Can you get SOC 2 without a compliance platform?
- Yes. A SOC 2 report is signed by a licensed CPA firm, not produced by a platform, so the monthly subscription is optional.
- Compliance platforms organize your evidence well. That is real and genuinely useful. But they cannot sign the report.
- Under AICPA standards (AT-C 205), the CPA does the actual audit work. You can hire one directly.
- A subscription is rent you pay every year. The audit is the one-time thing your customer actually asked for.
The short answer
Yes. You can get a SOC 2 without a compliance platform. The report is a CPA's formal opinion, signed in the name of a licensed CPA firm. The platform is software that organizes your evidence. Those are two different layers, and only the second one is required.
I say this as a CPA who runs these audits. The audit itself is the part you need. The subscription is optional tooling.
First, the part the platforms got right
Let me give them their due, because they earned it. Before compliance software existed, a founder who got a SOC 2 request from an enterprise customer had two bad options. Hire a traditional CPA firm at a price built for big companies. Or hand-collect evidence in a spreadsheet for months, with no idea whether any of it was right.
Platforms gave founders a third option. They connect to your cloud, identity, and code tools, pull evidence out of them, and keep it organized over time. Vanta, for example, markets "more than 400 integrations and 1,300 tests" doing exactly that, reading from your systems without changing anything in them. For a decade that was genuinely useful work, and the sheer number of those connections was a real advantage.
Why did they need so many connections? Because software can't log into your AWS account or your HR system the way a person can. So a platform had to build a separate connector for each tool you use, then translate all those different outputs into one tidy view. Building and maintaining that long list of connectors was, in a real sense, the product. That was a sensible design for the world it was built for.
So this isn't "platforms bad." They solved a real problem. The thing worth noticing is a small shift in how the value got described along the way.
What the platform does, and what only a CPA can do
Here is the line that matters. A SOC 2 report is a CPA's opinion. Vanta says this plainly on its own site: "A SOC 2 audit must be performed by a certified public accountant (CPA) at a firm that is accredited by the American Institute of CPAs (AICPA)."
Read that again. The platform is telling you the audit isn't theirs to give. They organize the evidence. A CPA examines it and signs the report in the firm's name. The platforms partner with small CPA firms who issue that report, and in practice that auditor is usually so far back in the process that the buyer never really meets them.
Under AICPA standards, the audit work belongs to the CPA, not to the software. AT-C 205, the standard that governs this kind of examination (the audit and the CPA's formal opinion on it), assigns the design and performance of every procedure to the CPA, and says the auditor "has sole responsibility for the opinion expressed." There is no clause for software anywhere in it. The standard doesn't know what a dashboard is.
So when you buy a SOC 2 "from a platform," what you're really buying is two things bolted together. Evidence software you rent monthly, and an audit a CPA performs once. You can buy them apart.
| Compliance platform | The CPA firm | |
|---|---|---|
| What it is | Evidence-organizing software | The licensed auditor |
| Can sign the report? | No | Yes |
| How you pay | Recurring subscription | Per engagement |
| Required by AICPA? | No | Yes |
"SOC 2 without Vanta" is a normal path
It isn't a hack or a loophole. It's simply how this kind of audit has always worked. You hire a CPA firm, the firm runs the examination, the firm signs the report. Plenty of companies do this directly and never touch a platform.
The part worth thinking through honestly is the cost. A subscription is rent you keep paying. The audit is the one-time thing you actually needed. When the audit gets described as a feature of the software, the recurring cost starts to feel mandatory. It isn't. The signed opinion is what your enterprise customer asked for, and a CPA produces that whether or not you also rent the evidence layer.
The profession is starting to say this out loud too. The AICPA's SOC working group has warned that "fast and easy" marketing may come at the expense of quality and objectivity, pointing to template reports that look "exactly the same, with a different client logo." That's the profession flagging a market dynamic, not me accusing anyone. The point holds either way: the value lives in the examination, and the examination is a CPA's job.
What "without a platform" actually looks like now
In my own fieldwork, I no longer need a standing platform to collect evidence. Here is why that old constraint went away.
Those integrations existed because software couldn't reach into your systems on its own. But your own AI coding tool already has a terminal, the command line where you type instructions to your computer. Through the Model Context Protocol, an open standard that lets an AI tool run approved commands, your agent can run the exact command a CPA asks for against the real system. The actual user access report. The real audit log. Returned word for word, with the CPA deciding which check to run and looking at the output directly.
That means no waiting on a connector, and no "sorry, we don't support that tool." Anything your own command line can reach, the audit can reach. The whole question of how many integrations a platform has was the answer to a problem that no longer exists. And the evidence is actually stronger this way, because the auditor reads the raw output straight from your system instead of a green checkmark on a dashboard that the software put there.
So you get the part you're required to have, the signed CPA opinion, without renting the optional part forever. Same standards. Less of your time. A real auditor in the loop.
Frequently asked questions
Do I actually need Vanta or a compliance platform to get SOC 2?
If the platform doesn't sign the report, who does?
Is getting SOC 2 without a platform legitimate, or is it a shortcut?
What is the real cost difference between a platform and a direct audit?
How do you collect evidence for SOC 2 without a platform's integrations?
Keep reading
Will AI make SOC 2 prep tools obsolete?
AI agents can now do the prep work a compliance subscription used to sell. What gets cheap, and what doesn't.
Can a once-a-year audit keep up with AI?
Snapshots and samples were workarounds for the cost of looking. AI collapsed that cost. What independent verification looks like next.
Does the name on your SOC 2 report matter?
The famous logo is a stand-in for what the report will not show you. Here is how to read past it.
Why can't an auditor just take your word?
The rules make the auditor inspect the real evidence, not just ask. A green checkmark is not proof.
Sources
- Under AT-C 205, the practitioner designs and performs every procedure and has sole responsibility for the opinion expressed.
- The AICPA's SOC working group warns that 'fast and easy' may come at the expense of quality and objectivity, with template reports.
- SOC 2 is an examination performed by a CPA under the AICPA's SOC for Service Organizations framework, producing the CPA's report, not a certification.