Zscaler CSPM MCP Server
Create a powerful Model Context Protocol (MCP) server for Zscaler Cloud Security Posture Management (CSPM) in minutes with our AI Gateway. This guide walks you through setting up seamless cloud security posture integration with enterprise-grade security and instant OAuth authentication.
About Zscaler CSPM API
Zscaler CSPM provides comprehensive visibility and control over cloud infrastructure security posture. It continuously monitors cloud environments for misconfigurations, compliance violations, and security risks across multiple cloud providers.
Key Capabilities
- Multi-Cloud Support: AWS, Azure, GCP coverage
- Continuous Monitoring: Real-time posture assessment
- Compliance Management: Framework compliance tracking
- Risk Assessment: Automated risk scoring
- Auto-Remediation: Policy-driven fixes
- Configuration Analysis: Misconfiguration detection
- Asset Inventory: Complete cloud visibility
- Threat Detection: Cloud-native threat hunting
API Features
- Assessment API: Security posture evaluation
- Compliance API: Framework compliance
- Remediation API: Automated fixes
- OAuth 2.0: Secure authentication
- Inventory API: Asset management
- Policy API: Custom policies
- Reports API: Compliance reporting
- Integration API: Third-party tools
What You Can Do with Zscaler CSPM MCP Server
The MCP server transforms CSPM API into a natural language interface, enabling AI agents to:
Cloud Asset Discovery
-
Resource Inventory
- "Show all cloud resources"
- "List untagged assets"
- "Find public S3 buckets"
- "Identify orphaned resources"
-
Cross-Cloud Visibility
- "Compare AWS vs Azure assets"
- "Show multi-cloud inventory"
- "Track resource growth"
- "Monitor cloud spend"
-
Asset Classification
- "Classify by data sensitivity"
- "Tag production resources"
- "Identify critical assets"
- "Map resource dependencies"
Security Posture Assessment
-
Misconfiguration Detection
- "Find security group issues"
- "Check encryption status"
- "Identify open databases"
- "Detect weak IAM policies"
-
Risk Scoring
- "Calculate cloud risk score"
- "Show high-risk resources"
- "Track risk trends"
- "Compare account risks"
-
Vulnerability Assessment
- "Scan for vulnerabilities"
- "Check patch status"
- "Find exposed services"
- "Assess attack surface"
Compliance Management
-
Framework Compliance
- "Check PCI DSS compliance"
- "Assess HIPAA requirements"
- "Verify SOC 2 controls"
- "Track GDPR compliance"
-
Policy Violations
- "Show policy violations"
- "Track non-compliant resources"
- "Monitor drift detection"
- "Alert on violations"
-
Audit Preparation
- "Generate audit reports"
- "Collect evidence"
- "Document controls"
- "Track remediation"
Auto-Remediation
-
Automated Fixes
- "Fix security group rules"
- "Enable encryption"
- "Update IAM policies"
- "Configure logging"
-
Remediation Workflows
- "Create fix playbooks"
- "Schedule remediations"
- "Test before applying"
- "Track fix status"
-
Safe Remediation
- "Preview changes"
- "Rollback capability"
- "Change approval"
- "Impact analysis"
Network Security
-
Network Analysis
- "Map network topology"
- "Find exposed endpoints"
- "Check segmentation"
- "Analyze traffic flows"
-
Access Control
- "Review security groups"
- "Check NACLs"
- "Validate firewall rules"
- "Monitor access patterns"
-
Zero Trust Assessment
- "Evaluate zero trust posture"
- "Check microsegmentation"
- "Assess least privilege"
- "Monitor lateral movement"
Identity & Access
-
IAM Analysis
- "Find overprivileged users"
- "Check MFA status"
- "Review role permissions"
- "Detect dormant accounts"
-
Access Reviews
- "Audit access rights"
- "Track privilege usage"
- "Monitor key rotation"
- "Check cross-account roles"
-
Secrets Management
- "Find exposed secrets"
- "Check key rotation"
- "Monitor API keys"
- "Validate certificates"
Cost Optimization
-
Resource Optimization
- "Find unused resources"
- "Identify oversized instances"
- "Track idle resources"
- "Optimize storage"
-
Cost Analysis
- "Show cost by security risk"
- "Track remediation savings"
- "Compare cloud costs"
- "Forecast security spend"
-
Waste Reduction
- "Delete orphaned snapshots"
- "Remove unused IPs"
- "Clean up old images"
- "Optimize reservations"
Container Security
-
Container Scanning
- "Scan container images"
- "Check Kubernetes configs"
- "Review pod security"
- "Monitor registries"
-
Runtime Protection
- "Monitor container behavior"
- "Detect anomalies"
- "Check resource limits"
- "Validate policies"
-
Supply Chain
- "Verify image sources"
- "Check dependencies"
- "Track vulnerabilities"
- "Monitor CI/CD"
Prerequisites
- Access to Cequence AI Gateway
- Zscaler CSPM subscription
- API credentials
- Cloud accounts connected
Step 1: Generate CSPM API Credentials
1.1 Access CSPM Console
- Log in to Zscaler CSPM
- Navigate to Settings > API Management
- Click Create API Key
1.2 Configure API Key
- Enter details:
- Key Name: "AI Gateway CSPM MCP"
- Description: "Cloud security posture integration"
- Role: Select appropriate role
1.3 Set Permissions
Select permissions:
- Read: All resources
- Write: Remediation actions
- Execute: Policy enforcement
- Report: Generate reports
1.4 Save Credentials
- Click Create
- Copy API Key ID
- Copy API Secret
- Note Tenant ID
Step 2-4: Standard Setup
Follow standard steps to access AI Gateway, find Zscaler CSPM API, and create MCP server.
Step 5: Configure API Endpoints
- Base URL:
https://api.cspm.zscaler.com - Select endpoints:
- Assessment endpoints
- Compliance endpoints
- Remediation endpoints
- Inventory endpoints
- Click Next
Step 6: MCP Server Configuration
- Name: "Zscaler CSPM"
- Description: "Cloud security posture management"
- Configure production mode
- Click Next
Step 7: Configure Authentication
- Authentication Type: OAuth 2.0
- Token URL:
https://api.cspm.zscaler.com/auth/token - Grant Type:
client_credentials - Enter API credentials
- Add Tenant ID header
Available Zscaler CSPM API Scopes
Security Assessment
-
Posture Management
- Security assessment
- Risk scoring
- Misconfiguration detection
- Vulnerability scanning
-
Compliance
- Framework assessment
- Policy evaluation
- Audit support
- Evidence collection
Remediation & Policy
-
Auto-Remediation
- Automated fixes
- Remediation workflows
- Change management
- Rollback support
-
Policy Engine
- Custom policies
- Policy assignment
- Enforcement rules
- Exception handling
Inventory & Analytics
-
Asset Management
- Resource inventory
- Asset classification
- Dependency mapping
- Cost tracking
-
Analytics
- Trend analysis
- Risk analytics
- Compliance metrics
- Cost optimization
Recommended Scope Combinations
For Security Teams:
Security Assessment (Read)
Compliance (Read)
Remediation (Read/Write)
Inventory (Read)
Analytics (Read)
For Cloud Architects:
Security Assessment (Read)
Compliance (Read)
Remediation (Read/Write)
Policy Engine (Read/Write)
Inventory (Read/Write)
Analytics (Read)
Step 8-10: Complete Setup
Configure security, choose deployment, and deploy.
Using Your Zscaler CSPM MCP Server
With Claude Desktop
{
"servers": {
"zscaler-cspm": {
"url": "your-mcp-server-url",
"auth": {
"type": "oauth2",
"client_id": "your-api-key-id",
"client_secret": "your-api-secret",
"tenant_id": "your-tenant-id"
}
}
}
}
Natural Language Commands
- "Show all public S3 buckets with sensitive data"
- "Check PCI compliance for production environment"
- "Fix all critical security group violations"
- "Generate SOC 2 compliance report"
- "Find cloud resources without encryption"
API Integration Example
// Initialize MCP client
const mcpClient = new MCPClient({
serverUrl: 'your-mcp-server-url',
auth: {
type: 'oauth2',
clientId: 'your-api-key-id',
clientSecret: 'your-api-secret',
tenantId: 'your-tenant-id'
}
});
// Cloud asset discovery
const cloudInventory = await mcpClient.zscaler.cspm.getCloudInventory({
providers: ['AWS', 'Azure', 'GCP'],
resourceTypes: ['compute', 'storage', 'database', 'network'],
filters: {
tags: { environment: 'production' },
regions: ['us-east-1', 'us-west-2', 'eu-west-1']
}
});
console.log(`Total Cloud Resources: ${cloudInventory.totalResources}`);
console.log("\nResource Breakdown:");
for (const provider of cloudInventory.providers) {
console.log(`\n${provider.name}:`);
console.log(` Total: ${provider.resourceCount}`);
console.log(` Compute: ${provider.breakdown.compute}`);
console.log(` Storage: ${provider.breakdown.storage}`);
console.log(` Database: ${provider.breakdown.database}`);
console.log(` Network: ${provider.breakdown.network}`);
}
// Security posture assessment
const postureAssessment = await mcpClient.zscaler.cspm.assessSecurityPosture({
scope: 'organization',
categories: [
'identity_access',
'data_protection',
'network_security',
'logging_monitoring',
'vulnerability_management'
]
});
console.log(`\nOverall Security Score: ${postureAssessment.overallScore}/100`);
console.log("\nCategory Scores:");
for (const category of postureAssessment.categories) {
console.log(`${category.name}: ${category.score}/100`);
console.log(` Critical Issues: ${category.criticalIssues}`);
console.log(` High Risk Items: ${category.highRiskItems}`);
}
// Misconfiguration detection
const misconfigurations = await mcpClient.zscaler.cspm.detectMisconfigurations({
severity: ['critical', 'high'],
categories: [
'public_access',
'encryption',
'authentication',
'network_exposure'
]
});
console.log(`\nCritical Misconfigurations: ${misconfigurations.critical.length}`);
for (const issue of misconfigurations.critical.slice(0, 5)) {
console.log(`\n${issue.title}`);
console.log(`Resource: ${issue.resourceId}`);
console.log(`Type: ${issue.resourceType}`);
console.log(`Risk: ${issue.riskDescription}`);
console.log(`Fix: ${issue.remediationSteps}`);
}
// Compliance assessment
const complianceCheck = await mcpClient.zscaler.cspm.checkCompliance({
frameworks: ['PCI-DSS', 'HIPAA', 'SOC2', 'ISO27001'],
scope: {
accounts: ['production-aws', 'production-azure'],
regions: 'all'
}
});
for (const framework of complianceCheck.frameworks) {
console.log(`\n${framework.name} Compliance:`);
console.log(` Score: ${framework.complianceScore}%`);
console.log(` Passed Controls: ${framework.passedControls}/${framework.totalControls}`);
console.log(` Critical Failures: ${framework.criticalFailures}`);
// Show top failures
console.log(" Top Failed Controls:");
for (const control of framework.failedControls.slice(0, 3)) {
console.log(` - ${control.id}: ${control.description}`);
console.log(` Affected Resources: ${control.affectedResources}`);
}
}
// Auto-remediation
const remediationPlan = await mcpClient.zscaler.cspm.createRemediationPlan({
issues: misconfigurations.critical.map(i => i.id),
strategy: 'safe_mode', // Test changes before applying
schedule: 'maintenance_window'
});
console.log(`\nRemediation Plan Created:`);
console.log(`Total Fixes: ${remediationPlan.totalFixes}`);
console.log(`Estimated Time: ${remediationPlan.estimatedTime} minutes`);
console.log(`Risk Level: ${remediationPlan.riskLevel}`);
// Execute remediation with approval
if (remediationPlan.requiresApproval) {
const approval = await requestApproval(remediationPlan);
if (approval.approved) {
const execution = await mcpClient.zscaler.cspm.executeRemediation({
planId: remediationPlan.id,
mode: 'gradual', // Fix in batches
rollbackEnabled: true
});
// Monitor progress
const progress = await monitorRemediationProgress(execution.id);
}
}
// Network security analysis
const networkAnalysis = await mcpClient.zscaler.cspm.analyzeNetworkSecurity({
focus: ['internet_exposure', 'segmentation', 'access_control'],
includeDataFlow: true
});
console.log("\nExposed Resources:");
for (const exposure of networkAnalysis.internetExposure) {
console.log(`${exposure.resourceName}:`);
console.log(` Type: ${exposure.resourceType}`);
console.log(` Ports: ${exposure.openPorts.join(', ')}`);
console.log(` Risk: ${exposure.riskLevel}`);
if (exposure.hasPublicIP && exposure.riskLevel === 'high') {
// Create urgent remediation
await createUrgentFix(exposure);
}
}
// IAM risk assessment
const iamRisks = await mcpClient.zscaler.cspm.assessIAMRisks({
checkTypes: [
'excessive_permissions',
'inactive_users',
'missing_mfa',
'access_keys_age',
'cross_account_roles'
]
});
console.log("\nIAM Risk Summary:");
console.log(`Overprivileged Users: ${iamRisks.overprivilegedUsers.length}`);
console.log(`Inactive Accounts: ${iamRisks.inactiveAccounts.length}`);
console.log(`No MFA: ${iamRisks.noMFA.length}`);
console.log(`Old Access Keys: ${iamRisks.oldAccessKeys.length}`);
// Container security scanning
const containerScan = await mcpClient.zscaler.cspm.scanContainers({
registries: ['ecr', 'acr', 'gcr'],
scanType: 'full',
includeRuntime: true
});
console.log("\nContainer Security:");
console.log(`Images Scanned: ${containerScan.totalImages}`);
console.log(`Vulnerable Images: ${containerScan.vulnerableImages}`);
console.log(`Critical CVEs: ${containerScan.criticalCVEs}`);
for (const image of containerScan.highRiskImages) {
console.log(`\nImage: ${image.name}:${image.tag}`);
console.log(` CVEs: ${image.cveCount}`);
console.log(` Critical: ${image.criticalCount}`);
console.log(` Base Image: ${image.baseImage}`);
}
// Cost optimization with security
const costOptimization = await mcpClient.zscaler.cspm.optimizeCosts({
focus: 'security_waste', // Unused resources with security risks
analyzeBy: ['resource_type', 'account', 'region']
});
console.log("\nSecurity-Related Cost Waste:");
console.log(`Monthly Waste: $${costOptimization.monthlyWaste}`);
console.log("\nTop Opportunities:");
for (const opportunity of costOptimization.opportunities) {
console.log(`- ${opportunity.description}`);
console.log(` Savings: $${opportunity.monthlySavings}`);
console.log(` Risk Reduction: ${opportunity.riskReduction}`);
console.log(` Action: ${opportunity.recommendedAction}`);
}
// Continuous compliance monitoring
const complianceMonitor = await mcpClient.zscaler.cspm.enableContinuousCompliance({
frameworks: ['PCI-DSS', 'SOC2'],
alerting: {
channels: ['email', 'slack', 'webhook'],
severity: ['critical', 'high'],
realtime: true
},
autoRemediate: {
enabled: true,
approvalRequired: true,
safeModeOnly: true
}
});
// Generate executive report
const executiveReport = await mcpClient.zscaler.cspm.generateReport({
type: 'executive_summary',
period: {
start: '2025-01-01',
end: '2025-01-31'
},
sections: [
'security_posture_overview',
'compliance_status',
'risk_trends',
'remediation_progress',
'cost_impact',
'recommendations'
],
format: 'pdf',
branding: true
});
// Real-time threat detection
const threatMonitor = await mcpClient.zscaler.cspm.startThreatMonitoring({
detectionTypes: [
'suspicious_api_calls',
'unusual_network_traffic',
'configuration_drift',
'privilege_escalation'
]
});
threatMonitor.on('threat_detected', async (threat) => {
console.log(`THREAT DETECTED: ${threat.type}`);
console.log(`Severity: ${threat.severity}`);
console.log(`Resource: ${threat.affectedResource}`);
console.log(`Details: ${threat.description}`);
if (threat.severity === 'critical') {
// Auto-respond to critical threats
await respondToThreat(threat);
}
});
Common Use Cases
Security Posture Management
- Continuous assessment
- Risk scoring
- Misconfiguration detection
- Vulnerability management
Compliance Automation
- Multi-framework compliance
- Automated evidence collection
- Audit preparation
- Continuous monitoring
Cloud Security
- Multi-cloud visibility
- Resource inventory
- Network security
- Identity management
Cost Optimization
- Security-driven savings
- Resource optimization
- Waste reduction
- Budget management
Security Best Practices
-
API Security:
- Secure API credentials
- Use least privilege
- Monitor API activity
- Regular key rotation
-
Remediation Safety:
- Test before production
- Enable rollback
- Gradual deployment
- Change approval
-
Compliance:
- Regular assessments
- Document changes
- Maintain evidence
- Track exceptions
Troubleshooting
Common Issues
-
Discovery Problems
- Verify cloud credentials
- Check API permissions
- Review network access
- Validate regions
-
Assessment Accuracy
- Update cloud metadata
- Sync resource tags
- Refresh inventory
- Calibrate policies
-
Remediation Failures
- Check permissions
- Verify resource state
- Review dependencies
- Test in sandbox
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Zscaler Support: help.zscaler.com
Copyright © 2025 Cequence Security.