Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there and kudos to them for innovating on the pricing/biz dev, but you can pocket that savings yourself by negotiating the same price drop directly with the audit firm, and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs definitely. It's just the difference between buying a Honda vs. Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high-end convenience, go for it.
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.