Man #Vanta is so bad...
Their Entra MFA enforcement check is horrible.
It only checks if a conditional access policy exists, and if it has 'MFA' in the builtinControls. If it does, it's a pass.
But it doesn't check...
- if any users are excluded from the policy
- if any groups are excluded
- if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
- if the geoblocking is functional
- if any of the excluded users are privileged
Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their 'trust center' and all the flashy shiny dashboards.
Yet the core is rotten.
I haven't been this insulted since I found out that #vanta has a barely functional risk API (was trying to sync our risk register from our internal repo... long story).
Just... I lack words.
#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2
Phil
@phil@fed.bajsicki.com
I'm Phil, I do things, I know things. It's good to make friends. #emacs #foss #selfhosted #actuallyautistic #cptsd #cybersec #infosec #systemadministration Bots /not/ welcome. Bridges out of Fedi /not/ welcome. Corporations/ businesses /not/ welcome.
fed.bajsicki.com
Phil
@phil@fed.bajsicki.com
I'm Phil, I do things, I know things. It's good to make friends. #emacs #foss #selfhosted #actuallyautistic #cptsd #cybersec #infosec #systemadministration Bots /not/ welcome. Bridges out of Fedi /not/ welcome. Corporations/ businesses /not/ welcome.
fed.bajsicki.com
@phil@fed.bajsicki.com
·
Mar 04, 2026
0
0
0
You've seen all posts