by hmahncke
1972 days ago
We found Vanta very helpful for identifying and managing all of the to-dos (gap analysis). Our initial discussion with an auditor was very paperwork-focused, and Vanta helped us see the gap analysis as technical/process focused (with the paperwork following, describing what we were now actually doing). It would have been much more challenging to achieve SOC-2 compliance without Vanta. From a cost perspective, Vanta + a Vanta-partnered auditor was less expensive than just an auditor (presumably because the information was organized so the auditor had to do less work to complete the audit). The Vanta platform ends up being a place to put documents so the auditor can find them (which is more useful than you might think if you haven't done a SOC-2 audit). They offer several Vanta-developed continuous monitoring tools (e.g., endpoint configuration monitoring, AWS vulnerability monitoring), which are not as well developed as independent tools (e.g., Kandji, AWS Inspector) but are convenient for auditors documenting continuous compliance. As I understand it, they are working towards being more of an integration center for independent tools, so Kandji/AWS Inspector information can flow into the Vanta system.