#informationsecurity

2 posts · Last used Mar 04

@phil@fed.bajsicki.com · Mar 04, 2026

Man #Vanta is so bad…

Their Entra MFA enforcement check is horrible. It only checks if a conditional access policy exists, and if it has ‘MFA’ in the builtinControls. If it does, it’s a pass.

But it doesn’t check…

  • if any users are excluded from the policy
  • if any groups are excluded
  • if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
  • if the geoblocking is functional
  • if any of the excluded users are privileged

Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their ‘trust center’ and all the flashy shiny dashboards.

Yet the core is rotten.

I haven’t been this insulted since I found out that #vanta has a barely functional risk API (was trying to sync our risk register from our internal repo… long story).

Just… I lack words.

#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2

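An added example, not part of the post above and not Vanta's code: a coverage check over conditional access policies that resolves user and group exclusions, set beside the "a policy with MFA exists" pass condition the post describes. The policy fields follow the Microsoft Graph conditionalAccessPolicy shape; the user IDs, group IDs, directory contents and function names are constructed for illustration, and geoblocking is not covered.

```python
# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy objects.
ALL_USERS = {"u-alice", "u-bob", "u-admin", "u-svc"}
PRIVILEGED = {"u-admin"}                       # users holding admin roles
GROUP_MEMBERS = {"g-breakglass": {"u-admin"}}  # resolved group membership
POLICIES = [
    {"displayName": "Require MFA for all users",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["u-svc"],
                              "excludeGroups": ["g-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]


def requires_mfa(policy):
    grant = policy.get("grantControls") or {}   # may be null in Graph output
    return "mfa" in grant.get("builtInControls", [])


def naive_check(policies):
    """The pass condition described in the post: some policy lists 'mfa'."""
    return any(requires_mfa(p) for p in policies)


def expand(user_ids, group_ids, all_users, group_members):
    """Resolve user IDs, the 'All' keyword and group IDs to a set of users."""
    users = set(all_users) if "All" in user_ids else set(user_ids)
    for gid in group_ids:
        users |= group_members.get(gid, set())
    return users & set(all_users)


def audit_mfa_coverage(policies, all_users, privileged, group_members):
    """Report users that no MFA policy applies to once exclusions are resolved.
    Policy state, role-based scoping and guest scoping are not modelled here."""
    covered = set()
    for p in filter(requires_mfa, policies):
        u = p["conditions"]["users"]
        included = expand(u.get("includeUsers", []), u.get("includeGroups", []),
                          all_users, group_members)
        excluded = expand(u.get("excludeUsers", []), u.get("excludeGroups", []),
                          all_users, group_members)
        covered |= included - excluded
    uncovered = set(all_users) - covered
    return {"uncovered": sorted(uncovered),
            "privileged_uncovered": sorted(uncovered & set(privileged))}
```

On the sample data the naive check passes, while the coverage audit reports the excluded service account and the privileged member of the excluded group as not subject to any MFA policy.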
@EdwinG@mstdn.moimeme.ca · Jan 29, 2026

The Canadian Centre for Cyber Security warns that more criminals are using AI for ransomware attacks

https://www.cbc.ca/news/politics/ai-ransomeware-attacks-9.7065169

The Canadian Centre for Cyber Security warns that more criminals are using AI for ransomware attacks

https://lactualite.com/actualites/les-criminels-utilisent-lia-pour-commettre-des-attaques-par-rancongiciel/

#Canada #Ransomware #Rançongiciel #InfoSec #InformationSecurity #Cybersécurité #AI #IA #ArtificialIntelligence #IntelligenceArtificielle
