How Do Drata or Vanta Handle Screenshot-Based Evidence — and What's Still Manual?
Drata and Vanta automate 80% of SOC 2 evidence through APIs but cannot capture application screenshots or workflow documentation. Learn what remains manual and how to automate it.

Drata and Vanta automate API-based evidence collection (cloud configs, logs, user lists) but cannot capture web UI screenshots, workflow documentation, or application-level testing. This leaves 20% of SOC 2 evidence collection manual, requiring 40-60 hours per audit for screenshots alone.
What Drata and Vanta Automate (The 80%)
Both Drata and Vanta excel at automating infrastructure-level evidence through direct API integrations:
| Evidence Type | Automation Method | Examples |
|---|---|---|
| Infrastructure Configs | API polling | AWS security groups, GCP IAM policies, Azure network rules |
| Access Logs | Log aggregation | Okta login events, Google Workspace access records |
| Employee Data | HRIS integration | BambooHR, Workday employee lists and roles |
| Code Repository | Git integration | GitHub branch protections, commit logs, PR approvals |
| Security Scanning | Tool integration | Snyk vulnerabilities, Wiz cloud security findings |
| Endpoint Management | MDM integration | Jamf device compliance, Intune encryption status |
Result: These platforms reduce infrastructure evidence collection time by 90%, handling controls like:
- CC6.6 (Encryption in transit/at rest)
- CC6.7 (Transmission integrity)
- CC7.3 (Security configurations)
- CC9.1 (Risk assessment documentation)
What Drata and Vanta Cannot Automate (The 20%)
1. Application-Level Screenshots
What's needed: Visual proof of how your application enforces controls.
Examples:
- Login page showing MFA requirement
- Access denied screen for unauthorized users
- Role-based permission settings in admin panel
- Data encryption indicators in UI
- Security warnings and user confirmations
Why automation fails: No API can capture what a user sees in a web browser.
| Control | Required Evidence | Drata/Vanta Capability |
|---|---|---|
| CC6.1 - Logical Access | Screenshots of denied access attempts | ❌ Manual |
| CC6.2 - Access Removal | Screenshots of disabled user accounts | ❌ Manual |
| CC7.2 - Change Management | Screenshots of approval workflows in UI | ❌ Manual |
| A1.2 - Data Privacy | Screenshots of consent forms and privacy controls | ❌ Manual |
2. Workflow Documentation
What's needed: Step-by-step proof of how processes work.
Examples:
- Incident response procedure execution
- Access request approval process
- Deployment workflow from PR to production
- Data deletion request handling
- Security review process for new features
Why automation fails: Cross-system workflows require human interaction that APIs cannot observe.
Manual effort required:
- Taking 10-20 screenshots per workflow
- Writing descriptions for each step
- Organizing images chronologically
- Creating narrative documentation
- Time per workflow: 45-60 minutes
3. Application-Level Testing Results
What's needed: Evidence that controls work as designed during testing.
Examples:
- Testing that non-admin users cannot access sensitive data
- Verifying data is encrypted before database storage
- Confirming audit logs capture all access attempts
- Testing password complexity requirements
- Validating session timeout enforcement
Why automation fails: Testing requires performing actions in your application UI and capturing results visually.
| Test Type | What Auditors Need | Manual Work Required |
|---|---|---|
| Access Control Test | Screenshots showing: attempted access, denial message, audit log entry | 30-45 min per test |
| Data Encryption Test | Screenshots showing: plaintext input, encrypted storage, decryption on retrieval | 45-60 min per test |
| Backup Restoration Test | Screenshots showing: backup selection, restore process, validation of restored data | 60-90 min per test |
4. Third-Party Vendor Screenshots
What's needed: Proof of security controls in vendor systems.
Examples:
- AWS Console showing security group configurations
- Stripe dashboard showing PCI compliance status
- Datadog showing security monitoring alerts
- Auth0 showing MFA enforcement settings
- Cloudflare showing WAF rules
Why Drata/Vanta can't fully automate:
- They pull data via API (showing a rule exists)
- They cannot capture visual context (showing where it's configured in UI)
- Auditors often request screenshots for verification
Gap example:
Vanta report: "AWS Security Group sg-123 blocks port 22 from 0.0.0.0/0"
Auditor request: "Please provide a screenshot of this configuration in AWS Console"
→ Manual screenshot still required
The Manual Evidence Gap in Numbers
Typical SOC 2 Type II Audit Evidence Breakdown
| Evidence Category | Controls Affected | Drata/Vanta Automation | Manual Work Required |
|---|---|---|---|
| Infrastructure | 30-40% of controls | ✅ 95% automated | ~2 hours |
| HR/Policies | 25-30% of controls | ✅ 90% automated | ~4 hours |
| Application Testing | 20-25% of controls | ❌ 0% automated | ~40 hours |
| Workflow Documentation | 15-20% of controls | ❌ 10% automated | ~20 hours |
| Total | 100% | 80% automated | 60-66 hours |
Time impact:
- Manual evidence effort: 60-66 hours per audit
- Annual manual hours (4 audits): 240-264 hours
Detailed Breakdown: What Each Platform Handles
Drata's Automation Coverage
What Drata automates:
- ✅ AWS/GCP/Azure resource configurations
- ✅ GitHub/GitLab repository settings
- ✅ Okta/Google Workspace user management
- ✅ Policy acknowledgment tracking
- ✅ Vulnerability scan aggregation
- ✅ Penetration test result collection
What requires manual work:
- ❌ Application UI screenshots
- ❌ Custom workflow documentation
- ❌ Manual control testing (CC6.1, CC6.2)
- ❌ Process-level evidence (incident response execution)
- ❌ Application-specific access control tests
- ❌ User-facing security control screenshots
Drata's solution: "Additional Evidence" upload feature
- Manually create screenshots and PDFs
- Upload to relevant control
- Write descriptions
- Time: 50-60 hours per audit cycle
Vanta's Automation Coverage
What Vanta automates:
- ✅ Cloud infrastructure monitoring
- ✅ Continuous compliance scanning
- ✅ Employee onboarding/offboarding tracking
- ✅ Security training completion
- ✅ Access review automation
- ✅ Vendor risk assessment tracking
What requires manual work:
- ❌ Application behavior verification
- ❌ UI-level access control screenshots
- ❌ Custom application testing documentation
- ❌ Workflow step-by-step proof
- ❌ Application-level encryption verification
- ❌ Manual test execution evidence
Vanta's solution: "Manual Evidence" section
- Upload evidence files manually
- Link to specific controls
- Add context and descriptions
- Time: 50-60 hours per audit cycle
Real Example: CC6.1 Logical Access Control
What Vanta/Drata Automate
Control objective: Restrict access to sensitive data based on user role.
Automated evidence collected:
✅ Okta user list with assigned roles
✅ AWS IAM policies for each role
✅ Database access logs showing queries
✅ GitHub repository permission settings
✅ Slack workspace access levels
What Remains Manual
Still needed for complete evidence:
- Application-level access test
  - Login as non-admin user
  - Attempt to access admin panel
  - Take screenshot of "Access Denied" message
  - Verify audit log entry
  - Document test procedure
- UI permission verification
  - Screenshot of admin panel showing user roles
  - Screenshot of permission assignment interface
  - Screenshot of role configuration page
- Test documentation
  - Written description of test steps
  - Expected vs actual results
  - Tester identity and timestamp
  - Pass/fail determination
Manual time required: 60 minutes per quarter
Why Can't Drata/Vanta Capture Screenshots?
Technical Limitations
1. No Browser Access
- Platforms operate via backend APIs
- Cannot interact with web UIs
- Cannot render browser sessions
- Cannot simulate user actions in frontends
2. No Visual Context
- APIs return data structures (JSON, XML)
- Cannot capture rendered HTML/CSS
- Cannot screenshot modal dialogs or alerts
- Cannot document user interaction flows
3. Security and Privacy Boundaries
- Cannot access customer production environments directly
- Cannot interact with third-party vendor UIs
- Cannot capture proprietary application interfaces
- Cannot automate testing in customer-facing systems
4. Application Diversity
- Every company has unique application architecture
- Custom-built admin panels differ across companies
- No standardized API for application UI elements
- Cannot create generic screenshot automation
What This Means for Your Audit
Manual Work You'll Still Do with Drata/Vanta
Quarterly tasks (per audit cycle):
| Task | Estimated Time | Tools Used |
|---|---|---|
| Screenshot application access controls | 8-12 hours | Manual (browser, Snagit, CloudApp) |
| Document approval workflows | 6-8 hours | Manual (screenshots + Word/Docs) |
| Test and capture role-based permissions | 10-15 hours | Manual (test accounts + screenshots) |
| Capture vendor security dashboards | 4-6 hours | Manual (login to each vendor) |
| Format evidence into PDFs | 8-10 hours | Manual (Word/Docs + PDF export) |
| Upload and organize in Drata/Vanta | 4-6 hours | Drata/Vanta UI |
| Total manual effort | 40-57 hours | Mix of tools |
Hidden Costs
Beyond direct labor time:
- Context switching: Interrupting normal work 10-15 times per quarter
- Rework: 20-30% of evidence requires reformatting or clarification
- Stress: Audit crunch time creates overtime and burnout
- Opportunity cost: Compliance team cannot work on strategic initiatives
How Companies Currently Handle the Gap
Approach 1: Manual Screenshot Collection (Most Common)
Process:
- Create checklist of required screenshots
- Schedule time to capture each one
- Use generic screenshot tools (Snagit, CloudApp, built-in OS tools)
- Organize files in folders by control ID
- Write descriptions in Word/Google Docs
- Format into PDFs
- Upload to Drata/Vanta manually
Pros: No additional tools required
Cons: 40-60 hours of repetitive work
Time investment: 40-60 hours per audit
Approach 2: Hire Compliance Consultant (10-20% of companies)
Process:
- Outsource screenshot collection to audit firm
- Provide consultant with system access
- Consultant captures and documents evidence
- Internal team reviews and approves
- Upload to Drata/Vanta
Pros: Frees internal team time
Cons: High cost (consultant fees), security concerns with granting access
Time tradeoff: Saves internal hours but adds an external dependency
Approach 3: Screen Recording + Manual Processing (5-10% of companies)
Process:
- Use Loom/ScreenRec to record control tests
- Watch recordings to identify key moments
- Extract screenshots manually
- Document in Word/Docs
- Format and upload
Pros: Captures context around actions
Cons: Still requires 30-40 hours of processing
Time investment: 30-40 hours of post-processing per audit
The Solution: Automate the 20%
What's needed: A tool that bridges the gap between Drata/Vanta's API automation and application-level evidence.
Requirements for Complete Automation
| Capability | Why It Matters | Drata/Vanta | Screenshot Automation Tool |
|---|---|---|---|
| Browser-level capture | Records what users actually see | ❌ | ✅ |
| Workflow recording | Documents multi-step processes | ❌ | ✅ |
| Automatic annotation | Adds control IDs and descriptions | ❌ | ✅ |
| Audit-ready formatting | Outputs standardized PDFs | Partial | ✅ |
| Integration with GRC | Syncs to Drata/Vanta | ✅ | ✅ |
| Infrastructure automation | Monitors cloud/SaaS configs | ✅ | ❌ |
Complementary approach: Use Drata/Vanta for infrastructure + screenshot automation tool for application evidence.
Integration: How Screenshot Automation Works with Drata/Vanta
Workflow with Screenata + Drata
Step 1: Drata automates infrastructure evidence
- AWS, GitHub, Okta integrations run continuously
- 80% of evidence collected automatically
Step 2: Screenata captures application evidence
- Browser extension records control tests
- Screenshots auto-organized by control ID
- Evidence packs generated in audit-ready format
Step 3: Sync to Drata
- Export Screenata evidence pack
- Upload to Drata "Additional Evidence" for relevant control
- Link to control test documentation
Result: 95% total automation (vs 80% with Drata alone)
Workflow with Screenata + Vanta
Step 1: Vanta monitors continuous compliance
- Cloud configs, HR data, policies tracked automatically
- 80% of evidence collected via API
Step 2: Screenata handles manual controls
- Records application testing workflows
- Captures screenshots with metadata
- Generates structured PDF reports
Step 3: Upload to Vanta
- Add evidence to Vanta "Manual Evidence" section
- Attach to relevant Trust Service Criteria control
- Include tester info and timestamps
Result: 95% total automation (vs 80% with Vanta alone)
Time Savings Analysis
Current State: Drata or Vanta Only
Annual time investment:
- Manual screenshot work: 240 hours/year (60 hrs × 4 quarters)
- Coverage: 80% automated, 20% manual
- Quarterly effort: 60+ hours of manual evidence collection
Future State: Drata/Vanta + Screenshot Automation
Annual time investment:
- Residual manual work: 20 hours/year (5 hrs × 4 quarters)
- Coverage: 95% automated, 5% manual
- Quarterly effort: ~5 hours of manual evidence collection
Annual time savings: 220 hours (92% reduction)
Hours freed per quarter: 55 hours
Payback period: First audit cycle
Frequently Asked Questions
Will Drata or Vanta add screenshot automation in the future?
Unlikely for technical reasons:
- Their architecture is API-first (backend integrations)
- Adding browser automation would require browser extensions
- Application UI testing is highly customized per company
- Security concerns with accessing production application UIs
- Their focus is infrastructure/SaaS monitoring, not application testing
More likely: They will continue to support "Additional Evidence" uploads, expecting customers to use complementary tools.
Can I use Loom or ScreenRec instead of a compliance tool?
Partially, but with limitations:
| Feature | Loom/ScreenRec | Compliance Tool (Screenata) |
|---|---|---|
| Screen recording | ✅ | ✅ |
| Auto screenshot extraction | ❌ | ✅ |
| Control ID mapping | ❌ | ✅ |
| Audit-ready formatting | ❌ | ✅ |
| Automatic descriptions | ❌ | ✅ (AI-generated) |
| Drata/Vanta integration | ❌ | ✅ |
Time comparison:
- Loom + manual processing: ~35 hours per audit
- Compliance automation tool: ~5 hours per audit
Do auditors accept screenshots from automation tools?
Yes, if the evidence includes:
- ✅ Original, unaltered screenshots
- ✅ Accurate timestamps
- ✅ Tester identity
- ✅ Control objectives
- ✅ Clear pass/fail results
Auditors care about authenticity and traceability, not whether screenshots were taken manually or automatically.
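The authenticity and traceability properties listed above (and the test-documentation items in the CC6.1 example earlier: expected vs actual, tester identity, timestamp, pass/fail) can be enforced mechanically rather than by hand. The following is an added example, not code from Screenata, Drata or Vanta: it hashes each screenshot with SHA-256 at capture time, records the metadata an auditor asks for, seals the whole pack under a manifest hash, and re-verifies the pack later so an altered or missing screenshot is detected. The `capture_access_denied` function shows how the CC6.1 non-admin test could be driven with Playwright; it assumes Playwright is installed and uses hypothetical form selectors and URLs, and it is not exercised by the stand-alone run at the bottom.

```python
"""Evidence-pack helper (added example): hash screenshots, record test metadata,
and re-verify the pack so auditors can trust it was not altered after capture."""
import hashlib
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("control_id", "test_name", "tester", "captured_at",
                   "expected", "actual", "result", "file", "sha256")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence_record(control_id, test_name, screenshot_bytes, tester,
                          expected, actual, file_name, captured_at=None):
    """One screenshot plus the context an auditor needs. The pass/fail
    determination is derived from expected vs actual, never typed in by hand."""
    if captured_at is None:
        captured_at = datetime.now(timezone.utc).isoformat()
    return {
        "control_id": control_id,      # e.g. CC6.1 (Trust Service Criteria ID)
        "test_name": test_name,
        "tester": tester,
        "captured_at": captured_at,    # ISO-8601, UTC
        "expected": expected,
        "actual": actual,
        "result": "pass" if expected == actual else "fail",
        "file": file_name,
        "sha256": sha256_hex(screenshot_bytes),
    }


def _canonical(records) -> bytes:
    # Canonical JSON so the manifest hash is stable across serializers.
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records):
    """Seal the record list under a single hash; store this next to the PNGs."""
    return {"records": records, "manifest_sha256": sha256_hex(_canonical(records))}


def verify_pack(manifest, screenshots):
    """Return a list of problems; an empty list means the pack is intact.
    `screenshots` maps file name -> bytes as read back from disk."""
    problems = []
    if sha256_hex(_canonical(manifest["records"])) != manifest["manifest_sha256"]:
        problems.append("manifest hash mismatch (metadata edited after sealing)")
    for rec in manifest["records"]:
        for field in REQUIRED_FIELDS:
            if not rec.get(field):
                problems.append(f"{rec.get('file', '?')}: missing field {field}")
        data = screenshots.get(rec["file"])
        if data is None:
            problems.append(f"{rec['file']}: screenshot missing")
        elif sha256_hex(data) != rec["sha256"]:
            problems.append(f"{rec['file']}: screenshot altered since capture")
    return problems


def capture_access_denied(base_url, username, password, screenshot_path):
    """CC6.1 test: log in as a non-admin and attempt the admin panel.
    Assumes Playwright is installed; selectors and paths are hypothetical."""
    from playwright.sync_api import sync_playwright  # optional dependency
    with sync_playwright() as p:
        browser = p.chromium.launch()
        page = browser.new_page()
        page.goto(f"{base_url}/login")
        page.fill("input[name=username]", username)
        page.fill("input[name=password]", password)
        page.click("button[type=submit]")
        response = page.goto(f"{base_url}/admin")   # should be denied
        png = page.screenshot(path=screenshot_path, full_page=True)
        status = response.status if response else None
        browser.close()
    return status, png   # status feeds "actual"; png feeds the record hash


if __name__ == "__main__":
    # Constructed sample: stands in for the PNG bytes a real capture returns.
    fake_png = b"\x89PNG constructed sample bytes"
    rec = build_evidence_record("CC6.1", "Non-admin cannot open admin panel",
                                fake_png, "tester@example.com (constructed)",
                                "HTTP 403 / Access Denied",
                                "HTTP 403 / Access Denied",
                                "cc6-1-admin-denied.png")
    pack = build_manifest([rec])
    print(verify_pack(pack, {"cc6-1-admin-denied.png": fake_png}))     # []
    print(verify_pack(pack, {"cc6-1-admin-denied.png": b"edited"}))    # altered
```

The manifest hash covers the metadata and the per-file hashes cover the images, so neither the "actual" result nor the screenshot can be quietly edited after capture; keeping the manifest in the GRC upload alongside the PNGs gives the auditor a way to re-run `verify_pack` themselves.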
Should I switch from Vanta to Drata (or vice versa)?
This article isn't about choosing between them. Both have similar limitations regarding screenshot-based evidence.
Key point: Whichever platform you use (Vanta, Drata, or alternatives like Secureframe, Tugboat Logic), you'll still need a solution for application-level screenshot evidence.
How do I know which controls require screenshots?
Common screenshot-required controls:
| Control ID | Control Name | Screenshot Requirement |
|---|---|---|
| CC6.1 | Logical Access Controls | Access denied messages, permission settings |
| CC6.2 | Prior to Issuing Credentials | User provisioning workflow, approval process |
| CC6.3 | Removes Access | Disabled user accounts, revoked permissions |
| CC7.2 | Change Management | Deployment approval flows, PR reviews |
| CC7.4 | Backup and Recovery | Backup restoration process, verification |
| A1.2 | Data Privacy | Consent forms, privacy settings, data controls |
Rule of thumb: If the control involves "verify," "test," or "demonstrate" application behavior, you likely need screenshots.
What if my application is too sensitive to screenshot?
Options:
- Use test/staging environment with synthetic data
- Apply automatic redaction for PII/sensitive fields
- Limit screenshots to non-sensitive pages (login, navigation, settings)
- Use annotated diagrams where screenshots aren't possible
Best practice: Configure screenshot tools to exclude sensitive screens or auto-blur sensitive fields.
Key Takeaways
✅ Drata and Vanta automate 80% of SOC 2 evidence through API integrations
✅ The remaining 20% (40-60 hours/audit) is application screenshots and workflow documentation
✅ Technical limitations prevent GRC platforms from capturing browser-level evidence
✅ Manual workarounds require 240-264 hours annually in labor
✅ Screenshot automation tools complement Drata/Vanta, bringing total automation to 95%
✅ Time savings of 92% by reducing manual screenshot work from 60 hours to 5 hours per audit
Ready to Automate Your Compliance?
Join 50+ companies automating their SOC 2 compliance documentation with Screenata.