
Zscaler CSPM MCP server

Zscaler Cloud Security Posture Management (CSPM) provides continuous visibility and automated remediation of cloud infrastructure security issues. An MCP server for CSPM allows AI agents to assess cloud posture, detect misconfigurations, manage compliance frameworks, and remediate security risks across AWS, Azure, and GCP without needing direct console access.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

Zscaler CSPM uses OAuth 2.0 with the client credentials flow. The base URL is https://api.cspm.zscaler.com and the token endpoint is https://api.cspm.zscaler.com/auth/token. Generate API credentials from Settings > API Management in the CSPM console, then note your tenant ID. The credentials are used to obtain the OAuth tokens that authenticate API requests.
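The client credentials exchange described above, as an added example that is not Zscaler's or AI Gateway's own code: it builds the token request in the standard RFC 6749 section 4.4 form without sending it, and caches the returned bearer token until shortly before it expires. Assumptions: the endpoint accepts HTTP Basic client authentication and returns the standard `access_token`, `token_type` and `expires_in` fields; the names `build_token_request`, `TokenCache` and `SAMPLE_RESPONSE` are illustrative; and the tenant ID is left out because the page does not say how it is supplied.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.cspm.zscaler.com/auth/token"  # from the page
# Constructed sample response, not captured from the real service.
SAMPLE_RESPONSE = '{"access_token": "example-token", "token_type": "Bearer", "expires_in": 3600}'


def build_token_request(client_id, client_secret, scope=None, url=TOKEN_URL):
    """Build (not send) an RFC 6749 section 4.4 client-credentials request."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("token endpoint must be HTTPS")  # never send the secret in clear
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope  # request only the scopes the agent needs
    # Assumption: the client authenticates with HTTP Basic (RFC 6749 section 2.3.1),
    # which form-encodes the id and the secret before base64-encoding the pair.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    data = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


class TokenCache:
    """Holds one bearer token and reports when a fresh one is needed."""
    def __init__(self, skew=60):
        self.skew = skew  # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def store(self, response_body, now=None):
        data = json.loads(response_body)
        if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
            raise ValueError("unexpected token response")
        now = time.time() if now is None else now
        self._token = data["access_token"]
        self._expires_at = now + int(data.get("expires_in", 0))

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.skew:
            return self._token
        return None  # expired or close to expiry: request a new token
```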

Available tools

The tools enable cloud asset discovery, security posture assessment, compliance management, auto-remediation, and analytics. They help you identify and fix cloud misconfigurations, ensure compliance with frameworks like PCI DSS and HIPAA, and optimize cloud security costs.

| Tool | Description |
|---|---|
| Resource Inventory | List cloud resources, find untagged assets, identify public S3 buckets, find orphaned resources |
| Cross-Cloud Visibility | Compare AWS vs Azure assets, show multi-cloud inventory, track resource growth |
| Misconfiguration Detection | Find security group issues, check encryption status, identify open databases, detect weak IAM policies |
| Risk Scoring | Calculate risk scores, show high-risk resources, track trends, compare accounts |
| Vulnerability Assessment | Scan for vulnerabilities, check patch status, find exposed services, assess attack surface |
| Compliance Frameworks | Check PCI DSS, HIPAA, SOC 2, GDPR compliance across resources |
| Policy Violations | Show violations, track non-compliant resources, detect drift, alert on changes |
| Auto-Remediation | Fix security groups, enable encryption, update IAM policies, configure logging |
| Remediation Workflows | Create playbooks, schedule fixes, test changes, track status |
| Network Analysis | Map topology, find exposed endpoints, check segmentation, analyze traffic |
| IAM Analysis | Find overprivileged users, check MFA status, review permissions, detect dormant accounts |
| Access Reviews | Audit access rights, track privilege usage, monitor key rotation |
| Secrets Management | Find exposed secrets, check key rotation, monitor API keys, validate certificates |
| Cost Optimization | Find unused resources, identify oversized instances, optimize storage |
| Container Scanning | Scan images, check Kubernetes configs, review pod security, monitor registries |

Tips

  • Test remediation in a non-production environment before applying fixes to production to ensure no disruptions.
  • Enable rollback capability for all auto-remediation actions.
  • Maintain approval workflows for critical changes.
  • Track and document all compliance exceptions.
  • Schedule regular compliance assessments to validate ongoing security posture.
  • Use cost optimization insights to reduce cloud spending while improving security posture.