How Do I Create a PDF Evidence Pack for SOC 2 Automatically After Running Test Steps?

Configure your evidence collection tool to automatically: 1) Capture screenshots during test execution, 2) Generate AI-powered descriptions for each step, 3) Map evidence to SOC 2 controls, 4) Format the result into an auditor-ready PDF with table of contents, timestamps, and metadata. Most tools can schedule this quarterly.

July 18, 2025 · 10 min read
Tags: PDF Export, Evidence Pack, Automation, SOC 2, Documentation


What is a PDF Evidence Pack?

Definition

A PDF evidence pack is a self-contained document that includes all evidence for a specific SOC 2 control test:

Required components:

  1. Cover page - Control ID, test date, result
  2. Executive summary - Test objective and outcome
  3. Test methodology - Steps performed
  4. Screenshots - Visual evidence with timestamps
  5. Descriptions - Explanation of what each screenshot shows
  6. Audit logs - System logs corroborating the test
  7. Metadata - Tester info, environment, timestamps
  8. Appendix - Raw data, certifications

Why Auditors Require PDFs

Auditors prefer PDF format because:

  • ✅ Self-contained - All evidence in one file
  • ✅ Immutable - Can't be edited after generation
  • ✅ Portable - Easy to share and archive
  • ✅ Professional - Consistent formatting
  • ✅ Searchable - Text can be searched/indexed
  • ✅ Printable - Can be printed if needed

What auditors reject:

  • ❌ Loose screenshot files without context
  • ❌ Word documents (editable, version confusion)
  • ❌ Video files (too large, hard to navigate)
  • ❌ Scattered evidence across multiple systems


Manual PDF Creation Process (Traditional)

Step-by-Step (Per Control Test)

1. Take screenshots during test (15 minutes)

  • Login to application
  • Perform test steps
  • Manually screenshot each step
  • Save with descriptive filenames

2. Organize screenshots (10 minutes)

  • Rename files chronologically
  • Verify all steps captured
  • Check image quality

3. Write documentation (45 minutes)

  • Open Word/Google Docs
  • Add cover page with control ID
  • Write executive summary
  • Describe each screenshot
  • Add timestamps manually

4. Format document (25 minutes)

  • Insert screenshots
  • Add captions
  • Format headings consistently
  • Add page numbers
  • Create table of contents

5. Export to PDF (5 minutes)

  • Export from Word to PDF
  • Verify formatting preserved
  • Check file size reasonable
  • Rename with control ID and date

6. Upload to GRC platform (10 minutes)

  • Navigate to Vanta/Drata
  • Find correct control
  • Upload PDF
  • Add metadata

Total time: 110 minutes per control test

Annual cost (20 controls × 4 quarters):

  • 80 tests × 110 minutes = 8,800 minutes = 147 hours
  • At $200/hour = $29,333/year

Automated PDF Generation

How It Works

Step 1: Automatic Screenshot Capture

During test execution:

{
  "test_session": {
    "control": "CC6.1",
    "start_time": "2025-07-18T10:00:00Z",
    "tester": "compliance@company.com",

    "automatic_captures": [
      {
        "step": 1,
        "timestamp": "10:00:15",
        "action": "login",
        "url": "https://app.company.com/login",
        "screenshot": "01_login_page.png",
        "metadata": {
          "viewport": "1920x1080",
          "browser": "Chrome 121",
          "user_role": "Viewer"
        }
      },
      {
        "step": 2,
        "timestamp": "10:01:30",
        "action": "navigate",
        "url": "https://app.company.com/admin",
        "http_status": 403,
        "screenshot": "02_access_denied.png"
      },
      {
        "step": 3,
        "timestamp": "10:02:15",
        "action": "audit_log_check",
        "screenshot": "03_audit_log.png",
        "log_entry": {
          "timestamp": "2025-07-18T10:01:31Z",
          "event": "access_denied",
          "user": "viewer@company.com"
        }
      }
    ]
  }
}

Step 2: AI Description Generation

AI analyzes screenshots and generates:

Step 1: User Authentication
At 10:00:15 UTC on July 18, 2025, compliance tester (compliance@company.com) accessed the application login page. The tester authenticated using credentials for a test user with "Viewer" role to verify role-based access control restrictions.

Step 2: Access Control Verification
At 10:01:30 UTC, the authenticated Viewer user attempted to navigate to the administrative dashboard at /admin. The application correctly denied access, returning HTTP 403 Forbidden with the error message "Access Denied - Insufficient Permissions." This demonstrates that logical access controls are functioning as designed per control CC6.1.

Step 3: Audit Log Validation
At 10:02:15 UTC, the tester verified that the access denial event was logged to the audit trail. The log entry shows timestamp 2025-07-18T10:01:31Z, user viewer@company.com, event type "access_denied", and resource "/admin". This satisfies the logging requirement for security events.

Step 3: Control Mapping

{
  "control_mapping": {
    "primary_control": {
      "id": "CC6.1",
      "name": "Logical and Physical Access Controls",
      "tsc_category": "Common Criteria 6.1",
      "test_objective": "Verify that users can only access resources appropriate for their assigned role"
    },
    "related_controls": [
      {
        "id": "CC6.6",
        "name": "Audit Logging",
        "evidence": "Access denial logged at 10:01:31 UTC"
      }
    ],
    "test_result": "PASS",
    "risk_assessment": "No exceptions noted"
  }
}

Step 4: PDF Assembly

Automated PDF generation includes:

Page 1: Cover Page

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SOC 2 CONTROL TEST EVIDENCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Control ID: CC6.1
Control Name: Logical and Physical Access Controls
Test Date: July 18, 2025
Test Environment: Production
Tester: compliance@company.com

TEST RESULT: PASS

Generated by: Screenata Evidence Automation
Document ID: CC6.1_2025-Q3_20250718
Pages: 8

Page 2: Executive Summary

EXECUTIVE SUMMARY

Test Objective:
Verify that role-based access controls prevent users with "Viewer" role
from accessing administrative features.

Test Methodology:
1. Authenticate as user with Viewer role
2. Attempt to access administrative dashboard
3. Verify access denial with 403 error
4. Confirm access denial logged to audit trail

Test Result: PASS

All role-based access controls functioned as designed. User with Viewer
role was correctly denied access to administrative features, and the
access attempt was properly logged.

Risk Assessment: No exceptions or deficiencies noted.

Page 3: Test Methodology

TEST PROCEDURE

Test ID: CC6_1_RBAC_2025Q3
Control: CC6.1 - Logical Access Controls
Frequency: Quarterly
Previous Test Date: April 15, 2025

Test Steps:
1. Login as Viewer user (viewer@company.com)
2. Navigate to admin dashboard (/admin)
3. Verify access denied message displayed
4. Check audit log for denial event

Pass Criteria:
- Access denied with HTTP 403 error
- Error message displayed to user
- Event logged with correct details

Test Environment:
- URL: https://app.company.com
- Environment: Production
- Browser: Chrome 121.0.6167.85
- Test Duration: 2 minutes 15 seconds

Pages 4-7: Step-by-Step Evidence

STEP 1: USER AUTHENTICATION
Timestamp: 2025-07-18 10:00:15 UTC

[Full-page screenshot]

Description:
Compliance tester authenticated to the application using test
credentials for a user with "Viewer" role. Login successful.

Evidence Details:
- User: viewer@company.com
- Role: Viewer
- Session ID: sess_abc123
- IP Address: 192.168.1.100

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

STEP 2: ACCESS CONTROL VERIFICATION
Timestamp: 2025-07-18 10:01:30 UTC

[Full-page screenshot]

Description:
User attempted to access administrative dashboard. Application
correctly denied access with HTTP 403 Forbidden error.

Evidence Details:
- Requested URL: /admin/users
- HTTP Status: 403 Forbidden
- Error Message: "Access Denied - Insufficient Permissions"
- Response Time: 45ms

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Additional steps...]

Page 8: Appendix

APPENDIX

A. Test Metadata
- Test Session ID: test_abc123
- Recording Duration: 2 min 15 sec
- Screenshots Captured: 3
- Total File Size: 2.4 MB

B. System Information
- Application Version: v2.5.3
- Database: PostgreSQL 14.2
- Auth Provider: Okta

C. Tester Certification
I certify that this test was performed in accordance with established
procedures and that the evidence presented accurately reflects the
test execution.

Signature: _________________________
Name: compliance@company.com
Date: July 18, 2025

D. Document Hash (SHA-256)
a3f7c9d2e8b1f4a6c9d2e8b1f4a6c9d2e8b1f4a6c9d2e8b1f4a6c9d2e8b1f4a6

This document was automatically generated by Screenata v3.2.1

Total generation time: 30 seconds
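Before the PDF is assembled, the captured session can be checked against the pass criteria so that the PASS on the cover page is derived from the evidence rather than typed in. The following is an added example, not Screenata's code: field names follow the test_session JSON from Step 1, while the function names and the 5-second corroboration window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: the test_session from Step 1, trimmed to the checked fields.
SESSION = {
    "control": "CC6.1",
    "start_time": "2025-07-18T10:00:00Z",
    "automatic_captures": [
        {"step": 1, "timestamp": "10:00:15", "action": "login"},
        {"step": 2, "timestamp": "10:01:30", "action": "navigate",
         "url": "https://app.company.com/admin", "http_status": 403},
        {"step": 3, "timestamp": "10:02:15", "action": "audit_log_check",
         "log_entry": {"timestamp": "2025-07-18T10:01:31Z",
                       "event": "access_denied", "user": "viewer@company.com"}},
    ],
}


def parse_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def step_time(session, cap):
    # Step timestamps are time-of-day only; assume the session's UTC date.
    h, m, s = map(int, cap["timestamp"].split(":"))
    return parse_utc(session["start_time"]).replace(hour=h, minute=m, second=s)


def evaluate(session, expected_user, window=timedelta(seconds=5)):
    """Return ("PASS" | "FAIL", findings) for the CC6.1 pass criteria."""
    caps = session["automatic_captures"]
    nav = next((c for c in caps if c.get("action") == "navigate"), None)
    log = next((c["log_entry"] for c in caps if "log_entry" in c), None)
    findings = []
    if nav is None:
        findings.append("no access attempt recorded")
    elif nav.get("http_status") != 403:
        findings.append(f"expected HTTP 403, got {nav.get('http_status')}")
    if log is None:
        findings.append("no audit log entry captured")
    else:
        if log.get("event") != "access_denied":
            findings.append(f"log event is {log.get('event')!r}")
        if log.get("user") != expected_user:
            findings.append(f"log user is {log.get('user')!r}")
        if nav is not None:
            # The log entry must corroborate the attempt, not just exist.
            skew = abs(parse_utc(log["timestamp"]) - step_time(session, nav))
            if skew > window:
                findings.append(f"log entry is {skew} away from the attempt")
    return ("FAIL" if findings else "PASS"), findings


def document_id(session):
    # Same shape as the cover page's Document ID: CC6.1_2025-Q3_20250718
    d = parse_utc(session["start_time"])
    return f"{session['control']}_{d.year}-Q{(d.month - 1) // 3 + 1}_{d:%Y%m%d}"
```

The findings list is what a FAIL report would print under "Actual" and "Deficiency identified".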


Configuration Options

PDF Template Customization

Brand customization:

{
  "pdf_template": {
    "company_logo": "https://company.com/logo.png",
    "company_name": "Acme Corp",
    "primary_color": "#1E40AF",
    "font_family": "Inter",
    "cover_page": {
      "show_logo": true,
      "show_test_result": true,
      "show_document_id": true
    },
    "header_footer": {
      "show_page_numbers": true,
      "show_confidential_marking": true,
      "confidential_text": "CONFIDENTIAL - FOR AUDIT USE ONLY"
    }
  }
}

Content customization:

{
  "content_options": {
    "include_executive_summary": true,
    "include_test_methodology": true,
    "include_raw_data_appendix": true,
    "include_tester_certification": true,
    "screenshot_layout": "full_page",  // or "two_per_page"
    "description_length": "detailed",  // or "concise"
    "technical_details": "verbose"     // or "minimal"
  }
}

Screenshot Options

Quality settings:

{
  "screenshot_settings": {
    "resolution": "1920x1080",
    "quality": "high",  // PNG format
    "compression": false,
    "annotations": {
      "add_timestamp_overlay": true,
      "add_url_overlay": false,
      "highlight_important_elements": true,
      "redact_sensitive_data": true
    }
  }
}

Redaction rules:

{
  "redaction_rules": [
    {
      "type": "email",
      "pattern": "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}",
      "replace_with": "***@***.com",
      "exclude_domains": ["company.com"]  // Don't redact company emails
    },
    {
      "type": "api_key",
      "pattern": "sk_[a-zA-Z0-9]{32}",
      "replace_with": "sk_REDACTED"
    },
    {
      "type": "ip_address",
      "pattern": "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}",
      "replace_with": "192.168.x.x"
    }
  ]
}
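The rules above can be exercised on text evidence before they are trusted on real captures. This added example (not Screenata's code) applies them to constructed log lines; the `redact` function, its `ignore_case` switch, and the assumption that rules run over text fields such as log entries and descriptions are illustrative.

```python
import json
import re

# The page's redaction_rules, with the // comment removed so it parses as JSON.
RULES = json.loads(r'''
[
  {"type": "email",
   "pattern": "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}",
   "replace_with": "***@***.com",
   "exclude_domains": ["company.com"]},
  {"type": "api_key",
   "pattern": "sk_[a-zA-Z0-9]{32}",
   "replace_with": "sk_REDACTED"},
  {"type": "ip_address",
   "pattern": "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}",
   "replace_with": "192.168.x.x"}
]
''')

# Constructed sample lines; the key is assembled from a repeated dummy string.
SAMPLE = (
    "2025-07-18T10:01:31Z access_denied user=viewer@company.com ip=203.0.113.7\n"
    "2025-07-18T10:01:40Z invite sent to Jane.Doe@Customer.IO\n"
    "2025-07-18T10:01:45Z api call key=sk_" + "A1b2" * 8 + "\n"
)


def redact(text, rules, ignore_case=True):
    """Apply each rule in order; return (redacted_text, hits per rule type)."""
    counts = {}
    flags = re.IGNORECASE if ignore_case else 0
    for rule in rules:
        excluded = {d.lower() for d in rule.get("exclude_domains", [])}

        def replace(match, rule=rule, excluded=excluded):
            value = match.group(0)
            # exclude_domains: keep addresses whose domain is on the allow list.
            if excluded and value.rsplit("@", 1)[-1].lower() in excluded:
                return value
            counts[rule["type"]] = counts.get(rule["type"], 0) + 1
            return rule["replace_with"]

        text = re.sub(rule["pattern"], replace, text, flags=flags)
    return text, counts


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE, RULES)
    print(redacted, hits)
```

With `ignore_case=False` the mixed-case customer address passes through untouched, which is how the lowercase-only email pattern behaves when compiled exactly as written.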

Export Options

Automatic export destinations:

{
  "export_destinations": [
    {
      "type": "local_download",
      "enabled": true,
      "filename_pattern": "{control_id}_{date}_Q{quarter}.pdf"
    },
    {
      "type": "vanta",
      "enabled": true,
      "auto_upload": true,
      "control_mapping": "automatic"
    },
    {
      "type": "drata",
      "enabled": false
    },
    {
      "type": "s3_archive",
      "enabled": true,
      "bucket": "compliance-evidence",
      "path": "soc2/{year}/Q{quarter}/{control_id}/"
    },
    {
      "type": "email",
      "enabled": true,
      "recipients": ["compliance@company.com", "auditor@firm.com"],
      "subject": "SOC 2 Evidence: {control_id} - {date}"
    }
  ]
}

Scheduling Automatic PDF Generation

Quarterly Schedule

Set up recurring evidence collection:

{
  "quarterly_schedule": {
    "controls": [
      {
        "control_id": "CC6.1",
        "test_name": "RBAC Access Controls",
        "schedule": {
          "frequency": "quarterly",
          "test_window": "first_two_weeks",
          "quarters": ["Q1", "Q2", "Q3", "Q4"]
        },
        "assignee": "compliance@company.com",
        "auto_generate_pdf": true,
        "auto_export_to_vanta": true
      },
      {
        "control_id": "CC7.2",
        "test_name": "Change Management",
        "schedule": {
          "frequency": "per_deployment",
          "trigger": "github_pr_merged"
        },
        "auto_generate_pdf": true
      }
    ],
    "reminders": {
      "days_before_due": [14, 7, 3, 1],
      "notification_methods": ["email", "slack"]
    }
  }
}

Slack reminder example:

🔔 Quarterly Evidence Collection Due

Control: CC6.1 - RBAC Access Controls
Due: July 15, 2025 (7 days)
Assignee: @compliance-team

Last test: April 18, 2025 (PASS)
Evidence needed for: Q2 2025

[Start Test] [View Last Evidence] [Reschedule]

On-Demand Generation

Generate PDFs immediately after test:

// Browser extension workflow
1. Record test (5 minutes)
2. Click "Stop Recording"
3. Extension processes automatically:
   - Analyzes screenshots
   - Generates descriptions
   - Maps to control
   - Creates PDF
   - Total time: 30 seconds
4. PDF ready for download

// Or configure auto-export:
{
  "immediate_export": {
    "generate_on_test_complete": true,
    "show_preview_before_export": false,  // Skip preview, auto-export
    "auto_download": true,
    "auto_upload_to_vanta": true
  }
}

PDF Quality Standards

What Makes a Good Evidence PDF?

Auditor requirements:

  • ✅ Clear cover page with control ID, date, result
  • ✅ Executive summary explaining test objective and outcome
  • ✅ Step-by-step evidence with screenshots and descriptions
  • ✅ Timestamps for each action
  • ✅ Tester identification (name, email)
  • ✅ High-quality screenshots (1920x1080 minimum)
  • ✅ Consistent formatting across quarters
  • ✅ Table of contents for easy navigation
  • ✅ Page numbers on every page
  • ✅ Professional appearance (not hand-crafted Word doc)

Common deficiencies that get flagged:

  • ❌ Missing timestamps
  • ❌ Unclear screenshots (blurry, low-res)
  • ❌ No tester information
  • ❌ Inconsistent formatting between quarters
  • ❌ Missing executive summary
  • ❌ No test methodology documented
  • ❌ Editable format (Word instead of PDF)

File Naming Convention

Good naming:

CC6.1_RBAC_Access_Controls_2025-Q3_20250718.pdf
CC7.2_Change_Management_2025-Q3_20250720.pdf
CC8.1_Vulnerability_Mgmt_2025-Q3_20250722.pdf

Pattern:

{ControlID}_{TestName}_{Year}-Q{Quarter}_{YYYYMMDD}.pdf

Bad naming:

test1.pdf
evidence_july.pdf
screenshot_final_v2.pdf

File Size Optimization

Typical sizes:

  • 3-5 screenshots: 2-4 MB
  • 6-10 screenshots: 4-8 MB
  • 11-15 screenshots: 8-12 MB

If the file is too large (>10 MB):

  • Compress screenshots to 80% quality (still high enough)
  • Use PNG for screenshots with text
  • Use JPEG for screenshots without important text
  • Split into multiple PDFs if necessary

Integration Examples

Example 1: Screenata → Vanta Auto-Export

Configuration:

{
  "integration": "vanta",
  "api_key": "vanta_xxxxx",
  "workflow": {
    "1_record_test": "manual",
    "2_generate_pdf": "automatic",
    "3_export_to_vanta": "automatic",
    "4_update_control_status": "automatic"
  },
  "control_mapping": {
    "CC6.1": "vanta_control_id_123",
    "CC7.2": "vanta_control_id_456"
  },
  "execution_time": "30 seconds after test completion"
}

What happens automatically:

  1. You record test (5 min)
  2. Click "Stop Recording"
  3. 30 seconds later:
    • PDF generated
    • Uploaded to Vanta control CC6.1
    • Control status updated to "Evidence Collected"
    • Email confirmation sent

Example 2: Cypress Tests → PDF Evidence

Cypress + Screenata Plugin:

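// cypress/e2e/compliance/cc6-1.cy.js
import { ScreenataPlugin } from '@screenata/cypress'

describe('CC6.1 - RBAC', () => {
  before(() => {
    // Start capturing evidence for control CC6.1 before any test step runs
    ScreenataPlugin.startRecording({
      control: 'CC6.1',
      pdfOptions: {
        includeExecutiveSummary: true,
        includeTestMethodology: true,
        screenshotLayout: 'full_page'
      },
      autoExport: {
        generatePDF: true,
        uploadToVanta: true,
        emailTo: ['compliance@company.com']
      }
    })
  })

  it('denies Viewer access to admin', () => {
    // cy.login is a project-defined custom command. The password is read from
    // Cypress env instead of source (VIEWER_PASSWORD is an assumed variable name).
    cy.login('viewer@test.com', Cypress.env('VIEWER_PASSWORD'))
    cy.visit('/admin/users', { failOnStatusCode: false })
    cy.contains('Access Denied').should('be.visible')
    // The pass criteria require HTTP 403, so assert the status as well as the message
    cy.request({ url: '/admin/users', failOnStatusCode: false })
      .its('status')
      .should('eq', 403)
  })

  after(() => {
    // PDF generated automatically
    ScreenataPlugin.stopRecording()
  })
})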

Output:

✓ Test passed
✓ Screenshots captured: 3
✓ PDF generated: CC6.1_RBAC_2025-Q3.pdf
✓ Uploaded to Vanta: Control CC6.1
✓ Email sent to: compliance@company.com

Example 3: Scheduled Quarterly Generation

GitHub Actions workflow:

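# .github/workflows/quarterly-compliance.yml
name: Quarterly SOC 2 Evidence Collection

on:
  schedule:
    - cron: '0 9 1 1,4,7,10 *'  # First day of each quarter, 09:00 UTC

# The job only reads the repository, so keep the workflow token read-only
permissions:
  contents: read

jobs:
  collect-evidence:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      # CURRENT_QUARTER is used by later steps, so it has to be set first
      - name: Set current quarter
        run: |
          echo "CURRENT_QUARTER=$(( ($(date -u +%-m) - 1) / 3 + 1 ))" >> "$GITHUB_ENV"

      - name: Run RBAC tests
        run: |
          npm ci
          npm run test:compliance

      - name: Generate PDF evidence packs
        uses: screenata/generate-evidence@v1
        with:
          controls: 'CC6.1,CC6.2,CC7.2'
          quarter: ${{ env.CURRENT_QUARTER }}
          auto-export: 'vanta'

      - name: Notify compliance team
        run: |
          echo "Evidence collected for Q${{ env.CURRENT_QUARTER }}"
          # Send Slack notification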

Comparison: Manual vs Automated PDF Creation

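| Task                    | Manual Time | Automated Time | Time Saved |
|-------------------------|-------------|----------------|------------|
| Screenshot capture      | 15 min      | 0 min (auto)   | 15 min     |
| Screenshot organization | 10 min      | 0 min (auto)   | 10 min     |
| Write descriptions      | 45 min      | 0 min (AI)     | 45 min     |
| Format document         | 25 min      | 0 min (auto)   | 25 min     |
| Export to PDF           | 5 min       | 0 min (auto)   | 5 min      |
| Upload to GRC           | 10 min      | 0 min (auto)   | 10 min     |
| Total per control       | 110 min     | 0 min          | 110 min    |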

Annual savings (20 controls × 4 quarters):

  • Manual: 80 tests × 110 min = 8,800 min = 147 hours
  • Automated: 80 tests × 0 min = 0 hours
  • Time saved: 147 hours
  • Cost saved: $29,333 (at $200/hour)

Common Questions

Can I customize the PDF template?

Yes. Most tools allow:

  • Adding company logo and branding
  • Changing colors and fonts
  • Modifying cover page layout
  • Adjusting screenshot layout
  • Customizing section headings

What format are screenshots in the PDF?

High-resolution PNG (for clarity and text readability)

  • Resolution: 1920x1080 or higher
  • No compression artifacts
  • Embedded metadata (timestamp, URL)

Can I regenerate the PDF if I find an error?

Yes. Most tools allow:

  • Re-generating from saved test data
  • Editing descriptions before regeneration
  • Adding manual annotations
  • Updating control mappings

How secure is the PDF?

Security features:

  • Document hash for integrity verification
  • Optional password protection
  • Digital signatures
  • Encrypted storage
  • Audit trail of who accessed
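A digest printed inside the document, as in Appendix D of the sample pack, cannot cover the bytes that contain it and can be rewritten by whoever edits the file, so integrity checks work best against a detached manifest kept apart from the PDF. The following added example (not Screenata's code) hashes each artifact and authenticates the manifest; HMAC-SHA256 stands in for a digital signature so the block runs on the standard library, and the key, file contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the pack and its screenshots (names follow the page).
ARTIFACTS = {
    "CC6.1_RBAC_Access_Controls_2025-Q3_20250718.pdf": b"%PDF-1.7 sample evidence pack",
    "01_login_page.png": b"\x89PNG sample login page",
    "02_access_denied.png": b"\x89PNG sample access denied",
}
KEY = b"constructed-demo-key"  # in practice held outside the evidence store


def _canonical(entries):
    # Stable byte encoding so the MAC does not depend on key order or spacing.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, key):
    """Hash every artifact, then authenticate the list of hashes."""
    entries = {name: hashlib.sha256(blob).hexdigest()
               for name, blob in artifacts.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"sha256": entries, "hmac_sha256": tag}


def verify(artifacts, manifest, key):
    """Return a list of problems; an empty list means the pack is intact."""
    problems = []
    expected = hmac.new(key, _canonical(manifest["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        problems.append("manifest: HMAC mismatch")
    for name, digest in manifest["sha256"].items():
        blob = artifacts.get(name)
        if blob is None:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest):
            problems.append(f"{name}: hash mismatch")
    for name in sorted(artifacts.keys() - manifest["sha256"].keys()):
        problems.append(f"{name}: not in manifest")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, KEY)
    print(json.dumps(manifest, indent=2))
    print(verify(ARTIFACTS, manifest, KEY))
```

An edit to the PDF shows up as a hash mismatch, and an edit that also recomputes the listed hash shows up as an HMAC mismatch because the editor lacks the key.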

Can auditors search text in the PDF?

Yes. All text is searchable, including:

  • Screenshot descriptions
  • Test methodology
  • Control IDs
  • Dates and timestamps

What if my test fails?

Failed tests still generate PDFs showing:

  • Expected behavior
  • Actual behavior
  • Failure reason
  • Remediation needed

Example:

TEST RESULT: FAIL

Expected: Access denied with 403 error
Actual: Access granted (200 OK)

DEFICIENCY IDENTIFIED:
Role-based access controls not functioning correctly.
User with Viewer role was able to access administrative features.

REMEDIATION REQUIRED:
Fix RBAC implementation and retest.

Key Takeaways

Automated PDF generation reduces evidence prep time from 110 minutes to 30 seconds

AI generates professional descriptions for each screenshot automatically

Consistent formatting across all quarters and controls

Automatic export to Vanta/Drata or email

Customizable templates for branding and style

Scheduled generation for quarterly compliance

Annual savings of $20,000-$30,000 for typical companies

Auditors prefer professional PDF format over loose files


Get Started with Automated PDF Evidence Packs

Screenata automatically generates audit-ready PDF evidence packs after every test with AI-powered descriptions, control mapping, and professional formatting.

What you get:

  • Automatic PDF generation (30 seconds)
  • AI-written step descriptions
  • Customizable templates (logo, colors)
  • Auto-export to Vanta/Drata
  • Quarterly scheduling
  • Email delivery

  • Pricing: $149/month
  • Setup time: 30 minutes
  • Time savings: 110 minutes per control test
