Integration · grc

Vanta

Bridges program (non-automatable) CIS Controls v8 safeguards, data management, security awareness, vendor risk, incident response, and similar governance practices, to controls in your Vanta workspace. Draxis pulls each mapped control's pass/fail status on schedule, then suppresses passing program safeguards from the recommended-controls list on the risk register.

sourceType: grc vendorId: vanta auth: oauth2 (client credentials) schedule: daily
Manual setup — not part of guided onboarding
This connector requires you to register an app or issue an API token in your own vendor console first, so it sits outside the guided onboarding chat. Follow the steps below in your vendor admin UI, then add the integration from Settings → Integrations in Draxis. The four connectors that are in guided onboarding (Microsoft Entra ID, Microsoft Defender for Endpoint, Google Workspace, GitHub Advanced Security) install via a one-click OAuth popup with no per-customer registration step.

At a glance

VendorVanta (Trust Management Platform)
Source typegrc, this connector does not emit KRIs. It writes pass/fail rows to grc_safeguard_status, which the risk register reads to suppress passing program safeguards.
Vendor ID (slug)vanta
Base URLhttps://api.vanta.com (fixed). Override only for Vanta on-prem deployments.
Auth methodoauth2, client credentials grant against https://api.vanta.com/oauth/token. The connector mints a fresh access token per run; no token persisted.
Schedule defaultdaily, program-safeguard state changes slowly; daily is sufficient for risk-view freshness (90-day window).
Status mapping ruleVanta's PASS → Draxis pass. Anything else (FAIL, NEEDS_ATTENTION, NOT_APPLICABLE, DEACTIVATED, missing) collapses to Draxis fail.
Recommended forTenants who already use Vanta as their attestation system of record. The connector is a one-way read; Draxis never writes to Vanta.
AvailabilityNew in 2026.05.

Required scopes

Draxis authenticates with a Vanta API app (Client ID + Client Secret) using the OAuth 2.0 client credentials grant. The app needs one read-only scope:

  • vanta-api.all:read, lets the connector list controls and their roll-up test status.

Do not grant any :write scopes. The connector never modifies Vanta state, it only reads control status. If your workspace policy requires least-privilege scopes per integration, this is the only one you need.

Setup steps

  1. Create a Vanta API app. In the Vanta admin console, go to Settings → Developer → API Apps → Create app. Name it draxis-readonly or similar so it shows up clearly in audit logs.
  2. Grant only the read scope. Tick vanta-api.all:read and uncheck everything else.
  3. Generate credentials. Vanta gives you a Client ID and Client Secret. Copy both, you'll need them in the next section. The Client Secret can be regenerated but not re-displayed; if you lose it, rotate.
  4. Confirm your control catalog is populated. If Vanta hasn't finished onboarding (no controls yet, no test results), the Draxis run will succeed but report 0 mappings refreshed. That's expected, come back once Vanta is fully evaluating.

Wire it into Draxis

  1. Open Settings → Integrations in your tenant.
  2. Click Add integration and pick GRC Platform as the source type.
  3. Pick Vanta from the vendor dropdown. Draxis pre-fills the API base URL (https://api.vanta.com), the OAuth 2.0 auth method, and the daily schedule.
  4. Paste the Client ID and Client Secret from the previous section. Both are encrypted server-side with encryption.key before storage.
  5. Click Test. Green means Draxis successfully exchanged credentials for an access token and reached /v1/controls?pageSize=1.
  6. Save. The connector runs daily by default; Run now from run history triggers an immediate refresh.
  7. Open the Risk Register and click Map program safeguards. For each program (non-automatable) CIS safeguard you want covered, add a mapping, pick vanta as the vendor and paste the matching Vanta control ID. The next connector run will pull pass/fail for it.

How mapping works

Program safeguards in the Draxis CIS Controls v8 catalog (e.g. CIS-3.1 "Establish and Maintain a Data Management Process", CIS-14.1 "Establish and Maintain a Security Awareness Program") are tagged automatable=0, measurement_source='grc' by Platform Admin. Telemetry connectors (Okta, CrowdStrike, etc.) cannot measure these, they require a GRC platform.

The mapping is a stable triple: (cis_ref, vendor_id, external_control_id). You can map the same CIS ref to multiple Vanta controls if your governance program splits coverage across controls; the safeguard reads as covered iff any mapped control passes. You can also map the same Vanta control to multiple CIS refs if it attests to several at once.

The Vanta connector pulls the full /v1/controls list each run, then upserts grc_safeguard_status rows only for the controls you've actually mapped, not the entire Vanta catalog. If a control you mapped no longer exists in Vanta (deleted, deactivated), the status writes as fail and the safeguard surfaces as recommended again.

What the connector does NOT do

  • Does not write KRIs. Telemetry connectors emit per-KRI numeric values; Vanta emits a binary pass/fail per mapped control. Different model, different table, different read path. The Draxis runner simply skips KRI seeding for connectors with no kris declaration.
  • Does not auto-discover mappings. The first version requires you to enter the Vanta control ID by hand in the mapping UI. A future release will surface an LLM-suggested control match per CIS ref using listExternalControls(); in the meantime, you can use Vanta's UI to find the right control ID and paste it.
  • Does not push data to Vanta. The OAuth scope is read-only and the connector has no write code paths. Vanta remains the source of truth for evidence, attestations, and tests.
  • Does not import Vanta's framework mappings (SOC 2, ISO 27001, HIPAA). Draxis stays at the CIS Controls v8 layer; Vanta keeps the per-framework crosswalk. If you need to view "which Draxis safeguard maps to which SOC 2 criterion", do that in Vanta.

Vendor quirks

  • OAuth tokens have short lifetimes. Vanta access tokens expire (typically 1 hour). The connector mints a fresh token at the start of each run; nothing is cached across runs. If your run takes longer than the token lifetime, refactor or contact support.
  • Status rollup happens on Vanta's side. A single Vanta control may have multiple tests; testStatus on the control object is the worst-of rollup. If you need finer granularity (e.g. "8 of 10 tests pass"), open the control in Vanta, Draxis only stores the binary roll-up.
  • NOT_APPLICABLE still reads as fail. If you've marked a Vanta control N/A, Draxis can't tell whether you mean "this safeguard doesn't apply to us" or "we haven't evaluated it." Either remove the mapping in Draxis (so the safeguard isn't expected) or change Vanta's status. The user's binary rule applies: pass or it's a fail.
  • Pagination uses opaque cursors. The connector caps at 50 pages of 100 controls = 5000 controls. If you have more than that, raise the cap or contact support; we haven't seen a Vanta workspace exceed that ceiling in practice.

Troubleshooting

  • HTTP 401 on token exchange, Client ID or Client Secret is wrong, or the API app was deleted in Vanta. Re-create credentials in Settings → Developer → API Apps and update Draxis.
  • HTTP 403 on /v1/controls, the API app doesn't have vanta-api.all:read. Add the scope and try again.
  • Run reports mapped: 0, you haven't created any mappings yet in Risk Register → Map program safeguards. Until you do, the connector has nothing to refresh.
  • Run reports missing_in_vanta > 0, one or more mapped Vanta control IDs no longer exist (deleted or renamed). Open Map program safeguards, find the affected mappings (they'll show as fail with no display name), and update the control ID.
  • Safeguard still shows as recommended after the run completed, the mapped control passes in Vanta but is more than 90 days old (the freshness window). Either re-evaluate in Vanta or change the Draxis schedule to surface a fresher evaluated_at.
  • Still stuck? Open a support ticket with the run ID (from Run history) and we'll dig in.