Can you get SOC 2 without a compliance platform?
- Yes. A SOC 2 report is signed by a licensed CPA, not produced by a platform, so the subscription is optional.
- Compliance platforms organize evidence well. That is real and useful. But they cannot sign the opinion.
- Under AICPA standards (AT-C 205), the CPA performs the procedures. You can hire one directly.
- A subscription is recurring rent. The audit is the one-time thing you actually need.
The short answer
Yes. You can get a SOC 2 without a compliance platform. The report is a CPA's opinion, signed by a licensed CPA firm. The platform is software that organizes your evidence. Those are two different layers, and only the first one, the CPA's opinion, is required.
I say this as a CPA who runs these examinations. The audit is the part you need. The subscription is optional tooling.
First, the part the platforms got right
Let me steelman them, because they earned it. Before compliance automation existed, a founder who got a SOC 2 demand from an enterprise prospect had two bad options. Hire a traditional CPA firm at a price built for big companies. Or hand-collect evidence in a spreadsheet for months with no idea if any of it was right.
Platforms gave founders a third option. Integrations that pull evidence out of your cloud, identity, and code tools and organize it continuously. Vanta markets "more than 400 integrations and 1,300 tests" doing exactly that, pulling read-only from your stack. For a decade that was genuinely useful, and the connector count was a real moat.
Why so many integrations? Because software cannot log into your AWS account or your HR system. So a platform had to ship a connector for each tool and normalize the result. The backlog of connectors was the product. That was a sensible design for the world it was built for.
So this is not "platforms bad." They solved a real problem. The issue is a positioning slip that happened along the way.
What the platform does vs what only a CPA can do
Here is the line that matters. A SOC 2 report is a CPA's opinion. Vanta says it plainly on its own site: "A SOC 2 audit must be performed by a certified public accountant (CPA) at a firm that is accredited by the American Institute of CPAs (AICPA)."
Read that again. The platform is telling you the audit is not theirs to give. They organize evidence. A CPA examines it and signs. The platforms partner with small CPA firms who issue the actual report, and that auditor is usually buried so far back in the process that the buyer never really meets them.
Under AICPA standards, the procedures belong to the practitioner, not the tool. AT-C 205 assigns the design and performance of every procedure to the CPA, and states the auditor "has sole responsibility for the opinion expressed." No software clause exists in there. The standard does not know what a dashboard is.
So when you buy a SOC 2 "from a platform," what you are actually buying is two things bolted together. Evidence software you rent monthly, and an audit a CPA performs once. You can buy them apart.
| | Compliance platform | The CPA firm |
|---|---|---|
| What it is | Evidence-organizing software | The licensed auditor |
| Can sign the report? | No | Yes |
| How you pay | Recurring subscription | Per engagement |
| Required by AICPA? | No | Yes |
"SOC 2 without Vanta" is a normal path
It is not a hack or a loophole. It is how attestation always worked. You hire a CPA firm, the firm runs the examination, the firm signs. Plenty of companies do this directly and never touch a platform.
The part worth framing honestly is cost. A subscription is rent you pay for as long as you keep it. The audit is the one-time thing you actually needed. When the audit gets framed as a feature of the software, the recurring cost feels mandatory. It is not. The signed opinion is what your enterprise prospect asked for, and a CPA produces that whether or not you also rent the evidence layer.
The profession is starting to say this out loud, too. The AICPA's SOC working group has warned that "fast and easy" marketing may come at the expense of quality and objectivity, with template reports that look "exactly the same, with a different client logo." That is the profession flagging a market dynamic, not me accusing anyone. The point stands: the value lives in the examination, and the examination is a CPA's job.
What "without a platform" actually looks like now
In my fieldwork I do not need a standing platform to collect evidence anymore. Here is why that constraint dissolved.
Integrations existed because software could not enter your systems. But your own AI coding tool already has a terminal. Through the Model Context Protocol, an open standard, your agent can run the exact command a CPA asks for against the real source system. The actual credential report. The real audit log. Returned verbatim, with the CPA directing which procedure runs and observing the output.
That means no connector to wait for and no "we don't support that tool." Anything your own CLI can reach, the audit can reach. The 400-integration catalog was the answer to a problem that no longer exists. And the evidence is stronger, because the auditor inspects the raw system output directly rather than a normalized tile the software handed over.
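To make the evidence step above concrete, here is an added example in Python (mine, not code from chiarohq or from any compliance platform). It does two things the passage describes: it runs the command the auditor asked for and keeps the output verbatim, with a content hash and timestamp so the record is tied to exactly what the system returned, and it then runs two checks a CPA commonly directs over an IAM credential report (console users without MFA, access keys past a rotation window). Assumptions: the report text is constructed and uses a subset of the column layout of the real AWS IAM credential report; a child Python process stands in for the real CLI call (which in an AWS engagement would be `aws iam get-credential-report`, whose `Content` field is base64-encoded CSV); and the reference date `AS_OF` is fixed so the result is reproducible.

```python
"""Capture a command's raw output as audit evidence, then run CPA-directed checks over it.
Added example, not chiarohq's or any platform's tooling; the report below is constructed."""
import csv
import hashlib
import io
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Constructed sample using a subset of the AWS IAM credential report columns.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-02-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T00:00:00+00:00,true,2024-05-29T10:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-03-01T00:00:00+00:00,false,N/A
"""

# Fixed reference date (assumption) so the key-age arithmetic is deterministic.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def capture_evidence(argv: list) -> dict:
    """Run the command the auditor asked for and keep stdout verbatim, together
    with the command line, a UTC timestamp and a content hash."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return {
        "command": argv,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "stdout": result.stdout,
        "sha256": sha256_text(result.stdout),
    }


def _parse_ts(value: str):
    """Report timestamps are ISO 8601; N/A / not_supported / no_information mean none."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def check_credential_report(report_csv: str, as_of: datetime, max_key_age_days: int = 90) -> list:
    """Console users must have MFA; active access keys must have been rotated
    within max_key_age_days. Returns (user, finding) pairs in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            if rotated is None:
                findings.append((user, f"{slot} rotation date unknown"))
                continue
            age = (as_of - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"{slot} not rotated in {age} days"))
    return findings


def demo() -> tuple:
    """Stand-in for the auditor-directed CLI call: a child process that prints the
    constructed report. In a real engagement argv would target the source system."""
    with tempfile.NamedTemporaryFile("w", suffix=".csv", delete=False) as fh:
        fh.write(SAMPLE_REPORT)
        path = fh.name
    try:
        record = capture_evidence([sys.executable, "-c",
                                   "import sys; sys.stdout.write(open(sys.argv[1]).read())", path])
    finally:
        os.unlink(path)
    findings = check_credential_report(record["stdout"], as_of=AS_OF)
    return record, findings


if __name__ == "__main__":
    rec, found = demo()
    print("sha256 of verbatim output:", rec["sha256"])
    for user, issue in found:
        print(f"{user}: {issue}")
```

The point of hashing the raw stdout is that the evidence record and the finding both refer to the same bytes the system emitted; nothing normalized or summarized sits between the source and the auditor's check.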
So you get the required part, the signed CPA opinion, without renting the optional part forever. Same standards. Less of your time. A real auditor in the loop.
If you want to see what that costs without a subscription, the chiarohq.com calculator prices the audit directly.
Frequently asked questions
Do I actually need Vanta or a compliance platform to get SOC 2?
If the platform does not sign the report, who does?
Is getting SOC 2 without a platform legitimate, or is it a shortcut?
What is the real cost difference between a platform and a direct audit?
How do you collect evidence for SOC 2 without a platform's integrations?
Keep reading
Who actually signs your SOC 2 report?
The report is a CPA's signed opinion, not the platform's output.
Can a solo founder pass SOC 2?
How a one-person company passes, and how controls get right-sized.
What is a stamp audit?
How box-checking audits happen, and how to spot one.
What is vibe compliance?
Compliance that looks finished on paper but was never tested.