Vanta sells SOC 2 as SaaS
Vanta at $220M/year
Vanta turns a painful audit project into an always-on system of record, which is why it can charge like software instead of like an accounting engagement. The product keeps pulling evidence from tools like AWS, GitHub, Google Workspace, HR systems, and employee devices, then shows which controls are passing or broken. That ongoing monitoring matters because a SOC 2 report expires, auditors need fresh evidence, and customers increasingly want live proof that security practices are still in place.
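To make the "always-on system of record" concrete, here is a toy continuous-control monitor written for this page. It is not Vanta's code, and the control names, evidence sources and sample records are all constructed. Each control is judged on evidence from one integration, and evidence older than the control's freshness window is reported as stale rather than passing or failing, which is exactly the distinction an auditor cares about: a failing check you can act on, versus evidence you cannot rely on at all.

```python
"""Toy continuous-control monitor (hypothetical example, not Vanta's code).

Evidence is whatever an integration last pulled (constructed inline here);
each control checks one evidence source and reports passing / failing /
stale / missing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Evidence:
    source: str            # integration that produced it, e.g. "aws_iam"
    collected_at: datetime  # when the pull happened (timezone-aware)
    data: dict             # normalized payload from that integration


@dataclass(frozen=True)
class Control:
    control_id: str        # constructed id, not an official SOC 2 criterion
    source: str            # evidence source this control is judged on
    max_age: timedelta     # older evidence is too stale to assert the control
    check: Callable[[dict], list]  # returns non-compliant resources; [] = passing


# Control checks: each returns the resources that violate the control.
def iam_users_without_mfa(data: dict) -> list:
    return [u["name"] for u in data["users"] if not u["mfa_enabled"]]


def repos_without_branch_protection(data: dict) -> list:
    return [r["name"] for r in data["repos"] if not r["default_branch_protected"]]


def devices_without_disk_encryption(data: dict) -> list:
    return [d["hostname"] for d in data["devices"] if not d["disk_encrypted"]]


CONTROLS = [
    Control("access-mfa", "aws_iam", timedelta(days=1), iam_users_without_mfa),
    Control("change-branch-protection", "github", timedelta(days=1), repos_without_branch_protection),
    Control("endpoint-disk-encryption", "mdm", timedelta(days=7), devices_without_disk_encryption),
    # HR control whose evidence source was never connected (see SAMPLE_EVIDENCE).
    Control("hr-background-checks", "hris", timedelta(days=30), lambda data: []),
]


def evaluate(controls: list, evidence: dict, now: datetime) -> dict:
    """Return {control_id: {"status": ..., "findings": [...]}} for every control.

    Stale or missing evidence is never evaluated: the check is skipped so a
    failing resource in old evidence does not masquerade as a current finding.
    """
    report = {}
    for control in controls:
        ev = evidence.get(control.source)
        if ev is None:
            report[control.control_id] = {"status": "missing", "findings": []}
            continue
        if now - ev.collected_at > control.max_age:
            report[control.control_id] = {"status": "stale", "findings": []}
            continue
        findings = control.check(ev.data)
        report[control.control_id] = {
            "status": "failing" if findings else "passing",
            "findings": findings,
        }
    return report


def summary(report: dict) -> dict:
    """Count controls per status, the number a dashboard would surface."""
    counts: dict = {}
    for result in report.values():
        counts[result["status"]] = counts.get(result["status"], 0) + 1
    return counts


# Fixed clock so the sample run is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed evidence, as if pulled by each integration.
SAMPLE_EVIDENCE = {
    "aws_iam": Evidence("aws_iam", NOW - timedelta(hours=2), {"users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "svc-deploy", "mfa_enabled": False},   # will fail the MFA control
    ]}),
    "github": Evidence("github", NOW - timedelta(hours=1), {"repos": [
        {"name": "api", "default_branch_protected": True},
        {"name": "web", "default_branch_protected": True},
    ]}),
    "mdm": Evidence("mdm", NOW - timedelta(days=10), {"devices": [
        {"hostname": "laptop-07", "disk_encrypted": False},  # stale, so not judged
    ]}),
    # no "hris" entry at all: that integration was never connected
}


def run_sample() -> dict:
    return evaluate(CONTROLS, SAMPLE_EVIDENCE, NOW)


if __name__ == "__main__":
    for control_id, result in run_sample().items():
        print(f"{control_id:28s} {result['status']:8s} {result['findings']}")
    print(summary(run_sample()))
```

The stale case is the one worth noticing: `laptop-07` is unencrypted in the MDM payload, but because that pull is ten days old the monitor reports the control as stale instead of failing. That is the same reason a yearly screenshot cannot stand in for continuous collection: without a fresh pull nobody can say whether the control passes today.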
- Traditional firms mostly got paid once to prepare a company and run the audit, often with manual screenshots, spreadsheets, and on-site checks. Vanta keeps the customer subscribed because the same controls must be re-tested every year, and the platform keeps collecting and organizing evidence in between audits.
- The SaaS model also expands ACV over time. Once Vanta is connected to the stack for SOC 2, it can sell additional frameworks like ISO 27001 and HIPAA by reusing many of the same controls, then layer on adjacent products like trust centers, questionnaire automation, and vendor risk workflows.
- This is now the standard playbook across the category, not just a Vanta quirk. Drata also sells annual subscriptions priced by company size and number of frameworks, while peers like Laika and Secureframe describe the same shift from one-time audit prep to recurring monitoring and recertification software.
The market is heading toward broader security operations, not just faster audits. As compliance automation vendors collect more live data across a company's systems, the winning products will use that footprint to sell more frameworks, answer more buyer diligence requests, and move from a twice-yearly purchase into a daily workflow for security and go-to-market teams.