Claude Desktop
Add your Draxis tenant as a Custom Connector in Claude Desktop and chat with your risk register, KRIs, controls, and AI proposal queue from inside Claude.
What you can do
Once connected, Claude Desktop calls Draxis tools directly. Useful read prompts:
- “What are my top 5 risks by current score?”
- “Show me KRIs that are red right now and which controls feed them.”
- “Summarize the AI proposal queue, what's awaiting review?”
- “Which controls have weak effectiveness and cover the most MITRE techniques?”
If you also grant mcp:write on the consent screen, Claude can push evidence and trigger connector runs:
- “Pull yesterday’s CrowdStrike detection summary from my notes file and submit it to the Drop Zone integration named ‘EDR drops’.”
- “Run the Tenable integration now so the latest scan results land before our 3pm review.”
Write tools are scoped on purpose: they ingest evidence and run connectors, but they don’t directly accept proposals, change risk status, or mutate analyst-owned fields. Those still go through the human-review queues in Draxis.
What you'll need
| Requirement | Details |
|---|---|
| Claude Desktop | Latest version (Custom Connectors require the recent release stream). |
| Draxis account | An active user on at least one Draxis tenant. Read access (analyst role or higher). |
| Draxis URL | Your tenant URL, e.g. https://app.draxis.ai or your private deployment. |
Setup steps (Dynamic registration, recommended)
- Open Claude Desktop → Settings → Connectors → Add custom connector.
- Enter the connector URL: `https://app.draxis.ai/api/mcp` (replace with your deployment if self-hosted).
- Claude Desktop will fetch `/.well-known/oauth-protected-resource` and `/.well-known/oauth-authorization-server` automatically. It then registers itself via Dynamic Client Registration (RFC 7591), so there is no client_id or client_secret to copy.
- Click Connect. Your browser opens a Draxis sign-in page.
- Sign in with your Draxis credentials and complete MFA if required.
- On the consent screen, pick the tenant you want Claude to access. Review the requested scopes: `mcp:read` is sufficient for query-only use; add `mcp:write` if you also want Claude to submit evidence to the AI Drop Zone or trigger integration runs. Click Allow access.
- You're redirected back to Claude Desktop with the integration enabled. Open a new chat and ask Claude about your risks.
The connection is bound to one Draxis tenant per grant. To connect Claude to a different tenant (e.g. as an MSP analyst with access to multiple), repeat the flow and pick the other tenant on the consent screen; Claude Desktop will list both connectors.
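Before signing in, the two discovery documents fetched in the steps above can be checked for consistency. The following is an added example, not Draxis code: the host `draxis.example.com`, the endpoint paths and the sample documents are constructed, the field names are the standard ones from RFC 9728 and RFC 8414, and the rule that every endpoint shares the connector's origin is an assumption that fits the single-host URLs shown on this page.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def check_discovery(connector_url, resource_meta, as_meta, need_scopes):
    """Return a list of problems; an empty list means the documents agree."""
    problems = []
    expected = origin(connector_url)
    if expected[0] != "https":
        problems.append("connector URL is not https")
    if resource_meta.get("resource") != connector_url:
        problems.append("resource does not match connector URL")
    if as_meta.get("issuer") not in (resource_meta.get("authorization_servers") or []):
        problems.append("issuer not listed in authorization_servers")
    # registration_endpoint is what makes Dynamic Client Registration possible.
    for key in ("issuer", "authorization_endpoint", "token_endpoint",
                "registration_endpoint"):
        value = as_meta.get(key)
        if not value:
            problems.append(f"{key} missing")
        elif origin(value) != expected:  # assumption: same origin as connector
            problems.append(f"{key} is off-origin or not https: {value}")
    missing = set(need_scopes) - set(as_meta.get("scopes_supported") or [])
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed documents for a hypothetical self-hosted deployment.
URL = "https://draxis.example.com/api/mcp"
RESOURCE = {"resource": URL,
            "authorization_servers": ["https://draxis.example.com"]}
AS = {"issuer": "https://draxis.example.com",
      "authorization_endpoint": "https://draxis.example.com/oauth/authorize",
      "token_endpoint": "https://draxis.example.com/oauth/token",
      "registration_endpoint": "https://draxis.example.com/oauth/register",
      "scopes_supported": ["mcp:read", "mcp:write"]}

if __name__ == "__main__":
    print(check_discovery(URL, RESOURCE, AS, ["mcp:read", "mcp:write"]))
```

For a deployment that hosts its authorization server on a separate origin, replace the same-origin rule with an explicit allow-list of expected issuers.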
Setup steps (Static credentials, advanced)
If your Draxis admin has issued static OAuth credentials (for example, an MSP rolling out a shared connector to many tenants), use these instead of DCR:
- In Claude Desktop, choose Add custom connector → Advanced.
- Enter the connector URL `https://app.draxis.ai/api/mcp` and paste the Client ID and Client secret your admin provided.
- Click Connect, sign in, choose your tenant, and authorize as above.
Available tools
Nine read tools (the default mcp:read scope) and two write tools (require mcp:write):
| Tool | Scope | What it does |
|---|---|---|
| list_kris | mcp:read | All Key Risk Indicators with current value, status, trend, thresholds. |
| get_kri | mcp:read | Single KRI plus the controls that feed it. |
| list_controls | mcp:read | All controls with framework, category, current effectiveness, owner. |
| list_risks | mcp:read | Custom risks plus tenant-edited catalog risk overrides. |
| list_outcomes | mcp:read | Outcome scenarios (the loss endpoints risks roll up into). |
| list_vendors | mcp:read | Third-party vendor portfolio with criticality tier and composite risk score. |
| get_asset_inventory | mcp:read | Active assets, applications, and employees. |
| list_simulations | mcp:read | Recent CRSE Monte Carlo runs with P10/P50/P90 loss totals. |
| list_integrations | mcp:read | All KRI sources with vendor, schedule, last-run health. Use this to find the integration id for the two write tools. |
| submit_dropzone_artifact | mcp:write | Push text evidence (a vendor export, a CSV, a chat transcript, an incident note) into an AI Drop Zone integration. The extractor pipeline mines it for KRI signals; high-confidence ones auto-accept, the rest queue for human review. |
| run_integration | mcp:write | Trigger a manual run of any integration. For a Drop Zone, this materializes accepted extractions into KRIs immediately; for a vendor API connector (CrowdStrike, Okta, Tenable, etc.), it forces an immediate pull instead of waiting for the next scheduled tick. |
Write tools intentionally stop at ingestion. Tools that would directly mutate risks, controls, or analyst-owned fields (accept/reject AI proposals, create custom risks, post KRI values out of band) are deferred so they can route through the AI proposal pipelines that capture human-review signal for model training.
Managing connections
Open Settings → Connected Apps in your Draxis tenant to see every active OAuth grant for your account. Each row shows the client name (Claude Desktop), the bound tenant, last-used timestamp, and a Revoke button. Revoking takes effect within 15 minutes (the access token expires on its normal cycle; the refresh token is killed immediately).
Security notes
- Tenant binding is one-way. A token issued for tenant acme cannot read tenant contoso, even if you have access to both. Each connection is one tenant.
- MFA carries through. If your Draxis tenant requires MFA, the consent flow runs through the standard MFA challenge before issuing the OAuth code.
- Refresh tokens last 30 days. Claude Desktop rotates them automatically; if you don’t use the connector for 30 days, you’ll be asked to reauthorize.
- Auditing. Every tool call is logged to your tenant’s audit log as `MCP_TOOL_CALLED`, with the OAuth client_id in the metadata so you can distinguish Claude Desktop traffic from PAT-based scripts.
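One way to review that audit trail, as an added example that is not Draxis code: it counts `MCP_TOOL_CALLED` events per OAuth client_id and flags calls to the two mcp:write tools from any client outside an approved list, which matters because dynamic registration lets new client_ids appear. The JSON-lines export shape, the field names (`event`, `actor`, `metadata.client_id`, `metadata.tool`) and the client ids are assumptions; only the event name and the tool names come from this page.

```python
import json
from collections import defaultdict

# Write tools per the table on this page; every other tool is mcp:read.
WRITE_TOOLS = {"submit_dropzone_artifact", "run_integration"}

# Constructed sample export, one JSON object per line. The field layout is an
# assumption for illustration; adapt the keys to your tenant's real export.
SAMPLE_LOG = """\
{"ts": "2025-01-10T08:59:40Z", "event": "USER_LOGIN", "actor": "ana@example.com", "metadata": {}}
{"ts": "2025-01-10T09:00:01Z", "event": "MCP_TOOL_CALLED", "actor": "ana@example.com", "metadata": {"client_id": "client-claude-desktop", "tool": "list_risks"}}
{"ts": "2025-01-10T09:02:13Z", "event": "MCP_TOOL_CALLED", "actor": "ana@example.com", "metadata": {"client_id": "client-claude-desktop", "tool": "run_integration"}}
{"ts": "2025-01-10T23:41:07Z", "event": "MCP_TOOL_CALLED", "actor": "raj@example.com", "metadata": {"client_id": "client-unknown-dcr", "tool": "submit_dropzone_artifact"}}
{"ts": "2025-01-10T23:45:30Z", "event": "MCP_TOOL_CALLED", "actor": "raj@example.com", "metadata": {"tool": "list_kris"}}
"""

def triage(log_text, approved_write_clients):
    """Return (calls per client_id per tool, flagged records as tuples)."""
    per_client = defaultdict(lambda: defaultdict(int))
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            flagged.append((lineno, "unparseable", None, None))
            continue
        if rec.get("event") != "MCP_TOOL_CALLED":
            continue
        meta = rec.get("metadata") or {}
        client, tool = meta.get("client_id"), meta.get("tool")
        if not client:  # cannot attribute the call to any OAuth client
            flagged.append((lineno, "missing client_id", None, tool))
            continue
        per_client[client][tool] += 1
        if tool in WRITE_TOOLS and client not in approved_write_clients:
            flagged.append((lineno, "unapproved write", client, tool))
    return {c: dict(t) for c, t in per_client.items()}, flagged

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG, {"client-claude-desktop"})
    print(counts)
    print(flagged)
```

The approved list can be built from the client_id values shown under Settings → Connected Apps.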
Troubleshooting
- “Connection failed” in Claude Desktop. Verify the connector URL ends in `/api/mcp`, not `/api`. Check that your Draxis deployment is reachable from your network.
- “Invalid token” when Claude calls a tool. The OAuth refresh likely expired. In Claude Desktop → Connectors, click Reconnect on the Draxis row.
- “You do not have access to that tenant” on the consent screen. Your account exists in your home tenant but is missing or disabled in the tenant you tried to pick. Ask your tenant admin to grant access first.
- Claude says it can't see a specific risk / KRI. Make sure you picked the right tenant on the consent screen. Each Claude Desktop connector is bound to one tenant.
- Still stuck? Open a support ticket with the OAuth client_id from Connected Apps and we’ll dig in.
Other LLM clients
Draxis exposes the same MCP server to any client that supports MCP-over-Streamable-HTTP. See setup pages for: Claude Code, ChatGPT Connectors, Cursor, VSCode + Copilot.