Compliance
How Teams Extend Drata to Fully Pass SOC 2 with Automated Evidence
Drata automates infrastructure monitoring, but SOC 2 audits still require application evidence and periodic attestations it can only flag. This guide explains how Vera, an agent that runs continuous compliance, does that work: capturing application evidence, chasing sign-offs, and filing signed, traceable packs, alongside Drata or in place of it.

Running SOC 2 on Drata automates infrastructure monitoring, but most teams hit the same wall: application-level controls and periodic attestations still require manual evidence. Auditors want application captures, workflow proof, and confirmation that reviews actually happened, and a dashboard's API integrations cannot produce any of it. To pass SOC 2 without the manual grind, teams put an agent on the work a dashboard only flags. That agent is Vera: she captures the application evidence, chases the attestations, and files signed, traceable packs, alongside Drata or in place of it.
What Does Drata Automate for SOC 2, and What Is Missing?
Drata automates infrastructure-level evidence by connecting to APIs (AWS, GitHub, Google Workspace, Gusto). It validates controls like "Is MFA enabled?" or "Is disk encryption on?" continuously.
It cannot produce application-level evidence or confirm a process happened. It cannot log into your custom admin panel to capture user permissions, it cannot record a backup restoration test, and it cannot ask a manager whether the access review was completed. That is a manual gap of roughly 20 to 30% of the audit. A dashboard flags the work; it does not do the work.
The SOC 2 Automation Reality
| Control category | Drata coverage | What is missing |
|---|---|---|
| Cloud infrastructure (AWS/Azure) | Automated via API | Contextual console configuration |
| Device management (MDM) | Automated via API | Physical security of non-MDM devices |
| HR and onboarding | Mostly automated via HRIS | Evidence of manual background checks |
| Application access (CC6.1) | Manual | Application captures of custom admin panels |
| Change management (CC8.1) | Partial | Evidence for changes outside Jira/GitHub |
| Backup restoration (CC7.4) | Manual | Proof of a successful restoration test |
| Periodic attestations | Flagged as due | A person confirms; someone chases them |
Where Traditional SOC 2 Automation Stops
A GRC dashboard is the system of record for your audit, but it is bounded by what public APIs expose. It works like a checklist that turns green when an API returns "true."
Auditors don't just trust APIs; they verify implementation. For CC6.1 (logical access), an auditor wants to see how access is restricted in your internal tools. Since your admin panel has no public API, the dashboard raises a manual request and waits. The consequences are familiar: engineers spend 40 to 80 hours a quarter on screenshots, static evidence lacks timestamps or URL context and gets rejected, and the "automated" audit becomes a manual scramble during the observation period.
To close this, teams put Vera on the work. She scans the same infrastructure a dashboard reads, captures the application evidence it can't see, chases the attestations it can only flag, drafts policies from your attested reality, and files signed, traceable artifacts.
How Vera Closes the Manual Gap
Vera runs the compliance program as an agent. Her evidence mix is the honest breakdown: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a person uploading files into a dashboard.
Step 1: Identify the offline controls in Drata
Filter your Drata controls by "source: manual" or "evidence upload." Common ones are CC6.1 (access reviews for internal tools), CC7.4 (backup restoration), and CC8.1 (change management for hotfixes).
Step 2: Let Vera capture the workflow
Instead of manual screenshots, Vera runs the control test through the Screenata browser extension. She captures timestamped screenshots of the user list and role definitions, a DOM snapshot, and metadata, and a vision model scores the result against the control. PII is redacted at capture.
Step 3: Chase the human parts
For a review or approval, Vera DMs the right person in Slack or Teams, reminds at 24 hours, escalates to you at 48, and files their sign-off as an attestation.
Step 4: Sign and sync to Drata
Vera assembles a signed pack, links it to the control, and pushes it into Drata. The manual control turns green, and the auditor sees the API data alongside the visual proof.
Example: Logical Access (CC6.1)
Control objective: logical access to the system is restricted to authorized users.
The gap: a dashboard can confirm MFA on your identity provider, but it cannot verify role-based access inside your proprietary "super-admin" dashboard.
How Vera does it:
- The quarterly access review comes due on Vera's schedule.
- She runs a guided capture of the admin panel: the "Users" page, the filtered "Admin" role showing only authorized personnel, and a negative test where a "Viewer" attempts a restricted setting and receives "Access Denied."
- She DMs the panel owner to confirm the list is correct, and files their sign-off with the captures.
- She generates a signed
CC6.1_Access_Review_Q1.pdf, links it to CC6.1, and pushes it to Drata.
A four-hour manual task becomes a couple of minutes of review, and the judgment about who should have access still rests with a person.
The Attestation Problem No Dashboard Solves
Much of the gap is a people problem, not a capture problem. Controls like access reviews, exception approvals, and vendor sign-offs can only be satisfied by a human answering a question. A dashboard flags them and waits; someone then chases three colleagues every quarter, which is unbillable, easy to drop, and the most common reason a program marketed as "fully automated" is red the week before an audit. Vera does the chasing and files the answer as evidence the moment it lands, while the final judgment stays with your team.
Do Auditors Accept Vera's Evidence?
Yes, and they tend to prefer it over manual screenshots.
- Chain of custody: every artifact is hashed and timestamped at capture, so evidence can't be quietly backdated, and it traces back through a control test to a specific policy claim an auditor can re-derive.
- Consistency: every pack is formatted the same way, OCR'd, with visible URLs, timestamps, and control IDs, so an auditor can search hundreds of pages instead of parsing five formats.
- Completeness: Vera captures each required step, including the negative test, before the pack is filed.
Housed inside Drata, this presents one audit trail: the dashboard proves the policy exists and the infrastructure is secure, and Vera's signed captures prove the application logic matches the policy.
What This Costs
A dashboard alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program it only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.
Frequently Asked Questions
Does Drata take screenshots for SOC 2?
No. Drata monitors configurations over API and does not capture screenshots. For evidence that requires visual confirmation, a dashboard flags the control and waits. Vera captures it through the browser extension and files a signed pack.
Can I use Vera without Drata?
Yes. Vera runs the full program: she scans infrastructure, captures application evidence, chases attestations, writes policies from your codebase, and files signed artifacts. For most startups she replaces both Drata and the consultant. See Do You Actually Need a vCISO for SOC 2?
How much time does this save?
For a Series B SaaS company, manual evidence for application controls runs 60 to 80 hours a quarter. Vera absorbs almost all of it and keeps the evidence current between audits.
What happens during the audit window?
You grant the auditor access to Drata, and they see a mix of API-verified controls and Vera's signed captures. There is no evidence scavenger hunt, because Vera has been collecting continuously.
Key Takeaways
- A dashboard flags the work; Vera does it. She captures the application evidence, chases attestations in Slack, and files signed, traceable packs, alongside Drata or in place of it.
- The manual gap is 20 to 30% of the audit. Controls like CC6.1 and CC8.1, plus periodic attestations, are the slowest and most error-prone part.
- Auditors prefer signed, traceable evidence over pasted documents.
- Vera replaces both the platform and the consultant, bringing a typical first year to around $18K versus roughly $85K for the traditional stack.
- Continuous beats audit sprints. Vera keeps the program audit-ready instead of scrambling the week before.
Learn More About SOC 2 Automation
- The Bootstrapped Founder's Guide to SOC 2 covers the full cost breakdown and what to expect.
- Do You Actually Need a vCISO for SOC 2? explains why most startups no longer need a consultant.
- Why ChatGPT SOC 2 Policies Fail Audits shows what auditors actually want in your policies.
- How to Automate SOC 2 Evidence Collection is the comprehensive automation guide.
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.