GREG ANDERSON

February 19, 2026

Claude Code + DefectDojo: The Agentic Security Workflow

TLDR - Some examples of what people are achieving with Claude Code + DefectDojo Pro:

For the last decade, "Shift Left" has been the mantra of AppSec. We built plugins, CI/CD gates, and IDE extensions to bring security closer to developers. But despite these efforts, a major friction point remained: Context Switching.

To fix a vulnerability, a developer typically has to leave their terminal, log into a dashboard (like DefectDojo), search for a finding, read the description, and then tab back to their code to attempt a fix. It disrupts flow and slows down remediation.

By combining Claude Code with DefectDojo's Model Context Protocol (MCP) server, you can finally get the "single pane of glass" you were promised, directly inside your terminal.

Here is how DefectDojo's MCP powers the next generation of agentic security workflows, and what you can achieve with it today.



The "USB-C" for Security Data

At its core, the Model Context Protocol (MCP) is a standardized way for AI models to connect to external data sources. Think of it as a "USB-C port" for AI: instead of building a custom, brittle API integration for every new LLM, you build one MCP server that any MCP-compliant client (like Claude Code or Claude Desktop) can use.

DefectDojo's MCP server exposes your vulnerability data as a set of tools that Claude can call on demand. Rather than generating an answer from memory, Claude asks DefectDojo for the live records and reasons over what the tool actually returned.

What You Can Achieve: The Agentic Workflow

When you connect Claude Code to DefectDojo, you aren't just querying a database; you are hiring an AI security engineer that lives in your terminal. Here are three powerful workflows this unlocks:

1. Context-Aware Remediation (No More Alt-Tab)

Developers often ask, "Is this code safe?" or "What should I fix first?" Previously, answering this required a context switch. With the DefectDojo MCP, a developer working in a repo can simply type:

> Claude, are there any active critical vulnerabilities for this service?

Claude Code will:

  1. Recognize the intent.
  2. Call the get_findings tool on the DefectDojo server.
  3. Filter specifically for status: ["Active"] and severity: ["Critical"].
  4. Return the live data directly in the terminal.

The Achievement: Security data becomes a natural part of the coding conversation, not a separate destination.
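The exchange behind those four steps, written out as an added example (not part of the original post and not DefectDojo's own MCP server code): a Python script builds the JSON-RPC tools/call message an MCP client such as Claude Code sends, applies the status and severity filters over a constructed set of findings, and wraps the hits in the MCP result envelope. The get_findings tool name and its status/severity arguments come from the page; the STATUS_FLAGS mapping, the sample findings and the unknown-tool error path are assumptions made for illustration.

```python
import json

# Constructed sample findings. The field names follow DefectDojo's Finding
# model (severity, active, verified, title); the records themselves are made up.
FINDINGS = [
    {"id": 101, "title": "SQL injection in /api/orders",  "severity": "Critical", "active": True,  "verified": True},
    {"id": 102, "title": "Outdated lodash dependency",    "severity": "High",     "active": True,  "verified": False},
    {"id": 103, "title": "Hardcoded cloud key in config", "severity": "Critical", "active": False, "verified": True},
    {"id": 104, "title": "Unsafe deserialization",        "severity": "Critical", "active": True,  "verified": False},
]

# Assumed mapping from the status names the page uses to Finding flags.
# Several statuses in one request are ANDed, as DefectDojo's own filters do.
STATUS_FLAGS = {"Active": ("active", True), "Inactive": ("active", False),
                "Verified": ("verified", True)}


def matches(finding, arguments):
    """Apply the array-valued status/severity filters carried by a tool call."""
    if "severity" in arguments and finding["severity"] not in arguments["severity"]:
        return False
    for status in arguments.get("status", []):
        field, expected = STATUS_FLAGS[status]
        if finding[field] != expected:
            return False
    return True


def build_tool_call(request_id, name, arguments):
    """The JSON-RPC message an MCP client such as Claude Code sends to invoke a tool."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


def handle_tool_call(request):
    """Server side, stood in for here by an in-process function instead of DefectDojo.
    An unknown tool is a JSON-RPC protocol error; hits go back as MCP text content."""
    params = request["params"]
    if params["name"] != "get_findings":
        return {"jsonrpc": "2.0", "id": request["id"],
                "error": {"code": -32601, "message": f"unknown tool: {params['name']}"}}
    hits = [f for f in FINDINGS if matches(f, params["arguments"])]
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": {"content": [{"type": "text", "text": json.dumps(hits)}],
                       "isError": False}}


def active_critical():
    """The round trip behind 'are there any active critical vulnerabilities?'."""
    request = build_tool_call(1, "get_findings",
                              {"status": ["Active"], "severity": ["Critical"]})
    response = handle_tool_call(request)
    return json.loads(response["result"]["content"][0]["text"])


if __name__ == "__main__":
    for finding in active_critical():
        print(f"#{finding['id']} {finding['severity']}: {finding['title']}")
```

The point to notice is where the filtering happens: the model only chooses the arguments, and the server decides what comes back. Finding 103 is Critical but inactive, so it never enters the model's context, which is exactly the noise reduction you want before an LLM starts proposing fixes.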

2. Intelligent Triage & Deduplication

One of the biggest challenges in AppSec is Alert Fatigue. A single bad commit might trigger 50 alerts across SAST, DAST, and Container scanners.

With the Pro MCP server, DefectDojo's deduplication de-noises this data before it ever reaches the LLM, so the model works from canonical issues rather than the raw alert stream.

  • User: "Claude, summarize the risk profile of the Payments API."
  • Claude: Calls DefectDojo.
  • DefectDojo Pro: Returns a deduplicated list of findings, aggregating results from Snyk, Trivy, and ZAP into single, canonical issues.
  • Result: DefectDojo gives Claude a summary of 5 unique problems, rather than a list of 50 redundant alerts.
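To make the collapse from many alerts to a few issues concrete, here is an added example (not DefectDojo's deduplication code, whose key fields are configured per scanner): constructed alerts from Snyk, Semgrep, Trivy and ZAP are keyed on CWE plus a normalized location, hashed in the spirit of DefectDojo's hash_code, and folded into canonical issues that keep the highest severity seen and list every tool that reported them. The alert records, the choice of key fields and the Semgrep run are all invented for this example.

```python
import hashlib
from collections import OrderedDict

# Constructed alerts from several scanner runs against one service.
# Six alerts describe three real problems; every record is invented.
RAW_ALERTS = [
    {"tool": "Snyk",    "title": "SQL Injection",      "cwe": 89,   "file_path": "app/orders.py", "line": 42, "severity": "Critical"},
    {"tool": "Semgrep", "title": "sqli-tainted-query", "cwe": 89,   "file_path": "app/orders.py", "line": 42, "severity": "High"},
    {"tool": "ZAP",     "title": "SQL Injection",      "cwe": 89,   "endpoint": "https://payments.internal/api/orders", "severity": "High"},
    {"tool": "Trivy",   "title": "lodash: prototype pollution", "cwe": 1321, "component": "lodash", "version": "4.17.15", "severity": "High"},
    {"tool": "Snyk",    "title": "Prototype Pollution",         "cwe": 1321, "component": "lodash", "version": "4.17.15", "severity": "Medium"},
    {"tool": "Trivy",   "title": "lodash: prototype pollution", "cwe": 1321, "component": "lodash", "version": "4.17.15", "severity": "High"},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def location(alert):
    """Normalize the 'where' so different tools can collide on the same key:
    file:line for SAST, package@version for SCA/container, URL for DAST."""
    if "file_path" in alert:
        return f"{alert['file_path']}:{alert['line']}"
    if "component" in alert:
        return f"{alert['component']}@{alert['version']}"
    return alert["endpoint"]


def hash_code(alert):
    """Assumed dedup key (CWE + normalized location), hashed like a DefectDojo
    hash_code; the real field set differs per scanner and is configurable."""
    return hashlib.sha256(f"{alert['cwe']}|{location(alert)}".encode()).hexdigest()


def deduplicate(alerts):
    """Collapse alerts that share a hash_code into one canonical issue, keeping
    the highest severity seen and recording which tools reported it."""
    canonical = OrderedDict()
    for alert in alerts:
        key = hash_code(alert)
        issue = canonical.setdefault(key, {
            "hash_code": key[:12], "cwe": alert["cwe"], "location": location(alert),
            "title": alert["title"], "severity": alert["severity"],
            "sources": [], "alerts": 0})
        issue["alerts"] += 1
        if alert["tool"] not in issue["sources"]:
            issue["sources"].append(alert["tool"])
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[issue["severity"]]:
            issue["severity"] = alert["severity"]
    return list(canonical.values())


def summarize(alerts):
    """What the LLM receives: a short issue list, not the raw alert stream."""
    issues = deduplicate(alerts)
    return {"raw_alerts": len(alerts), "unique_issues": len(issues), "issues": issues}


if __name__ == "__main__":
    s = summarize(RAW_ALERTS)
    print(f"{s['raw_alerts']} alerts -> {s['unique_issues']} unique issues")
    for i in s["issues"]:
        print(f"  [{i['severity']}] CWE-{i['cwe']} at {i['location']} "
              f"via {', '.join(i['sources'])} ({i['alerts']} alerts)")
```

Two details matter for triage quality. First, the SAST and DAST SQL injection alerts stay separate because their locations differ (a source line versus a URL); collapsing them would need an explicit mapping from endpoint to handler, which no scanner provides on its own. Second, the canonical issue takes the highest severity any tool assigned, so a low-confidence scanner cannot silently downgrade a problem another tool rated Critical.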

3. "Breach by Proxy" Prevention (Governance)

Connecting an LLM to your security data is a trust exercise. You don't want an AI agent to act with more access than the person driving it, or to leak sensitive data it found in a vulnerability description. Bear in mind, too, that finding descriptions often contain text captured from the target (HTTP responses, stack traces, user-supplied input), so the agent is partly reading untrusted content; review what it proposes before acting on it.

DefectDojo's Pro MCP implements Governance by Design. It enforces the permissions of the API token it is configured with, so Claude Code can only "see" what that token's owner is allowed to see. If a developer doesn't have access to the "Executive Dashboard" reports, neither does their AI agent. This prevents the "Breach by Proxy" scenario, where an agent acting for a low-privilege user ends up reading data that user could never reach directly. The guarantee only holds if each developer's Claude Code is configured with a token tied to their own account; a shared, high-privilege service token would hand every user the union of its permissions.


Technical Spotlight: The Pro Advantage

The DefectDojo Pro MCP server is designed for enterprise scale and uses a Progressive Data Loading strategy.

Instead of dumping thousands of JSON objects into the context window (which costs money and confuses models), the Pro server uses smart pagination and summary-first data retrieval.

  • Smart Filtering: It supports complex arrays for filtering (e.g., date: ["3 - Past 30 days"]).
  • Efficiency: It allows Claude to ask "How many?" before asking "Show me all," optimizing token usage.
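The two ideas above, token-scoped visibility from the Governance section and count-before-list from this one, combined in one added example (not the Pro MCP server's own code): two invented API tokens resolve to different product scopes, every tool call passes through that scope before touching data, and the client asks count_findings before paging through get_findings, backing off when the total exceeds its budget. The token values, product names, page size, budget and findings are all constructed for this example; the budget counts findings rather than context tokens, as a stand-in for the limit a real client would track.

```python
# Constructed identities: an API token resolves to a user and the products
# (DefectDojo's top-level grouping) that user may read. Both tokens are invented.
TOKENS = {
    "tok-dev-maria": {"user": "maria",  "products": {"payments-api"}},
    "tok-appsec":    {"user": "appsec", "products": {"payments-api", "billing", "executive-reports"}},
}

# Constructed findings spread across three products.
FINDINGS = [
    {"id": 1, "product": "payments-api",      "severity": "Critical", "title": "SQL injection in /api/orders"},
    {"id": 2, "product": "payments-api",      "severity": "High",     "title": "Outdated lodash dependency"},
    {"id": 3, "product": "payments-api",      "severity": "Medium",   "title": "Missing rate limit on /login"},
    {"id": 4, "product": "billing",           "severity": "High",     "title": "IDOR on invoice download"},
    {"id": 5, "product": "billing",           "severity": "Low",      "title": "Verbose error page"},
    {"id": 6, "product": "executive-reports", "severity": "Critical", "title": "Exposed admin panel"},
    {"id": 7, "product": "executive-reports", "severity": "High",     "title": "Weak TLS configuration"},
]


class Forbidden(Exception):
    """Raised when a token is unknown or asks for a product outside its scope."""


def scope(token, product=None):
    """Resolve the caller and return only the findings the token holder may read.
    Every tool goes through here, so the agent never holds a wider view than
    the human whose token it carries."""
    ident = TOKENS.get(token)
    if ident is None:
        raise Forbidden("unknown or revoked token")
    if product is not None and product not in ident["products"]:
        raise Forbidden(f"{ident['user']} may not read product {product}")
    wanted = {product} if product else ident["products"]
    return [f for f in FINDINGS if f["product"] in wanted]


def can_read(token, product):
    """Boolean view of the scope check, handy for tests and for a pre-flight."""
    try:
        scope(token, product)
        return True
    except Forbidden:
        return False


def count_findings(token, product=None):
    """Cheap 'how many?' call: a number, not a payload."""
    return len(scope(token, product))


def get_findings(token, product=None, limit=2, offset=0):
    """Paged 'show me': one slice plus the total so the client can plan."""
    rows = scope(token, product)
    return {"total": len(rows), "limit": limit, "offset": offset,
            "results": rows[offset:offset + limit]}


def progressive_fetch(token, product=None, budget=5, page_size=2):
    """Count first; page through only if the result fits the budget, otherwise
    tell the caller to narrow the filter instead of flooding the context."""
    total = count_findings(token, product)
    if total > budget:
        return {"total": total, "fetched": [], "advice": "narrow the filter before listing"}
    fetched, offset = [], 0
    while offset < total:
        fetched.extend(get_findings(token, product, page_size, offset)["results"])
        offset += page_size
    return {"total": total, "fetched": fetched, "advice": None}


if __name__ == "__main__":
    print("maria sees", count_findings("tok-dev-maria"), "findings; appsec sees", count_findings("tok-appsec"))
    print("maria may read executive-reports?", can_read("tok-dev-maria", "executive-reports"))
    print("appsec, unfiltered:", progressive_fetch("tok-appsec")["advice"])
    print("appsec, billing only:", [f["id"] for f in progressive_fetch("tok-appsec", "billing")["fetched"]])
```

Two design points carry over to a real deployment. The authorization check lives inside every tool rather than in the client or the prompt, so no instruction the model reads (including one smuggled into a finding description) can widen what the token fetches. And the count call is what makes pagination useful: without it the client cannot tell whether "show me all" means three rows or three thousand until the context window is already full.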

Conclusion

The combination of Claude Code and DefectDojo represents the shift from Managing vulnerabilities to Solving them. By bringing high-fidelity, deduplicated, and governed security data directly into the developer's terminal, we are finally removing the friction from DevSecOps.

For more on setting up the MCP server, check out the official news release.