$50K is too high, unless you had a lot of actual process gaps to fill initially and are counting staff time in that. Also, expertise isn't really that important - honestly, the auditors are often (not always) minimally trained and often don't have much experience in cloud. Having someone on staff who truly understands your unique system and processes and can articulate and document how it is (or is not) operating securely is a better use of money. Spend the $50K on actual security (training, code reviews, red team exercises, learning about TTPs and allocating time in the dev and QA cycles for these considerations).
As others have said above, the compliance part will be a by-product and will essentially fall in place modulo some extra documentation effort (which can be heavily borrowed from templates).
Vanta and StrikeGraph etc no doubt will make it more convenient to follow best practices and scaffold your continuous monitoring, but I see it as a nice to have, not a must have.
This is pretty much where I was coming from too, although better articulated. I do see value in the structure of responses, but if we have already done everything we need to, then we should be able to respond to the audit formulaically.
Though seeing the other comments that Vanta + audit is cheaper than the audit alone is an interesting quality and may change the initial defensive rejection I have for receiving cold contact mail on non-public addresses (which means they also buy harvested data).