Learn how to connect your enterprise AI tools to compliance scanning. Analyze and secure your cloud infrastructure in natural language via Claude, Cursor, or VS Code.
What if your AI assistant could understand your cloud infrastructure as well as your best DevOps engineer? Not just read your Terraform files, but actually analyze them for security misconfigurations, check compliance against SOC 2 or HIPAA, and suggest battle-tested remediations, all from a simple conversation in your IDE. This is no longer hypothetical. The Model Context Protocol makes it real today.
The explosion of AI-powered development tools has been remarkable. Claude Code, Cursor, GitHub Copilot, and others have transformed how developers write code. But these tools share a critical blind spot: they do not understand your organization's security context. They cannot check whether your S3 bucket configuration meets CIS benchmarks, whether your IAM policies comply with your company's least-privilege requirements, or whether your Kubernetes manifests satisfy PCI-DSS controls.
The Model Context Protocol (MCP) bridges this gap. It is the missing link between AI assistants and specialized security tools, and Complimetric is one of the first platforms to leverage it for Infrastructure-as-Code compliance.
MCP is an open standard created by Anthropic that defines how AI applications communicate with external tools and data sources. Think of it this way: REST APIs standardized how web applications talk to each other. MCP standardizes how AI models talk to specialized tools.
The architecture is straightforward. An MCP client (your AI tool, such as Claude Desktop or Cursor) connects to an MCP server (such as Complimetric) over a secure channel. The server exposes a set of "tools" that the AI can invoke, along with structured descriptions of what each tool does and what parameters it accepts.
MCP Architecture
AI Client MCP Server Backend
(Claude, Cursor) (Complimetric) (Scan Engine)
| | |
|--- tool discovery ------>| |
|<-- available tools ------| |
| | |
|--- scan_infrastructure ->|--- analyze request ---->|
| |<-- scan results --------|
|<-- structured results ---| |
| | |
User sees formatted Security analysis 2000+ rules
compliance report + compliance mapping evaluatedThis differs fundamentally from approaches like ChatGPT plugins or GPT Actions. MCP is a vendor-neutral, open standard. A tool built for Claude works with Cursor, VS Code, and any other MCP-compatible client. There is no lock-in, no proprietary format, and no need to build separate integrations for each AI platform.
MCP connections are also bidirectional and persistent. The server can push updates, maintain context across multiple requests, and enforce security policies at the protocol level. This makes it suitable for enterprise use cases where audit trails and access controls are non-negotiable.
Today, when a developer wants to check whether their Terraform code meets compliance requirements, the workflow typically looks like this:
This feedback loop takes minutes at best, hours in practice. Developers context-switch between tools, lose focus, and often push fixes blindly to "make the pipeline green" without fully understanding the underlying security implications.
With MCP, the workflow collapses to a single step:
Developer: "Is this Terraform configuration compliant with SOC 2?"
Claude (via Complimetric MCP):
Scanned main.tf against SOC 2 controls. Found 3 issues:
1. CRITICAL - S3 bucket 'data-lake' missing encryption at rest
Control: CC6.1 (Logical Access Controls)
Fix: Add server_side_encryption_configuration block with AES256
2. HIGH - CloudTrail not enabled for S3 data events
Control: CC7.2 (System Monitoring)
Fix: Add aws_cloudtrail resource with data_resource for S3
3. MEDIUM - Bucket versioning disabled on 'data-lake'
Control: CC6.7 (Data Protection)
Fix: Add versioning { enabled = true } block
Overall SOC 2 compliance score: 78%
Full report available at: complimetric.com/reports/scan-42a8fThe response arrives in seconds, directly in the developer's IDE. No context switch, no waiting for pipelines, no separate dashboards. The AI understands both the code and the compliance context because Complimetric provides both through MCP.
For organizations where compliance is a business requirement, not just a nice-to-have, this changes the economics fundamentally. A study by the Ponemon Institute found that developers spend an average of 17 hours per week on security-related tasks, much of it on manual checks and remediation cycles. Gartner predicts that by 2027, over 60% of enterprise DevSecOps workflows will incorporate AI-assisted compliance tooling, up from less than 5% in 2024.
Complimetric's MCP server follows a strict read-only philosophy. This is a deliberate architectural decision for enterprise security: the AI can query, analyze, and report, but it cannot modify your repositories, trigger deployments, or change configurations. Your infrastructure remains under your control at all times.
The Complimetric MCP server exposes four primary tools:
scan_infrastructure analyzes Terraform, Kubernetes, or CloudFormation files against your selected compliance framework. You can scan individual files, entire directories, or specific modules.
Prompt: "Scan my main.tf for CIS AWS Foundations Benchmark issues"
→ Complimetric evaluates against 100+ CIS AWS rules
→ Returns issues with severity, CIS control mapping, and remediation codeget_compliance_report generates a structured compliance report for a repository or cloud account. Reports can be scoped to specific frameworks (SOC 2, HIPAA, ISO 27001, PCI-DSS, CIS) and include pass/fail status for each control.
Prompt: "Generate a HIPAA compliance report for our infra-production repo"
→ Complimetric maps all detected issues to HIPAA controls
→ Returns a structured report with compliance score and gap analysissuggest_remediation provides specific, actionable fix suggestions for identified issues. Remediation suggestions include Terraform code patches that can be directly applied.
Prompt: "How do I fix the encryption issue on my RDS instance?"
→ Complimetric returns the exact Terraform block to add
→ Includes explanation of why the fix satisfies the relevant controlsdetect_drift compares your Infrastructure-as-Code definitions against the actual state of your cloud resources. This identifies discrepancies that indicate manual changes, failed deployments, or configuration decay.
Prompt: "Is there any drift between my Terraform and live AWS resources?"
→ Complimetric compares IaC definitions against cloud provider APIs
→ Returns a diff showing exactly what changed and whenEnterprise adoption requires enterprise security. The Complimetric MCP integration implements several layers of protection:
scans:read access cannot trigger new scans. A key with reports:read cannot access raw resource data.A developer is writing Terraform to provision a new EKS cluster in VS Code. Before committing, they ask Claude:
"Scan my eks-cluster.tf for security issues before I push this."
Within seconds, Claude invokes Complimetric's scan_infrastructure tool and returns a list of findings: the cluster's API server endpoint is publicly accessible, pod security policies are not configured, and encryption at rest is not enabled for Kubernetes secrets. Each finding includes the specific Terraform lines to add or modify.
The developer fixes the issues immediately, before the code ever leaves their machine. The CI/CD pipeline passes on first attempt.
A compliance manager is preparing for an upcoming SOC 2 Type II audit. Instead of spending days gathering evidence across multiple tools, they open Claude Desktop and ask:
"Generate a SOC 2 compliance report for our production infrastructure repository. Include trust service criteria coverage and open violations."
Complimetric returns a structured report showing 94% overall compliance, with two open violations in CC6.1 (encryption) and one in CC7.2 (monitoring). The report includes timestamps, resource identifiers, and remediation priority. The compliance manager exports this directly as evidence for the auditor.
After a scan reveals 12 critical issues across a repository, a DevOps engineer uses Cursor with the Complimetric MCP to fix them systematically:
"Fix all the encryption-related issues in our infrastructure repo and show me the changes."
Claude fetches the detailed remediation suggestions from Complimetric, generates the exact Terraform patches, and presents them as a unified diff. The engineer reviews the changes, approves them, and creates a pull request, all within a single session. What would have been half a day of manual work is completed in minutes.
Setting up Complimetric MCP takes less than three minutes. Here is the process:
Sign up at complimetric.com and start a free 14-day trial on the Starter plan, which includes 100 MCP requests per day. Navigate to Settings and generate a new MCP API key with the scopes you need.
Add the Complimetric MCP server to your preferred AI tool. Here is the configuration for Claude Desktop:
{
"mcpServers": {
"complimetric": {
"command": "npx",
"args": ["-y", "@complimetric-ai/mcp-server"],
"env": {
"COMPLIMETRIC_API_KEY": "your-api-key-here"
}
}
}
}For Cursor, add the server in your MCP settings:
{
"mcpServers": {
"complimetric": {
"url": "https://mcp.complimetric.ai/mcp",
"headers": {
"Authorization": "Bearer your-api-key-here"
}
}
}
}Once configured, you can immediately start using natural language prompts to interact with Complimetric through your AI assistant. Here are some prompts to try:
You might wonder how MCP compares to existing integration approaches. Here is a side-by-side comparison:
| Aspect | ChatGPT Plugins / GPT Actions | Custom API Integration | MCP (Model Context Protocol) |
|---|---|---|---|
| Standard | Proprietary (OpenAI) | Varies per tool | Open standard (Anthropic) |
| Client Compatibility | ChatGPT only | Requires custom code | Claude, Cursor, VS Code, any MCP client |
| Bidirectional | No | Depends on implementation | Yes (server can push updates) |
| Context Persistence | Limited | Manual state management | Built-in session management |
| Enterprise Security | Limited scoping | Fully custom | Scoped keys, audit trail, rate limiting |
| Setup Complexity | Medium | High | Low (3-minute configuration) |
The key advantage of MCP is universality. Building one MCP server gives you compatibility with an entire ecosystem of AI tools, now and in the future. As the protocol gains adoption, currently supported by Anthropic, Cursor, Zed, Sourcegraph, and others, the value of MCP integrations compounds.
It is important to be clear about what MCP-powered compliance is and what it is not. The AI does not replace your security team, your compliance processes, or your judgment. It augments them.
Complimetric's MCP integration provides your AI assistant with structured, verified security data from a purpose-built compliance engine evaluating over 2,000 rules across 15+ frameworks. The AI then translates this data into natural language explanations, prioritized action items, and contextual remediation guidance.
The human remains in the loop. The developer decides which fixes to apply. The compliance manager validates the report. The security engineer reviews the architectural implications. What changes is the speed at which they can make informed decisions: from hours of manual investigation to seconds of AI-assisted analysis.
MCP is still in its early adoption phase, but the trajectory is clear. As more enterprise tools implement MCP servers and more AI clients support the protocol, we are moving toward a world where AI assistants can seamlessly orchestrate complex workflows across multiple specialized tools.
For IaC security specifically, this means continuous compliance verification woven into every stage of the development lifecycle, from the first line of Terraform to production monitoring. Not as a separate tool to learn or a dashboard to check, but as a natural part of the conversation between developers and their AI assistants.
The organizations that adopt this workflow early will have a significant advantage: faster audit cycles, fewer compliance gaps, and engineering teams that ship secure infrastructure by default rather than by afterthought.
Complimetric provides an MCP server that connects your AI tools to enterprise-grade IaC security scanning. Scan Terraform, Kubernetes, and CloudFormation configurations for compliance with SOC 2, HIPAA, ISO 27001, PCI-DSS, and CIS benchmarks, directly from Claude, Cursor, or VS Code. Start a free trial with 100 MCP requests/day or create your account to generate an MCP API key.