Cloud Sentry

Why Vanta Isn't Enough: The Gap Between Evidence and Controls

Compliance automation platforms collect evidence brilliantly. They don't build or maintain the controls that evidence is for. If you're counting on Vanta or Drata to do the whole job, you're about to find the gap the hard way.

The sales pitch for Vanta, Drata, and Secureframe is seductive: SOC 2 in weeks, automated evidence collection, real-time control monitoring, a compliance dashboard your auditor will love.

All of that is true. What's also true is what the pitch doesn't say: the platform is the scoreboard. Someone still has to play the game.

We work alongside compliance platforms on nearly every engagement. We like them. But we've watched enough companies treat the platform as a replacement for a security program that the pattern is hard to ignore.

What Compliance Platforms Actually Do

Vanta, Drata, and Secureframe are built for three specific jobs, and they do all three well:

  • Automated evidence collection from SaaS integrations (Microsoft 365, AWS, GitHub, 1Password, about a hundred others)
  • Control framework mapping (SOC 2, ISO 27001, HIPAA, NIST, etc.) so your evidence lines up to auditor-expected control objectives
  • Continuous monitoring alerts when a previously-passing control starts failing: a user without MFA, an unencrypted laptop, a public S3 bucket

This is real value. Before these platforms existed, security teams kept binders of screenshots and CSV exports updated by hand. Automated evidence made the whole industry faster and cleaner.

What They Don't Do

Here's the part that doesn't make it into the demo:

  • Write policies: platforms provide templates, but someone still has to tailor them to your business, get them approved, and keep them current
  • Enforce access reviews: the platform can flag that a review is due, but someone still has to actually review who has access to what and revoke it
  • Remediate findings: when a control fails (and they will), someone has to investigate, fix the underlying cause, and document the remediation
  • Run incident response: the platform will tell you a laptop was reported stolen; it won't wipe it, investigate what was on it, or notify your customers if PHI was exposed
  • Train your workforce: required for nearly every framework, not provided by the platform
  • Answer security questionnaires: the platform's control report might contain the answers, but a human still has to translate them into the buyer's specific format
  • Manage subprocessors and vendor risk: someone has to review vendors, track their SOC 2 reports, and raise concerns

Every one of these is a normal part of a running security program. None of them is something the platform does for you.

Three Places Buyers Get Burned

1. The platform went green, the auditor still failed them

This is the classic. The dashboard shows all green. The audit starts. The auditor finds the access review process has not been executed in six months because the platform flagged it but no human acted. Audit delayed, remediation required, client relationship bruised.
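Here is what that gap looks like in code. This is an added illustration, not logic from Vanta, Drata or Secureframe, and the evidence records, user names and dates in it are constructed to resemble what an identity-provider or cloud integration exports. The MFA and public-bucket checks from the monitoring list above are pure state checks an integration can decide on its own; the access-review control only passes on a recorded human act (a completed review, inside the window, with a decision for every current account). The naive variant, which counts any review record as a pass, is the green-dashboard case from point 1.

```python
"""Evidence-vs-control check over constructed compliance evidence.

Added example for this article; it is not code from Vanta, Drata or
Secureframe, and the record shapes below are invented to resemble what
an identity-provider or cloud integration exports.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 3, 10)  # constructed evaluation date


@dataclass
class Finding:
    control: str
    subject: str
    detail: str


# Constructed sample evidence (names and dates are made up).
USERS = [
    {"user": "alice", "mfa": True},
    {"user": "bob", "mfa": True},
    {"user": "carol", "mfa": False},
]
BUCKETS = [
    {"name": "prod-backups", "public": False},
    {"name": "marketing-assets", "public": True},
]
# Two access-review records: a task the platform opened, and the last
# review a human actually completed, with a decision per account.
ACCESS_REVIEWS = [
    {"status": "scheduled", "due": date(2024, 3, 1)},
    {"status": "completed", "completed_on": date(2023, 8, 15),
     "reviewer": "cto", "decisions": {"alice": "keep", "bob": "keep"}},
]


def check_mfa(users):
    """State check: the integration can answer this without a human."""
    return [Finding("mfa-enforced", u["user"], "MFA not enabled")
            for u in users if not u["mfa"]]


def check_public_storage(buckets):
    """State check: bucket exposure, again fully automatable."""
    return [Finding("public-storage", b["name"], "bucket is publicly readable")
            for b in buckets if b["public"]]


def check_access_review_naive(reviews):
    """The green-dashboard trap: any review record at all counts as a pass."""
    return [] if reviews else [Finding("access-review", "quarterly", "no review record")]


def check_access_review(reviews, users, today, window_days=90):
    """Pass only on an executed review: completed, inside the window, and
    with a recorded decision for every account that exists today."""
    completed = [r for r in reviews if r["status"] == "completed"]
    if not completed:
        return [Finding("access-review", "quarterly", "no completed review on record")]
    latest = max(completed, key=lambda r: r["completed_on"])
    findings = []
    age = (today - latest["completed_on"]).days
    if age > window_days:
        findings.append(Finding("access-review", "quarterly",
                                f"last executed review is {age} days old"))
    missing = sorted({u["user"] for u in users} - set(latest["decisions"]))
    if missing:
        findings.append(Finding("access-review", "quarterly",
                                "no decision recorded for: " + ", ".join(missing)))
    return findings


def dashboard(findings, controls=("mfa-enforced", "public-storage", "access-review")):
    """Roll findings up to a per-control status. This is all a platform does
    with them: report. Nothing here revokes access or fixes a bucket."""
    status = {c: "green" for c in controls}
    for f in findings:
        status[f.control] = "red"
    return status


if __name__ == "__main__":
    findings = (check_mfa(USERS) + check_public_storage(BUCKETS)
                + check_access_review(ACCESS_REVIEWS, USERS, TODAY))
    for f in findings:
        print(f"{f.control:15} {f.subject:18} {f.detail}")
    print("naive access-review status:",
          dashboard(check_access_review_naive(ACCESS_REVIEWS), ("access-review",)))
    print("strict status:", dashboard(findings))
```

Run stand-alone, the naive evaluator reports the access-review control green because a scheduled task exists, while the strict one turns it red on two counts: the last executed review is months outside the window, and a current account has no recorded decision. The difference between those two evaluators is the difference between evidence that a review was due and evidence that someone did it, which is what the auditor is checking.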

2. They hired a consultant to implement Vanta and got nothing else

Vanta-implementation consulting is a real thing. It's useful for the first 30 days. After that, the ongoing program work (policies, reviews, remediation, training, IR, vendor risk) still needs a home. Companies discover this when they renew the platform but have no one running the underlying program.

3. They assumed the platform would answer security questionnaires

Enterprise buyers do not accept a Vanta export as an answer to their 200-question questionnaire. They want specific answers in their specific format, often with supporting artifacts. The platform has the raw material. Translating it into questionnaire answers is real work, done by a human who knows your environment.

Where Cloud Sentry Fits

We run the program. The compliance platform is one of our tools, not the whole toolkit. When we take over a security program, we typically keep the existing platform (Vanta, Drata, Secureframe, all fine) and add the human-driven parts: policies written for your business, access reviews actually executed, findings remediated with root-cause analysis, incidents worked end-to-end, questionnaires answered in days instead of weeks.

If you're shopping compliance platforms, buy the platform. If you also want the program running behind it, that's a different conversation.
