Vanta and Drata SOC 2 Implementation: What Still Has to Be Done
Bought Vanta or Drata for SOC 2? Here's what the platforms automate, what they don't, and how an implementation partner gets your policies, controls, evidence, and audit prep done.
Vanta and Drata are good tools. They can connect to your cloud accounts, identity provider, HR system, code repositories, device management tools, and ticketing systems. They can monitor controls, collect evidence, organize policies, and give your auditor a cleaner place to review documentation.
That is useful. Very useful. But buying Vanta or Drata is not the same thing as becoming SOC 2 ready.
The platform gives you visibility. It gives you structure. It gives you a place to manage the work. It does not make the hard decisions for you. It does not write policies that match how your company actually operates. It does not fix your AWS configuration, clean up your access controls, prepare your vendor reviews, or answer auditor questions for you.
That is the implementation work. And that is where most companies get stuck.
What Vanta and Drata Actually Do Well
Compliance platforms solve a real problem: SOC 2 has a lot of moving parts.
You need policies. You need controls. You need evidence. You need access reviews. You need vendor management. You need risk assessments. You need proof that your infrastructure is configured securely. You need to show an auditor that these things are not just written down, but actually operating.
Trying to manage all of that in spreadsheets and Google Drive gets messy fast.
Vanta and Drata help by giving you a central system for the program. They can:
- Connect to systems like AWS, Google Workspace, GitHub, Okta, Jira, HR tools, and MDM tools
- Automatically collect evidence from supported integrations
- Show which controls are passing and failing
- Track policy acceptance
- Organize employee onboarding and offboarding evidence
- Help manage vendor reviews
- Give auditors a place to review documentation and evidence
- Monitor controls over time
That is why we usually recommend using a compliance automation platform for SOC 2. If you are serious about getting through the audit efficiently, Vanta or Drata is usually worth it.
But the platform is not the implementation team.
What Vanta and Drata Do Not Do For You
This is the part that surprises people.
You buy the platform, connect a few integrations, and suddenly the dashboard is full of failed checks, missing policies, incomplete evidence, and controls with unclear ownership. That is normal.
The tool is showing you the work. It is not doing all of it for you.
Vanta and Drata do not automatically:
- Decide the right SOC 2 scope for your company
- Determine which systems should be included in the audit
- Write policies that match your actual operations
- Configure AWS, Azure, or GCP securely
- Fix IAM issues or excessive permissions
- Enable and tune logging, monitoring, and alerting
- Clean up stale users and access reviews
- Create a real incident response process
- Build a vendor management process
- Decide what evidence satisfies a control
- Coordinate your team through the audit
- Respond to auditor follow-up requests
They can help organize and automate pieces of the process. They cannot replace the judgment and execution needed to make the program real.
That is why companies end up with a platform subscription and still need help.
The Real SOC 2 Work After You Buy the Platform
Once Vanta or Drata is in place, the implementation work usually falls into a few buckets.
1. Scoping the Audit
Before you can configure the platform correctly, you need to know what is in scope.
Which product are you auditing? Which cloud accounts? Which databases? Which internal systems? Which vendors? Which teams? Which Trust Services Criteria?
Bad scoping creates problems later. If the scope is too broad, you create unnecessary work. If it is too narrow, the report may not satisfy customers.
A good implementation starts by defining the scope clearly.
2. Connecting Integrations Correctly
Connecting AWS or Google Workspace is easy. Connecting it correctly is different.
The platform needs access to the right accounts, services, repositories, identity providers, ticketing systems, HR systems, and device management tools. You also need to confirm the integration is collecting the evidence you think it is collecting.
A green check in the platform is not enough. You need to know whether the evidence actually supports the control.
3. Mapping Controls to Reality
The platform gives you a control library. Your company still has to make the controls real.
That means answering practical questions:
- Who reviews access?
- How often are reviews performed?
- Where are changes approved?
- How are incidents reported?
- What happens when an employee leaves?
- How are vendors assessed?
- Who owns security exceptions?
- How are backups tested?
- What logs are retained, and for how long?
The control has to match how the company actually works. If it does not, the auditor will find the gap.
4. Writing Policies That Are Not Generic Templates
This is one of the biggest weak spots in DIY SOC 2 efforts.
The platform may provide policy templates. Templates are a starting point. They are not the finished product.
Your policies need to describe how your company actually operates. If your access control policy says terminated employees are removed within 24 hours, you need a process that actually does that. If your change management policy says production changes require review, your GitHub and ticketing workflow need to support that.
A policy is not just a document. It is a promise to the auditor.
We write policies to match the way the company really works, then adjust the process where the current process is not audit-ready.
5. Fixing Technical Control Gaps
This is where engineering-led SOC 2 work matters.
Most failed controls are not writing problems. They are infrastructure and operations problems.
Common examples:
- CloudTrail is not enabled everywhere
- GuardDuty or equivalent monitoring is missing
- S3 buckets or storage systems are not locked down correctly
- IAM permissions are too broad
- MFA is not enforced for all required users
- Production access is not reviewed
- Logging retention is too short
- Backups exist but are not tested
- Vulnerability scanning is inconsistent
- Change approval is not documented
- Devices are unmanaged or missing encryption evidence
The platform can flag these problems. Someone still has to fix them.
That usually means configuring cloud services, identity systems, ticketing workflows, endpoint management, monitoring tools, and CI/CD processes so the controls are actually operating.
Where Companies Get Stuck Inside Vanta or Drata
The common pattern looks like this:
A company buys Vanta or Drata because a customer asks for SOC 2. They connect the obvious integrations. The dashboard lights up with tasks. At first, it feels manageable.
Then the work slows down.
Policies need to be customized. Access reviews need owners. Vendor reviews need to be completed. Cloud controls are failing. Some evidence has to be uploaded manually. The auditor asks questions no one knows how to answer. Engineering gets pulled into compliance work they do not have time for.
The platform is doing its job. It is exposing the gaps. But exposing the gaps is not the same as closing them.
That is where an implementation partner helps.
What a SOC 2 Implementation Partner Does Inside Vanta or Drata
When we help a company with SOC 2, we work directly inside their Vanta or Drata portal.
We are not just advising from the outside. We help run the actual implementation.
That includes:
- Reviewing the current portal setup
- Confirming audit scope
- Connecting and validating integrations
- Mapping controls to your actual systems and processes
- Writing and customizing required policies
- Assigning control owners
- Cleaning up failed tests
- Preparing evidence
- Uploading manual evidence where automation is not enough
- Fixing technical gaps in cloud and identity systems
- Preparing for auditor review
- Helping respond to auditor questions
- Keeping the project moving until the report is complete
The goal is simple: get the portal from mostly red and confusing to audit-ready.
DIY vs Hiring Help
Some companies can do this themselves.
If you have a security lead, a compliance owner, and engineering bandwidth, Vanta or Drata may be enough structure to get through SOC 2 internally.
But most startups do not have that luxury.
If your team is already stretched, SOC 2 work competes directly with product work. Every hour spent figuring out policy language, access review evidence, or AWS control failures is an hour not spent building the company.
You should consider hiring help if:
- A customer is blocked until you have SOC 2
- You already bought Vanta or Drata but progress has stalled
- Your dashboard has failed controls no one knows how to fix
- You need policies written and customized
- Engineering does not have time to own compliance work
- You want to get to audit-ready without dragging the process out for months
The Bottom Line
Vanta and Drata are good SOC 2 platforms. But they are not magic.
They automate evidence collection. They organize the program. They make the audit cleaner. They help you see what needs to happen.
They do not replace the implementation work.
Someone still has to configure the system, write the policies, fix the controls, gather the evidence, prepare the audit room, and keep the project moving.
That is what we do.
If you already have Vanta or Drata and want someone to take the implementation off your plate, we can help. We work inside your portal, clean up the gaps, write the policies, implement the controls, and get you ready for the audit.
Already using Vanta or Drata? Take the SOC 2 readiness assessment or contact us and we'll show you what still needs to be done.
Find the gaps before the auditor does.
Take the ten-question SOC 2 readiness assessment.