Compliance

What SOC 2 Application Evidence Do Auditors Require That Drata Cannot Automate?

SOC 2 auditors require application evidence for controls like RBAC, change management, and vulnerability review. Drata monitors infrastructure over API but flags application controls as manual and waits. This article covers what visual proof auditors ask for and how Vera, an agent that runs continuous compliance, captures it and chases the attestations a dashboard can't.

January 2, 20269 min read
SOC 2DrataCompliance AutomationApplication ControlsScreenshotsAuditor Requirements
What SOC 2 Application Evidence Do Auditors Require That Drata Cannot Automate?

SOC 2 auditors require application-level evidence to prove your security controls actually work inside your software. Drata monitors infrastructure over API (AWS encryption, GitHub MFA, Okta access), but it cannot capture your application UI or confirm a manual workflow happened, so it flags those controls as manual and waits. For CC6.1 (logical access), CC7.2 (change management), and CC8.1 (vulnerability management), auditors want visual proof of how your application enforces security, plus the attestations behind your reviews. A dashboard flags that work; Vera, an agent who runs continuous compliance, does it, capturing the evidence and chasing the sign-offs, alongside Drata or in place of it.


Why Do SOC 2 Auditors Require Application Evidence?

In a SOC 2 Type II audit, the goal is to prove your controls operated effectively over a period, usually 3 to 12 months. Drata and Vanta are strong at infrastructure and identity-provider monitoring, but they stop at the API layer.

The 20% Manual Gap

Most teams find a dashboard automates roughly 80% of their evidence. The remaining 20% is application-level controls: the manual processes, UI behaviors, and internal workflows with no public API to plug into, plus the periodic attestations only a person can confirm.

What auditors actually ask for:

  • "Show me the Settings page for a user with Viewer permissions."
  • "Prove the Delete button is hidden for non-admin users."
  • "Demonstrate the approval workflow for a sensitive configuration change in your custom dashboard."
  • "Confirm the quarterly access review happened, and who signed off."

Drata vs. Vera

A dashboard reads APIs and flags what it can't reach. Vera does the work a dashboard flags.

CapabilityDrata (monitoring dashboard)Vera (agent that runs the program)
Primary sourceCloud APIs (AWS, GCP, Azure)Same scans plus application capture and attestations
Control scopeEncryption, MDM, SSOFull stack: infra, RBAC, change mgmt, app logs
Evidence typeJSON and configuration stateSigned, traced PDF packs
Application UIFlagged manualCaptured and scored
AttestationsFlagged as dueChased in Slack and filed
Policy writingTemplates you fill inDrafted from your attested reality

For most startups Vera replaces both the platform and the consultant. If you already run Drata, she works alongside it and syncs signed evidence back.


What Auditors Actually Ask For, Control by Control

Auditors look for sufficient and appropriate evidence. Here is how they evaluate the high-friction application controls, and how Vera satisfies each.

CC6.1: Logical Access (Role-Based Access Control)

The auditor's question: how do you ensure a regular employee cannot reach billing information or delete production data?

  • A dashboard checks that the user is in the correct Okta group.
  • The auditor wants visual proof: the interface showing restricted menu items hidden or disabled for that user.
  • Vera runs a session where a "Viewer" logs in, attempts to reach /admin/billing, and receives a 403 or "Access Denied," and captures it as signed evidence.

CC7.2: Change Management

The auditor's question: can you prove every production change was reviewed and approved?

  • A dashboard checks GitHub branch protection and approval counts.
  • The auditor wants contextual proof: for internal configuration toggles or feature flags, the audit log within the application showing who changed the setting and when.
  • Vera captures the configuration-change workflow, records the internal audit-log entry, and files a pack linking the GitHub pull request to the UI-level change.

CC8.1: System Operations (Vulnerability Management)

The auditor's question: show me you are actively reviewing and remediating high-priority vulnerabilities.

  • A dashboard connects to Snyk or Wiz to verify scans run.
  • The auditor wants proof of human review: the dashboard where an engineer marked a finding "in progress" or "resolved."
  • Vera captures the vulnerability dashboard on a schedule, highlighting the remediation status and the person who acted, and files it against CC8.1.

How Vera Captures Application Evidence

Vera runs the compliance program as an agent. Her evidence mix is the honest breakdown: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a person uploading files into a dashboard.

Step 1: Scope the manual controls

Review your Drata dashboard for controls marked manual or upload-required. These are typically your application-level tests.

Step 2: Capture the control test

Vera runs the test once through the Screenata browser extension. To prove MFA is required, she navigates to the app login, submits credentials, and captures the MFA prompt, with the URL, a signed timestamp, and a DOM snapshot embedded.

Step 3: Sign and narrate

Vera scores the capture against the control, redacts PII, writes the narrative, and compiles an audit-ready pack. Every artifact is hashed, timestamped (RFC 3161), and signed, and traces back through a control test to a policy claim.

Step 4: Sync to Drata

Vera pushes the pack into the Drata evidence library and links it to the control, which moves to covered. The auditor sees the API data and the signed capture together.


Manual Evidence vs. Vera

MetricManual screenshottingVera
Preparation time60 to 90 minutes per controlMinutes of review
ConsistencyLow, varies by testerHigh, standardized packs
MetadataNone, just an imageSigned timestamps and DOM snapshots
PII protectionManual blurringRedacted at capture
AttestationsYou chase themVera chases them in Slack
Auditor trustMediumHigh, verifiable chain

The Attestation Problem No Dashboard Solves

A large share of the 20% gap is a people problem, not a capture problem. Access reviews, exception approvals, and vendor sign-offs can only be answered by a human. A dashboard flags them and waits; someone then chases three colleagues across Slack and email, every quarter. Vera does the chasing: she DMs the right person, reminds at 24 hours, escalates at 48, and files the reply as evidence the moment it lands. On access reviews she schedules and orchestrates the review and chases the reviewers, while the final judgment stays with your team. That is the part of the gap a camera can't fix and a dashboard won't touch on its own.


Example: Documenting GitHub Access Controls (CC6.1)

Objective: prove only authorized users have Admin access to the production repository.

  1. The quarter is closing and the SOC 2 window is near.
  2. Vera navigates to the "People" tab in your GitHub organization settings.
  3. She captures the list of users, their roles, and whether MFA is enabled.
  4. She generates a signed pack: the control ID (CC6.1), the list of admins, and the timestamped metadata.
  5. She syncs it to Drata, and DMs the repo owner to confirm the admin list is current.

What This Costs

A dashboard alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program it only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.


A Week in Vera's Compliance Cadence

Application evidence goes stale fast: a UI change can quietly break a permission the day after you capture it. Vera treats compliance as a schedule rather than a scramble. At 6:30 AM she posts a Slack briefing with current readiness and anything she escalated overnight. During the week she captures the RBAC, change-management, and vulnerability-review tests as they come due, DMs the owners to confirm the judgment calls, and files each as a signed pack. By the weekend she runs a full cloud and repo scan and opens remediation tickets for anything that drifted. When the audit window opens, the application evidence is already collected, dated inside the period, and mapped to the controls, so there is no scramble to reproduce it.

Best Practices for Application-Level Evidence

  1. Capture the full browser window. Auditors want the URL bar and the clock to verify environment and timing. Vera captures both.
  2. Use verifiable timestamps. Vera uses NTP-synced timestamps so evidence proves it was captured inside the window.
  3. Redact at the source. Vera blurs emails and names of uninvolved users, which keeps you aligned with GDPR and CCPA while satisfying SOC 2.
  4. Map to control IDs. Every artifact is labeled with the Trust Services Criteria it supports.
  5. Keep a chain of custody. Vera signs each artifact and traces it to a claim, so nothing rests on a file name.

Frequently Asked Questions About SOC 2 Application Evidence

What application evidence do SOC 2 auditors require?

Proof of role-based access restrictions (CC6.1), change-approval workflows (CC7.2), vulnerability-dashboard review (CC8.1), and application-level security features, with timestamps, URLs, and user context. Auditors also want the attestations confirming periodic reviews happened.

Can Drata capture application controls?

No. A dashboard monitors infrastructure via API but cannot log into your application or capture the UI, so these controls stay manual. Vera captures them and files signed packs.

What is the 20% manual gap?

The SOC 2 controls that need application evidence and attestations an API cannot produce: CC6.1 (RBAC), CC7.2 (change management), CC8.1 (vulnerability management), custom internal tools, and periodic reviews.

Do auditors accept Vera's evidence?

Yes. It carries verifiable provenance: NTP-synced timestamps, browser and URL context, tester identity, a DOM snapshot, and a claim-to-evidence chain the auditor can re-derive and verify independently.

How much time does this save?

Vera reduces application-evidence collection from 40 to 80 hours to review time per audit, and keeps the evidence current between audits instead of scrambling before the deadline.


Key Takeaways

  • A dashboard flags the work; Vera does it. She captures the application evidence, chases attestations in Slack, and files signed, traceable packs.
  • The 20% gap is real. Application controls like CC6.1 and CC7.2, plus periodic attestations, are mandatory for a clean SOC 2 Type II report.
  • Auditors want visual proof and a chain of custody, not a bare image or a raw JSON dump.
  • Vera writes your policies from your attested reality and tells you what to fix, so you don't need a $2K to $5K/month consultant.
  • Vera replaces both the platform and the consultant, bringing a typical first year to around $18K versus roughly $85K for the traditional stack.

Learn More About SOC 2 Automation

Connect and see

See your SOC 2 with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.