What SOC 2 Application Evidence Do Auditors Require That Drata Cannot Automate?

SOC 2 auditors require screenshots of application-level controls like RBAC, change management workflows, and vulnerability dashboards. While Drata automates infrastructure monitoring via APIs, it cannot capture application UI evidence. This article explains what visual evidence auditors require and how to automate screenshot collection for SOC 2 audits.

January 2, 2026 · 7 min read
Tags: SOC 2 · Drata · Compliance Automation · Application Controls · Screenshots · Auditor Requirements

SOC 2 auditors require application-level screenshots to prove that security controls function correctly within your software. While Drata automates infrastructure evidence through APIs (AWS encryption, GitHub MFA, Okta access), it cannot capture screenshots of your application UI or document manual workflows. For SOC 2 criteria like CC6.1 (logical access/RBAC), CC8.1 (change management), and CC7.1 (vulnerability management), auditors expect visual evidence showing how your application enforces security, which means screenshots rather than API data.


Why Do SOC 2 Auditors Require Application Screenshots?

In a SOC 2 Type II audit, the goal is to prove that your controls operated effectively over a period of time (usually 3–12 months). Drata and Vanta are excellent for cloud configuration and Identity Provider monitoring, but they stop at the API layer.

The "20% Manual Gap"

Most compliance teams find that Drata automates roughly 80% of their evidence. The remaining 20% consists of Application-Level Controls. These are the manual processes, UI behaviors, and internal workflows that don't have a public API for Drata to plug into.

What auditors actually ask for:

  • "Show me a screenshot of the 'Settings' page for a user with 'Viewer' permissions."
  • "Provide proof that the 'Delete' button is hidden for non-admin users."
  • "Demonstrate the workflow for approving a sensitive configuration change within your custom dashboard."

What Evidence Does Drata Automate vs. What Requires Screenshots?

It is a common misconception that you must choose between a GRC platform (Drata) and an evidence automation tool (Screenata). In reality, they are complementary.

Feature          | Drata (Infrastructure Automation)      | Screenata (Application Automation)
-----------------|----------------------------------------|------------------------------------------------
Primary Source   | Cloud APIs (AWS, GCP, Azure)           | Application UI / User Workflows
Control Scope    | Database encryption, Laptop MDM, SSO   | RBAC UI, Change Approvals, App Logs
Evidence Type    | JSON Metadata / Configuration State    | Timestamped Screenshots / PDF Packs
Auditor View     | Compliance Dashboard                   | Verified Evidence Packs
Manual Effort    | Low (Set and forget)                   | High (Without Screenata) / Low (With Screenata)

What Auditors Actually Ask For: A Control-by-Control Breakdown

Auditors are trained to look for "sufficient and appropriate" evidence. Here is how they evaluate specific application-level controls and where traditional automation falls short.

1. CC6.1 – Logical Access (Role-Based Access Control)

The Auditor's Question: "How do you ensure that a regular employee cannot access the billing information or delete production data?"

  • The Drata Approach: Checks if the user is in the correct Okta group.
  • The Auditor's Requirement: Visual proof. They want to see the application's interface showing the restricted menu items being hidden or disabled for that specific user.
  • The Screenata Solution: An AI agent records a session where a "Viewer" logs in, requests the /admin/billing URL directly, and receives a "403 Forbidden" or "Access Denied" screen. The direct request is the important step: a hidden menu item is client-side presentation, not a control, so the evidence should show the server rejecting the request rather than only the button being absent.
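The following is an added example, not Screenata's or Drata's code, showing the check behind that evidence: for each role, issue a direct request to each protected path and record the HTTP status, so the pack proves server-side enforcement and not just a hidden button. The in-process DemoApp, the X-Role header standing in for a session cookie, and the paths are all constructed for the demo; a real run would point base_url at a staging deployment and send a genuine session per role.

```python
"""Added example (not Screenata's or Drata's code): CC6.1 evidence that the
server, not the UI, rejects a low-privilege role on a privileged path."""
import hashlib
import json
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ADMIN_PREFIX = "/admin/"


class DemoApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test. The X-Role
    header is an assumption that replaces a real session cookie."""

    def do_GET(self):
        role = self.headers.get("X-Role", "anonymous")
        if self.path.startswith(ADMIN_PREFIX) and role != "admin":
            self.send_response(403)  # Forbidden: authenticated but not permitted
            body = b"Access Denied"
        else:
            self.send_response(200)
            body = b"OK"
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_app():
    """Bind the demo app to a free loopback port and serve it in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(base_url, role, path):
    """Issue one direct request as `role` and record exactly what the server did."""
    req = urllib.request.Request(base_url + path, headers={"X-Role": role})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are evidence too, not failures
        status, body = err.code, err.read()
    return {
        "control": "CC6.1",
        "role": role,
        "path": path,
        "status": status,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "captured_at": datetime.now(timezone.utc).isoformat(),
    }


def collect_rbac_evidence(base_url, roles, protected_paths, public_paths=()):
    """Return (records, findings). A finding means the control did not behave:
    a non-admin reached a protected path, or the admin was locked out of it."""
    records, findings = [], []
    for role in roles:
        for path in protected_paths:
            rec = probe(base_url, role, path)
            records.append(rec)
            if role != "admin" and rec["status"] != 403:
                findings.append(f"{role} reached {path} with HTTP {rec['status']}")
            if role == "admin" and rec["status"] != 200:
                findings.append(f"admin blocked from {path} with HTTP {rec['status']}")
        for path in public_paths:
            records.append(probe(base_url, role, path))
    return records, findings


if __name__ == "__main__":
    server, base = start_demo_app()
    recs, issues = collect_rbac_evidence(
        base, ["viewer", "admin"], ["/admin/billing"], ["/settings"])
    print(json.dumps(recs, indent=2))
    print("findings:", issues or "none")
    server.shutdown()
```

Each record carries the role, path, status, a digest of the response body and a UTC capture time, which is the same context an auditor wants next to the screenshot; a non-empty findings list means the screenshot would be documenting a broken control.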

2. CC8.1 – Change Management

The Auditor's Question: "Can you prove that every change to the production environment was reviewed and approved?"

  • The Drata Approach: Checks GitHub for branch protection rules and PR approval counts.
  • The Auditor's Requirement: Contextual proof. For applications with internal configuration toggles (like "Feature Flags"), auditors want to see the audit log within the application showing who toggled the switch and when.
  • The Screenata Solution: Screenata records the configuration change workflow, captures the internal audit log entry, and generates a PDF report linking the GitHub PR to the UI-level change.

3. CC7.1 – System Operations (Vulnerability Management)

The Auditor's Question: "Show me that you are actively reviewing and remediating high-priority vulnerabilities in your application dashboard."

  • The Drata Approach: Connects to Snyk or Wiz to verify scans are running.
  • The Auditor's Requirement: Proof of human review. They want to see the dashboard where a security engineer marked a vulnerability as "In Progress" or "Resolved."
  • The Screenata Solution: Automatically captures a weekly screenshot of the vulnerability dashboard, highlighting the remediation status and the user who performed the action.

How Do You Automate Application Screenshot Evidence for SOC 2?

If you are currently taking manual screenshots for your SOC 2 audit, you can reduce your workload by 92% by following this workflow.

Step 1: Identify Your Manual Controls

Review your Drata dashboard for any controls marked as "Manual" or "Upload Required." These are typically your application-level tests.

Step 2: Record the "Golden Path"

Use the Screenata Browser Extension to perform the control test once. For example, if you need to prove MFA is required for your app:

  1. Start recording.
  2. Navigate to your app login.
  3. Enter credentials.
  4. Capture the screen showing the MFA prompt.
  5. Stop recording.

Step 3: AI-Powered Evidence Generation

Screenata’s AI analyzes the recording, extracts the relevant screenshots, adds NTP-synced timestamps, and writes a narrative explaining the test. It then compiles this into an Audit-Ready PDF Evidence Pack.

Step 4: Sync to Drata

Export the Evidence Pack directly into the Drata Evidence Library. Drata now has the visual proof the auditor needs, and your control status moves to "Compliant."


Comparison: Manual Evidence vs. Screenata Automation

Metric                  | Manual Screenshotting                          | Screenata AI Agents
------------------------|------------------------------------------------|------------------------------------------
Preparation Time        | 60-90 minutes per control                      | < 5 minutes per control
Evidence Consistency    | Low (Different testers, different formats)     | High (Standardized AI reports)
Metadata Verification   | None (Just an image file)                      | Cryptographic timestamps & DOM snapshots
PII Protection          | Manual blurring in Photoshop                   | Automated AI-driven redaction
Auditor Trust           | Medium                                         | High (Verifiable metadata chain)

Example Use Case: Documenting GitHub Access Controls (CC6.1)

Objective: Prove that only authorized users have "Admin" access to the production repository.

  1. The Trigger: It is the end of the quarter, and your SOC 2 window is closing.
  2. The Action: You launch Screenata and navigate to the repository's Settings > Collaborators and teams page, which lists who holds the repository-level Admin role, and to the "People" tab in your GitHub Organization settings for organization roles.
  3. The Capture: Screenata automatically identifies the list of users, their roles (repository Admin; organization Owner or Member), and whether they have two-factor authentication enabled (the organization's 2FA column, which is visible to organization owners).
  4. The Output: A 3-page PDF is generated. Page 1 shows the Control ID (CC6.1). Page 2 shows the list of Admins. Page 3 shows the timestamped metadata.
  5. The Result: You upload the PDF to Drata in 30 seconds.

Best Practices for Application-Level Compliance

To ensure your application-level evidence passes auditor scrutiny, follow these B2B industry standards:

  1. Include the Full Browser Window: Auditors want to see the URL bar and the system clock to verify the environment and timing. Screenata captures this automatically.
  2. Use Verifiable Timestamps: Do not rely on an unsynchronized local clock; capture NTP (Network Time Protocol) synced timestamps so the time shown in the evidence is accurate. A synced clock proves accuracy, not honesty: the capture host still writes the value. To prove that a capture existed at a given point in time, hash the file and obtain a trusted timestamp (RFC 3161) or append the hash to an external append-only log.
  3. Redact PII at the Source: Use AI to blur email addresses or names of users not involved in the audit. This limits the personal data you hand to third parties under GDPR and CCPA while still satisfying SOC 2.
  4. Map to Control IDs: Ensure every piece of evidence is clearly labeled with the specific SOC 2 Trust Services Criteria (TSC) it supports (e.g., CC6.1, CC7.1).
  5. Maintain a Chain of Custody: Use tools that provide a manifest.json with a cryptographic hash for each screenshot, and that sign or externally anchor the manifest itself; an unsigned list of hashes can simply be regenerated by whoever edits the image.
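The following is an added example, not Screenata's code, of the manifest described in practices 2 and 5: each screenshot gets a SHA-256 digest, the entries are hash-chained in capture order, and the manifest is authenticated with an HMAC so that an edited image or edited metadata is detected on verification. The key, the "captured_by" value, the timestamp and the fake PNG bytes are constructed for the demo; a production pack would sign the manifest with an asymmetric key or a trusted timestamping service (RFC 3161) rather than a shared HMAC key, which is not implemented here.

```python
"""Added example (not Screenata's code): build and verify a chain-of-custody
manifest for a screenshot evidence pack."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(obj):
    # Stable serialisation: same content -> same bytes -> same MAC
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(control_id, artifacts, key, captured_by, captured_at=None):
    """artifacts: dict of filename -> screenshot bytes, in capture order."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    entries, prev = [], GENESIS
    for name, data in artifacts.items():
        digest = hashlib.sha256(data).hexdigest()
        link = hashlib.sha256((prev + digest).encode()).hexdigest()
        entries.append({"file": name, "sha256": digest, "prev": prev, "link": link})
        prev = link
    manifest = {
        "control_id": control_id,
        "captured_by": captured_by,
        "captured_at": captured_at,
        "entries": entries,
        "head": prev,
    }
    manifest["mac"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(manifest, artifacts, key):
    """Return (ok, reason). Authenticate the manifest first, then confirm the
    files still match what was authenticated and the chain is intact."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest signature mismatch"
    prev = GENESIS
    for entry in manifest["entries"]:
        data = artifacts.get(entry["file"])
        if data is None:
            return False, f"missing file {entry['file']}"
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            return False, f"hash mismatch for {entry['file']}"
        link = hashlib.sha256((prev + entry["sha256"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["link"] != link:
            return False, f"chain broken at {entry['file']}"
        prev = link
    if prev != manifest["head"]:
        return False, "chain head mismatch"
    return True, "ok"


# Constructed sample input: fake PNG bytes standing in for real screenshots.
SAMPLE_KEY = b"demo-key-rotate-me"  # assumption: a real key lives in a secrets manager
SAMPLE_ARTIFACTS = {
    "01-viewer-settings.png": b"\x89PNG\r\n\x1a\n viewer settings page",
    "02-viewer-admin-403.png": b"\x89PNG\r\n\x1a\n 403 Forbidden for viewer",
}

if __name__ == "__main__":
    m = build_manifest("CC6.1", SAMPLE_ARTIFACTS, SAMPLE_KEY, "alice@example.com")
    print(json.dumps(m, indent=2))
    print(verify_manifest(m, SAMPLE_ARTIFACTS, SAMPLE_KEY))
    edited = dict(SAMPLE_ARTIFACTS, **{"02-viewer-admin-403.png": b"edited"})
    print(verify_manifest(m, edited, SAMPLE_KEY))
```

The HMAC ties the hashes, the control ID, the tester and the capture time together, so changing any one of them after the fact fails verification; the chain additionally fixes the order in which captures were taken. Because an HMAC key is shared, it proves integrity against anyone who lacks the key but not against the capturing party itself, which is why the lead-in recommends an asymmetric signature or an external timestamp for the real pack.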

Frequently Asked Questions About SOC 2 Application Evidence

What screenshots do SOC 2 auditors require for application controls?

SOC 2 auditors require screenshots showing: role-based access restrictions (CC6.1), change management approval workflows (CC8.1), vulnerability dashboard reviews (CC7.1), and application-level security features. These screenshots must include timestamps, URLs, and user context.

Can Drata capture screenshots of application controls?

No. Drata automates infrastructure evidence via APIs but cannot log into your application or capture UI screenshots. Application-level evidence requiring screenshots remains "Manual" in Drata and requires screenshot automation tools.

What is the 20% manual gap in SOC 2 compliance?

The 20% manual gap refers to SOC 2 controls requiring application screenshots and workflow documentation that APIs cannot capture, typically CC6.1 (RBAC), CC8.1 (change management), CC7.1 (vulnerability management), and custom internal tools.

Do SOC 2 auditors accept automated screenshots?

Yes. Auditors accept automated screenshots when they include verifiable metadata: NTP-synced timestamps, browser/URL information, tester identity, and DOM snapshots. Automated screenshots with metadata are more trustworthy than manual screenshots.

How much time does screenshot automation save for SOC 2?

Screenshot automation reduces application evidence collection from 40–80 hours to under 5 hours per SOC 2 audit—a 90%+ time savings on the manual controls Drata cannot automate.


Key Takeaways

  • Drata is the "Brain," Screenata is the "Sensor": Use Drata for infrastructure monitoring and Screenata for the visual application proof auditors demand.
  • Close the 20% Gap: Automate the manual controls (CC6.1, CC8.1, CC7.1) that APIs cannot reach.
  • Auditors Want Visual Proof: Screenshots of UI-level access controls and change management logs are the evidence auditors typically request for application controls in a SOC 2 Type II report.
  • Standardize Your Evidence: Move away from unstructured folders of images toward AI-generated, timestamped PDF Evidence Packs.
  • Integrate for Efficiency: Connect Screenata to your Drata or Vanta dashboard to maintain a 100% automated compliance posture.

Learn More About SOC 2 Automation

For a complete guide to automating SOC 2 evidence collection, including what application-level controls auditors require and how to automate screenshot-based evidence, see our comprehensive SOC 2 automation guide.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

© 2025 Screenata. All rights reserved.