Can you get SOC 2 without a compliance platform?

TL;DR
  • Yes. A SOC 2 report is signed by a licensed CPA firm, not produced by a platform, so the monthly subscription is optional.
  • Compliance platforms organize your evidence well. That is real and genuinely useful. But they cannot sign the report.
  • Under AICPA standards (AT-C 205), the CPA does the actual audit work. You can hire one directly.
  • A subscription is rent you pay every year. The audit is the one-time thing your customer actually asked for.

The short answer

Yes. You can get a SOC 2 without a compliance platform. The report is a CPA's formal opinion, signed in the name of a licensed CPA firm. The platform is software that organizes your evidence. Those are two different layers, and only the second one is required.

I say this as a CPA who runs these audits. The audit itself is the part you need. The subscription is optional tooling.

First, the part the platforms got right

Let me give them their due, because they earned it. Before compliance software existed, a founder who got a SOC 2 request from an enterprise customer had two bad options. Hire a traditional CPA firm at a price built for big companies. Or hand-collect evidence in a spreadsheet for months, with no idea whether any of it was right.

Platforms gave founders a third option. They connect to your cloud, identity, and code tools, pull evidence out of them, and keep it organized over time. Vanta, for example, markets "more than 400 integrations and 1,300 tests" doing exactly that, reading from your systems without changing anything in them. For a decade that was genuinely useful work, and the sheer number of those connections was a real advantage.

Why did they need so many connections? Because software can't log into your AWS account or your HR system the way a person can. So a platform had to build a separate connector for each tool you use, then translate all those different outputs into one tidy view. Building and maintaining that long list of connectors was, in a real sense, the product. That was a sensible design for the world it was built for.

So this isn't "platforms bad." They solved a real problem. The thing worth noticing is a small shift in how the value got described along the way.

What the platform does, and what only a CPA can do

Here is the line that matters. A SOC 2 report is a CPA's opinion. Vanta says this plainly on its own site: "A SOC 2 audit must be performed by a certified public accountant (CPA) at a firm that is accredited by the American Institute of CPAs (AICPA)."

Read that again. The platform is telling you the audit isn't theirs to give. They organize the evidence. A CPA examines it and signs the report in the firm's name. The platforms partner with small CPA firms who issue that report, and in practice that auditor is usually so far back in the process that the buyer never really meets them.

Under AICPA standards, the audit work belongs to the CPA, not to the software. AT-C 205, the standard that governs this kind of examination (the audit and the CPA's formal opinion on it), assigns the design and performance of every procedure to the CPA, and says the auditor "has sole responsibility for the opinion expressed." There is no clause for software anywhere in it. The standard doesn't know what a dashboard is.

So when you buy a SOC 2 "from a platform," what you're really buying is two things bolted together. Evidence software you rent monthly, and an audit a CPA performs once. You can buy them apart.

Compliance platformThe CPA firm
What it isEvidence-organizing softwareThe licensed auditor
Can sign the report?NoYes
How you payRecurring subscriptionPer engagement
Required by AICPA?NoYes

"SOC 2 without Vanta" is a normal path

It isn't a hack or a loophole. It's simply how this kind of audit has always worked. You hire a CPA firm, the firm runs the examination, the firm signs the report. Plenty of companies do this directly and never touch a platform.

The part worth thinking through honestly is the cost. A subscription is rent you keep paying. The audit is the one-time thing you actually needed. When the audit gets described as a feature of the software, the recurring cost starts to feel mandatory. It isn't. The signed opinion is what your enterprise customer asked for, and a CPA produces that whether or not you also rent the evidence layer.

The profession is starting to say this out loud too. The AICPA's SOC working group has warned that "fast and easy" marketing may come at the expense of quality and objectivity, pointing to template reports that look "exactly the same, with a different client logo." That's the profession flagging a market dynamic, not me accusing anyone. The point holds either way: the value lives in the examination, and the examination is a CPA's job.

What "without a platform" actually looks like now

In my own fieldwork, I no longer need a standing platform to collect evidence. Here is why that old constraint went away.

Those integrations existed because software couldn't reach into your systems on its own. But your own AI coding tool already has a terminal, the command line where you type instructions to your computer. Through the Model Context Protocol, an open standard that lets an AI tool run approved commands, your agent can run the exact command a CPA asks for against the real system. The actual user access report. The real audit log. Returned word for word, with the CPA deciding which check to run and looking at the output directly.

That means no waiting on a connector, and no "sorry, we don't support that tool." Anything your own command line can reach, the audit can reach. The whole question of how many integrations a platform has was the answer to a problem that no longer exists. And the evidence is actually stronger this way, because the auditor reads the raw output straight from your system instead of a green checkmark on a dashboard that the software put there.

So you get the part you're required to have, the signed CPA opinion, without renting the optional part forever. Same standards. Less of your time. A real auditor in the loop.

Frequently asked questions

Do I actually need Vanta or a compliance platform to get SOC 2?
No. A SOC 2 report is signed by a licensed CPA firm, not produced by a platform. The platform organizes your evidence, which is useful, but it's optional tooling. You can hire a CPA firm directly and get the same signed opinion your enterprise customer is asking for.
If the platform doesn't sign the report, who does?
A certified public accountant at an AICPA-accredited firm, and the report is signed in that firm's name. The platforms say this themselves. They partner with small CPA firms who perform the examination and issue the actual report under AICPA standards (AT-C 205). The audit was always the CPA's job, not the software's.
Is getting SOC 2 without a platform legitimate, or is it a shortcut?
It's completely normal. Hiring a CPA firm directly is how this kind of audit has always worked. There's no loophole involved. The platform path is one option among several, and plenty of companies get audited without ever subscribing to one.
What is the real cost difference between a platform and a direct audit?
A platform subscription is recurring rent you pay every year. The audit is the one-time engagement you actually needed. When the audit gets described as a feature of the software, the subscription feels mandatory. It isn't. The signed opinion is the deliverable, and a CPA produces that either way.
How do you collect evidence for SOC 2 without a platform's integrations?
Through your own AI tool's terminal, the command line where you type instructions to your computer. Using the Model Context Protocol, an open standard that lets an AI tool run approved commands, your agent runs the exact command a CPA requests against your real systems and returns the raw output. No pre-built connector is required, and the auditor reads the actual source data directly rather than a green checkmark on a dashboard.

Keep reading

Sources
  1. Under AT-C 205, the practitioner designs and performs every procedure and has sole responsibility for the opinion expressed.
  2. The AICPA's SOC working group warns that 'fast and easy' may come at the expense of quality and objectivity, with template reports.
  3. SOC 2 is an examination performed by a CPA under the AICPA's SOC for Service Organizations framework, producing the CPA's report, not a certification.