Compliance

How to Automate Manual SOC 2 Evidence Drata Can't Capture

Drata automates about 80% of SOC 2 through APIs, then flags the rest as manual and waits. This guide shows how Vera, an agent that runs continuous compliance, does the work a dashboard leaves behind: capturing application evidence for CC6.1, CC7.2, and CC8.1, chasing the attestations only a person can answer, and filing signed, traceable packs, alongside Drata or in place of it.

January 1, 202610 min read
DrataSOC 2Compliance AutomationEvidence CollectionScreenshotsManual Controls
How to Automate Manual SOC 2 Evidence Drata Can't Capture

You automate the manual SOC 2 evidence Drata misses by putting an agent on it instead of a person. Drata monitors infrastructure over API (AWS, GitHub, Okta), then marks application controls "manual" and waits for you to go capture them. For CC6.1 (logical access), CC7.2 (change management), and CC8.1 (vulnerability management), that is 40 to 80 hours of screenshots, formatting, and attestation chasing per audit. Screenata gives you Vera, an agent who does that work: she captures the application evidence a dashboard can't see, DMs your team for the sign-offs a dashboard can only flag, and files signed, traceable packs that sync back to Drata. A dashboard flags the work; Vera does it.


Why Does Drata Leave a 20% Manual Gap?

Drata and similar GRC platforms are readers of APIs. They connect to your cloud stack to verify that databases are encrypted, MFA is on, and background checks are done. That covers roughly 80% of a SOC 2 or ISO 27001 program.

The other 20% is application and process controls, and no API can see them. A dashboard cannot log into your proprietary SaaS product and run a user-level test, so it flags the control and waits. It cannot ask a person whether the access review actually happened, so it flags that too. A dashboard flags the work; it does not do the work.

What Drata Automates (about 80%)

  • Infrastructure: AWS, Azure, and GCP configuration.
  • HRIS: employee onboarding and termination.
  • Identity: Okta and Google Workspace MFA and SSO status.
  • Code: GitHub and GitLab branch protection and repository settings.

What Drata Leaves to You (the other 20%)

  • Role-based access: proving a "Viewer" cannot reach "Admin" settings in your app.
  • UI-based approvals: change-management steps inside Jira or a proprietary tool.
  • Data redaction: proving PII is masked in the application UI.
  • Attestations: access reviews, exception approvals, and vendor sign-offs a person has to confirm.

Which SOC 2 Controls Need Application Evidence?

SOC 2 auditors want sufficient and appropriate visual proof for application-level controls. A dashboard leaves these as manual tasks.

Control IDControl nameWhy a dashboard misses it
CC6.1Logical AccessSees the user exists, not what they can do in the UI
CC6.7Physical AccessNeeds logs of office or data-center security no API exposes
CC7.2Change ManagementNeeds the UI approval and deployment proof outside GitHub
CC8.1Vulnerability ManagementNeeds proof a human triaged findings in the dashboard
CC9.1Business ContinuityNeeds UI confirmation a backup restoration test succeeded

How Vera Does the Work a Dashboard Flags

Vera runs the compliance program as an agent. She scans your infrastructure read-only, scopes your control matrix, drafts policies grounded in what she finds, and works the controls on a schedule. For the 20% a dashboard flags, she does the collection: she captures application evidence through the Screenata browser extension, chases attestations in Slack or Teams, and files signed, traceable artifacts.

Her evidence mix is the honest breakdown: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a person uploading files into a dashboard. Screenshots are one of several ways she collects evidence, and the one an API can never reach, not the identity of the product.

The Workflow

  1. A control comes due. Whether Drata flags CC6.1 as manual or Vera scopes it from your matrix, the control is picked up, not parked.
  2. Vera captures the test. You (or Vera, on a schedule) run the control test once. The extension captures timestamped screenshots, a DOM snapshot, and metadata, and a vision model scores the result against the control. PII is redacted at capture.
  3. Vera chases what only a person can answer. For a review or exception, she DMs the right teammate, reminds at 24 hours, escalates to you at 48, and files their reply as evidence.
  4. Vera signs and syncs it. Every artifact is hashed, timestamped (RFC 3161), and signed, and traces back through a control test to a policy claim. If you run Drata, she pushes the pack into the matching control.

Step by Step: Covering CC6.1 (Logical Access)

CC6.1 requires proof that access to protected information is restricted. Here is how the work gets done.

Step 1: Scope the control

Vera links the test to SOC 2 control CC6.1 and identifies the restricted route to exercise (for example, /admin or /settings).

Step 2: Run the denial path

Vera runs the test against a "Viewer" account and attempts the restricted action. When the app returns "Access Denied" or a 403, the extension captures the result automatically.

Step 3: Attach verifiable provenance

Each capture carries an NTP-synced timestamp proving the test happened in the audit window, the URL proving the route attempted, and a DOM snapshot proving the UI existed as shown.

Step 4: Sign, file, and sync

Vera assembles the pack, writes the narrative, links it to CC6.1, and pushes it into Drata's manual-evidence section for that control. Total hands-on time is a couple of minutes of review.


Manual Collection vs. Vera

MetricManual screenshot processVera
Time per control45 to 60 minutesMinutes of review
Evidence qualityInconsistent, lacks contextSigned, metadata-rich, uniform
PII riskHigh, redacted by handLow, redacted at capture
Audit readinessManual formatting in a documentSigned PDF and ZIP packs
TraceabilityRelies on file namesClaim to test to signed artifact
AttestationsYou chase themVera chases them in Slack

The Attestation Problem No Dashboard Solves

Most discussion of the 20% gap fixates on screenshots, but a large share of it is a people problem, not a capture problem. Plenty of controls can only be satisfied by a human answering a question:

  • Did the quarterly access review actually happen, and did the right managers sign off?
  • Who approved this production exception, and why?
  • Was this vendor reviewed before it was onboarded?
  • Did offboarding revoke access in every downstream system?

A dashboard flags these and waits. Someone then has to remember, chase colleagues across Slack and email, gather the answers, and upload the proof, every quarter. Vera does the chasing: she DMs the right person, reminds at 24 hours, escalates at 48, and files the reply the moment it lands. On access reviews she schedules and orchestrates the review and chases the reviewers, while the final judgment stays with your team.


Why Auditors Trust Vera's Evidence

Auditors are skeptical of static screenshots because they are easy to alter. Vera's packs carry a verifiable chain instead.

A signed, re-derivable chain

Every screenshot is hashed and timestamped at capture, which prevents backdating, the common scramble to produce evidence the week before the auditor arrives. Every artifact ties back through a control test to a specific policy claim, so an auditor can start from a policy sentence and follow it to the signed evidence, then verify the signature with a free CLI, no Screenata account required.

Context, not a bare image

Each pack carries a narrative and a machine-readable manifest with the browser, OS, and session, proving the test ran in a real environment. Instead of an uncaptioned image, the auditor reads that a "Viewer" account attempted the admin route at a specific time and received a 403, shown in the capture.

Consistency

Because Vera packages every control the same way, OCR'd, an auditor can search hundreds of pages for a phrase like "Access Denied" instead of parsing one-off formats from five people. That consistency is what shortens audit windows.


A Week in Vera's Compliance Cadence

Continuous compliance is a schedule, not a scramble before the audit. Once Vera runs alongside Drata:

  • At 6:30 AM she posts a Slack briefing: current readiness, which controls need attention, and anything she escalated overnight.
  • Mid-week a CC6.2 offboarding control comes due. She DMs the IT lead to confirm access was revoked, captures the disabled-account screenshot, and files both.
  • When Drata flags a CC6.1 control as manual, she runs the RBAC test, captures the denial, signs the pack, and syncs it into the matching control.
  • By week's end she runs a full cloud and repo scan, catches a new bucket without encryption, and opens the remediation ticket for a human to apply.

The dashboard, if you keep one, stays the surface your auditor logs into. Vera keeps it green between audits.


What This Costs

Drata alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program the dashboard only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both the platform and the consultant: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.


Best Practices for the Last Mile

  • Use dedicated test accounts (for example, audit-viewer@company.com) for UI evidence to minimize PII exposure.
  • Keep a consistent naming convention for packs, such as [Year]_[Quarter]_[ControlID]_[Description].
  • Let Vera redact at capture so emails, API keys, and customer names are blurred before anything is filed.
  • Collect continuously. Let Vera record your CC6.1 and CC7.2 tests every month so a broken permission shows up as a self-corrected observation, not an audit failure.

Frequently Asked Questions

Does Vera replace Drata?

For most startups, yes. A dashboard monitors infrastructure and leaves the work to you. Vera scans the same infrastructure, captures the application evidence, chases attestations, and writes policies grounded in your real systems, replacing both the platform and the consultant. If you already have Drata, Vera works alongside it to cover everything it leaves manual. See Do You Actually Need a vCISO for SOC 2?

How much time does this save?

For a SOC 2 Type II audit with around 40 manual controls, Vera absorbs the 40 to 80 hours per cycle that would otherwise go to screenshotting, formatting, chasing sign-offs, and uploading, and she keeps evidence current between audits.

Does this work for ISO 27001 too?

Yes. Vera is framework-agnostic. One captured test can map to SOC 2, ISO 27001 Annex A, HIPAA safeguards, or CMMC practices, so you collect once and satisfy several standards.

Do auditors accept this evidence?

Yes. Auditors accept Vera's packs because they carry more provenance and traceability than a manual screenshot: signed timestamps, a DOM snapshot, and a claim-to-evidence chain they can verify independently.


Key Takeaways

  • A dashboard flags the work; Vera does it. She captures the application evidence, chases attestations in Slack, and files signed, traceable packs, alongside Drata or in place of it.
  • The 20% gap is real work. Application controls like CC6.1 and CC7.2, plus the periodic attestations, are the slowest part of a SOC 2 audit.
  • Signed, re-derivable evidence beats loose screenshots. Verifiable provenance and a claim-to-evidence chain reduce follow-up questions and shorten the window.
  • Vera replaces both the platform and the consultant, bringing a typical first year to around $18K versus roughly $85K for the traditional stack.
  • Continuous beats audit sprints. Recording tests throughout the year keeps the program audit-ready instead of red the week before.

Learn More About SOC 2 Automation

Connect and see

See your SOC 2 with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.