Can Drata or Vanta Capture Screenshots for SOC 2 Evidence?
No. Drata and Vanta automate infrastructure evidence via APIs but cannot capture application screenshots or workflow documentation. This article explains what screenshot evidence SOC 2 auditors require, why Drata and Vanta can't automate it, and how to automate screenshot collection to eliminate 40–60 hours of manual work per audit.

No, Drata and Vanta cannot capture screenshots for SOC 2 evidence. Both platforms automate API-based evidence collection (cloud configs, logs, user lists) but cannot capture web UI screenshots, workflow documentation, or application-level testing. This leaves 20% of SOC 2 evidence collection manual—requiring 40–60 hours per audit for screenshot collection alone. This article explains what screenshot evidence remains manual and how to automate it.
What Drata and Vanta Automate (The 80%)
Both Drata and Vanta excel at automating infrastructure-level evidence through direct API integrations:
| Evidence Type | Automation Method | Examples |
|---|---|---|
| Infrastructure Configs | API polling | AWS security groups, GCP IAM policies, Azure network rules |
| Access Logs | Log aggregation | Okta login events, Google Workspace access records |
| Employee Data | HRIS integration | BambooHR, Workday employee lists and roles |
| Code Repository | Git integration | GitHub branch protections, commit logs, PR approvals |
| Security Scanning | Tool integration | Snyk vulnerabilities, Wiz cloud security findings |
| Endpoint Management | MDM integration | Jamf device compliance, Intune encryption status |
Result: These platforms reduce infrastructure evidence collection time by 90%, handling controls like:
- CC6.6 (Encryption in transit/at rest)
- CC6.7 (Transmission integrity)
- CC7.3 (Security configurations)
- CC9.1 (Risk assessment documentation)
What Drata and Vanta Cannot Automate (The 20%)
1. Application-Level Screenshots
What's needed: Visual proof of how your application enforces controls.
Examples:
- Login page showing MFA requirement
- Access denied screen for unauthorized users
- Role-based permission settings in admin panel
- Data encryption indicators in UI
- Security warnings and user confirmations
Why automation fails: No API can capture what a user sees in a web browser.
| Control | Required Evidence | Drata/Vanta Capability |
|---|---|---|
| CC6.1 - Logical Access | Screenshots of denied access attempts | ❌ Manual |
| CC6.2 - Access Removal | Screenshots of disabled user accounts | ❌ Manual |
| CC7.2 - Change Management | Screenshots of approval workflows in UI | ❌ Manual |
| A1.2 - Data Privacy | Screenshots of consent forms and privacy controls | ❌ Manual |
2. Workflow Documentation
What's needed: Step-by-step proof of how processes work.
Examples:
- Incident response procedure execution
- Access request approval process
- Deployment workflow from PR to production
- Data deletion request handling
- Security review process for new features
Why automation fails: Cross-system workflows require human interaction that APIs cannot observe.
Manual effort required:
- Taking 10-20 screenshots per workflow
- Writing descriptions for each step
- Organizing images chronologically
- Creating narrative documentation
- Time per workflow: 45-60 minutes
3. Application-Level Testing Results
What's needed: Evidence that controls work as designed during testing.
Examples:
- Testing that non-admin users cannot access sensitive data
- Verifying data is encrypted before database storage
- Confirming audit logs capture all access attempts
- Testing password complexity requirements
- Validating session timeout enforcement
Why automation fails: Testing requires performing actions in your application UI and capturing results visually.
| Test Type | What Auditors Need | Manual Work Required |
|---|---|---|
| Access Control Test | Screenshots showing: attempted access, denial message, audit log entry | 30-45 min per test |
| Data Encryption Test | Screenshots showing: plaintext input, encrypted storage, decryption on retrieval | 45-60 min per test |
| Backup Restoration Test | Screenshots showing: backup selection, restore process, validation of restored data | 60-90 min per test |
4. Third-Party Vendor Screenshots
What's needed: Proof of security controls in vendor systems.
Examples:
- AWS Console showing security group configurations
- Stripe dashboard showing PCI compliance status
- Datadog showing security monitoring alerts
- Auth0 showing MFA enforcement settings
- Cloudflare showing WAF rules
Why Drata/Vanta can't fully automate:
- They pull data via API (showing a rule exists)
- They cannot capture visual context (showing where it's configured in UI)
- Auditors often request screenshots for verification
Gap example:
Vanta report: "AWS Security Group sg-123 blocks port 22 from 0.0.0.0/0"
Auditor request: "Please provide a screenshot of this configuration in AWS Console"
→ Manual screenshot still required
The Manual Evidence Gap in Numbers
Typical SOC 2 Type II Audit Evidence Breakdown
| Evidence Category | Controls Affected | Drata/Vanta Automation | Manual Work Required |
|---|---|---|---|
| Infrastructure | 30-40% of controls | ✅ 95% automated | ~2 hours |
| HR/Policies | 25-30% of controls | ✅ 90% automated | ~4 hours |
| Application Testing | 20-25% of controls | ❌ 0% automated | ~40 hours |
| Workflow Documentation | 15-20% of controls | ❌ 10% automated | ~20 hours |
| Total | 100% | 80% automated | 60-66 hours |
Time impact:
- Manual evidence effort: 60-66 hours per audit
- Annual manual hours (4 audits): 240-264 hours
Detailed Breakdown: What Each Platform Handles
Drata's Automation Coverage
What Drata automates:
- ✅ AWS/GCP/Azure resource configurations
- ✅ GitHub/GitLab repository settings
- ✅ Okta/Google Workspace user management
- ✅ Policy acknowledgment tracking
- ✅ Vulnerability scan aggregation
- ✅ Penetration test result collection
What requires manual work:
- ❌ Application UI screenshots
- ❌ Custom workflow documentation
- ❌ Manual control testing (CC6.1, CC6.2)
- ❌ Process-level evidence (incident response execution)
- ❌ Application-specific access control tests
- ❌ User-facing security control screenshots
Drata's solution: "Additional Evidence" upload feature
- Manually create screenshots and PDFs
- Upload to relevant control
- Write descriptions
- Time: 50-60 hours per audit cycle
Vanta's Automation Coverage
What Vanta automates:
- ✅ Cloud infrastructure monitoring
- ✅ Continuous compliance scanning
- ✅ Employee onboarding/offboarding tracking
- ✅ Security training completion
- ✅ Access review automation
- ✅ Vendor risk assessment tracking
What requires manual work:
- ❌ Application behavior verification
- ❌ UI-level access control screenshots
- ❌ Custom application testing documentation
- ❌ Workflow step-by-step proof
- ❌ Application-level encryption verification
- ❌ Manual test execution evidence
Vanta's solution: "Manual Evidence" section
- Upload evidence files manually
- Link to specific controls
- Add context and descriptions
- Time: 50-60 hours per audit cycle
Real Example: CC6.1 Logical Access Control
What Vanta/Drata Automate
Control objective: Restrict access to sensitive data based on user role.
Automated evidence collected:
✅ Okta user list with assigned roles
✅ AWS IAM policies for each role
✅ Database access logs showing queries
✅ GitHub repository permission settings
✅ Slack workspace access levels
What Remains Manual
Still needed for complete evidence:
- Application-level access test
  - Login as non-admin user
  - Attempt to access admin panel
  - Take screenshot of "Access Denied" message
  - Verify audit log entry
  - Document test procedure
- UI permission verification
  - Screenshot of admin panel showing user roles
  - Screenshot of permission assignment interface
  - Screenshot of role configuration page
- Test documentation
  - Written description of test steps
  - Expected vs actual results
  - Tester identity and timestamp
  - Pass/fail determination
Manual time required: 60 minutes per quarter
Why Can't Drata/Vanta Capture Screenshots?
Technical Limitations
1. No Browser Access
- Platforms operate via backend APIs
- Cannot interact with web UIs
- Cannot render browser sessions
- Cannot simulate user actions in frontends
2. No Visual Context
- APIs return data structures (JSON, XML)
- Cannot capture rendered HTML/CSS
- Cannot screenshot modal dialogs or alerts
- Cannot document user interaction flows
3. Security and Privacy Boundaries
- Cannot access customer production environments directly
- Cannot interact with third-party vendor UIs
- Cannot capture proprietary application interfaces
- Cannot automate testing in customer-facing systems
4. Application Diversity
- Every company has unique application architecture
- Custom-built admin panels differ across companies
- No standardized API for application UI elements
- Cannot create generic screenshot automation
What This Means for Your Audit
Manual Work You'll Still Do with Drata/Vanta
Quarterly tasks (per audit cycle):
| Task | Estimated Time | Tools Used |
|---|---|---|
| Screenshot application access controls | 8-12 hours | Manual (browser, Snagit, CloudApp) |
| Document approval workflows | 6-8 hours | Manual (screenshots + Word/Docs) |
| Test and capture role-based permissions | 10-15 hours | Manual (test accounts + screenshots) |
| Capture vendor security dashboards | 4-6 hours | Manual (login to each vendor) |
| Format evidence into PDFs | 8-10 hours | Manual (Word/Docs + PDF export) |
| Upload and organize in Drata/Vanta | 4-6 hours | Drata/Vanta UI |
| Total manual effort | 40-57 hours | Mix of tools |
Hidden Costs
Beyond direct labor time:
- Context switching: Interrupting normal work 10-15 times per quarter
- Rework: 20-30% of evidence requires reformatting or clarification
- Stress: Audit crunch time creates overtime and burnout
- Opportunity cost: Compliance team cannot work on strategic initiatives
How Companies Currently Handle the Gap
Approach 1: Manual Screenshot Collection (Most Common)
Process:
- Create checklist of required screenshots
- Schedule time to capture each one
- Use generic screenshot tools (Snagit, CloudApp, built-in OS tools)
- Organize files in folders by control ID
- Write descriptions in Word/Google Docs
- Format into PDFs
- Upload to Drata/Vanta manually
Pros: No additional tools required
Cons: 40-60 hours of repetitive work
Time investment: 40-60 hours per audit
Approach 2: Hire Compliance Consultant (10-20% of companies)
Process:
- Outsource screenshot collection to audit firm
- Provide consultant with system access
- Consultant captures and documents evidence
- Internal team reviews and approves
- Upload to Drata/Vanta
Pros: Frees internal team time
Cons: High cost (consultant fees), security concerns with access
Time tradeoff: Saves internal hours but adds external dependency
Approach 3: Screen Recording + Manual Processing (5-10% of companies)
Process:
- Use Loom/ScreenRec to record control tests
- Watch recordings to identify key moments
- Extract screenshots manually
- Document in Word/Docs
- Format and upload
Pros: Captures context around actions
Cons: Still requires 30-40 hours of processing
Time investment: 30-40 hours of post-processing per audit
The Solution: Automate the 20%
What's needed: A tool that bridges the gap between Drata/Vanta's API automation and application-level evidence.
Requirements for Complete Automation
| Capability | Why It Matters | Drata/Vanta | Screenshot Automation Tool |
|---|---|---|---|
| Browser-level capture | Records what users actually see | ❌ | ✅ |
| Workflow recording | Documents multi-step processes | ❌ | ✅ |
| Automatic annotation | Adds control IDs and descriptions | ❌ | ✅ |
| Audit-ready formatting | Outputs standardized PDFs | Partial | ✅ |
| Integration with GRC | Syncs to Drata/Vanta | ✅ | ✅ |
| Infrastructure automation | Monitors cloud/SaaS configs | ✅ | ❌ |
Complementary approach: Use Drata/Vanta for infrastructure + screenshot automation tool for application evidence.
Integration: How Screenshot Automation Works with Drata/Vanta
Workflow with Screenata + Drata
Step 1: Drata automates infrastructure evidence
- AWS, GitHub, Okta integrations run continuously
- 80% of evidence collected automatically
Step 2: Screenata captures application evidence
- Browser extension records control tests
- Screenshots auto-organized by control ID
- Evidence packs generated in audit-ready format
Step 3: Sync to Drata
- Export Screenata evidence pack
- Upload to Drata "Additional Evidence" for relevant control
- Link to control test documentation
Result: 95% total automation (vs 80% with Drata alone)
Workflow with Screenata + Vanta
Step 1: Vanta monitors continuous compliance
- Cloud configs, HR data, policies tracked automatically
- 80% of evidence collected via API
Step 2: Screenata handles manual controls
- Records application testing workflows
- Captures screenshots with metadata
- Generates structured PDF reports
Step 3: Upload to Vanta
- Add evidence to Vanta "Manual Evidence" section
- Attach to relevant Trust Service Criteria control
- Include tester info and timestamps
Result: 95% total automation (vs 80% with Vanta alone)
Time Savings Analysis
Current State: Drata or Vanta Only
Annual time investment:
- Manual screenshot work: 240 hours/year (60 hrs × 4 quarters)
- Coverage: 80% automated, 20% manual
- Quarterly effort: 60+ hours of manual evidence collection
Future State: Drata/Vanta + Screenshot Automation
Annual time investment:
- Residual manual work: 20 hours/year (5 hrs × 4 quarters)
- Coverage: 95% automated, 5% manual
- Quarterly effort: ~5 hours of manual evidence collection
Annual time savings: 220 hours (92% reduction)
Hours freed per quarter: 55 hours
Payback period: First audit cycle
Frequently Asked Questions
Will Drata or Vanta add screenshot automation in the future?
Unlikely for technical reasons:
- Their architecture is API-first (backend integrations)
- Adding browser automation would require browser extensions
- Application UI testing is highly customized per company
- Security concerns with accessing production application UIs
- Their focus is infrastructure/SaaS monitoring, not application testing
More likely: They will continue to support "Additional Evidence" uploads, expecting customers to use complementary tools.
Can I use Loom or ScreenRec instead of a compliance tool?
Partially, but with limitations:
| Feature | Loom/ScreenRec | Compliance Tool (Screenata) |
|---|---|---|
| Screen recording | ✅ | ✅ |
| Auto screenshot extraction | ❌ | ✅ |
| Control ID mapping | ❌ | ✅ |
| Audit-ready formatting | ❌ | ✅ |
| Automatic descriptions | ❌ | ✅ (AI-generated) |
| Drata/Vanta integration | ❌ | ✅ |
Time comparison:
- Loom + manual processing: ~35 hours per audit
- Compliance automation tool: ~5 hours per audit
Do auditors accept screenshots from automation tools?
Yes, if the evidence includes:
- ✅ Original, unaltered screenshots
- ✅ Accurate timestamps
- ✅ Tester identity
- ✅ Control objectives
- ✅ Clear pass/fail results
Auditors care about authenticity and traceability, not whether screenshots were taken manually or automatically.
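As an added example (not code from this page, nor from Screenata, Drata or Vanta), here is a small Python evidence-pack builder for the CC6.1 access test described earlier and for the authenticity attributes listed above: it records control ID, objective, tester, UTC timestamp, test steps and the pass/fail result alongside a SHA-256 of every screenshot, so a later check detects a missing or altered capture. The file names, the tester address and the placeholder screenshot bytes are constructed for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a capture in chunks so large PNGs need not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(pack_dir: Path, control_id: str, objective: str,
                   tester: str, steps: list, result: str) -> dict:
    """Describe one control test and pin every screenshot to its SHA-256."""
    shots = sorted(pack_dir.glob("*.png"))
    return {
        "control_id": control_id,
        "objective": objective,
        "tester": tester,
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "steps": steps,
        "result": result,  # "PASS" or "FAIL", decided by the tester
        "screenshots": [{"file": p.name, "sha256": sha256_file(p)} for p in shots],
    }

def verify_manifest(pack_dir: Path, manifest: dict) -> list:
    """Return screenshots that are missing or no longer match the manifest."""
    bad = []
    for entry in manifest["screenshots"]:
        p = pack_dir / entry["file"]
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["file"])
    return bad

def demo() -> tuple:
    """Build a pack for the CC6.1 test, verify it, then catch an edited capture."""
    with tempfile.TemporaryDirectory() as d:
        pack = Path(d)
        # Constructed placeholder bytes stand in for the real PNG captures.
        for name in ("01_login_nonadmin", "02_admin_panel_denied", "03_audit_log_entry"):
            (pack / f"{name}.png").write_bytes(f"constructed capture {name}".encode())
        manifest = build_manifest(
            pack, "CC6.1", "Restrict access to sensitive data based on user role",
            "tester@example.com",  # hypothetical tester identity
            ["Login as non-admin user", "Attempt to access admin panel",
             "Screenshot the Access Denied message", "Verify audit log entry"], "PASS")
        (pack / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(pack, manifest)
        # Simulate a retouched screenshot: the hash mismatch flags the file.
        (pack / "02_admin_panel_denied.png").write_bytes(b"edited after capture")
        return clean, verify_manifest(pack, manifest)
```

Storing manifest.json with the pack (or its hash in the GRC platform's evidence description) gives the auditor a way to confirm the uploaded screenshots are the ones captured during the test.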
Should I switch from Vanta to Drata (or vice versa)?
This article isn't about choosing between them. Both have similar limitations regarding screenshot-based evidence.
Key point: Whichever platform you use (Vanta, Drata, or alternatives like Secureframe, Tugboat Logic), you'll still need a solution for application-level screenshot evidence.
How do I know which controls require screenshots?
Common screenshot-required controls:
| Control ID | Control Name | Screenshot Requirement |
|---|---|---|
| CC6.1 | Logical Access Controls | Access denied messages, permission settings |
| CC6.2 | Prior to Issuing Credentials | User provisioning workflow, approval process |
| CC6.3 | Removes Access | Disabled user accounts, revoked permissions |
| CC7.2 | Change Management | Deployment approval flows, PR reviews |
| CC7.4 | Backup and Recovery | Backup restoration process, verification |
| A1.2 | Data Privacy | Consent forms, privacy settings, data controls |
Rule of thumb: If the control involves "verify," "test," or "demonstrate" application behavior, you likely need screenshots.
What if my application is too sensitive to screenshot?
Options:
- Use test/staging environment with synthetic data
- Apply automatic redaction for PII/sensitive fields
- Limit screenshots to non-sensitive pages (login, navigation, settings)
- Use annotated diagrams where screenshots aren't possible
Best practice: Configure screenshot tools to exclude sensitive screens or auto-blur sensitive fields.
Key Takeaways
✅ Drata and Vanta automate 80% of SOC 2 evidence through API integrations
✅ The remaining 20% (40-60 hours/audit) is application screenshots and workflow documentation
✅ Technical limitations prevent GRC platforms from capturing browser-level evidence
✅ Manual workarounds require 240-264 hours annually in labor
✅ Screenshot automation tools complement Drata/Vanta, bringing total automation to 95%
✅ Time savings of 92% by reducing manual screenshot work from 60 hours to 5 hours per audit
Learn More About SOC 2 Automation
For a complete guide to automating SOC 2 evidence collection, including how Drata and Vanta handle screenshot-based evidence and how to fill the manual gap, see our comprehensive SOC 2 automation guide.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.