Overview
Vanta automates security compliance for SOC 2, ISO 27001, HIPAA, and other frameworks. The Pwnbook Vanta integration imports your compliance posture — controls, automated tests, evidence requests, and vendor assessments — so security teams can track compliance alongside operational security work in a single view.Prerequisites
- A Vanta account with access to Settings → API
- Admin or Owner access in Pwnbook
Credentials required
| Field | Description |
|---|---|
| Client ID | OAuth client ID from Vanta Settings → API |
| Client Secret | OAuth client secret from Vanta Settings → API |
Setup
Create a Vanta API client
- In Vanta, go to Settings → Integrations → API.
- Click Create API client.
- Give it a name like “Pwnbook” and set the required scopes:
vanta.api.general.tests:read— automated test resultsvanta.api.general.controls:read— control statusvanta.api.vendor:read— vendor management datavanta.api.general.evidence:read— evidence requests
- Copy the Client ID and Client Secret.
What gets synced
Controls
Pwnbook imports your Vanta control library including:| Field | Description |
|---|---|
| Name and description | Human-readable control name and what it covers |
| Status | Passing, failing, or needs attention |
| Framework mapping | Which SOC 2 trust criteria, ISO controls, or HIPAA safeguards each control maps to |
| Assigned owner | The Vanta user responsible for the control |
Automated tests
Each automated security check Vanta runs appears as a test result in Pwnbook:| Field | Description |
|---|---|
| Test name | The automated check (e.g., “MFA enabled for all users”) |
| Status | Passing or failing |
| Linked control | Which compliance control the test validates |
| Failure details | Resources or accounts that caused the test to fail |
Evidence requests
Open evidence collection requests from your Vanta audits appear in Pwnbook:| Field | Description |
|---|---|
| Title | What evidence is being requested |
| Due date | When evidence must be submitted |
| Status | Open, submitted, or approved |
| Assigned to | Team member responsible for gathering evidence |
Vendor management
The vendor list from your Vanta workspace is imported with full metadata:| Field | Description |
|---|---|
| Vendor name | Vendor or SaaS tool name |
| Security owner | Vanta workspace user responsible for the vendor from a security perspective |
| Business owner | Vanta workspace user who owns the vendor relationship |
| Vendor PoC | External contact at the vendor (name and email) |
| Authentication method | How your team authenticates to the vendor |
| Headquarters | Vendor country of incorporation |
| Trust center | Link to the vendor’s trust/security portal |
Viewing in Pwnbook
Once connected, Vanta data is available from the Workbench and the sidebar:- The Vanta workbench card shows control pass rate, failing test count, and open evidence requests at a glance.
- The full Vanta view shows tabbed sections: Controls, Tests, Evidence, and Vendors.
- Filters let you narrow by framework, status, and assigned owner.
- Failing tests and controls link back to the corresponding item in Vanta for remediation.
Disconnecting
- Go to Organization Settings → Marketplace → Vanta.
- Click Disconnect.
- Confirm.