In Vanta, a test is an automated configuration check that evaluates the resources in your tenant and produces pass/fail evidence against your controls. Tests are how synced data turns into the audit-ready signal that frameworks like SOC 2, ISO 27001, and HIPAA actually require. Every test answers the same question for every resource it sees: does this resource meet the rule, or doesn’t it? That per-resource result rolls up into an overall test status (Documentation Index
Fetch the complete documentation index at: https://vanta.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
OK, NEEDS_ATTENTION, DEACTIVATED, IN_PROGRESS, INVALID, NOT_APPLICABLE) and feeds the controls the test is mapped to.
This page is about what tests are and when to author your own. To query existing test results and failing entities through the API, see Manage failing tests.
How tests work
Every test follows the same shape, regardless of whether Vanta shipped it or you built it:- Pick a resource type — user accounts, devices, vulnerabilities, custom resources, etc.
- Apply a rule to each record of that type (e.g. “MFA is enabled”, “disk is encrypted”, “
active = trueANDlastUpdatedwithin 30 days”). - Emit a per-resource pass/fail with the resource’s identifier, status, and reason.
- Roll up to a single test status that shows on the test page and on every control the test is mapped to.
- Re-run on a schedule as new sync data arrives, automatically flipping status when the underlying data changes.
Built-in tests vs Custom Tests
There are two kinds of tests in Vanta, and the choice between them is driven entirely by what data you’re testing.| Built-in tests | Custom Tests | |
|---|---|---|
| Authored by | Vanta | You |
| Available for | Vanta-supported resource types (UserAccount, Computer, Vulnerability, BackgroundCheck, TrainingRecord, etc.) | Any resource type with synced data — including custom resources |
| Setup | Auto-created when you connect an integration that produces a supported resource | Authored in the Vanta Dashboard under Tests → + Create custom test |
| Logic | Maintained and versioned by Vanta | A pass/fail rule you define against the resource’s properties |
| Mutability | Versioned by Vanta; you can deactivate but not edit | Immutable after creation — copy and edit the copy if you need changes |
| Framework mapping | Pre-mapped to common framework controls | You map each Custom Test to the controls it satisfies |
| API support | Queryable via the Manage Vanta API | Queryable via the Manage Vanta API; no API to create them |
Built-in tests
Built-in tests are the default. The moment you connect an integration that produces a supported resource type, Vanta auto-creates the relevant tests, runs them on the synced data, and pre-maps them to the right controls in your enabled frameworks. You don’t author them, you don’t maintain them, and you don’t need to know what “compliant” means forUserAccount or Computer — Vanta has already encoded the audit expectations.
Reach for a built-in test when:
- You’re syncing a supported resource type and the prebuilt rule is what your auditor is going to ask about anyway.
- You want test coverage to follow the framework — when a control is added or revised by Vanta, your built-in tests track with it.
- You’d rather not own pass/fail logic, edge cases, or the audit-evidence story for that data.
Custom Tests
A Custom Test is a pass/fail rule you define on top of resource data Vanta is already syncing. You pick the resource type, write the rule (e.g. “all records haveactive = true AND lastUpdated within the last 30 days”), and Vanta evaluates it per record on every sync.
Custom Test logic is evaluated per record with an implicit “all records must pass” reducer — one failing record fails the whole test.
Custom Tests are authored in the Vanta Dashboard. There is no API to create them, and they may require a plan upgrade or add-on. See Vanta Plans and Pricing or contact your Customer Success team if the + Create custom test button isn’t visible on the Tests page.
When to use a Custom Test over a standard test
Built-in tests cover the common case. Reach for a Custom Test when one of the following is true:You’re testing a custom resource
This is the headline use case. Custom resources ship with no tests at all — Vanta doesn’t know what “compliant” means for a schema you defined yourself. Until you author a Custom Test against them, custom-resource records are passive data and contribute zero evidence to your controls. If you’ve gone to the trouble of defining a custom resource, a Custom Test is the step that turns it into audit signal.You need a stricter rule than the built-in test enforces
Built-in tests encode Vanta’s interpretation of the framework requirement, which is usually the audit floor. If your internal policy is stricter — for example, MFA must use a hardware key rather than any second factor, or vulnerabilities of a specific CVSS range must be remediated faster than the built-in SLA — author a Custom Test that enforces your tighter rule and map it to the same control.Your auditor is asking for evidence on a property Vanta doesn’t already test
Built-in resource types support custom properties — fields you add to a built-in schema likeUserAccount or Computer. The built-in tests don’t know about those custom properties; only a Custom Test can read them. If a control hinges on a field you added (e.g. requires_background_check = true, data_classification = "restricted"), a Custom Test is the only way to evaluate it.
You’re modeling something framework-adjacent that isn’t covered out of the box
Internal-only servers, change-management records, vendor-review artifacts, on-prem appliances, custom inventory — anything you sync as a custom resource because Vanta doesn’t natively model it. A Custom Test is what defines the compliance criteria for that data shape inside your tenant.You want to layer a tenant-specific rule on data Vanta already pulls in
Even when Vanta has a built-in test, you may want an additional rule that’s specific to your environment — for example, “every production database resource must have anowner tag matching an active employee.” Build a Custom Test alongside the built-in one; they both contribute evidence to the controls they’re mapped to.
When not to use a Custom Test
If your data fits a supported resource type and the built-in test asks the same question your auditor will, use the built-in test. Custom Tests are a deliberate extension, not the default — every Custom Test is a rule you now own, version, and explain to an auditor.How tests fit with integrations and resources
Tests are the third leg of the data model:- An integration authenticates and pushes data into Vanta.
- That data lands as resources of a built-in or custom type.
- Tests evaluate those resources and emit pass/fail results.
- Test results are mapped to controls, which roll up into the frameworks you’re tracking.
Lifecycle of a Custom Test
A typical Custom Test lifecycle:- Sync the data first. The Custom Test builder only shows resource types that have at least one record synced. Push at least one record before you start authoring.
- Author the test in the Vanta Dashboard under Tests → + Create custom test, picking the resource type and writing the per-record rule.
- Preview the evaluation — confirm the resource count is non-zero and the right records are flagged passing/failing before you save.
- Lock in the rule. Once saved, the test is immutable. Changes require copying the test and editing the copy.
- Map to controls so failing resources surface as gaps in the frameworks you care about.
- Monitor and triage via the List Tests endpoint or the Tests page; failing entities become the work queue.
Related
Manage failing tests
Query test results and filter for failing resources via the API.
Resources
The data model tests evaluate — built-in resource types and custom resources.
Integrations
How resource data gets into Vanta in the first place.
Creating Custom Tests
Step-by-step authoring guide in the Vanta Help Center.