Our main use case for Drata is to provide a platform for us to manage our SOC 2 compliance.
External reviews
1,074 reviews
from
and
External reviews are not included in the AWS star rating for the product.
Great overall experience with Drata
What do you like best about the product?
Ease of use and automation. Ease of implementation. Customer support is very responsive and timely with follow up.
What do you dislike about the product?
Some manual entry required depending more on business practices and limitations with applications.
What problems is the product solving and how is that benefiting you?
Creates automation experience around execution of multiple compliance frameworks.
Complete and Organized Solution
What do you like best about the product?
It is built to help you get compliance done. You rarely feel uncertain about what to do next, and the support is great.
What do you dislike about the product?
Nothing honestly. When I find gaps they close them quickly
What problems is the product solving and how is that benefiting you?
Security compliance and demonstrating that to our clients
Professional and prompt
What do you like best about the product?
How quick they are to get back to my issue and solve it.
What do you dislike about the product?
Not much to complain about. A different agent got back to me then the original but it's no big deal
What problems is the product solving and how is that benefiting you?
Our need for a compliancy platform
Review For Drata
What do you like best about the product?
The Ease of use , the interface is user friendly and the support team is the best
What do you dislike about the product?
I did not find anything which I not like in Drata
What problems is the product solving and how is that benefiting you?
All of our compliance issue
Platform requires compliance expertise and struggles with control accuracy
What is our primary use case?
What is most valuable?
The best features that Drata offers, even though my overall experience wasn't great, include monitoring that worked effectively, although it was somewhat inflexible.
Almost all of the monitoring worked, but they have very specific ways that they want to see the infrastructure set up. For instance, one of the SOC 2 requirements is having a business recovery plan, which necessitates periodic database backups. We had it set up using AWS Backups to do it twice daily, but Drata requires using a different service for daily backups. Even though we had already covered the requirement, they still required it to be done their way, which I felt was not ideal. But overall, their monitoring of infrastructure worked pretty effectively.
What needs improvement?
Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all.
Being fairly new SOC 2 compliance, understanding how the platform worked was really difficult to use. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself.
A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth between the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised.
We attempted to get their Slack integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work.
Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time.
I think Drata could be improved by changing it so that it reports the actual status of the controls and are more proactive about helping organizations at our stage of business get to compliance.
For how long have I used the solution?
We have been using Drata for about nine months.
What do I think about the stability of the solution?
I suppose Drata is stable.
What do I think about the scalability of the solution?
Drata's scalability is fine.
How are customer service and support?
My experience with customer support was good; they were responsive, but they didn't ever get us to a solution that worked. In the end, it wasn't great. I would rate the customer support a seven on a scale of 1 to 10.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
Drata integrates quite well with other AWS services we use. The procurement process was easy.
What was our ROI?
I haven't seen a return on investment with Drata, as there are no relevant metrics such as money saved, time saved, or fewer employees needed.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is all fine.
Which other solutions did I evaluate?
Before choosing Drata, we evaluated other options, namely Vanta and Secureframe.
What other advice do I have?
My advice to others looking into using Drata is that I would advise them not to use it.
I would rate Drata a 1 out of five because the platform requires that you be a compliance expert and doesn't help guide the user through the process. The platform fundamentally requires compliance expertise, which can be a barrier for many users.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Great Experience
What do you like best about the product?
Drata helps organize all your documentation like a dream. Theres a ton of time saved figuring out related controls. The integrations make tracking changes much easier. I have used this platform everyday for the past few months preparing for our PCI compliance audit. After all the initial heavy lifting I can see that huge amount of burden relief this product offers its clients.
What do you dislike about the product?
There are some features that feel lacking such as, no way to track requirements that are in progress state in the midst of an audit in audit hub.
What problems is the product solving and how is that benefiting you?
Drata helps monitor realtime environment compliance.
Customer Support
What do you like best about the product?
Whenever I had to contact customer support, the issue was handled promptly. The support team is helpful and communicates clearly, keeping you informed of any delays, recommended steps to resolve the issue.
What do you dislike about the product?
I have not come across any downsides using drata.
What problems is the product solving and how is that benefiting you?
Helping us towards SOC type 2 compliance.
Comprehensive platform with excellent support
What do you like best about the product?
The support, including access to compliance professionals
What do you dislike about the product?
The UI not always intuitive, and you can bounce between sections easily
What problems is the product solving and how is that benefiting you?
Helping us achieve ISO27001 compliance.
Drata has been helpful for client audits, but is often a bit confusing to work with.
What do you like best about the product?
Policy center, risk register, vendor inventory, and other sections are very helpful.
What do you dislike about the product?
The automated tests, evidence, and policy mappings are often confusing. I find myself asking how to turn a control green often.
What problems is the product solving and how is that benefiting you?
Simplifying SOC 2 audits, saves everyone time.
Good but implementation heavy, needs more features for mature capabilities
What do you like best about the product?
The interface is clear and straightforward, easy to navigate, has a lot of options to cover different areas of GRC. When fully implemented, it can be very useful. Convenient - A lot of auditors are familiar with Drata and can integrate their audits into Drata, both internal and external. The support teams are responsive.
What do you dislike about the product?
Lack of customization, which limits capabilities. Implementation is more complex than was estimated.
The implementation team could benefit from prioritizing the features of Drata that give the most value to each organization, instead of basically going through a checklist of Drata features that may not save the org any time/effort.
The audit hub is very basic at this point and doesn't give much visibility into the progress of an audit. I will also include that, if you have a repository of past evidence in your auditor's portal, you will not have that when you go through an audit in Drata. Some of our users have complained that it felt like going through our first audit, when they were unsure what evidence is needed for each control.
The implementation team could benefit from prioritizing the features of Drata that give the most value to each organization, instead of basically going through a checklist of Drata features that may not save the org any time/effort.
The audit hub is very basic at this point and doesn't give much visibility into the progress of an audit. I will also include that, if you have a repository of past evidence in your auditor's portal, you will not have that when you go through an audit in Drata. Some of our users have complained that it felt like going through our first audit, when they were unsure what evidence is needed for each control.
What problems is the product solving and how is that benefiting you?
Control documentation and evidence collection
showing 11 - 20