Logo StartupKit
EN

Vanta Integration

Connect Vanta to turn your triaged VDP vulnerabilities into live SOC 2 and ISO 27001 compliance evidence automatically.

Why It Matters

If you run a vulnerability disclosure program and pursue SOC 2 or ISO 27001, your auditor wants proof that vulnerabilities are tracked, prioritized by severity, and remediated within your SLAs. Assembling that proof by hand — exporting spreadsheets, screenshotting tickets, reconciling dates — is the part of audit season everyone dreads.

The Vanta integration removes that work. Once connected, Kit automatically sends your triaged vulnerabilities into Vanta as live compliance evidence. Severity and remediation status flow over continuously, so Vanta can track your remediation SLAs against controls like SOC 2 CC7.1 and ISO 27001 A.8.8 — without you hand-assembling a single export.

What You Need

  • A Kit account with the VDP Add-on enabled
  • A Vanta account with access to the Developer Console (permission to create integrations)
  • A private Vanta app, which gives you the three things Kit asks for: a Client ID, a Client Secret, and two Resource IDs

Note

The integration only sends vulnerabilities that have been triaged with a severity. Until your team is actively assessing reports, there will be nothing to send — see Triaging Reports.

Setup

1. Create a Private Vanta App

  1. In Vanta, go to Settings > Developer Console
  2. Click Create
  3. Choose the app type Build Integrations and set the distribution to Private
  4. Fill in the application name and description — the Kit settings page suggests a name with a copy button
  5. The Client ID is generated automatically; copy it
  6. Click Generate client secret and copy the secret

The app needs the OAuth scopes connectors.self:write-resource and connectors.self:read-resource. Keep the Client Secret somewhere safe — you will paste it into Kit once and it is stored securely from then on.

2. Create the Two Resources

Kit pushes vulnerabilities into two Vanta resources — one for vulnerable components, one for API endpoint vulnerabilities. Create both inside your private app:

  1. Open the app’s Resources tab and click Add resource
  2. Create one resource with the base resource type Vulnerable Component
  3. Click Add resource again and create a second one with the base resource type API Endpoint Vulnerability
  4. Leave Custom Properties empty for both — the predefined schemas already cover everything Kit sends

After you click Create, each resource appears in the Resources tab with a generated Resource ID. Copy both IDs exactly as shown — they are case-sensitive, and Kit needs the generated ID, not the resource name you typed.

3. Connect in Kit

Navigate to VDP > Settings > Vanta. The page walks you through a guided three-step setup:

  1. Step 1 — Paste your Client ID and Client Secret. Kit verifies them against Vanta live before moving on.
  2. Step 2 — Paste both Resource IDs. Kit verifies each one against Vanta and runs the first sync.
  3. Step 3 — The success state confirms the connection and shows the result of that first sync.

From this point on, your triaged vulnerabilities flow to Vanta automatically.

What Syncs, and When

Kit sends your triaged vulnerabilities to Vanta — that is, reports your team has confirmed and assigned a severity to. Reports still awaiting triage are not sent, because they don’t yet carry the severity Vanta needs to track a remediation SLA.

Behavior How It Works
Sync schedule Triaged vulnerabilities are pushed to Vanta automatically every hour
Severity Each vulnerability’s severity is sent so Vanta can track remediation SLAs against the right deadline
Sync on status change Optional toggle — when on, a vulnerability is pushed the moment its status changes, instead of waiting for the next hourly run
Resolution When you resolve a report in Kit, it automatically drops out of Vanta and is recorded as remediated

You don’t need to mark anything in Vanta by hand. Triage a report and it appears; resolve it and it closes out as remediated. The hourly schedule keeps everything reconciled even if a single update is missed.

What Is Not Sent

This is a compliance-evidence integration, not a data dump. Kit deliberately sends only the minimal metadata Vanta needs to track a vulnerability and its remediation — nothing more.

The following are never sent to Vanta:

  • Researcher personal information — names, emails, and any contact details stay in Kit
  • Raw reproduction steps — the technical proof-of-concept and exploit details are not shared
  • Report bodies — the full narrative and discussion of each report stays in Kit

Important

Only the minimal metadata required for evidence — such as severity and remediation status — leaves Kit. Sensitive researcher details and the substance of each report never reach Vanta.

Managing the Integration

Everything below lives on the VDP > Settings > Vanta page.

  • Sync now — Pushes your current triaged vulnerabilities to Vanta immediately instead of waiting for the next hourly run. Useful right after connecting, or after a triage session.
  • Sync on status change — A toggle that controls whether updates are sent the instant a report’s status changes. Leave it on for near-real-time evidence; turn it off if you prefer the steady hourly cadence.
  • Sync status and errors — The settings page shows when the last sync ran and surfaces any errors. A green badge means the connection is healthy; an error badge means something needs attention (see Troubleshooting).
  • Disconnect — Stops all syncing and removes the stored credentials. Your data in Kit is untouched; Kit simply stops sending updates to Vanta.

Troubleshooting

Symptom Cause Fix
“Connection failed” when verifying credentials (Step 1) Client ID or Secret is wrong, or the credentials have expired Re-copy both values from your private app in the Vanta Developer Console and paste them again
“Could not find resourceId” sync error A Resource ID is wrong or incomplete Open the Resources tab of your private app in the Vanta Developer Console and copy the ID exactly as shown — it is case-sensitive, and Kit needs the generated ID, not the resource name you typed
Connection stops working after rotating the client secret in Vanta Kit still holds the old secret Re-enter the credentials in Kit (Step 1); existing synced data is preserved
Connection shows an error badge Credentials were revoked or expired in Vanta Re-connect with fresh credentials; Kit pauses syncing while authentication is failing
Nothing showing up in Vanta No triaged vulnerabilities yet Confirm you have reports that are triaged with a severity assigned — untriaged reports are never sent
Nothing showing up in Vanta VDP Add-on not enabled The integration requires the VDP Add-on; check Account > Billing
Recently triaged report not in Vanta yet Waiting for the hourly sync Click Sync now, or enable Sync on status change for immediate updates
Sync errors on the settings page A recent push to Vanta failed Click Sync now to retry; if it persists, re-test your credentials in case they expired

Quick Checklist

  • Confirm the VDP Add-on is enabled on your account
  • Create a private Vanta app: Settings > Developer Console > Create, app type Build Integrations, distribution Private
  • Copy the Client ID and click Generate client secret
  • In the app’s Resources tab, add two resources: Vulnerable Component and API Endpoint Vulnerability
  • Copy both generated Resource IDs from the Resources tab (they are case-sensitive)
  • In VDP > Settings > Vanta, paste the credentials (Step 1), then both Resource IDs (Step 2), and confirm the success state (Step 3)
  • (Optional) Enable Sync on status change for near-real-time evidence
  • Triage a report with a severity, then click Sync now to verify it appears in Vanta

Next Steps

Type to search...