Our main use case for Drata is to provide a platform for us to manage our SOC 2 compliance.
External reviews
External reviews are not included in the AWS star rating for the product.
Platform requires compliance expertise and struggles with control accuracy
What is our primary use case?
What is most valuable?
The best features that Drata offers, even though my overall experience wasn't great, include monitoring that worked effectively, although it was somewhat inflexible.
Almost all of the monitoring worked, but they have very specific ways that they want to see the infrastructure set up. For instance, one of the SOC 2 requirements is having a business recovery plan, which necessitates periodic database backups. We had it set up using AWS Backups to do it twice daily, but Drata requires using a different service for daily backups. Even though we had already covered the requirement, they still required it to be done their way, which I felt was not ideal. But overall, their monitoring of infrastructure worked pretty effectively.
What needs improvement?
Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all.
Being fairly new SOC 2 compliance, understanding how the platform worked was really difficult to use. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself.
A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth between the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised.
We attempted to get their Slack integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work.
Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time.
I think Drata could be improved by changing it so that it reports the actual status of the controls and are more proactive about helping organizations at our stage of business get to compliance.
For how long have I used the solution?
We have been using Drata for about nine months.
What do I think about the stability of the solution?
I suppose Drata is stable.
What do I think about the scalability of the solution?
Drata's scalability is fine.
How are customer service and support?
My experience with customer support was good; they were responsive, but they didn't ever get us to a solution that worked. In the end, it wasn't great. I would rate the customer support a seven on a scale of 1 to 10.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
Drata integrates quite well with other AWS services we use. The procurement process was easy.
What was our ROI?
I haven't seen a return on investment with Drata, as there are no relevant metrics such as money saved, time saved, or fewer employees needed.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is all fine.
Which other solutions did I evaluate?
Before choosing Drata, we evaluated other options, namely Vanta and Secureframe.
What other advice do I have?
My advice to others looking into using Drata is that I would advise them not to use it.
I would rate Drata a 1 out of five because the platform requires that you be a compliance expert and doesn't help guide the user through the process. The platform fundamentally requires compliance expertise, which can be a barrier for many users.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Horrible customer service
Drata is a buy and they forget about you.
I previously used Thoropass to accomplish the same objective and they are hands down much better. Do not waste your time or money with Drata.
Stay away this scam company
Their platform provided little value and their account manager reached out first time after half a year, only because we wanna cancel the service. Their private offer is a 2-year non-cancellable agreement, which is rare and very different from most other month-by-month products you will find on Marketplace. Think twice whether you wanna enter into a 2-year non-cancellable agreement before you know the concrete value that the product provide.
A very basic product with no improvement over the years
The product is very simple in terms of functionality, even the forms inside the product are delegated to a 3rd party. Agent constantly loses connection and the turnaround time from support was uncomfortably high. The generated policies are very simple and presented to you in a generic text editor, where the editing experience is not nice. Alternatives like Vanta are much more polished and has more features.