What Vanta and Drata Don't Automate (The 20% Gap)
Vanta and Drata excel at automating infrastructure controls through APIs, but they cannot automate application testing, workflow documentation, or screenshot capture. This 20% gap costs companies 40-60 hours per audit cycle.

Vanta and Drata automate infrastructure-level evidence collection through API integrations, covering approximately 80% of SOC 2 compliance work. However, they cannot automate application-level testing, web UI screenshot capture, workflow documentation, or process verification—leaving 20% of evidence collection manual and requiring 40-60 hours per audit cycle.
The 80/20 Split in Compliance Automation
What Vanta and Drata Automate Well (80%)
Both platforms excel at API-based evidence collection for infrastructure and SaaS tools:
| Category | Automation Method | Examples |
|---|---|---|
| Cloud Infrastructure | API polling | AWS security groups, GCP IAM roles, Azure configurations |
| Identity Management | SAML/SCIM integration | Okta users, Google Workspace access, Azure AD policies |
| Code Repositories | Git API | GitHub branch protections, commit signing, PR approvals |
| Security Tools | Direct integration | Snyk scans, Wiz findings, CrowdStrike alerts |
| HR Systems | HRIS API | BambooHR employee records, Workday role changes |
| Endpoint Security | MDM integration | Jamf encryption status, Intune device compliance |
Controls automated:
- CC6.6 (Encryption at rest/in transit)
- CC6.7 (Transmission security)
- CC7.3 (Infrastructure configurations)
- CC7.5 (System monitoring)
- CC9.1 (Risk assessments)
Time savings: Infrastructure evidence that previously took 80+ hours now takes less than 5 hours with automated monitoring.
The 20% That Remains Manual
1. Application-Level Access Control Testing
What's required: Proof that your application enforces access controls correctly.
Why APIs can't help:
- APIs show configurations ("User X has role Y")
- Auditors need behavioral proof ("User X cannot access admin panel")
- Testing requires interacting with your application's UI
- Results must be captured visually with screenshots
Common test scenarios:
| Control | Test Required | Evidence Needed | Vanta/Drata Capability |
|---|---|---|---|
| CC6.1 | Non-admin tries to access restricted data | Screenshots of access denial + audit log | ❌ Manual |
| CC6.2 | New user provisioning with approval | Screenshots of approval workflow steps | ❌ Manual |
| CC6.3 | Terminated user cannot login | Screenshots of disabled account + login failure | ❌ Manual |
Manual effort per control: 45-60 minutes per test
2. Web UI Screenshots and Visual Evidence
What's needed: Visual documentation of how your application implements security controls.
Examples of required screenshots:
- Login page showing MFA requirement
- Permission denied error messages
- Role configuration interfaces
- Data encryption indicators in UI
- Security warnings and user confirmations
- Privacy consent forms
- Session timeout notifications
- Password complexity requirements
Why Vanta/Drata can't capture these:
Technical limitation:
├─ Vanta/Drata operate via backend APIs
├─ APIs return data structures (JSON), not visual interfaces
├─ No browser rendering capability
└─ Cannot capture what end users actually see
Security limitation:
├─ Cannot access customer production environments
├─ Cannot interact with proprietary application UIs
└─ Cannot automate actions in custom applications
Manual work required:
- Taking 50-100 screenshots per audit cycle
- Organizing by control ID
- Adding annotations and descriptions
- Formatting into evidence packages
- Time: 15-20 hours per audit
3. Workflow and Process Documentation
What's required: Step-by-step proof of how multi-system processes work.
Common workflows requiring documentation:
| Workflow | Systems Involved | Evidence Components | Automation Gap |
|---|---|---|---|
| Incident Response | PagerDuty → Slack → Jira → GitHub → AWS | 10-15 screenshots showing each step | Vanta/Drata see isolated events, not the connected workflow |
| Access Requests | Slack → Okta → AWS Console → Audit log | 6-8 screenshots of approval chain | APIs show approval status, not the approval process |
| Deployment Process | GitHub → CircleCI → AWS → Datadog | 8-12 screenshots from PR to production | APIs show that a deployment occurred, not the approval workflow |
| Data Deletion | Support ticket → Database → Backup deletion → Confirmation | 10-12 screenshots proving complete removal | APIs cannot verify visual confirmations |
Why automation fails:
- Workflows cross multiple systems without unified APIs
- Human decision points cannot be observed by APIs
- Visual context matters (approval buttons, confirmation dialogs)
- Narrative documentation required to connect steps
Manual effort required:
- 45-60 minutes per workflow to document
- 4-6 key workflows per audit
- Total time: 12-18 hours per audit cycle
4. Application-Specific Security Features
What's needed: Evidence that custom security features in your application work as designed.
Examples:
- Custom data masking implementation
- Proprietary encryption workflows
- Application-specific RBAC logic
- Custom audit logging display
- Tenant isolation verification
- Data retention rule enforcement
The API limitation:
Your custom application:
├─ Has unique security architecture
├─ Implements controls specific to your business
├─ No standard API exists for custom features
└─ Visual testing is the only verification method
Vanta/Drata:
├─ Built for standard SaaS tools (AWS, Okta, GitHub)
├─ Cannot integrate with custom applications
├─ Cannot understand proprietary security logic
└─ Cannot verify application-specific controls
Testing burden:
- 3-5 custom controls per application
- 60-90 minutes per control to test and document
- Total time: 8-12 hours per audit
5. Third-Party Vendor UI Screenshots
What's needed: Visual proof of vendor security configurations.
Common requirements:
- AWS Console showing security group rules (even though API data exists)
- Stripe dashboard showing PCI compliance badge
- Auth0 showing MFA enforcement settings
- Datadog showing security monitoring configuration
- Cloudflare WAF rule screenshots
Why Vanta/Drata can't fully automate:
Example scenario:
Vanta collects via API: "AWS Security Group sg-abc123 blocks SSH from internet"
Auditor request: "Please provide screenshot showing this in AWS Console"
Why both are needed:
├─ API data proves configuration exists in code
├─ Screenshot proves configuration visible to operators
└─ Combined evidence shows consistency
The double documentation burden:
- Vanta/Drata: Automated API collection ✅
- Screenshot evidence: Still required manually ❌
- Time: 8-10 hours per audit
The Manual Work in Real Numbers
Breakdown by Evidence Type
| Evidence Type | Controls Affected | Vanta/Drata Automation | Manual Hours (per audit) | Annual Hours (4 audits) |
|---|---|---|---|---|
| Infrastructure Configs | 35% | ✅ 95% automated | 2 hours | 8 hours |
| HR/Policy Evidence | 25% | ✅ 90% automated | 3 hours | 12 hours |
| Application Screenshots | 15% | ❌ 0% automated | 15-20 hours | 60-80 hours |
| Workflow Documentation | 12% | ❌ 5% automated | 12-18 hours | 48-72 hours |
| Application Testing | 8% | ❌ 0% automated | 8-12 hours | 32-48 hours |
| Vendor Screenshots | 5% | ❌ 0% automated | 8-10 hours | 32-40 hours |
| TOTAL | 100% | 80% automated | 48-65 hours | 192-260 hours/year |
Annual Time Impact
Manual effort for evidence collection:
- Annual manual hours: 192-260 hours
- Quarterly disruption: ~20 context switches per quarter
Hidden costs:
- Context switching disruption: ~20 interruptions per quarter
- Rework and corrections: 25-30% of evidence needs revision
- Audit delay costs: Manual bottlenecks extend readiness timeline
- Team burnout: Repetitive screenshot work during crunch periods
Why Can't Vanta/Drata Automate the 20%?
Technical Architecture Constraints
1. API-First Design
Vanta and Drata are built on API integration architecture:
Their automation model:
1. Integrate with SaaS tool API (AWS, Okta, GitHub)
2. Poll for configuration data
3. Map data to SOC 2 controls
4. Flag non-compliance issues
What this model cannot do:
├─ Interact with web browsers
├─ Simulate user actions
├─ Capture visual rendering
└─ Test application behavior
2. No Browser Automation Layer
To capture screenshots and test applications, platforms would need:
- Browser extension or desktop agent
- Permission to access production applications
- Ability to execute test scenarios
- Visual comparison and verification logic
Why they don't add this:
- Shifts business model from "monitoring" to "testing"
- Security concerns with accessing customer applications
- Every application has unique UI (no standard automation)
- High complexity vs. current API integrations
Business Model Limitations
Vanta and Drata's core value proposition:
- Continuous compliance monitoring
- Infrastructure as code verification
- Automated policy management
- Integration with standard SaaS tools
What's outside their scope:
- Custom application testing
- Manual process verification
- Visual documentation
- Application-specific controls
Strategic positioning:
Infrastructure monitoring (Vanta/Drata) ← They focus here
+
Application testing (Manual or specialized tools) ← The gap
=
Complete SOC 2 compliance
Detailed Example: CC6.1 Logical Access Controls
What Vanta Automates
Control objective: Restrict access to sensitive systems and data based on user role.
Automated evidence collected by Vanta:
✅ Okta: User list with assigned roles
✅ AWS IAM: Policies attached to each role
✅ GitHub: Repository access permissions
✅ Google Workspace: Admin role assignments
✅ Jamf: Device access logs
Result: Infrastructure-level access controls are verified automatically.
What Remains Manual
Still required for complete CC6.1 evidence:
1. Application-level access test
Test procedure:
1. Create test user with "Viewer" role
2. Login to application as test user
3. Attempt to access "Admin Settings" page
4. Capture screenshot of "Access Denied" message
5. Verify audit log shows blocked attempt
6. Document test steps, expected vs actual results
7. Include tester name, timestamp, pass/fail determination
Manual time: 45-60 minutes
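The procedure above as runnable code. This is an added example, not code from the article or from Screenata, Vanta or Drata: a constructed minimal HTTP application stands in for the real one (its tokens, roles, the `/admin/settings` path and the in-memory audit log are assumptions), and the captured response body stands in for the screenshot. The test function returns the evidence record that steps 6 and 7 ask for (control ID, tester, timestamp, expected vs actual, pass/fail) plus a hash of the captured evidence, and the second run shows why behavioural proof differs from configuration data: the role configuration is unchanged, but the application stops enforcing it and the test records FAIL.

```python
import hashlib
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class App(BaseHTTPRequestHandler):
    """Constructed stand-in for the real application: a bearer token maps to a
    role and /admin/settings is only served to the Admin role. Every denied
    request is written to the (in-memory) audit log."""

    users = {}       # token -> role, i.e. what an API-based check would report
    audit_log = []   # entries checked in step 5 of the procedure
    enforce = True   # False simulates an application that ignores roles

    def do_GET(self):
        role = self.users.get(self.headers.get("Authorization", ""))
        if self.path == "/admin/settings" and self.enforce and role != "Admin":
            self.audit_log.append({"path": self.path, "role": role, "denied": True})
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Access Denied")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Admin Settings page")

    def log_message(self, *args):
        pass  # keep the example quiet; the evidence record is the output


def run_cc61_test(base_url, token, tester):
    """Steps 3-7: request the Admin Settings page with the test user's token,
    keep the response body as the captured evidence (a screenshot in a real
    run), check the audit log, and return the documented result."""
    req = Request(f"{base_url}/admin/settings", headers={"Authorization": token})
    try:
        with urlopen(req) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:
        status, body = err.code, err.read()
    role = App.users.get(token)
    logged = any(e["denied"] and e["role"] == role for e in App.audit_log)
    passed = status == 403 and logged
    return {
        "control": "CC6.1",
        "scenario": f"User with role {role!r} attempts to open Admin Settings",
        "tester": tester,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "expected": "HTTP 403 Access Denied and a matching audit-log entry",
        "actual": f"HTTP {status}, audit-log entry present: {logged}",
        "result": "PASS" if passed else "FAIL",
        # Hash of the captured evidence so later tampering with the stored
        # file can be detected by the auditor or the evidence reviewer.
        "evidence_sha256": hashlib.sha256(body).hexdigest(),
    }


def run_demo(users, enforce=True, token="viewer-token", tester="J. Doe (constructed)"):
    """Start the stand-in app on a free local port, run the test, stop it."""
    App.users, App.audit_log, App.enforce = dict(users), [], enforce
    server = HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_cc61_test(f"http://127.0.0.1:{server.server_port}", token, tester)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Application enforces the Viewer role correctly -> PASS
    print(run_demo({"viewer-token": "Viewer", "admin-token": "Admin"}))
    # Same role configuration, but the application no longer enforces it -> FAIL
    print(run_demo({"viewer-token": "Viewer", "admin-token": "Admin"}, enforce=False))
```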
2. Permission UI screenshots
Required screenshots:
├─ Admin panel showing role configuration page
├─ User management interface with permission matrix
├─ Role assignment workflow
└─ Access control rule settings
Manual time: 30 minutes
3. Test documentation
Written evidence:
├─ Test plan describing scenario
├─ Step-by-step execution log
├─ Expected behavior vs actual behavior
├─ Pass/fail conclusion
└─ Auditor notes section
Manual time: 30 minutes
Total CC6.1 manual effort: 2 hours per quarter = 8 hours per year
Just for this one control, the manual work that Vanta cannot automate requires 8 hours per year. With 15-20 controls having similar gaps, this adds up to 120-160 hours annually of manual evidence collection work.
What Drata Automates vs. What's Manual
Drata's Automation Strengths
Infrastructure monitoring:
✅ AWS/GCP/Azure resource compliance
✅ Kubernetes security configurations
✅ Database encryption settings
✅ Network access controls
SaaS integrations:
✅ GitHub security settings
✅ Okta user lifecycle
✅ Google Workspace configurations
✅ Slack security policies
Policy management:
✅ Employee acknowledgment tracking
✅ Training completion monitoring
✅ Background check verification
✅ Vendor assessment workflows
Drata's Manual Evidence Requirements
Drata designates certain controls as "Manual" requiring evidence uploads:
| Control Category | Drata Auto | Manual Evidence Required | Time (per audit) |
|---|---|---|---|
| Application Controls | ❌ | Screenshots of UI tests | 15-20 hours |
| Process Documentation | Partial | Workflow screenshots and narratives | 12-15 hours |
| Vendor Configurations | Partial | Console screenshots from third parties | 8-10 hours |
| Custom Security Features | ❌ | Test results with visual proof | 10-12 hours |
Drata's "Additional Evidence" feature:
- Upload PDFs manually
- Attach screenshots
- Write text descriptions
- Link to control IDs
- Still requires 45-57 hours of manual work per audit
Comparison: Vanta vs. Drata vs. Other GRC Tools
Automation Coverage Comparison
| Platform | Infrastructure Automation | Application Testing | Screenshot Capture | Workflow Documentation | Total Automation |
|---|---|---|---|---|---|
| Vanta | ✅ Excellent (95%) | ❌ None | ❌ None | ⚠️ Minimal (10%) | ~80% |
| Drata | ✅ Excellent (95%) | ❌ None | ❌ None | ⚠️ Minimal (15%) | ~82% |
| Secureframe | ✅ Very Good (90%) | ❌ None | ❌ None | ⚠️ Minimal (10%) | ~78% |
| Tugboat Logic | ✅ Very Good (90%) | ❌ None | ❌ None | ⚠️ Minimal (5%) | ~77% |
Key finding: All major GRC platforms have the same 20% gap for application-level evidence.
The Industry-Wide Gap
Why No GRC Platform Has Solved This
Reason 1: Different technical stack required
API-based monitoring:
└─ Backend integrations, data polling, config checks
Application testing:
└─ Browser automation, visual capture, user simulation
Reason 2: Application diversity
- Every company has unique applications
- Custom UI patterns and workflows
- No standardized testing approach
- High implementation complexity
Reason 3: Security and access concerns
- GRC platforms operate with read-only API access
- Testing requires write access and user interaction
- Production environment access creates security risks
- Liability concerns with automated actions
Result: The 20% gap is a structural limitation, not a product gap that will be filled by existing vendors.
How Companies Currently Handle the 20% Gap
Method 1: Manual Screenshot Collection (65% of companies)
Process:
- Create evidence checklist from control matrix
- Schedule dedicated time for screenshot capture
- Use generic tools (Snagit, CloudApp, OS built-in)
- Organize files in folders by control ID
- Add descriptions in Word or Google Docs
- Export to PDF
- Upload to Vanta/Drata manually
Pros:
- No additional software cost
- Full control over what's captured
Cons:
- 45-65 hours per audit cycle
- Highly repetitive and error-prone
- Context switching disrupts other work
- No standardization across audits
Time investment: 45-65 hours per audit
Method 2: Outsource to Compliance Consultant (20% of companies)
Process:
- Hire third-party compliance firm
- Grant consultant temporary system access
- Consultant captures evidence
- Internal team reviews and approves
- Consultant uploads to Vanta/Drata
Pros:
- Frees internal team capacity
- Consultant expertise speeds process
Cons:
- High cost (consultant fees)
- Security risk of external system access
- Knowledge transfer gaps
- Dependency on external schedule
Internal time is saved, but it is replaced with an external dependency
Method 3: Screen Recording + Manual Processing (10% of companies)
Process:
- Use Loom or similar to record test executions
- Watch recordings to identify key moments
- Extract screenshots using video player
- Annotate and organize screenshots
- Write documentation
- Format into PDFs
- Upload to GRC platform
Pros:
- Captures full context of actions
- Easier to review test execution
- Timestamps automatically recorded
Cons:
- Still requires 30-45 hours of processing
- Video files are large and hard to organize
- Extracting screenshots is manual work
- Auditors need screenshots, not videos
Time investment: 30-45 hours of processing per audit
Method 4: Hybrid Automation (5% of companies, emerging)
Process:
- Continue using Vanta/Drata for infrastructure (80%)
- Add specialized screenshot automation tool (15-18%)
- Manual work only for edge cases (2-5%)
Pros:
- Reduces manual work by 85-90%
- Standardized evidence format
- Audit-ready automatically
- Integrates with existing GRC platform
Cons:
- Requires additional tool subscription
- New workflow to learn
Time savings: Reduces manual evidence collection by 85-90%, freeing up 200+ hours annually
The Solution: Complementary Automation
What's Needed to Close the Gap
To achieve 95%+ total automation, companies need:
| Capability | Vanta/Drata | Screenshot Automation Tool | Combined Result |
|---|---|---|---|
| Infrastructure monitoring | ✅ Excellent | Not needed | ✅ Automated |
| SaaS integrations | ✅ Excellent | Not needed | ✅ Automated |
| Policy management | ✅ Very good | Not needed | ✅ Automated |
| Browser-level capture | ❌ None | ✅ Excellent | ✅ Automated |
| Application testing | ❌ None | ✅ Very good | ✅ Automated |
| Workflow documentation | ⚠️ Minimal | ✅ Excellent | ✅ Automated |
| Visual evidence | ❌ None | ✅ Excellent | ✅ Automated |
Architecture:
Complete SOC 2 Automation Stack:
Infrastructure Layer (80%)
├─ Vanta or Drata
└─ API-based monitoring
Application Layer (20%)
├─ Screenshot automation tool (Screenata)
└─ Browser-based capture
Total coverage: 95-98%
Integration: Screenshot Automation + Vanta/Drata
How Complementary Tools Work Together
Step 1: Vanta/Drata continues handling infrastructure
- Cloud configs monitored continuously
- SaaS integrations run automatically
- Policies tracked and verified
- 80% of evidence collected without intervention
Step 2: Screenshot tool captures application evidence
- Browser extension records control tests
- Screenshots auto-captured with metadata
- Evidence organized by control ID
- PDF reports generated automatically
Step 3: Evidence syncs to GRC platform
- Export evidence pack from screenshot tool
- Upload to Vanta "Additional Evidence" or Drata "Manual Evidence"
- Link to specific controls
- Audit trail maintained
Result:
Before: 80% automated (Vanta/Drata alone)
After: 95% automated (Vanta/Drata + screenshot tool)
Time reduction:
48-65 hours → 5-8 hours per audit
Time Savings Analysis: Adding Screenshot Automation
Current State (Vanta or Drata Only)
Annual time investment:
- Automation coverage: 80%
- Manual hours per audit: 48-65 hours
- Annual manual hours: 192-260 hours
Future State (Vanta/Drata + Screenshot Automation)
Annual time investment:
- Automation coverage: 95%
- Manual hours per audit: 4-6 hours
- Annual manual hours: 16-24 hours
Time Savings Summary
Annual efficiency gains:
- Time saved: 220-240 hours per year
- Reduction: 90% decrease in manual work
- Payback period: First audit cycle (3 months)
- Hours saved per quarter: 55-60 hours
Frequently Asked Questions
Will Vanta or Drata add screenshot automation eventually?
Unlikely to be their core focus for several reasons:
Technical: Their architecture is optimized for API integrations, not browser automation. Adding screenshot capabilities would require:
- Entirely new technology stack (browser extensions)
- User interaction simulation logic
- Visual capture and processing systems
- Application-specific customization framework
Business: Screenshot automation serves a different market segment:
- Vanta/Drata: "Continuous compliance monitoring"
- Screenshot tools: "Compliance testing and documentation"
- These are complementary, not competitive
Strategic: GRC platforms benefit from ecosystem partners:
- Better to integrate with specialized tools
- Lower development cost
- Faster innovation through partnerships
- Focus on core infrastructure monitoring
More likely scenario: Official integration partnerships with screenshot automation tools rather than building internally.
Can't I just hire someone to take screenshots cheaper?
Short-term: Maybe. Long-term: Probably not.
Comparison:
| Approach | Setup Time | Ongoing Maintenance | Scalability | Quality Consistency |
|---|---|---|---|---|
| Part-time hire | Weeks | High (training, turnover) | ⚠️ Requires training | ⚠️ Varies by person |
| Offshore contractor | Days | Medium (communication overhead) | ⚠️ Communication overhead | ⚠️ Variable |
| Automation tool | Hours | Low (automatic updates) | ✅ Instant | ✅ 100% consistent |
Hidden costs of manual approach:
- Knowledge loss when person leaves
- Training time for new hires
- Quality variability
- Management overhead
- Scope creep into other tasks
When manual makes sense:
- First 1-2 audit cycles (while learning process)
- Very small companies (< 20 controls)
- One-time audit (not recurring)
When automation makes sense:
- Recurring audits (SOC 2 Type II)
- Growing compliance requirements
- Multiple frameworks (SOC 2 + ISO 27001 + HIPAA)
- Team wants to focus on strategic work
Do I need to replace Vanta/Drata with a new tool?
No—complementary, not replacement.
Think of it like this:
Cybersecurity stack analogy:
Firewall (infrastructure protection)
+
Antivirus (endpoint protection)
=
Complete security
Same for compliance:
Vanta/Drata (infrastructure evidence)
+
Screenshot automation (application evidence)
=
Complete compliance automation
Integration approach:
- Keep existing Vanta or Drata subscription
- Add screenshot automation tool for application layer
- Export evidence from automation tool
- Upload to Vanta/Drata "Additional Evidence" section
- Both tools reference same control framework (Trust Service Criteria)
Result: Unified audit package with 95% automation instead of 80%.
Which controls specifically require the manual 20%?
High-manual controls (30+ minutes each):
| Control ID | Control Name | Why Manual | Time (per audit) |
|---|---|---|---|
| CC6.1 | Logical Access Controls | Application access testing with screenshots | 60-90 min |
| CC6.2 | Prior to Issuing Credentials | Provisioning workflow documentation | 45-60 min |
| CC6.3 | Removes Access Timely | Deprovisioning process screenshots | 45-60 min |
| CC7.2 | Change Management | Deployment approval workflow | 60-90 min |
| CC7.4 | Backup and Recovery | Restore testing with visual proof | 90-120 min |
| CC8.1 | Change Detection | Incident response process documentation | 45-60 min |
| A1.2 | Privacy Controls | Consent forms and privacy UI screenshots | 45-60 min |
Medium-manual controls (15-30 minutes each):
- CC6.6: Encryption implementation screenshots
- CC6.7: Data transmission security verification
- CC7.1: System operations monitoring dashboards
- CC9.2: Vendor security reviews
Total manual-heavy controls: 12-18 controls × 45-90 min each = 45-65 hours per audit
What if my audit firm says Vanta/Drata is enough?
They might be referring to infrastructure controls only.
Ask your auditor:
- "Do we need to provide screenshots of our application's access controls?"
- "How should we document our deployment approval workflow?"
- "What evidence is needed for application-level testing of CC6.1?"
Likely response:
- "Yes, we'll need screenshots for application controls"
- "Workflow documentation should show step-by-step process"
- "Application testing requires visual proof of denied access attempts"
Reality:
- Vanta/Drata satisfies ~80% of evidence requirements
- Remaining ~20% requires manual submission
- Audit firm may help collect evidence (additional fees apply)
- Or you handle it yourself (45-65 hours of work)
Screenshot automation helps either way:
- If you collect evidence yourself: 90% time savings
- If audit firm collects it: Faster turnaround with automation
Can I use generic RPA tools instead of compliance-specific automation?
Technically yes, practically challenging.
RPA tools (UiPath, Automation Anywhere, Blue Prism):
✅ Pros:
- Powerful automation capabilities
- Can capture screenshots
- Can interact with applications
❌ Cons:
- Not designed for compliance use cases
- No SOC 2 control mapping
- Requires significant configuration per test
- High cost ($10,000-40,000/year)
- IT/developer resources needed for setup
- Brittle (breaks when UI changes)
- No audit-ready report generation
Compliance-specific tools (Screenata, etc.):
✅ Advantages:
- Pre-built SOC 2 control mappings
- Audit-ready PDF generation
- Browser extension (no IT setup)
- Quick test creation
- Automatically includes metadata (tester, timestamp, control ID)
- Low cost ($1,800-3,600/year)
- Self-service setup
Verdict: RPA tools are overkill unless you already have them deployed for other purposes. Compliance-specific tools offer 80% of the benefit at 10% of the cost and complexity.
How do I know if my company has the 20% gap?
You have the gap if you answer "yes" to any of these:
✅ "We use Vanta/Drata but still spend hours taking screenshots each quarter"
✅ "Our audit checklist includes 'gather application screenshots' as a manual task"
✅ "We have to document our deployment/incident/access workflows with screenshots"
✅ "Auditors request screenshots of our application even though Vanta/Drata shows config data"
✅ "Compliance prep still takes our team 40+ hours per quarter despite automation tools"
✅ "We pay consultants thousands of dollars to collect application evidence"
You might NOT have the gap if:
- Your company is 100% SaaS (no custom applications)
- Your audit scope excludes application controls
- You're doing SOC 2 Type I only (one-time snapshot, not recurring)
To quantify your gap:
- List all controls in your audit scope
- Mark which ones Vanta/Drata fully automates
- For remaining controls, estimate manual hours
- Multiply by 4 (quarterly audits) for annual burden
If the total is > 30 hours/year, automation will likely have strong ROI.
Key Takeaways
✅ Vanta and Drata automate 80% of SOC 2 compliance through API-based infrastructure monitoring—a massive time saver for cloud configurations, identity management, and policy tracking.
✅ The remaining 20% cannot be automated by GRC platforms due to technical and business model constraints—specifically application testing, screenshot capture, and workflow documentation.
✅ This 20% gap costs 40-65 hours per audit in manual labor, translating to significant time and resource investment annually for most companies.
✅ The gap is structural, not temporary—GRC platforms are unlikely to add browser automation due to different technology stacks, security concerns, and strategic focus.
✅ Complementary screenshot automation tools can close the gap, bringing total automation from 80% to 95% and reducing manual work from 48-65 hours to 4-6 hours per audit.
✅ Time savings of 220-240 hours annually with payback period of one audit cycle, making screenshot automation one of the highest-impact compliance investments.