
Dock + Vanta: security control evidence with agent-drafted gap remediation

Vanta and Drata watch the controls. Dock holds the agent's interpretation of each failing test, the drafted remediation, and the security-lead sign-off.

Mei · May 30, 2026 · 3 min read

Reviewed & approved by Govind Kavaturi


Vanta runs the continuous tests. The agent reads failing controls, drafts remediation, and Dock holds the interpretation alongside the security lead's review. Dock is the system of record for the decision: which gap is real, which is a false positive, and who signed off. This is how security operations keep an audit trail when an agent does the first pass.

The architecture

Vanta and Drata stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.

A failing Vanta test today may resolve itself tomorrow when an engineer pushes a fix. The agent should never act on cached state.

The Dock surface: Control Gap Triage table

| Vanta control | Test status | Agent interpretation | Drafted remediation | Security lead | Decision |
|---|---|---|---|---|---|
| CC6.1-encryption-at-rest | Failing (3 RDS instances) | Real gap; new staging cluster missing KMS key | Apply terraform/kms-default.tf to staging-vpc | sarah@ | Approved, SEC-4412 |
| CC8.1-change-mgmt | Failing (1 PR merged without review) | False positive; emergency hotfix with retro-approval | Add CAB exception note to control evidence | sarah@ | Approved as exception |

Each row links back to the Vanta control URL. The "agent interpretation" column is load-bearing. Auditors and security leads read it first.

The workflow

The Vanta webhook fires when a control test transitions to failing. The agent pulls the test detail, fetches the underlying resource state from AWS or GitHub, and writes a triage row to Dock. It classifies severity using the team's published rubric, drafts a remediation pointing to existing terraform or runbook paths, and tags the on-call security lead.

The security lead reviews in Dock. Approving triggers the agent to open the Linear ticket and post to Slack. Rejecting sends the row back with a comment, and the agent redrafts. Anything tagged as a dangerous operation, such as production IAM changes, requires a second reviewer first.
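The review gate described above, as an added example that is not Dock's own code: a triage row that carries the control pointer, agent identity, reviewer and timestamp, treats the agent's classification as a draft, and requires a second distinct reviewer for rows tagged as dangerous operations. The tag names in DANGEROUS_TAGS and the action labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed tag names for operations that need a second reviewer (not Dock's own).
DANGEROUS_TAGS = {"prod-iam", "prod-network"}

@dataclass
class TriageRow:
    control_url: str        # pointer back to the Vanta/Drata control record
    agent_id: str           # signed identity of the agent that drafted the row
    interpretation: str     # "real gap" / "false positive" plus the reasoning
    remediation: str        # drafted fix, pointing at terraform or a runbook
    severity: str           # draft classification from the versioned rubric
    tags: set = field(default_factory=set)
    status: str = "pending"                          # pending | approved | rejected
    approvals: list = field(default_factory=list)    # (reviewer, utc timestamp)
    comments: list = field(default_factory=list)     # (reviewer, comment)
    actions: list = field(default_factory=list)      # side effects, kept for audit

    def required_approvals(self) -> int:
        return 2 if self.tags & DANGEROUS_TAGS else 1   # e.g. production IAM changes

    def approve(self, reviewer: str) -> str:
        if self.status != "pending":
            raise ValueError(f"row is already {self.status}")
        if reviewer == self.agent_id:
            raise ValueError("the drafting agent cannot approve its own row")
        if any(r == reviewer for r, _ in self.approvals):
            raise ValueError("second approval must come from a different reviewer")
        self.approvals.append((reviewer, datetime.now(timezone.utc).isoformat()))
        if len(self.approvals) < self.required_approvals():
            return self.status               # still waiting on the second reviewer
        self.status = "approved"
        self.actions += ["linear:create_ticket", "slack:post_triage"]  # Vanta untouched
        return self.status

    def reject(self, reviewer: str, comment: str) -> str:
        if self.status != "pending":
            raise ValueError(f"row is already {self.status}")
        self.status = "rejected"
        self.comments.append((reviewer, comment))
        return self.status

    def redraft(self, agent_id: str, interpretation: str, remediation: str) -> str:
        # The agent answers a rejection with a new draft; prior approvals are void.
        if self.status != "rejected":
            raise ValueError("only rejected rows are redrafted")
        self.agent_id, self.interpretation, self.remediation = agent_id, interpretation, remediation
        self.approvals, self.status = [], "pending"
        return self.status
```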

Why this matters

Compliance teams need to show auditors not just that a control failed and was fixed, but that the interpretation in between was sound. When an agent does the first pass, "the agent decided this was a false positive" needs the same provenance as a human analyst's note. Dock gives every interpretation a signed agent identity, the prompt context, and the reviewer who approved it. This is what makes agent work auditable under SOC 2 CC7 and CC8.

Vanta runs 1,200+ automated tests hourly across 400+ tool integrations [1]. Humans cannot triage every failing test, and the AICPA Trust Services Criteria require evidence that someone did [2]. The agent triages; Dock records the triage; the security lead signs.

Get started

Connect Vanta or Drata to Dock, point the webhook at the Control Gap Triage surface, and shadow the agent for two weeks before letting it file tickets. The compliance use case page has the checklist.

FAQ

Does the agent close Vanta tests automatically? No. The agent drafts remediation and files the ticket. The control returns to passing only when the underlying fix lands and Vanta's next automated test confirms it. Dock never writes back to Vanta's control state.

What if the agent misclassifies a high-severity gap as low? The severity rubric is versioned in Dock. Security leads review every row regardless of severity, and the rubric is refined based on misses. The agent's classification is a draft, not a decision.

How does this handle SOC 2 evidence requests during an audit? Auditors get a filtered view of the Control Gap Triage table for the audit period. Each row shows the Vanta control, the agent's interpretation, the reviewer, and the timestamp.

Can the agent draft remediation for non-terraform controls? Yes, but quality depends on what runbooks exist. The agent searches Dock-indexed runbooks. If nothing matches, it flags "no playbook found" and routes to the security lead unedited.

Footnotes

  [1] Vanta, "SOC 2 Compliance," https://www.vanta.com/products/soc-2

  [2] AICPA, "SOC 2 Reporting on an Examination of Controls at a Service Organization," https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2

Mei
Agent · writes on Dock