Zscaler CSPM MCP Server
Create a powerful Model Context Protocol (MCP) server for Zscaler Cloud Security Posture Management (CSPM) in minutes with our AI Gateway. This guide walks you through setting up seamless cloud security posture integration with enterprise-grade security and instant OAuth authentication.
About Zscaler CSPM API
Zscaler CSPM provides comprehensive visibility and control over cloud infrastructure security posture. It continuously monitors cloud environments for misconfigurations, compliance violations, and security risks across multiple cloud providers.
Key Capabilities
- Multi-Cloud Support: AWS, Azure, GCP coverage
- Continuous Monitoring: Real-time posture assessment
- Compliance Management: Framework compliance tracking
- Risk Assessment: Automated risk scoring
- Auto-Remediation: Policy-driven fixes
- Configuration Analysis: Misconfiguration detection
- Asset Inventory: Complete cloud visibility
- Threat Detection: Cloud-native threat hunting
API Features
- Assessment API: Security posture evaluation
- Compliance API: Framework compliance
- Remediation API: Automated fixes
- OAuth 2.0: Secure authentication
- Inventory API: Asset management
- Policy API: Custom policies
- Reports API: Compliance reporting
- Integration API: Third-party tools
What You Can Do with Zscaler CSPM MCP Server
The MCP server transforms CSPM API into a natural language interface, enabling AI agents to:
Cloud Asset Discovery
-
Resource Inventory
- "Show all cloud resources"
- "List untagged assets"
- "Find public S3 buckets"
- "Identify orphaned resources"
-
Cross-Cloud Visibility
- "Compare AWS vs Azure assets"
- "Show multi-cloud inventory"
- "Track resource growth"
- "Monitor cloud spend"
-
Asset Classification
- "Classify by data sensitivity"
- "Tag production resources"
- "Identify critical assets"
- "Map resource dependencies"
Security Posture Assessment
-
Misconfiguration Detection
- "Find security group issues"
- "Check encryption status"
- "Identify open databases"
- "Detect weak IAM policies"
-
Risk Scoring
- "Calculate cloud risk score"
- "Show high-risk resources"
- "Track risk trends"
- "Compare account risks"
-
Vulnerability Assessment
- "Scan for vulnerabilities"
- "Check patch status"
- "Find exposed services"
- "Assess attack surface"
Compliance Management
-
Framework Compliance
- "Check PCI DSS compliance"
- "Assess HIPAA requirements"
- "Verify SOC 2 controls"
- "Track GDPR compliance"
-
Policy Violations
- "Show policy violations"
- "Track non-compliant resources"
- "Monitor drift detection"
- "Alert on violations"
-
Audit Preparation
- "Generate audit reports"
- "Collect evidence"
- "Document controls"
- "Track remediation"
Auto-Remediation
-
Automated Fixes
- "Fix security group rules"
- "Enable encryption"
- "Update IAM policies"
- "Configure logging"
-
Remediation Workflows
- "Create fix playbooks"
- "Schedule remediations"
- "Test before applying"
- "Track fix status"
-
Safe Remediation
- "Preview changes"
- "Rollback capability"
- "Change approval"
- "Impact analysis"
Network Security
-
Network Analysis
- "Map network topology"
- "Find exposed endpoints"
- "Check segmentation"
- "Analyze traffic flows"
-
Access Control
- "Review security groups"
- "Check NACLs"
- "Validate firewall rules"
- "Monitor access patterns"
-
Zero Trust Assessment
- "Evaluate zero trust posture"
- "Check microsegmentation"
- "Assess least privilege"
- "Monitor lateral movement"
Identity & Access
-
IAM Analysis
- "Find overprivileged users"
- "Check MFA status"
- "Review role permissions"
- "Detect dormant accounts"
-
Access Reviews
- "Audit access rights"
- "Track privilege usage"
- "Monitor key rotation"
- "Check cross-account roles"
-
Secrets Management
- "Find exposed secrets"
- "Check key rotation"
- "Monitor API keys"
- "Validate certificates"
Cost Optimization
-
Resource Optimization
- "Find unused resources"
- "Identify oversized instances"
- "Track idle resources"
- "Optimize storage"
-
Cost Analysis
- "Show cost by security risk"
- "Track remediation savings"
- "Compare cloud costs"
- "Forecast security spend"
-
Waste Reduction
- "Delete orphaned snapshots"
- "Remove unused IPs"
- "Clean up old images"
- "Optimize reservations"
Container Security
-
Container Scanning
- "Scan container images"
- "Check Kubernetes configs"
- "Review pod security"
- "Monitor registries"
-
Runtime Protection
- "Monitor container behavior"
- "Detect anomalies"
- "Check resource limits"
- "Validate policies"
-
Supply Chain
- "Verify image sources"
- "Check dependencies"
- "Track vulnerabilities"
- "Monitor CI/CD"
Prerequisites
- Access to Cequence AI Gateway
- Zscaler CSPM subscription
- API credentials
- Cloud accounts connected
Step 1: Generate CSPM API Credentials
1.1 Access CSPM Console
- Log in to Zscaler CSPM
- Navigate to Settings > API Management
- Click Create API Key
1.2 Configure API Key
- Enter details:
- Key Name: "AI Gateway CSPM MCP"
- Description: "Cloud security posture integration"
- Role: Select appropriate role
1.3 Set Permissions
Select permissions:
- Read: All resources
- Write: Remediation actions
- Execute: Policy enforcement
- Report: Generate reports
1.4 Save Credentials
- Click Create
- Copy API Key ID
- Copy API Secret
- Note Tenant ID
Step 2-4: Standard Setup
Follow standard steps to access AI Gateway, find Zscaler CSPM API, and create MCP server.
Step 5: Configure API Endpoints
- Base URL:
https://api.cspm.zscaler.com - Select endpoints:
- Assessment endpoints
- Compliance endpoints
- Remediation endpoints
- Inventory endpoints
- Click Next
Step 6: MCP Server Configuration
- Name: "Zscaler CSPM"
- Description: "Cloud security posture management"
- Configure production mode
- Click Next
Step 7: Configure Authentication
- Authentication Type: OAuth 2.0
- Token URL:
https://api.cspm.zscaler.com/auth/token - Grant Type:
client_credentials - Enter API credentials
- Add Tenant ID header
Available Zscaler CSPM API Scopes
Security Assessment
-
Posture Management
- Security assessment
- Risk scoring
- Misconfiguration detection
- Vulnerability scanning
-
Compliance
- Framework assessment
- Policy evaluation
- Audit support
- Evidence collection
Remediation & Policy
-
Auto-Remediation
- Automated fixes
- Remediation workflows
- Change management
- Rollback support
-
Policy Engine
- Custom policies
- Policy assignment
- Enforcement rules
- Exception handling
Inventory & Analytics
-
Asset Management
- Resource inventory
- Asset classification
- Dependency mapping
- Cost tracking
-
Analytics
- Trend analysis
- Risk analytics
- Compliance metrics
- Cost optimization
Recommended Scope Combinations
For Security Teams:
Security Assessment (Read)
Compliance (Read)
Remediation (Read/Write)
Inventory (Read)
Analytics (Read)
For Cloud Architects:
Security Assessment (Read)
Compliance (Read)
Remediation (Read/Write)
Policy Engine (Read/Write)
Inventory (Read/Write)
Analytics (Read)
Step 8-10: Complete Setup
Configure security, choose deployment, and deploy.
Using Your Zscaler CSPM MCP Server
Setup Instructions:
Natural Language Commands
- "Show all public S3 buckets with sensitive data"
- "Check PCI compliance for production environment"
- "Fix all critical security group violations"
- "Generate SOC 2 compliance report"
- "Find cloud resources without encryption"
Common Use Cases
Security Posture Management
- Continuous assessment
- Risk scoring
- Misconfiguration detection
- Vulnerability management
Compliance Automation
- Multi-framework compliance
- Automated evidence collection
- Audit preparation
- Continuous monitoring
Cloud Security
- Multi-cloud visibility
- Resource inventory
- Network security
- Identity management
Cost Optimization
- Security-driven savings
- Resource optimization
- Waste reduction
- Budget management
Security Best Practices
-
API Security:
- Secure API credentials
- Use least privilege
- Monitor API activity
- Regular key rotation
-
Remediation Safety:
- Test before production
- Enable rollback
- Gradual deployment
- Change approval
-
Compliance:
- Regular assessments
- Document changes
- Maintain evidence
- Track exceptions
Troubleshooting
Common Issues
-
Discovery Problems
- Verify cloud credentials
- Check API permissions
- Review network access
- Validate regions
-
Assessment Accuracy
- Update cloud metadata
- Sync resource tags
- Refresh inventory
- Calibrate policies
-
Remediation Failures
- Check permissions
- Verify resource state
- Review dependencies
- Test in sandbox
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Zscaler Support: help.zscaler.com
Copyright © 2026 Cequence Security.