ISO 27001 Penetration Testing: What Auditors Expect and How to Deliver It

Vanta does not publish a single price on its website. Every quote is custom, generated after a sales call, and shaped by four variables: your headcount, the number of frameworks you need, the add-ons you select, and how long you commit. The median Vanta contract sits around $20,000 per year based on aggregated procurement-platform data, with the full range running from about $10,000 for a lean startup to $80,000 and beyond for a multi-framework enterprise. There is also one cost that most analyses miss: the actual audit fee, which is not included in the Vanta subscription price. This breakdown covers every tier, every hidden line item, and the levers that actually move the number down. Vanta Pricing at a Glance Vanta sells five named tiers, each aligned to a company stage or GRC maturity level. The figures below come from customer-reported benchmarks aggregated by procurement and price-intelligence platforms such as Vendr and PriceLevel, since no list prices exist publicly. Treat them as ranges, not quotes. The audit, paid to an independent firm, sits on top of all of these and typically adds $10,000 to $50,000 depending on framework and scope. Plan Typical Annual Cost Best For Core ~$10,000 Startups, single framework Plus $15,000–$30,000 Growing teams needing access reviews and questionnaire automation Growth $25,000–$50,000 Scaling companies running multiple frameworks Scale $50,000–$80,000 Formalised GRC or security teams Enterprise $80,000+ Multi-entity, IPO-level, or highly complex environments Vanta Pricing Plans Explained Core Plan: Entry-Level Compliance for Startups Core is the entry point, generally landing around $10,000 per year, with reported deals clustering between roughly $7,500 and $14,000. It covers one framework, usually SOC 2 or ISO 27001, with automated evidence collection, ready-made policy templates, basic integrations, a public-facing Trust Center, and access to Vanta’s network of approved audit firms. Smaller teams pursuing a single framework land at the low end of that range. It is built for the first-time compliance journey, not for running compliance as an ongoing operational function. Plus Plan: Advanced Features for Growing Teams Plus typically runs $15,000 to $30,000 per year. It adds the capabilities Core leaves out: automated access reviews, approval workflows, and a capped allowance of automated security-questionnaire responses, commonly cited at 25 per year. That questionnaire cap is the detail that catches growing teams off guard, and it is covered in the hidden-fees section below. Growth Plan: Built for Scaling GRC Programs Growth, sometimes sold as the Professional tier, ranges from roughly $25,000 to $50,000 per year and is Vanta’s most commonly sold plan for scaling companies. It supports multiple frameworks, advanced integrations, customisable risk-management workflows, custom monitoring tests for non-standard controls, automated access reviews, advanced reporting, and a far larger questionnaire allotment, often cited at 144 per year. This is the tier for organisations treating compliance as a service and a real business function, rather than a one-time checkbox. Scale Plan: Expanded Compliance Coverage Scale pricing starts where Growth tops out and can reach up to $80,000 per year. It is aimed at companies with formalised GRC or security teams, many connected assets, and several frameworks running in parallel. SCIM-based user provisioning and deeper automation across onboarding and offboarding tend to appear at this level. Enterprise Plan: Fully Custom Pricing Enterprise is entirely bespoke, starting above $80,000 and quoted case by case. It bundles a dedicated customer success manager, priority support, custom integrations, and tailored implementation. It becomes relevant for organisations managing multiple legal entities, thousands of assets, strict SLA requirements, or IPO-level scrutiny. Insider note: Vanta’s plan names shift over time and between sales reps. You will see Core called Essentials, and Growth called Professional, in different quotes and on different comparison sites. Anchor your evaluation to what the plan actually includes, frameworks supported, questionnaire allowance, access review automation, rather than the label on the proposal, because the label is the least stable thing about it. How Much Does Vanta Cost Per Year? Annual Cost by Company Size and Stage For a startup under 50 employees chasing a single framework, expect roughly $10,000 to $12,000 per year. Most growing companies pay between $25,000 and $55,000. Larger organisations running multiple frameworks commonly land between $50,000 and $110,000 or more once add-ons and headcount are factored in. The median across all reported deals stays near $20,000, which tells you most buyers sit in the Core-to-Growth band rather than at the extremes. How Pricing Scales With Company Size and Complexity Vanta prices primarily on employee count and framework count. Add an employee bracket, and the per-seat-driven base creeps up. Add a framework, and you pay again for the incremental coverage. Complexity compounds this: more cloud accounts, more vendors to assess, and more integrations all push you toward higher tiers and more add-ons. Two companies of identical headcount can pay very different amounts purely on framework count and the modules they bolt on. How to Negotiate Vanta Pricing Buy Through a Certified Partner Certified partners can frequently pass through discounts of 20 to 40 percent off list on multi-year contracts, alongside faster onboarding and implementation support. As a certified Vanta partner, Axipro secures clients 25% off Vanta pricing, and that discount applies on top of the platform’s standard multi-year terms rather than instead of them. The saving is only part of the value. Axipro folds the licence into a consultant-led compliance program, so you get the negotiated rate plus hands-on implementation, framework scoping, and audit preparation, rather than a cheaper login and a blank dashboard. For a team weighing a $25,000 quote, a quarter off the platform cost covers a meaningful slice of the audit fee that Vanta’s subscription never includes. Negotiate Multi-Year Discounts A two or three-year commitment is the most reliable discount lever. Vanta will trade a lower annual rate for a longer term and committed future growth. If you expect to add headcount or frameworks, name that expansion in the negotiation and use it to pull the rate down now. Bundle Frameworks You’ll Need Later If ISO 27001 or HIPAA is on your roadmap, negotiate

The Vanta agent checks four things on a laptop: whether the disk is encrypted, whether a password manager is installed, whether antivirus is running, and whether the screen locks on its own. That is the entire job. It is a lightweight background program that reports those signals back to Vanta so your compliance evidence stays current without anyone emailing screenshots to an auditor. Most of the confusion around it comes from one of two directions: people expect it to manage their fleet like a full device-management platform, or they worry it reads far more than it does. Neither is true, and the gap between those two assumptions is where this guide lives. What follows covers what the agent collects, what it deliberately ignores, how it talks to the Vanta platform, how it stacks up against a full MDM, and which compliance frameworks the evidence ends up supporting. What Is the Vanta Agent? The Vanta agent is a small program installed on employee computers to continuously confirm that each device meets a short list of security requirements. If you have seen it referred to as the Vanta Device Monitor, that is the same product under an earlier name. The two terms are interchangeable. Under the hood, it runs a hardened build of osquery, an open-source framework that exposes operating system state as a queryable SQL database. Vanta ships a modified version that strips out the tables it considers risky, which is why the agent can read a disk-encryption flag but cannot pull your browser history or SSH keys. It is read-only by design. It inspects configuration and reports back; it never changes a setting on the machine. Vanta positions it primarily for smaller fleets, generally companies running fewer than about 75 devices, where standing up a full management platform would be overkill. What Does the Vanta Agent Do? The agent exists to turn a recurring manual chore — proving that every laptop is configured securely — into something that happens quietly in the background. Continuous Device Monitoring Once installed, the agent keeps tabs on the device’s security posture on an ongoing basis rather than at a single point in time. This matters because audits care about whether a control held throughout the period, not whether it happened to be true the morning someone took a screenshot. Continuous checks caught the laptop with encryption switched off last Tuesday. Automated Compliance Checks Each signal the agent gathers maps to a control your auditor wants evidence for. Instead of chasing employees for proof that their disk is encrypted, the check runs automatically, and the result flows into Vanta as evidence. The work that used to eat days of an onboarding cycle collapses into a background process. Real-Time Security Posture Tracking The findings appear in Vanta as pass or fail states against each requirement, so a security lead can see fleet-wide compliance at a glance. A device that drifts out of compliance surfaces quickly, which shortens the window between a problem appearing and someone noticing it. What Information Does the Vanta Agent Collect? This is the question employees actually care about, and the honest answer is reassuring: the agent collects security configuration, not content. It does not transmit passwords, environment variables, SSH keys, emails, or browsing history. It reads whether protections are switched on, not what you are doing with the machine. Insider Note: The reason the agent cannot snoop even if someone wanted it to is architectural, not a policy promise. Vanta deploys a modified osquery build that removes the tables capable of reading sensitive content. The dangerous queries are not blocked at the dashboard; they are absent from the binary. That distinction is worth raising directly when an employee pushes back on installation. Operating System and Version Details The agent records the OS and version so Vanta can confirm the device runs a supported, patchable platform. An end-of-life operating system is a control failure in its own right, and this is how it gets flagged. Disk Encryption Status It checks whether full-disk encryption is active — FileVault on macOS and BitLocker on Windows. This is the single most universally required device control across every major framework, which is also why it is the one Linux check the agent does support. Screen Lock and Password Policies The agent verifies that the screen locks automatically after a period of inactivity and that a password or equivalent is required to get back in. An unlocked laptop left on a train is a textbook breach, and this control is the cheapest defense against it. Antivirus and Firewall Status It confirms that antivirus or endpoint protection software is installed and running. The point is not to endorse a particular product but to prove that some recognized protection is active and has not been quietly disabled. Installed Software and Auto-Update Settings To detect the controls above, the agent reads the list of installed applications — for example, to confirm a password manager is present — along with update-related settings. It is reading the inventory to verify protections exist, not building a behavioral profile of the user. How Does the Vanta Agent Work? How the Agent Communicates with the Vanta Platform After installation, the employee registers the device against your Vanta account, which links that machine to its owner. From then on the agent runs its checks locally and sends only the results — the pass or fail signals — up to Vanta over an encrypted connection. The raw system queries stay on the device. What travels is the verdict, not the underlying data. How Often the Vanta Agent Runs Checks The agent uses osquery’s scheduled-query model, meaning each check runs on a recurring interval in the background rather than continuously hammering the system. Results sync to Vanta periodically through the day, and the platform’s tests re-evaluate on a regular cadence so a freshly remediated device clears its failing check without anyone forcing a manual refresh. In practice, a fixed laptop usually shows green within hours, not at the