AI Integration (MCP)

The SCF Controls Platform provides an official Model Context Protocol (MCP) server that lets AI assistants interact with your compliance program using natural language. Browse controls, track implementation, manage evidence, assess risks, and monitor vendors — all through your AI assistant.

npm package: mcp-server-scf

Prerequisites

Before setting up the MCP integration, you need an API key:

Sign in to the SCF Controls Platform
Navigate to Settings > API Keys
Click Generate New Key
Copy the key (it starts with scf_ and is only shown once)

Setup

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}

Restart Claude Desktop after saving.

claude mcp add scf -- npx -y mcp-server-scf

Then set environment variables in your shell profile:

export SCF_API_KEY="scf_your_api_key_here"
export SCF_API_URL="https://eu.scfcontrolsplatform.app"

Add to your MCP config (.cursor/mcp.json or equivalent):

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}

{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here"
      }
    }
  }
}

Configuration

Variable	Required	Default	Description
`SCF_API_KEY`	Yes	—	Your API key (starts with `scf_`)
`SCF_API_URL`	No	`https://eu.scfcontrolsplatform.app`	Platform API endpoint

What You Can Do

The MCP server provides 38 tools across 7 domains. Once connected, your AI assistant can perform any of these operations on your behalf.

Browse the SCF Catalog

Access the full read-only reference catalog of 1,451 security controls, 354+ compliance frameworks, 272 evidence types, and 5,736 assessment objectives.

Tool	What it does
`list_controls`	Search and filter controls by title, domain, or framework
`get_control`	Get full control details with assessment objectives and evidence items
`list_frameworks`	List all 354+ mapped compliance frameworks
`list_domains`	List compliance domains (Governance, Asset Management, IAC, etc.)
`list_evidence_catalog`	Browse 272 standard evidence types
`list_assessment_objectives`	Browse 5,736 assessment test criteria, optionally filtered by control

Track Control Implementation

Manage which controls are in scope and track their implementation across an 8-state workflow: not_started → in_progress → implemented → ready_for_review → monitored (plus not_applicable, at_risk, deferred).

Tool	What it does
`list_scoped_controls`	View scoped controls with status, domain, and framework filters
`get_scoped_control`	Get detailed status, owner, notes, evidence links, and audit history
`update_scoped_control`	Update status, owner, priority, notes, dates, or maturity level
`get_scoping_stats`	View implementation progress — counts by status, completion percentage
`scope_framework`	Bulk-scope all controls from a framework (e.g., ISO 27001, NIST 800-53)
`batch_update_controls`	Update up to 500 controls in a single transaction

Manage Evidence

Track evidence artifacts that demonstrate control implementation for audit readiness.

Tool	What it does
`list_evidence`	List evidence items tracked against controls
`create_evidence`	Create a new evidence item linked to a control
`get_evidence_maturity`	View maturity scores, automation percentage, and improvement areas
`list_evidence_tasks`	View the evidence collection work queue

Assess Risks

Work with the 5x5 risk matrix — create assessments, track treatment, and view severity summaries.

Tool	What it does
`list_risks`	List risk register entries with scores and treatment status
`get_risk`	Get detailed risk assessment (inherent + residual scores, treatment plan)
`create_risk`	Create a risk assessment with likelihood and impact scores (1-5)
`get_risk_matrix`	Get the 5x5 risk matrix visualisation data
`get_risk_summary`	Get aggregated risk summary by severity and treatment status

Monitor Vendors

Third-party risk management with AI-powered security research, breach detection, and data protection impact assessments.

Tool	What it does
`list_vendors`	List vendors with status and criticality filters
`get_vendor`	Get vendor details, certifications, assessments, and risk scores
`create_vendor`	Add a vendor to the TPRM registry
`trigger_vendor_research`	Run AI-powered security research (HIBP, NVD, breach history)
`get_vendor_research`	Get the latest vendor research results
`trigger_dpsia`	Run a Data Protection Security Impact Assessment

Organisation & Platform

User management, audit trails, work queues, and notifications.

Tool	What it does
`get_current_user`	Get your profile, email, and organisations
`list_organizations`	List organisations you have access to
`get_organization`	Get org details, tier, usage limits, and settings
`list_members`	List organisation members and their roles
`get_work_queue`	Get your prioritised task queue across all organisations
`get_audit_log`	View the field-level change audit trail
`get_notifications`	Get your notifications and alerts

Capabilities & Systems

KSI-aligned capability themes and infrastructure systems inventory.

Tool	What it does
`list_capability_themes`	List the 11 KSI-aligned capability themes
`list_capabilities`	List security capabilities mapped to systems
`list_systems`	List infrastructure systems in your inventory
`create_system`	Add a system to your infrastructure inventory

Example Prompts

Once your MCP connection is active, try asking your AI assistant:

“What NIST 800-53 controls apply to access control?”
“Show me my organisation’s control implementation progress”
“List all critical vendors and their risk scores”
“Create a risk assessment for our cloud migration”
“What evidence do I need for a SOC 2 audit?”
“Show the 5x5 risk matrix for my organisation”
“Scope the ISO 27001 framework for my org”
“Batch update all access control controls to in_progress”
“What’s in my compliance work queue today?”
“Run a DPSIA on our cloud provider vendor”

Security

The MCP server follows security best practices:

No credential exposure — API keys are never logged or included in error messages
HTTPS only — All communication with the platform uses HTTPS
Hashed keys — API keys are SHA-256 hashed server-side
Rate limiting — 100 requests/min (read), 20 requests/min (write)
Multi-tenant isolation — All operations are scoped to your organisation
Supply chain security — npm package published with provenance attestation

Troubleshooting

”Authentication failed” or 401 errors

Verify your API key starts with scf_
Check that the key hasn’t been revoked in Settings > API Keys
Ensure SCF_API_KEY is set in your MCP configuration

”Connection refused” or timeout errors

Check that SCF_API_URL points to https://eu.scfcontrolsplatform.app
Verify your network can reach the platform (no firewall blocking)

Tools not appearing in your AI assistant

Restart your AI client after updating the MCP configuration
Check that npx is available in your PATH (requires Node.js 18+)
For Claude Desktop, verify the JSON config is valid (no trailing commas)

Rate limiting (429 errors)

The platform enforces rate limits of 100 requests/minute for read operations and 20 requests/minute for write operations. If you hit limits, wait a moment and retry.