Authored by: Victoria Mosby
Posted on: March 16, 2026

Bring Your Own AI

Co-Authored by Victoria Mosby & Jerry Bruns

Your board meeting is in two hours. The CISO needs a portfolio risk summary. You know the data is in PlexTrac. Getting it into something presentable? That is going to take the rest of your morning: export from each client, pivot in Excel, build the charts, copy into slides, hope the numbers are still current by the time you present.

What if you could just ask? “Show me a risk heatmap across all my clients.”

And in seconds, you are looking at an interactive, branded, client-ready dashboard built from your live findings data. Every client. Every severity. Color-coded, sortable, drillable. No exports. No pivot tables. No PowerPoint.

That is PlexTrac MCP.

An Open Standard, Not Another Walled Garden

Model Context Protocol (MCP) is an open standard that gives AI models a direct line into external platforms. Instead of copying data out of PlexTrac and pasting it into a prompt, MCP lets the AI reach in and work with your live findings, assets, risk scores, and remediation timelines in real time.

This matters because of what it is not. Most AI integrations in security tooling are closed systems: one chat interface, embedded in one platform, locked to one model. If the vendor’s AI is not good enough, or the interface does not fit your workflow, you are stuck.

PlexTrac MCP works differently. Your data stays in PlexTrac. Your AI lives wherever you want it: Claude, ChatGPT, Microsoft Copilot, Cursor, or any other MCP-compatible environment. MCP is an open protocol backed by Anthropic and adopted by OpenAI, Google, and Microsoft. If your team switches models tomorrow, your PlexTrac integration comes with you. No migration, no reconfiguration, no vendor lock-in.

And critically: the MCP server is strictly read-only. It cannot create, modify, or delete anything in PlexTrac. There is no write path. This is enforced at the protocol level, not by policy.
Every tool is annotated as read-only. Your data is queried, never touched. For security teams evaluating AI integrations, that distinction matters.

PlexTrac is a recognized leader in the 2025 Gartner Magic Quadrant for Exposure Assessment Platforms. Other vendors have shipped MCP integrations. We are the first to ship one with built-in, presentation-ready dashboard generation, turning your live security data into client-facing visuals from a single prompt. Access is table stakes. What you can do with that access is what matters.

PlexTrac MCP allows you to connect your favorite popular LLMs like Claude, ChatGPT, Copilot, Cursor, and Gemini to your PlexTrac instance, allowing you to pull read-only information from those instances. This will be based off the authorization you have access to, so what profiles you have access to will also determine what you’re able to pull into MCP. With this, we’ll have a number of tools available that you’ll be able to leverage to pull different information from PlexTrac to include profile list, information about the different reports and findings, as well as analytical information. This allows you to essentially use your favorite LLM to query PlexTrac’s data pool and then utilize that raw data to contextualize it into different views and outputs to make your life easier.

Those outputs could be things like I have here where I’m asking it, hey, what are all the critical report findings associated with my accounting department? Turn that into an executive dashboard that breaks down that information into highlightable areas. What I get back from Claude in this instance is a breakdown of the open criticals, the timing of when those were open, the various categories of what they pertain to, and I also asked it to consolidate recommended remediation actions across those.
This makes for a great executive summary view that we can then clip from Claude and paste directly into our reports within PlexTrac or utilize in some other form or fashion to create other extensible outputs.

Other things that we can do with that is I can ask it to dig into a specific vulnerability. So let’s see. We will ask it to look at this CVE. Let’s see. Dive deeper into the CVE, provide detailed remediation recommendations and timelines. Also, provide any general resource requirements that there might be. So we can see it is now building out more of that dashboard look specific to the CVE I’ve asked about. It shows us how many instances of it exist across our various reports, which assets are specifically affected by it, as well as breaking down who might have ownership of corrective actions in those previously mentioned reports. And it is going through and building us our remediation plan.

Now, obviously, this information can be copied into our PlexTrac instance, especially for the specific finding, or we might even utilize it in our priorities section where we create a priority specifically around this one CVE instance, especially if it was very prominent, and be able to list out the steps we expect everyone to take. And as we can see there, there was also a help a generator remediation report. So I can click on that, and it’s going to go through that.

One other nice thing about the MCP is once the connector is in place, we will be providing some pre-built prompts that you can utilize to get the most out of the data that it will have access to. So this will allow you to say, hey, create a dashboard for me for SOC, maybe list the top ten vulnerabilities via the dashboard, create remediation. So this one’s create remediation progress dashboard showing closure, and it will ask you ahead of time, hey, which clients do you want to utilize this for? That way you’re not trying to pull everything at once.
So this is just to show you some examples of what you can do with the MCP. Again, it is going to be a read-only from the PlexTrac platform, so we will be able to provide all the raw data that you have in your platform to your favorite LLM, and then you can utilize it to provide contextualized prompting for dashboarding analytics, assisting with narrative writing for remediation recommendations, narratives, etcetera.

The Time Compression

Here is what changes in practice. These are real workflows that teams using PlexTrac run every week.

Board meeting prep. Today: export data, open Excel, build pivot tables, copy into slides. Thirty to sixty minutes if you are fast. With MCP: “Generate an executive summary for Acme Corp.” Thirty seconds. A one-page, CISO-ready risk summary built from your live findings data.

Cross-client portfolio view. Today: log into PlexTrac, navigate to each client, mentally aggregate, maybe export to a spreadsheet. Hours. With MCP: “Show me a risk heatmap across all clients.” One sentence. One interactive dashboard. Every client, every severity, color-coded by concentration.

Compliance audit prep. Today: manually search for OWASP, PCI, and NIST-tagged findings, cross-reference across clients, build a report. Hours of analyst time. With MCP: “Show me our OWASP Top 10 compliance posture.” An interactive dashboard with framework coverage gauges, severity breakdowns, and a filterable detail table. Instantly.

Stale scanner findings. Today: no easy way to find CTEM instances that scanners stopped reporting on. With MCP: “Show me stale Qualys findings from the last 30 days.” A scanner gap analysis with risk callouts, delivered in seconds.

Retest queue. Today: click through each client, filter by status, compile a list. With MCP: “Which findings are in retest right now?” A cross-client consolidated view, sorted by priority.

The pattern is the same every time.
A question that used to take minutes or hours now takes seconds, and the answer comes back as something you can present, not something you have to format.

Presentation-Ready Dashboards from a Single Prompt

The headline capability is dashboard generation. Not charts you have to tweak. Not data you need to style. Fully interactive, white-label-ready visualizations with tooltips, click-to-filter, and drill-down, built from your live PlexTrac data every time you ask.

Here is what that looks like. It is Tuesday morning. Your team closed out a round of retests over the weekend, and you have a client status call at 10am. You open your AI tool and type: “Build me a remediation progress dashboard for Acme Corp.” The AI pulls Acme’s current findings from PlexTrac, and a few seconds later you are looking at a dark-mode executive dashboard showing closure rates by severity, a heatmap of monthly remediation activity, progress bars for each severity tier, and a stale findings table flagging anything open longer than 90 days. The retest closures from Saturday are already reflected. You share your screen on the call and walk the client through it live.

That same workflow applies across the full range of questions your stakeholders ask. Need a severity breakdown before a board presentation? Ask for a severity dashboard: donut charts, status heatmaps, interactive triage tables. Want to show compliance coverage across frameworks? Ask for a compliance posture view: OWASP, PCI, CMMC, and NIST gauges with severity breakdowns per framework. Preparing for a portfolio review? Ask for a portfolio executive dashboard: KPI cards, per-client severity comparisons, and a risk heatmap across your entire tenant.

The built-in visualization catalog covers severity distributions, CVSS breakdowns, asset risk exposure, findings age analysis, project closeout scorecards, CTEM vs. report findings comparisons, affected asset views, and more.
Every one of them is designed to be client-facing out of the box.

Because the dashboards are generated from live data at the moment you ask, they are never out of date. There is no “let me refresh this export” step. The data is current because the AI is pulling it fresh every time.

White-Label Everything

For MSSPs and consulting firms delivering PlexTrac-powered output under their own brand, every visual the MCP server generates is white-labelable. Branding text, color palettes, typography, severity color schemes: all of it is driven by server-side templates that can be customized per firm or per client.

Replace “Powered by PlexTrac” with your firm’s name. Swap the dark-mode SOC aesthetic for your brand palette. Drop in your fonts. Every dashboard, chart, and visualization the AI generates from that point forward carries your brand, not ours.

This is not post-processing. You are not screenshotting a PlexTrac dashboard and pasting a logo on top. The branding is baked into the rendering layer. Whether you are generating a severity dashboard for one client or a portfolio heatmap for your entire book of business, the output is yours to present as your own.

Built for Every Role on the Team

The MCP server is not just for the person who knows PlexTrac best. It is designed so that anyone with access can ask a question and get a production-quality answer.

CISOs and security leadership get board-ready output without asking their team to spend a day building it. Portfolio dashboards, executive summaries, risk heatmaps across all clients: the kind of views that usually require a dedicated analyst and a spreadsheet exercise, delivered in seconds from a single prompt.

Pentest leads and report authors get faster deliverables without sacrificing quality. Executive summaries generated from live engagement data. Finding descriptions rewritten for engineering teams. Severity dashboards and project closeout scorecards ready to drop into client deliverables.
SOC analysts and vulnerability managers get instant visibility into their own workload. Cross-client views of assigned findings sorted by priority. Consolidated retest queues. Stale scanner instance reports. Findings age histograms that highlight the oldest open criticals. The questions that used to mean clicking through each client one at a time now take one sentence.

Compliance and GRC teams get audit-ready output on demand. Framework coverage dashboards for OWASP, PCI, CMMC, and NIST showing open/closed ratios, severity heatmaps by compliance category, and filterable detail tables. The kind of evidence that used to take hours to compile, generated instantly from live tagged findings.

MSSPs and consulting firms get the portfolio view they have always wanted. Full-tenant analytics in one command, per-client severity comparisons, white-labeled dashboards they can present to clients as their own. For multi-client operations, this changes the economics of every status call and quarterly review.

Conversational Access to Everything in Your Tenant

Dashboards are the most visible capability, but the foundation underneath is just as important: direct, natural language access to everything in your PlexTrac tenant. Clients, reports, findings, assets, tags, users, CTEM instances, all queryable without exports, without API scripting, without switching tools.

Need to check which findings are assigned to a specific analyst across all clients? Ask. Want to see every open OWASP-tagged finding sorted by severity? Ask. Curious whether Qualys instances have gone stale in the last two weeks? Ask. The AI queries PlexTrac directly and returns structured results.

This works across both of PlexTrac’s core data systems. Report Findings and CTEM Finding Instances are both fully accessible, and the MCP handles the routing between them automatically. Whether you are looking at a single engagement or querying across your entire portfolio, the data is there the moment you need it.
For teams that have historically relied on exports and spreadsheets to answer ad hoc questions about their security posture, this changes the speed of every conversation. The question and the answer now live in the same workflow.

Exposure Management at the Speed of a Question

For organizations running a Continuous Threat Exposure Management (CTEM) program, the challenge is visibility at scale. You are ingesting vulnerability data from multiple scanners, consolidating manual and automated results, deduplicating across sources, and trying to maintain a coherent view of your attack surface. The bottleneck is not collecting the data. It is understanding what the data is telling you fast enough to act on it.

PlexTrac already centralizes that data and provides the contextual risk scoring to help teams prioritize. MCP makes the entire dataset conversational and visual.

Your security leadership wants to know which business units carry the highest concentration of unresolved critical findings from the last 90 days. With MCP, that is a single prompt. The AI queries your live PlexTrac data, filters by severity and time range, cross-references remediation status, and returns both the answer and an interactive dashboard you can present on the spot.

Scale that to the questions your team fields every week. Is our remediation rate improving quarter over quarter? Which vulnerability categories keep resurfacing after validation cycles? Are scanner-sourced findings being closed at the same rate as findings from manual assessments? Which instances have not been re-observed in two weeks? Every one of these used to mean analyst time and spreadsheet work. Now they end with a visual you can hand directly to leadership.

For teams operating across the full CTEM lifecycle, this is the difference between reporting on exposure after the fact and managing it in something much closer to real time.

Get Started

The PlexTrac MCP server is available now.
If you’re already a PlexTrac customer, MCP is available at no additional cost. Contact your account manager to connect PlexTrac to your preferred AI environment and start querying your exposure data in minutes.

If you are evaluating PlexTrac, this is the right time to see what the platform looks like when your AI tools have direct access to your security data. Request a demo and we will show you what your findings look like when your AI can reach them.

We are also releasing a series of hands-on workflow guides covering specific use cases, from portfolio dashboards to exposure trend analysis, so your team can get value from day one.

Your findings already tell a story. Now your AI can show it.

Victoria Mosby
Sr. Sales Engineer

Victoria Mosby is a cybersecurity nerd who has worn many hats—ranging from GRC and consulting to mobile security and pentesting. She has a soft spot for storytelling, whether she’s breaking down pentest workflows, demystifying compliance risks, or helping teams build stronger security strategies. By day, she’s a Senior Sales & Solutions Engineer at PlexTrac, helping security teams ditch spreadsheets and outdated workflows to work smarter, not harder. By night, she’s probably crocheting spooky plushies, playing D&D, or singing karaoke. She believes cybersecurity should be human, helpful, and just a little bit fun.