This is the mechanics page. If you haven't yet made peace with the stall itself — the eight months of paying for a platform nobody logs into — that page is here, and it includes a self-check for whether finishing is even the right call for you. This page assumes it is (for most stalled programs, it is), and covers how.
Everything below is platform-generic: the sequence is the same whether your dashboard says Vanta, Drata, or Secureframe. Where the platforms name things differently, we say so.
Where do you start when the whole dashboard is red?
With the understanding that the failing checks are not equally urgent — that's the single fact that unfreezes a stalled program. A first audit is blocked by a specific, smallish set of items (access control and published policies, mostly), helped enormously by a second set (the automated evidence checks), and barely affected by a long tail that can genuinely wait. Triage the wall of red into those three groups and "two hundred findings" becomes "a dozen that matter this month" — which is a plan, not a wall.
The platforms don't present it this way because they're built to show completeness, not sequence. Vanta's monitor list and Drata's monitoring controls both sort by category or framework section, not by "what blocks your audit" — so a failing MFA on your identity provider check (audit-critical, fixable this afternoon) renders with the same red dot as an obscure logging-retention item nobody will ask about in year one. The sorting is your job. Here's the frame.
The three-pass triage
Pass 1 — access and policies (the audit blockers). Two clusters, both mostly administrative. First, access control: MFA enforced on the identity provider and code hosting, offboarding actually removing accounts, admin access reviewed and justified. On Vanta these live under access-flavored monitors ("MFA enabled on GitHub", "Former employees' access removed"); Drata files them under access control monitoring. Second, policies: every platform ships templates — get the core set adapted (not perfected), published, and accepted by employees. Policy acceptance is one of the highest-visibility items in any audit and one of the fastest wins on the board: it's clicking, not engineering.
Pass 2 — evidence automation (make the checks that can pass, pass). These are the findings where the platform says precisely what it wants: encryption at rest on this bucket, backups enabled on that database, logging turned on, dependency alerts active. Each is a small, specific configuration fix — annoying in aggregate, trivial individually. The trap during a stall was reading this list as one giant task. Worked as a checklist, an engineer clears a surprising amount of it in a focused day or two.
Pass 3 — the long tail (later, honestly). Low-severity findings, edge-case checks, items tied to frameworks you're not pursuing this year. Much of this can wait past your first audit without consequence — auditors assess whether your program addresses the framework, not whether a dashboard shows zero findings. Anything genuinely out of scope shouldn't even wait: mark it not applicable with a one-line reason (every platform supports this), and it stops costing attention forever.
The restart week: a realistic first week for a program dead for 6+ months
Name the owner (day one, an hour, mostly a leadership conversation). One person owns the push to audit-ready — with recurring hours their manager has actually agreed to, not aspirational ones. This is the step that decides whether the restart sticks. Everything else on this page is mechanics; this is the fix for why the program stalled.
Re-inventory the integrations (half a day). Six months of drift breaks connections quietly: tokens expire, permissions get revoked in unrelated cleanups, someone migrated the HR system. Open the integrations page, reconnect what's broken, and connect the two or three obvious missing systems — identity provider, HR, and code hosting matter most, because personnel and access data drive the biggest check clusters.
Archive the noise (half a day, weirdly satisfying). Deactivate frameworks you aren't pursuing this year. Mark out-of-scope checks N/A with a reason. Clear personnel records for people who left. This pass exists so that what remains on the dashboard is real — the difference between a to-do list you trust and one you avoid.
Run Pass 1 of the triage (the rest of the week). Access findings and policy publication, as above. A week of part-time attention typically moves the dashboard visibly — which matters beyond the audit math, because a dashboard that responds to effort is what keeps the restart alive in week two.
Pick the audit date (one call, before the week ends). Book the auditor while things are still amber. This feels backwards and is the most reliable move on this page: a real date converts the remaining backlog into a schedule, and auditor lead times (commonly 6–12 weeks to fieldwork) mean you're committing to be ready then, not now. Programs with a booked audit finish; programs waiting until they're ready to book one drift.
How long does it take to get audit-ready from a stall?
For most companies under about 100 people with one framework, the restart-to-audit-ready range we typically see is 4 to 12 weeks of calendar time at roughly 4–8 focused hours a week — closer to the short end if kickoff got the core integrations connected before the drift, closer to the long end if policies were never adapted or the integration inventory comes back messy. Under ~25 people with a standard stack, the short end is honestly achievable. Above 100 people, or with a second framework in play, think in quarters rather than weeks — the work parallelizes, but coordination eats the gains.
These are hedged ranges from observed patterns, not promises — your integration count, policy state, and owner's real availability move the number more than company size does. The encouraging constant: it's nearly always less work than the red dashboard implies, because the dashboard counts findings, not the (much smaller) set of distinct fixes behind them.
One quiet note: we're building tooling that answers "where do we actually stand?" with data instead of estimates — the same local, read-only scan engine behind our Migration Readiness Scan, pointed at implementation completeness rather than migration scope. If you'd want a number instead of a range, the early-access list is there.
When to bring in help — and when not to
DIY-finish is the right call when someone can genuinely own it for a few hours a week, your stack is standard (major cloud, common SaaS), and the audit date is a quarter or more out. The sequence above plus the platform's own support docs is enough; the platforms' support teams are also more useful than stalled buyers assume — you're paying for them either way.
Help earns its keep in two situations. First: the ownership problem is structural — there is truly nobody with the hours, which is the same condition that caused the stall and won't fix itself by resolve. Second: the audit date is close enough that a sequencing mistake blows it. A finish-line engagement is a specific, bounded thing: someone runs the triage, drives the weekly cadence, and hands you an audit-ready program on your existing platform. Industry rates for this kind of implementation help typically land between a few thousand dollars and the low five figures depending on company size and how much drift there is to unwind — meaningfully smaller than a migration engagement, because nothing is being moved, only finished.
The independence line, because money just came up: we take no commissions from any platform, and a consultation that ends in "you don't need anyone — here's your sequence, go finish it yourself" is a normal outcome we're happy with. The first conversation is free either way.
Still not sure finishing is the right path at all? The finish-or-switch page is the honest fork — including the cases where switching genuinely is the answer.
Want someone to run the restart with you?
A free 30-minute consultation maps your exact situation — what data moves, what doesn't, whether your timeline is viable, and what the switch will actually cost in time and disruption.
Independent advice. Not affiliated with any platform vendor.