifecycle.

Trigger scoring & manage state

Queue maturity-scoring jobs (BrickGRC's installed AI engine runs them server-side under your audit log and BYO key), fetch results, apply state transitions, override risk, snapshot gap analyses. Async jobs surface with explicit status.

Upload & auto-link evidence

Upload documents over the wire (path or base64), trigger AI auto-linking against controls, rescan the document set, read or replace content in place.

Export audit-ready reports

Final audit report, evidence bundle, gap-analysis snapshot, remediation snapshot. All returned as single-use signed download URLs, scoped to your engagement.

Configure custom templates

Build your own framework brick programmatically: create templates, state flows, transitions, controls. Compose them into engagements end-to-end.

Projects, risk & employees

Manage engagement projects, override risk scores, match employees to controls, suggest control statuses. The operational layer your agent needs to actually finish the audit.

Built on Model Context Protocol.

MCP is the open standard for agent tool use, adopted by every major host. Connect once. Every MCP client connects to BrickGRC the same way.

Claude Desktop
ChatGPT Connectors
Cursor
Continue.dev
Any MCP client

Two ways to authenticate.

Pick the flow that fits your team.

OAuth (recommended): sign in once through your normal BrickGRC login. Your agent gets scoped, revocable access.

Personal API key: mint a token in the app, paste it into your host's config. Static and simple.

What you get

A one-time consent flow through your normal BrickGRC login (Google, Microsoft, SAML, SSO and 2FA all work). Your agent gets a scoped, revocable token that respects your RBAC role.

Host config

// add this entry to your MCP host's config
{
  "mcpServers": {
    "brickgrc": {
      "url": "https://mcp.brickgrc.com/mcp"
    }
  }
}

Then

  1. Restart your MCP host
  2. In its connector settings, open BrickGRC and click Connect
  3. Sign in with your BrickGRC account, approve the scope, done

Mint a key

  1. Open app.brickgrc.com and go to API Keys
  2. Click Create new key, name it (for example, "Claude Desktop on MacBook")
  3. Copy the zpl_ token (shown once, save it in a password manager)

Host config

{
  "mcpServers": {
    "brickgrc": {
      "url": "https://mcp.brickgrc.com/mcp",
      "headers": {
        "Authorization": "Bearer zpl_your_key_here"
      }
    }
  }
}

Sensible defaults. Hard to misuse.

The same security model that protects your BrickGRC account protects every agent connection. Revoke a key, kill an agent.

OAuth 2.1 + PKCE

Authorisation Code with S256 PKCE. No paste-your-key flow on supported hosts. Your agent runs through your real BrickGRC login.
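To show what "Authorisation Code with S256 PKCE" buys you, here is an added example (not BrickGRC's code, and the AuthorizationServer class is a constructed toy, not the real mcp.brickgrc.com server): the client derives a challenge from a random verifier, the server stores only the challenge against the single-use code, and the token exchange succeeds only when the original verifier is presented. The test vector in the comment is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier (the RFC minimum length)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).

    RFC 7636 Appendix B: verifier 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
    gives challenge 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'.
    """
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server, constructed for this example only."""

    def __init__(self) -> None:
        # code -> (code_challenge, method); the verifier itself is never sent here
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # Accept S256 only. With 'plain' the challenge in the redirect URL
        # would be the verifier, so observing the redirect would defeat PKCE.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str) -> Optional[str]:
        """Token endpoint: the code is single use and must match the verifier."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown or already-used code
        stored_challenge, _ = entry
        if not secrets.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return None  # code obtained without the verifier is worthless
        return "access_token_" + secrets.token_urlsafe(16)


def run_flow(present_wrong_verifier: bool = False) -> bool:
    """Full client/server round trip; returns True if a token was issued."""
    server = AuthorizationServer()
    verifier = make_code_verifier()                       # stays on the client
    code = server.authorize(s256_challenge(verifier), "S256")
    presented = make_code_verifier() if present_wrong_verifier else verifier
    return server.exchange(code, presented) is not None


if __name__ == "__main__":
    print("correct verifier ->", run_flow())              # True
    print("code without verifier ->", run_flow(True))     # False
```

The two `run_flow` calls are the whole point of the "no paste-your-key" claim: a host that completes this flow never handles a long-lived secret, and an authorization code seen in transit cannot be redeemed without the verifier that stayed in the client process.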

Hashed at rest

Personal keys are SHA-256 hashed; OAuth-issued keys are AES-256-GCM encrypted server-side. Plaintext never touches disk.

Scoped to your role

Every agent action runs through the same RBAC permissions your user has in the UI. An agent can't escalate beyond what you can do.

Per-key rate limits

Default 120 requests/min per key, tunable. Stops a runaway agent from burning your AI budget overnight.

One-click revocation

Revoke a key in the BrickGRC UI; every active session for that key is cut within seconds, OAuth tokens included.
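The three properties above (hashed at rest, per-key rate limits, one-click revocation) fit in one small key-gate model. This is an added example, not BrickGRC's implementation; the `zpl_` prefix and the 120 requests/min default come from this page, while the KeyStore class, its fixed-window limiter and the label-based revoke are constructed assumptions about how such a gate can be built.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

KEY_PREFIX = "zpl_"            # personal-key prefix shown on the page
RATE_LIMIT_PER_MIN = 120       # page's stated per-key default
WINDOW_SECONDS = 60.0


@dataclass
class KeyRecord:
    key_hash: str              # hex SHA-256 of the full token; the plaintext is never kept
    label: str
    revoked: bool = False
    window_start: float = 0.0  # fixed-window counter for the rate limit
    window_count: int = 0


def hash_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class KeyStore:
    """Toy key store and request gate, constructed for this example only."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}   # indexed by hash, never by token

    def mint(self, label: str) -> str:
        """Create a key; the plaintext is returned exactly once and not stored."""
        token = KEY_PREFIX + secrets.token_urlsafe(32)
        digest = hash_key(token)
        self._records[digest] = KeyRecord(digest, label)
        return token

    def revoke(self, label: str) -> int:
        """Mark every key with this label revoked; returns how many were cut."""
        cut = 0
        for rec in self._records.values():
            if rec.label == label and not rec.revoked:
                rec.revoked = True
                cut += 1
        return cut

    def authorize(self, token: str, now: float) -> str:
        """Gate one request: 'ok', 'unknown_key', 'revoked' or 'rate_limited'."""
        digest = hash_key(token)
        rec = self._records.get(digest)
        # compare_digest avoids leaking match length through timing
        if rec is None or not hmac.compare_digest(rec.key_hash, digest):
            return "unknown_key"
        if rec.revoked:
            return "revoked"           # takes effect on the very next request
        if now - rec.window_start >= WINDOW_SECONDS:
            rec.window_start = now     # start a fresh one-minute window
            rec.window_count = 0
        if rec.window_count >= RATE_LIMIT_PER_MIN:
            return "rate_limited"      # a runaway agent stops here, not at the AI bill
        rec.window_count += 1
        return "ok"

    def holds_plaintext(self, token: str) -> bool:
        """Sanity check: the token must not appear anywhere in stored records."""
        return any(token in (rec.key_hash, rec.label) for rec in self._records.values())


if __name__ == "__main__":
    store = KeyStore()
    key = store.mint("Claude Desktop on MacBook")
    print(key[:8] + "...", store.authorize(key, now=0.0))        # zpl_...  ok
    print("plaintext stored?", store.holds_plaintext(key))       # False
    print("revoked:", store.revoke("Claude Desktop on MacBook"))  # 1
    print(store.authorize(key, now=1.0))                          # revoked
```

Two design notes: indexing by the SHA-256 of the token means a database dump yields nothing an agent could paste into a host config, and checking `revoked` before the rate-limit branch is what makes revocation take effect on the next request rather than at the next window boundary.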

EU-resident hosting

Frankfurt, like the rest of BrickGRC. No data leaves the EU. GDPR + Schrems II clean.

52 tools, eleven groups.

A full inventory of what your agent can call. Each tool is a thin wrapper around the same BrickGRC API your UI uses. Same RBAC, same audit log, same data.

52 tools available across the full audit lifecycle
BROWSING · 5
list_engagements · get_engagement · list_milestone_controls · update_engagement · delete_engagement
TEMPLATES & BRICKS · 4
browse_template_store · install_template · list_templates · create_engagement
SCORING · 6
get_control_score · list_cached_scores · rescore_engagement · rescore_controls · score_status · rescore_controls_status
EVIDENCE · 5
list_engagement_documents · upload_evidence · auto_link_evidence_for_document · rescan_engagement_documents · get_gap_analysis_snapshot
CONTROL STATE · 3
get_control_state_flow · list_control_actions · apply_control_action
SNAPSHOTS & CLOSING · 5
take_gap_analysis_snapshot · take_remediation_snapshot · close_engagement · reopen_engagement · close_job_status
REPORTS · 2
download_final_report · download_evidence_bundle
INTELLIGENCE · 5
read_document_content · replace_document · get_executive_summary · get_remediation_tip · admin_override_score
CUSTOM TEMPLATES · 7
create_template · update_template · delete_template · create_state_flow · add_state_to_flow · add_transition_to_flow · configure_template
PROJECTS & RISK · 7
list_projects · create_project · get_risk_summary · override_risk_score · match_employees_to_controls · suggest_control_statuses · apply_control_statuses
IMPORT · 3
export_engagement_scaffold · validate_engagement_import · create_engagement_from_json

Ready to let your agent do the audit?

It takes 60 seconds. Sign in to BrickGRC, connect through your AI host, and watch your agent run the full lifecycle, from brick install to final report.
