Drata Security & Compliance Automation Platform (D)

Our main use case for Drata  is to provide a platform for us to manage our SOC 2 compliance.

The best features that Drata  offers, even though my overall experience wasn't great, include monitoring that worked effectively, although it was somewhat inflexible.

Almost all of the monitoring worked, but they have very specific ways that they want to see the infrastructure set up. For instance, one of the SOC 2 requirements is having a business recovery plan, which necessitates periodic database backups. We had it set up using AWS  Backups to do it twice daily, but Drata requires using a different service for daily backups. Even though we had already covered the requirement, they still required it to be done their way, which I felt was not ideal. But overall, their monitoring of infrastructure worked pretty effectively.

Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all.

Being fairly new SOC 2 compliance, understanding how the platform worked was really difficult to use. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself.

A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth between the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised.

We attempted to get their Slack  integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work.

Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time.

I think Drata could be improved by changing it so that it reports the actual status of the controls and are more proactive about helping organizations at our stage of business get to compliance.

We have been using Drata for about nine months.

I suppose Drata is stable.

Drata's scalability is fine.

My experience with customer support was good; they were responsive, but they didn't ever get us to a solution that worked. In the end, it wasn't great. I would rate the customer support a seven on a scale of 1 to 10.

I did not previously use a different solution.

Drata integrates quite well with other AWS  services we use. The procurement process was easy.

I haven't seen a return on investment with Drata, as there are no relevant metrics such as money saved, time saved, or fewer employees needed.

My experience with pricing, setup cost, and licensing is all fine.

Before choosing Drata, we evaluated other options, namely Vanta  and Secureframe.

My advice to others looking into using Drata is that I would advise them not to use it.

I would rate Drata a 1 out of five because the platform requires that you be a compliance expert and doesn't help guide the user through the process. The platform fundamentally requires compliance expertise, which can be a barrier for many users.

I have been deploying all the services to Australia and USA. These are for customer compliance on HIPAA, ISO 27001, SOC 2, and similar standards.

Drata  provides compliance management, including customer compliance on HIPAA, ISO 27001, and other standards. The platform allows for documentation and uploads of records, which can be reviewed by qualified security assessors. This helps in seamless audit preparations.

Drata  offers APIs for every clause so that it can integrate into various platforms. It has real-time features and dashboards and allows for automation. The support is excellent, with rapid response within an hour. The platform is described as very rich, offering a comprehensive array of features.

The existing features of Drata are already extensive and costly to integrate. It requires a certain level of development understanding from companies. Improvements could be in the area of reducing costs and making integrations more accessible.

Drata services have been deployed to Australia and the USA.

Drata has a good speed and is described as a fast solution.

Customer service is excellent, with responses typically received within an hour. The support system, including TalkShare, is available and highly efficient.

Positive

I have used several solutions before. Every  company uses different software; not everyone goes for the highest qualified security systems available.

It doesn't provide monitoring benefits or savings directly as it's an assessment platform, yet it offers comprehensive compliance features.

Drata is very expensive with each API incurring a cost. It is described as a costly tool. Rarely do people choose the most qualified security assessment tools due to cost considerations.

ServiceNow  is cheaper, around $25,000 per company compared to Drata. Other tools evaluated include Avaya and various VMware products.

I'd rate the solution eight out of ten.

We mainly use Drata as our GRC tool. Previously, we didn't have a GRC tool in-house. As a payment company, we must complete two annual audits: PCI for the payment card industry and SOC 2 Type 2, which most software companies also need. Without a GRC tool, we had separate contracts with each auditing firm, and they provided their tools for us to upload audit evidence. We had to produce the same evidence every year and manually upload it to these tools. If we changed auditors, we'd have to use new software each time, and our previous year's evidence stayed with the auditors. Now, with Data, we can store all our information in-house. Instead of auditors using their platforms, they come to Drata to access the evidence. Throughout the year, we upload and complete audit evidence in Drata, so during the audit period, auditors access what they need from the Drata platform. This means that when we change auditors, it doesn't matter who they are as long as they can access Drata.

Data contains evidence that InfoSec-related audits are often similar. About 30-40% of SOC 2 evidence can be used for PCI audits. Previously, we had to produce separate evidence for each audit and send it to different auditors. Everything lives in Drata, and we can use the sameevidence for PCI and SOC 2 audits. Drata’s cross-mapping between evidence and requirements makes this possible.

Drata keeps adding new features, allowing us to build our entire InfoSec program within it. Adding new components and evidence for different audits is easy. Drata also integrates with various software, like ticketing systems, source code control, and cloud platforms, continuously pulling evidence from these integrations. Without a GRC tool with these integrations, we used to gather evidence from different software during audits manually.

Drata has a significant impact on our security posture management. Previously, Drata had features for security posture management, primarily through integration with AWS. For example, it would scan AWS for specific security requirements, like ensuring all S3 buckets are private. It will be reported on the Drata platform if it finds a public bucket.

Recently, Drata introduced a new feature that uses an infrastructure-as-code approach. This feature detects issues and provides AI-generated suggestions for fixing them. If an organization uses infrastructure-as-code solutions like Terraform, Drata will suggest changes to the Terraform code to address the issues. You can then review and apply these changes to fix the problems. This is particularly useful when dealing with many topics, as it helps automate and speed up the process of implementing fixes. However, this AI-generated code feature is part of Drata’s upsell options. The basic version of Drata offers limited capabilities compared to the advanced features available with a paid upgrade.

Even without this new feature, Drata's security posture management is valuable, as it scans cloud environments for deviations from defined security baselines. Many tools offer similar capabilities, but Drata’s new feature that translates issues into actionable fixes is a notable advancement. This benefits teams with the capability and resources to use this tool effectively.

There is room for improvement in Drata. The core features are solid, but some new features are in a very MVP (Minimum Viable Product) stage. They work, but the user experience isn't always smooth. While the core features are well-developed compared to the market, the new features need more polish. They could benefit from more user feedback and iterations to make them more useful. Some of these new features look promising buthave flaws, so we can’t fully adopt them or justify paying extra for them now. The user interface is clean and intuitive. However, you'll need some specific knowledge if you're a security policy manager or need to set updifferent integrations.

I have been using Drata for more than one year.

I've never noticed Drata having stability issues, like bugs or breakdowns. It doesn’t have high real-time availability requirements, so minor outages usually go unnoticed unless they last for a day or more. I've never seen latency or significant downtime.

Regarding scalability, Drata works well for small to medium-sized businesses withfewer than 500 employees like ours. However, I can't speak to its performance for large enterprises with thousands of employees. For us, it handles our cloud footprint adequately, but there could be issues with some features at a larger scale. For example, its access management lacks batch review capabilities, which could be problematic for large organizations. Reviewing every software and access in a vast enterprise might become excessively complex without betterscaling solutions.

The support team at Drata is top-notch, the best I’ve seen. They have two main types of support: technical support for software or integration issues and auditing support from experienced consultants for audit-related advice. Technical support is excellent, with quick response times. For auditing support, they handle more straightforward issues through live chat within the software, but for more complex problems, I reach out to our customer success manager. We can collaborate through meetings or document sharing; they’re always willing to discuss questions face-to-face if needed. Overall, I have nothing but praise for their support.

Positive

Compared to other tools we tried before adopting Drata, Drata stands out. Many tools either have fundamental features with a clean UI but limited functionality or offer similar features to Drata but with a complicated, hard-to-use interface. Drata has achieved a good balance between itsfeatures and usability. However, it could become problematic if they continue adding features without maintaining thisbalance. For now, Drata is in a good place regarding usability and complexity.

Drata's pricing is quite reasonable. Compared to other tools in the market, including its biggest competitor, Vanta, Drata is much cheaper. Even compared to other tools like AuditBoard, which aren’t as good, Drata’s price remains competitive.

Overall, I would rate Drata a ten. I would recommend it to others. For new users, I advise relying heavily on their support team, especially if you're not experienced in compliance. The support team is accommodating and reliable.

Regarding integration capabilities, I’d rate it an eight. Drata supports many primary software tools, but there are still some gaps. For example, they currently only support Salesforce for CRM and do not yet support HubSpot, which many people use. They’re good with the integrations they offer, but there’s room for improvement in coverage.