
First, my company uses a tool called Vanta. Really simplifies the SOC2 process for a small to medium-sized business. They have managed to automate large portions of the process. I think I created only 5 or so screenshots for the whole SOC2 audit.

Second, the process is making your business more secure. There are so many things that people skip without the reminders of the SOC2 audit. Also, if someone has a SOC2 it tells me they are doing the standard stuff I expect.




Everyone uses Vanta, at least among YC companies (Vanta is a YC company). There are things I like about Vanta, and you can't argue with the track record. I have one big concern with it, which is that in working with other companies that used Vanta, my experience was that it pulled those teams towards an expansive take on what SOC2 is, and induced them to do extra engineering work. Alarm bells should go off in your head when you do engineering work specifically for SOC2, because SOC2 has weird ideas of how serverside engineering should work, and you probably don't want to adopt them.

I know Vanta (and the other tools like them) are customizable, and you don't have to do everything they suggest. If you know that going in, and you're careful about minimizing your Type I, they work great and you can't argue with the track record.

The thing with me is: you really can't flunk a Type I. If you're serious about getting certified, you will get certified. So you should be much more worried about SOC2 dragging you into extra work or bad engineering decisions than you should be about whether you'll succeed at getting a Type I. So anything that creates the perception that "extra stuff" has to get done for SOC2 is something I'm automatically wary of.


Agreed. We did a process on Drata vs Vanta and ended up choosing Drata, but they're similar in terms of product/pricing. Drata has saved us tons of time.



