Compliance
How to Achieve 100% SOC 2 Automation with Vanta and Screenshot Tools
Vanta monitors your infrastructure and leaves the rest to you, which means 40 to 60 hours of evidence chasing per audit. Screenata closes that gap with an agent named Vera who runs the program, collecting infrastructure and application evidence, chasing attestations in Slack, and tracing every artifact back to a control. This guide shows how to reach full coverage, whether you keep Vanta or replace it.

Vanta automates the infrastructure layer of SOC 2, roughly 80% of evidence pulled through API integrations with AWS, Okta, and GitHub. As a dashboard, it tells you which controls still need evidence and then waits for you to go collect it. That remaining 20% (application screenshots, access-review attestations, workflow documentation) is 40 to 60 hours of manual work per audit that no dashboard does for you.
Screenata closes the gap by giving you Vera, an agent that runs the compliance work directly. She scans the same infrastructure Vanta reads, captures the application evidence Vanta can't, DMs your team for the attestations a dashboard can only flag, and files everything as signed, audit-grade artifacts. You reach the same destination, full SOC 2 coverage, with an agent doing the work instead of a dashboard reminding you to do it yourself every quarter.
This guide covers both paths: keeping Vanta and adding Vera for everything it leaves manual, or replacing the stack entirely.
Why Does Vanta Leave a 20% Manual Gap in SOC 2?
Vanta and Drata are excellent at one thing: connecting to your infrastructure, code repositories, and identity providers over API and continuously checking their configuration. That covers about 80% of a standard SOC 2 or ISO 27001 audit, including encryption settings, SSO enforcement, branch-protection rules, and training completion.
The remaining 20% lives inside your application's UI and in your team's day-to-day operations, where an API can't see. A dashboard can only mark those controls "manual evidence required" and wait. Vanta cannot, on its own, prove that:
- A "Viewer" role in your specific SaaS app cannot reach the "Billing" page.
- A "Delete" action triggers an MFA prompt.
- Your quarterly access review actually happened, with the right people signing off.
- Your internal approval workflow for a sensitive change was followed.
Historically, closing that gap meant a human taking screenshots, writing narratives, chasing colleagues for sign-off, and uploading PDFs into the dashboard. That's the work Vera does instead.
How Vera runs the program
Vera works as an agent rather than a dashboard you log into and feed. She scans your infrastructure read-only, scopes your control matrix, writes policies grounded in what she finds, and then works the controls on a schedule: collecting API evidence, capturing application screenshots, and chasing the attestations that only a person can answer. When she can't complete a control herself, she escalates it to you with a specific reason instead of leaving a red square on a screen no one logs into.
For teams already on Vanta, Vera works alongside it to cover everything the dashboard leaves manual. For teams starting fresh, Vera replaces both the dashboard and the consultant you'd otherwise pay to do this work.
How Do You Reach Full SOC 2 Coverage?
Full coverage comes from collecting evidence at every layer, from cloud configuration down to a single button click, and keeping it current between audits. Here is how the layers fit together.
1. The infrastructure layer
Vera scans your stack (AWS, GCP, GitHub, Okta, and 20+ native providers across 489+ checks) read-only and continuously verifies configuration. This is the same automated coverage you'd expect from Vanta, about 70% of evidence fully automated. If you keep Vanta, this is the layer it already owns.
2. The application layer
For controls that live behind your UI, such as CC6.1 logical access and CC7.2 change management, Vera captures the evidence through guided workflows and the Screenata browser extension. You (or Vera, on a schedule) run the test once. The extension captures timestamped screenshots, a DOM snapshot, and metadata, and a vision model scores the result against the control. This is roughly 9% of evidence and it is the piece a dashboard's APIs can never reach.
3. The attestation layer
Some controls can only be answered by a person: "Did the access review happen?" "Who approved this exception?" A dashboard flags these and stops. Vera DMs the right person in Slack or Teams, reminds them at 24 hours, escalates to you at 48, and files their reply as evidence when it arrives. You see the whole thread.
4. Signed, traceable packaging
Every artifact Vera files, whether a screenshot, scan result, or attestation, is hashed, timestamped (RFC 3161), and signed, and it traces back through a control test to a policy claim. If you keep Vanta, Vera can push these packs into your Vanta workspace so the dashboard shows the control as covered. If you don't, the audit vault is the source of truth.
Step-by-Step: Closing the Gap on Top of Vanta
Step 1: Identify what Vanta leaves manual
In your Vanta dashboard, filter SOC 2 or ISO 27001 controls by "manual evidence required." You'll typically see gaps in Logical Access (CC6 series), Change Management (CC7/CC8), and the periodic attestations (access reviews, risk assessments).
Step 2: Let Vera take those controls
Connect Vera read-only to GitHub and your cloud, then point her at the manual controls. For each one she either collects the evidence directly through an API scan or guided screenshot capture, or, if it needs a human answer, opens an attestation request in Slack and tracks it to resolution.
Step 3: Review and approve
Vera drafts the evidence and the narrative; you approve. For application tests, she shows the screenshot side-by-side with the control it satisfies and the pass/fail rationale. PII in screenshots is redacted before anything is filed.
Step 4: Sync back to Vanta
Vera pushes the signed evidence pack (the PDF, raw screenshots, and a JSON manifest) into the corresponding Vanta control, moving it from "missing evidence" to covered.
| Layer | Who does it | What you get |
|---|---|---|
| Cloud configuration | Vanta or Vera | ~70% automated coverage |
| Application UI tests | Vera | Captures the screenshot 9% |
| Attestations / reviews | Vera | Chased and filed in Slack |
| Packaging & sync | Vera | Signed packs, traced to controls |
Which Controls Does Vera Cover for Vanta Users?
These are the high-friction Trust Services Criteria that a dashboard flags but can't satisfy.
CC6.1: Logical Access Security
- Vanta checks that SSO is enabled in Okta.
- Vera runs a test showing that a "Marketing" role cannot reach production database settings inside the app, and captures it as signed evidence.
CC7.2 / CC8.1: Change Management
- Vanta checks that GitHub pull requests require two approvals.
- Vera captures the end-to-end deployment, including the manual QA sign-off and the production-deploy confirmation that lives outside the repo.
Periodic access reviews
- Vanta checks nothing here; it only flags the review as due.
- Vera schedules and orchestrates the review, DMs each reviewer for sign-off, and files the completed attestation. She coordinates the review and chases the humans, while the final judgment stays with your team.
Why Auditors Trust Vera's Evidence
Auditors are increasingly skeptical of loose screenshots, the kind of PNGs sitting in a folder with no provenance. They want a chain of custody.
Verifiable provenance
Every pack Vera files includes a signed manifest with NTP-synced timestamps proving the test happened in the audit window, a DOM snapshot proving the UI existed as shown, and the identity of who performed (or attested to) the test.
A traceable chain, not just a file
Every artifact ties back through a control test to a specific policy claim. An auditor can start from a sentence in your policy and follow it to the test and the signed evidence behind it, then verify the signature independently with a free CLI, no Screenata account required.
Consistency
Because Vera packages every control the same way, an auditor sees uniform, searchable evidence (OCR'd, so they can grep for "Access Denied" across hundreds of pages) instead of one-off formats from five different people. That consistency is what shortens audit windows.
The Attestation Problem No Dashboard Solves
Most discussion of the "20% gap" focuses on screenshots, but a large part of it is a people problem rather than a capture problem. Plenty of SOC 2 controls can only be satisfied by a human answering a question:
- Did the quarterly access review actually happen, and did the right managers sign off?
- Who approved this production exception, and why?
- Was this vendor reviewed before it was onboarded?
- Did the offboarding revoke access in every downstream system?
A dashboard's only move here is to flag the control and wait. Someone on your team then has to remember it, chase three colleagues over Slack and email, collect their answers, and upload the proof, every quarter, for every periodic control. That chasing is unbillable, easy to drop, and the single most common reason a "fully automated" program is red the week before an audit.
Vera does the chasing. She DMs the right person, reminds them at 24 hours, escalates to you at 48, and files their reply as evidence the moment it lands, with the whole thread visible. This is the part of the 20% gap a camera can't fix and a dashboard won't touch on its own.
Vanta + Vera: A Day in the Life
Concretely, here is how the two fit together once Vera is running alongside Vanta:
- At 6:30 AM, Vera posts a Slack briefing: readiness is 94%, two controls need attention.
- Mid-morning, a CC6.2 offboarding control comes due. Vera DMs the IT lead to confirm app access was revoked, captures the disabled-account screenshot, and files both.
- In the afternoon, Vanta flags a CC6.1 control as needing manual evidence. Vera runs the RBAC test, captures the denial, signs the pack, and syncs it back into the Vanta control.
- By the end of the week, Vera runs a full cloud and repo scan, catches a new bucket without encryption, and opens the remediation.
Vanta remains the dashboard your auditor logs into, while Vera is the teammate doing the work that keeps it green.
Manual Collection vs. Vanta vs. Vera
| Metric | Manual collection | Vanta only | Vanta + Vera |
|---|---|---|---|
| Coverage | 0% automated | ~80% automated | Full coverage |
| Who closes the gap | You | You | Vera |
| Time per manual control | 60 to 90 min | unchanged | minutes |
| Attestations | You chase them | Flagged only | Vera chases in Slack |
| Evidence format | Random screenshots | API logs | Signed, traced packs |
| Between audits | Goes stale | Dashboard turns red | Vera keeps running |
Example: Proving RBAC for a Support Role
Objective: prove a "Support Tier 1" user cannot export customer data.
- The control comes due. Vanta flags it as manual; Vera picks it up.
- Vera runs the test against a "Support Tier 1" account and clicks "Export CSV."
- The app returns "You do not have permission to perform this action."
- The extension captures the modal, the user's role settings, and the URL, with a DOM snapshot and signed timestamp.
- Vera assembles
SOC2_CC6.1_RBAC_Test_Q4.pdf, links it to CC6.1, and, if you're on Vanta, pushes it to the control. - You approve. Total hands-on time: a couple of minutes, most of it review.
Frequently Asked Questions
Does Screenata replace Vanta?
For most startups, yes. Vanta monitors infrastructure and leaves the work to you. Screenata gives you Vera, an agent that does the work: scanning the same infrastructure, capturing application evidence, chasing attestations, and writing policies grounded in your real systems. With Vanta you still need a vCISO or consultant ($2K to $5K/month) to actually run the program. Vera replaces both. If you already have Vanta, Vera works alongside it to cover everything it leaves manual. See Do You Actually Need a vCISO for SOC 2?
Is the integration secure?
Yes. Screenata connects to your infrastructure read-only, is SOC 2 Type II compliant, and encrypts evidence at rest and in transit. Vera redacts PII from screenshots before any evidence is filed or synced.
Can I use Vera with Drata or Secureframe instead of Vanta?
Yes. This article focuses on Vanta, but Vera works the same way alongside Drata, Secureframe, or any GRC platform, covering the controls the dashboard leaves manual and syncing signed evidence back.
How much time does this actually save?
For a mid-market SaaS company with 40 to 50 manual controls, Vera absorbs the 80 to 120 hours per audit cycle that would otherwise go to screenshotting, formatting, chasing sign-offs, and uploading. She also keeps the evidence current between audits instead of letting the dashboard drift red.
Key Takeaways
- Vanta gives you a dashboard, and Vera gives you an agent that runs the program. The 20% gap is real work, and a dashboard doesn't do that work for you.
- Vera delivers full coverage at every layer: infrastructure scans, application screenshots, and the attestations a person has to answer.
- Every artifact is signed and traceable, tying back to a control and a policy claim, and any auditor can verify it independently.
- You can keep Vanta or replace it. Vera works alongside your dashboard or stands alone in place of the platform-plus-consultant stack, bringing total SOC 2 cost to around $18K versus the traditional path of roughly $85K.
Learn More About SOC 2 Automation
- The Bootstrapped Founder's Guide to SOC 2 covers the full cost breakdown and what to expect.
- Do You Actually Need a vCISO for SOC 2? explains why most startups no longer need a consultant.
- Why ChatGPT SOC 2 Policies Fail Audits shows what auditors actually want in your policies.
- How to Automate SOC 2 Evidence Collection is the comprehensive guide.
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.