Inside Grammarly’s AI-driven automation with the MCP Server for Wiz

Meet the system that cut manual triage times by 90% and enables engineers to focus on strategic thinking.

From unified security solutions to strategic automation

Since 2009, Grammarly has set the standard for AI assistance, supporting millions of users and thousands of organizations in brainstorming, composing, and enhancing communication that moves work forward. However, as the company transitioned from a consumer-focused platform to an enterprise-grade solution, Grammarly’s security framework needed to evolve.

Building trust with larger organizations meant scaling security strategies to meet stringent enterprise demands while maintaining the developer velocity that gives Grammarly its edge. “Our engineering teams are constantly building new services, which means keeping their systems secure is hard to do manually,” says Giles Douglas, Grammarly’s Chief Information Security Officer. “We needed to understand and analyze the infrastructure and architecture, and we  needed a toolchain that could make this repeatable.”

This vision first led Grammarly to adopt Wiz, which transformed the company’s approach to cloud visibility, vulnerability detection, and secure-by-design workflows. But as operations expanded through acquisitions, heightened security complexity, and the need to automate routine tasks, Grammarly needed an additional layer of expertise.

Looking to scale past conventional processes and focus efforts on innovation, Grammarly leveraged the Model Context Protocol (MCP) Server for Wiz. MCP is an open standard introduced by Anthropic that creates connections between companies’ data sources and AI-powered tools. The Wiz MCP was released as part of Wiz's AI efforts, helping security teams harness large language models (LLMs) to work smarter and more efficiently.

Growing complexity and the case for automation

On its journey from consumer products to a robust B2B offering, Grammarly implemented Wiz to gain unified visibility and actionable intelligence across cloud assets, vulnerabilities, and potential risks. But as the company continued to innovate, even these enhanced workflows required streamlining.

Like many security teams, Grammarly needed to balance increasing data and security challenges while providing its lean security engineering team with agile tools. To address these growing demands, Grammarly initially experimented with building an in-house MCP-powered solutions. While functional, this approach was resource-intensive and didn’t address broader needs.

When Grammarly’s security team evaluated the MCP Server for Wiz, however, it discovered new opportunities to go from reactive to proactive. By integrating MCP servers with LLMs using natural language queries and subsequently with Multi Agent Systems, Grammarly once again redefined its security strategy.

Boosting security efficiency by 90% with Wiz MCP

When adopting Wiz MCP, Grammarly followed a key best practice: Start with a high-impact, easy-to-automate problem. The team first focused on solving one of its core challenges — tier-1 incident triage — which allowed the team to test and optimize workflows without overcomplicating its initial deployment. This incremental and iterative approach became a blueprint for their success.

The team began using tools like Claude Desktop and the Wiz MCP servers with custom prompt templates to automate repeatable standard processes. With these prompts, a typical triage flow begins with a Jira ticket, which automatically retrieves issue details and analyzes the context using Wiz. The next step in their orchestration involved integrating the Wiz MCP into an AI agented workflow via the LangGraph framework, combined with other tools that access the internal knowledge base and communication systems, thereby fully orchestrating and automating the triage process.

When appropriate, the AI workflow proposed additional actions or steps, drastically reducing manual effort to triage security events. This streamlined process cut investigation time from 30-45 minutes to a maximum of four minutes per ticket, an efficiency boost of nearly 90%.

Grammarly then refined its AI workflows by feeding it real-world organizational data and fine-tuning prompts. Over time, the team expanded the system's role beyond incident triage to include threat hunting, detection engineering, and building threat intelligence and knowledge for agents. By tailoring LLMs for specific tasks, Grammarly optimized performance across use cases.

“Building AI workflows is a bit like training a new chef in the kitchen,” says Thijn Bukkems, Threat Hunting Lead at Grammarly. “At first, you might only let them make the pizza dough, while you handle shaping, topping, and baking it yourself. As they get better and you gain confidence in their abilities, you gradually delegate more—maybe next you let them shape the dough too, and you review the results. Over time, as your assistant continues to improve based on your feedback, you can trust them with more steps until eventually they can make the whole pizza on their own.”

Wiz’s natural language querying and contextual awareness also allow AI Workflows to assist in crafting detection logic for new vulnerabilities. Using MCP to map vulnerable paths and validate findings has paved the way for automation in areas traditionally reliant on manual inputs.

Faster incident response, better insights, and reduced engineering toil

By integrating Wiz MCP into its security processes, Grammarly discovered new possibilities for automation and efficiency while enhancing the quality of its investigations. Beyond accelerating incident response workflows, the team uses Wiz MCP to automate repetitive tasks like cross-referencing resources and checking logs, giving engineers richer insights without missing out on key anomalies.

Security engineers now spend less time on routine monitoring, enabling them to focus on exploratory tasks and strategic planning. And as Grammarly scaled its business operations, these systems helped mitigate engineer overwhelm by reducing ticket volume. Instead of manually combing through countless tickets, even newer team members can rely on the AI workflows to provide quick, comprehensive context.

“AI workflows with Wiz MCP connectivity ensure our minimum level of triage is the same high standard our systems maintain consistently,” explains Igor Tarpan, Security Engineer at Grammarly. “It helps new engineers by gathering and synthesizing data in ways that save hours of manual work.”

The key to scaling security operations: progress over perfection

By starting with focused use cases, iterating through real-world data, and embracing automation incrementally, Grammarly has set an example for how to scale security operations without sacrificing flexibility or precision. And this is just the beginning. With plans to expand into advanced threat hunting, offensive security, and knowledge-driven intelligence, Grammarly is staying proactive in its approach to AI-augmented security.

“We are no longer buried in operational toil,” Tarpan explains. “Wiz tools are enablers of strategic thinking, allowing our security engineers to focus on solving tomorrow’s challenges instead of yesterday’s incidents.”

As security threats continue to grow in sophistication, Grammarly has been quick to understand that automation is essential to longevity. Here are the core principles that helped Grammarly unlock a new era of efficiency, innovation, and resilience in cybersecurity: 

  • Start small and iterate: Don't strive for end-to-end automation immediately. Begin with high-impact, easy-to-automate problems and continuously refine your approach using real-world data.

  • Prioritize expertise: Focus on problems where your team has existing subject matter expertise. This allows you to effectively guide the LLMs and ensure the quality of their output.

  • Embrace human-in-the-loop: Begin with human-guided processes and gradually increase automation. The goal is to move from manual effort to human-reviewed stages, where the LLM performs the analysis and a person makes the final decision.

  • Shift from tactical to strategic: By automating routine tasks, you can empower your team to move beyond daily "firefighting" and focus on strategic planning, threat hunting, and building better systems.

“When it comes to automating cybersecurity, don’t let perfection be the enemy of good,” Bukkems says. “You don’t need to automate every piece for it to deliver value. Even a single use case can drive major efficiency gains.” 

Example SOC Prompt on how Grammarly gets the AI workflow system to use the Wiz MCP:

You are a specialized agent for collecting technical context using Wiz Security MCP server.
 
CRITICAL: You MUST use your available Wiz tools to gather technical information. Do not just analyze the provided text - actively search for technical context using these tools.
 
YOUR AVAILABLE WIZ TOOLS:
🔍 wiz_get_issue_data_by_id - Get detailed information about specific Wiz issues
   - Input: Wiz issue IDs (e.g. be21b858-b468-5bc8-de50-c5c9e97c5a92)
   - Use when you have specific issue ID from tickets or alerts
 
🔍 wiz_get_issues - Search for Wiz security issues
   - Input: search queries, severity filters, status filters
   - Examples: search for issues by resource, vulnerability type, or project
 
🔍 wiz_get_projects - Get information about Wiz projects and resources
   - Input: project names, resource identifiers
   - Use to understand resource ownership and configuration
 
🔍 wiz_get_threats - Search for threat and vulnerability information
   - Input: threat names, CVE IDs, vulnerability types
   - Use to assess security posture
 
🔍 wiz_search - General search across Wiz data
   - Input: natural language queries about resources
   - Examples: "AWS account 123456789012 RDS my-service"
 
INVESTIGATION METHODOLOGY:
 
1. **CRAFT SIMPLE, FOCUSED QUERIES**
✅ GOOD: "AWS account 123456789012 RDS my-service"
❌ BAD: "AWS account 123456789012 RDS instance or cluster with identifier or tag containing 'user@domain.com' in us-east-1, include policy, network, configuration, recent changes, users, and provider details"
 
Query Pattern: `<cloud_type> account <account_id> <resource_type> <resource_name>`
 
2. **ALWAYS GET RAW PROVIDER DATA**
For cloud resources (S3, IAM, EC2, RDS, etc.), ALWAYS retrieve complete configuration:
 
```json
{ "limit": 1, "query": "externalid <EXACT_ARN_OR_ID>", "project_id": "*", "output_transformation": { "include_fields": ["providerData"], "exclude_fields": [] } }
```
 
BREAK DOWN COMPLEX REQUESTS When you receive complex requests like: "Collect full technical context and configuration for the RDS instance 'my-service' in AWS account 123456789012"
Execute as separate, focused queries:
- Find the RDS resource: wiz_search("AWS account 123456789012 RDS my-service")
- Get resource configuration: Use the externalId from results with providerData query
- Find connected IAM entities: wiz_search("IAM roles RDS my-service access")
- Check security issues: wiz_get_issues(search="RDS my-service", severity=["CRITICAL","HIGH"])
- Get network configuration: Search for associated security groups and VPCs
EXECUTE WITH REFLECTION For each search:
- Make initial tool call with primary search terms
- REFLECT on results: • Empty results → Try broader search terms or partial matches • Error messages → Simplify query, check syntax • Partial matches → Refine with additional keywords • Too many results → Add filters or use more specific terms
- ADAPT approach: Based on results, adjust next searches
- PERSIST: Make 3-5 attempts per entity using different strategies
- ERROR RECOVERY PATTERNS
   - No results → Try variations: resource name only, account only, then combine
- API errors → Simplify query, try different tool
- Timeout → Break complex queries into smaller parts
- Access denied → Try alternative search methods
 
EXAMPLE INVESTIGATION FLOW:
Task: "Investigate S3 bucket 'prod-data' in AWS account 123456789012 for misconfigurations"
Step 1: Initial resource search
wiz_search("AWS account 123456789012 S3 prod-data")
Step 2: Get detailed configuration (using externalId from Step 1)
json
{
  "query": "externalid arn:aws:s3:::prod-data",
  "limit": 1,
  "output_transformation": {
  "include_fields": ["providerData"]
  }
}
Step 3: Check for security issues
wiz_get_issues(search="S3 prod-data", severity=["CRITICAL","HIGH"], status=["OPEN"])
Step 4: Find IAM entities with access
wiz_search("IAM S3 prod-data access policy")
Step 5: Check for public exposure
wiz_search("S3 prod-data public exposure")
OUTPUT FORMAT: Return structured findings with:
Technical facts discovered through Wiz tools
Resource configurations and permission details
Security findings and vulnerabilities
Missing information despite search attempts
{ "facts": [ "S3 bucket 'prod-data' has public read access enabled", "Bucket policy allows access from 3 external AWS accounts", "No encryption at rest configured", "15 HIGH severity Wiz issues found related to this bucket" ], "references": [ { "fact_index": 0, "source_type": "wiz_tool", "source_id": "wiz_search: AWS account 123456789012 S3 prod-data", "timestamp": "2025-01-XX" } ], "missing_info": [ "Unable to retrieve CloudTrail logs for bucket access", "IAM role trust policies not visible in Wiz data" ] }
CRITICAL REQUIREMENTS:
- You MUST use Wiz tools to gather information - don't just analyze text
- Focus on the specific entities mentioned in the investigation
- Search for configurations, permissions, and security findings
- Look for privilege escalations, misconfigurations, and exposure risks
- Document both findings and gaps in your searches
- Always get providerData for cloud resources to see complete configuration

Learn more about Wiz MCP

Grammarly’s journey with the Wiz MCP Server shows how targeted automation can deliver outsized impact—cutting response times, boosting efficiency, and freeing teams to focus on high-value work. By starting small, iterating, and keeping humans in the loop, they’ve built a scalable approach to security that’s both practical and forward-looking. The MCP Server is currently available for Wiz customers in the integration portal, or the AWS marketplace. Details are accessible through our documentation.

See Wiz MCP in Action

Continue lendo

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades