Man #Vanta is so bad... Their Entra MFA enforcement check is horrible. It only checks if a conditional access policy exists, and if it has 'MFA' in the builtinControls. If it does, it's a pass. But it doesn't check...

- if any users are excluded from the policy
- if any groups are excluded
- if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
- if the geoblocking is functional
- if any of the excluded users are privileged

Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their 'trust center' and all the flashy shiny dashboards. Yet the core is rotten.

I haven't been this insulted since I found out that #vanta has a barely functional risk API (was trying to sync our risk register from our internal repo... long story).

Just... I lack words.

#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2
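An added example, not part of the original post and not Vanta's code: it contrasts the existence-only check the post describes with a coverage check that resolves user and group exclusions and flags privileged accounts left outside MFA. It assumes policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape; the policies, user names, group ids and the `groups_of` / `privileged` inputs are constructed, and it also goes one step beyond the post's list by treating report-only policies as not enforced.

```python
# Simplification: role, application and location conditions are not evaluated,
# so geoblocking and per-app scoping still need a separate check.

def naive_check(policies):
    """Existence-only check as described in the post: any 'mfa' control passes."""
    return any("mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
               for p in policies)

def covered_by(policy, user, groups_of):
    """True if an enforced MFA policy still applies to `user` after exclusions."""
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled" or "mfa" not in grant.get("builtInControls", []):
        return False  # disabled or report-only policies protect nobody
    u = (policy.get("conditions") or {}).get("users") or {}
    member = groups_of.get(user, set())
    included = ("All" in u.get("includeUsers", [])
                or user in u.get("includeUsers", [])
                or bool(member & set(u.get("includeGroups", []))))
    excluded = (user in u.get("excludeUsers", [])
                or bool(member & set(u.get("excludeGroups", []))))
    return included and not excluded

def mfa_gaps(policies, groups_of, privileged=frozenset()):
    """Map each user that no enforced MFA policy reaches -> is that user privileged."""
    return {user: user in privileged
            for user in sorted(groups_of)
            if not any(covered_by(p, user, groups_of) for p in policies)}

# Constructed sample data (hypothetical names, not real tenant objects).
POLICIES = [
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["alice-admin"],
                              "excludeGroups": ["grp-svc"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
GROUPS_OF = {"alice-admin": set(), "bob": set(), "svc-backup": {"grp-svc"}}
PRIVILEGED = {"alice-admin"}

if __name__ == "__main__":
    print("naive check passes:", naive_check(POLICIES))
    for user, is_priv in mfa_gaps(POLICIES, GROUPS_OF, PRIVILEGED).items():
        print(f"no enforced MFA: {user}{' (privileged)' if is_priv else ''}")
```

In a real tenant `groups_of` and `privileged` would be built from directory group membership and role assignments before running the check.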