Our main use case for Drata is to provide a platform for us to manage our SOC 2 compliance.

The best features that Drata offers, even though my overall experience wasn't great, include monitoring that worked effectively, although it was somewhat inflexible.

Almost all of the monitoring worked, but they have very specific ways that they want to see the infrastructure set up. For instance, one of the SOC 2 requirements is having a business recovery plan, which necessitates periodic database backups. We had it set up using AWS Backups to do it twice daily, but Drata requires using a different service for daily backups. Even though we had already covered the requirement, they still required it to be done their way, which I felt was not ideal. But overall, their monitoring of infrastructure worked pretty effectively.

Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all.

Being fairly new SOC 2 compliance, understanding how the platform worked was really difficult to use. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself.

A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth between the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised.

We attempted to get their Slack integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work.

Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time.

I think Drata could be improved by changing it so that it reports the actual status of the controls and are more proactive about helping organizations at our stage of business get to compliance.

We have been using Drata for about nine months.

I suppose Drata is stable.

Drata's scalability is fine.

My experience with customer support was good; they were responsive, but they didn't ever get us to a solution that worked. In the end, it wasn't great. I would rate the customer support a seven on a scale of 1 to 10.

I did not previously use a different solution.

Drata integrates quite well with other AWS services we use. The procurement process was easy.

I haven't seen a return on investment with Drata, as there are no relevant metrics such as money saved, time saved, or fewer employees needed.

My experience with pricing, setup cost, and licensing is all fine.

Before choosing Drata, we evaluated other options, namely Vanta and Secureframe.

My advice to others looking into using Drata is that I would advise them not to use it.

I would rate Drata a 1 out of five because the platform requires that you be a compliance expert and doesn't help guide the user through the process. The platform fundamentally requires compliance expertise, which can be a barrier for many users.

I have been deploying all the services to Australia and USA. These are for customer compliance on HIPAA, ISO 27001, SOC 2, and similar standards.

Drata provides compliance management, including customer compliance on HIPAA, ISO 27001, and other standards. The platform allows for documentation and uploads of records, which can be reviewed by qualified security assessors. This helps in seamless audit preparations.

Drata offers APIs for every clause so that it can integrate into various platforms. It has real-time features and dashboards and allows for automation. The support is excellent, with rapid response within an hour. The platform is described as very rich, offering a comprehensive array of features.

The existing features of Drata are already extensive and costly to integrate. It requires a certain level of development understanding from companies. Improvements could be in the area of reducing costs and making integrations more accessible.

Drata services have been deployed to Australia and the USA.

Drata has a good speed and is described as a fast solution.

Customer service is excellent, with responses typically received within an hour. The support system, including TalkShare, is available and highly efficient.

Positive

I have used several solutions before. Every company uses different software; not everyone goes for the highest qualified security systems available.

It doesn't provide monitoring benefits or savings directly as it's an assessment platform, yet it offers comprehensive compliance features.

Drata is very expensive with each API incurring a cost. It is described as a costly tool. Rarely do people choose the most qualified security assessment tools due to cost considerations.

ServiceNow is cheaper, around $25,000 per company compared to Drata. Other tools evaluated include Avaya and various VMware products.

I'd rate the solution eight out of ten.

We mainly use Drata as our GRC tool. Previously, we didn't have a GRC tool in-house. As a payment company, we must complete two annual audits: PCI for the payment card industry and SOC 2 Type 2, which most software companies also need. Without a GRC tool, we had separate contracts with each auditing firm, and they provided their tools for us to upload audit evidence. We had to produce the same evidence every year and manually upload it to these tools. If we changed auditors, we'd have to use new software each time, and our previous year's evidence stayed with the auditors. Now, with Data, we can store all our information in-house. Instead of auditors using their platforms, they come to Drata to access the evidence. Throughout the year, we upload and complete audit evidence in Drata, so during the audit period, auditors access what they need from the Drata platform. This means that when we change auditors, it doesn't matter who they are as long as they can access Drata.

Data contains evidence that InfoSec-related audits are often similar. About 30-40% of SOC 2 evidence can be used for PCI audits. Previously, we had to produce separate evidence for each audit and send it to different auditors. Everything lives in Drata, and we can use the sameevidence for PCI and SOC 2 audits. Drata’s cross-mapping between evidence and requirements makes this possible.

Drata keeps adding new features, allowing us to build our entire InfoSec program within it. Adding new components and evidence for different audits is easy. Drata also integrates with various software, like ticketing systems, source code control, and cloud platforms, continuously pulling evidence from these integrations. Without a GRC tool with these integrations, we used to gather evidence from different software during audits manually.

Drata has a significant impact on our security posture management. Previously, Drata had features for security posture management, primarily through integration with AWS. For example, it would scan AWS for specific security requirements, like ensuring all S3 buckets are private. It will be reported on the Drata platform if it finds a public bucket.

Recently, Drata introduced a new feature that uses an infrastructure-as-code approach. This feature detects issues and provides AI-generated suggestions for fixing them. If an organization uses infrastructure-as-code solutions like Terraform, Drata will suggest changes to the Terraform code to address the issues. You can then review and apply these changes to fix the problems. This is particularly useful when dealing with many topics, as it helps automate and speed up the process of implementing fixes. However, this AI-generated code feature is part of Drata’s upsell options. The basic version of Drata offers limited capabilities compared to the advanced features available with a paid upgrade.

Even without this new feature, Drata's security posture management is valuable, as it scans cloud environments for deviations from defined security baselines. Many tools offer similar capabilities, but Drata’s new feature that translates issues into actionable fixes is a notable advancement. This benefits teams with the capability and resources to use this tool effectively.

There is room for improvement in Drata. The core features are solid, but some new features are in a very MVP (Minimum Viable Product) stage. They work, but the user experience isn't always smooth. While the core features are well-developed compared to the market, the new features need more polish. They could benefit from more user feedback and iterations to make them more useful. Some of these new features look promising buthave flaws, so we can’t fully adopt them or justify paying extra for them now. The user interface is clean and intuitive. However, you'll need some specific knowledge if you're a security policy manager or need to set updifferent integrations.

I have been using Drata for more than one year.

I've never noticed Drata having stability issues, like bugs or breakdowns. It doesn’t have high real-time availability requirements, so minor outages usually go unnoticed unless they last for a day or more. I've never seen latency or significant downtime.

Regarding scalability, Drata works well for small to medium-sized businesses withfewer than 500 employees like ours. However, I can't speak to its performance for large enterprises with thousands of employees. For us, it handles our cloud footprint adequately, but there could be issues with some features at a larger scale. For example, its access management lacks batch review capabilities, which could be problematic for large organizations. Reviewing every software and access in a vast enterprise might become excessively complex without betterscaling solutions.

The support team at Drata is top-notch, the best I’ve seen. They have two main types of support: technical support for software or integration issues and auditing support from experienced consultants for audit-related advice. Technical support is excellent, with quick response times. For auditing support, they handle more straightforward issues through live chat within the software, but for more complex problems, I reach out to our customer success manager. We can collaborate through meetings or document sharing; they’re always willing to discuss questions face-to-face if needed. Overall, I have nothing but praise for their support.

Positive

Compared to other tools we tried before adopting Drata, Drata stands out. Many tools either have fundamental features with a clean UI but limited functionality or offer similar features to Drata but with a complicated, hard-to-use interface. Drata has achieved a good balance between itsfeatures and usability. However, it could become problematic if they continue adding features without maintaining thisbalance. For now, Drata is in a good place regarding usability and complexity.

Drata's pricing is quite reasonable. Compared to other tools in the market, including its biggest competitor, Vanta, Drata is much cheaper. Even compared to other tools like AuditBoard, which aren’t as good, Drata’s price remains competitive.

Overall, I would rate Drata a ten. I would recommend it to others. For new users, I advise relying heavily on their support team, especially if you're not experienced in compliance. The support team is accommodating and reliable.

Regarding integration capabilities, I’d rate it an eight. Drata supports many primary software tools, but there are still some gaps. For example, they currently only support Salesforce for CRM and do not yet support HubSpot, which many people use. They’re good with the integrations they offer, but there’s room for improvement in coverage.

I use the solution in my company to apply for SOC 2 certification and to take notes on some controls that we have in AWS and other stuff.

I wish the tool were more granular with some configurations about the controls or the platforms. I don't know whether the information and the way that we share it with third parties could be made more granular, if the benefit could be done, and if it would be a fine product.

The product can improve in its API documentation area.

I have been using Drata for a year and eight months. I am the solution's customer.

I never had any issues with the stability of the product.

I was impressed the first time using Drata because you could put all the data that you have in all across all the platforms over there. Drata tells you how good or bad you will be for applying for those certifications. I rate the tool's scalability a nine out of ten.

In the cybersecurity team, three or four people used to use the tool. The rest of the team used only the agents in their laptops.

I didn't use the solution's technical support a lot, but when I had to, it was great. I had no problem. I rate the technical support an eight out of ten.

Positive

The product is really expensive. I remember that my company used to pay 25,000 USD to use the product, but I can recommend it to those who have no team and still need a certification, evidence or anything related to such areas. The product's cost is really high, but it is a powerful tool.

Impact of the product on your company's security posture management has been great because we had a team of three people in the security part, and I was their technical leader. In our company, we have a CIO and an operations team. We have only three people on the team, and Drata helps us to increase and enhance the maturity of our controls and evidence for future auditing and other compliance assessments.

With the automated evidence feature of the product, we connected all our platforms, like Amazon, and then we connected with GitHub Enterprise to get information about the outbound application. Data has a control panel for third parties so that they can read or know what controls are working and how, which is a breaking advantage for such a tool.

The product is 100 percent friendly to use.

I rate Drata's integration capabilities as an eight out of ten.

If I have ten people with Excel and fully commit to write the controls, then maybe we won't require Drata. If you have a small team, and you want to hurry up with things in your company, Drata is the perfect solution.

I rate the tool an eight out of ten.

I use Drata from the auditor's end. I am an information security auditor for companies that provide SaaS and PaaS-based services, and that would be more concentrated on the US SaaS and PaaS-based companies. I use Drata to check and comment on my client's internal security controls, their operative effectiveness, and how they are upholding their security standards.

Drata's DCF mapping is really good. The way the tool's controls are linked to the framework, specifically with SAST and HIPAA frameworks or any other frameworks, is really good. Basically, when I look into a control, the control's particular DCF number gives me all the information about the automated tests linked to that control, and then the external evidence that the client provides to me for verification and review is also available in one place. Drata's Audit Hub is useful for communicating with the client, and it is also a really good place where the client can feel safe sharing sensitive information for audits as it is a protected platform.

For a particular control, such as vulnerability scans, we mostly have clients provide us with external third-party reports of scans. Drata could have something in place for real-time monitoring so that we could actually see the vulnerabilities directly instead of requesting external vulnerability scans for the platforms or cloud containers one uses.

The thing with Drata is you cannot open multiple tabs on the same interface or the same desktop. When you come out of Drata's Audit Hub, you will have to go back into the client interface and then return to another request. There is a lot of time-consuming activity happening in the tool. When I come out of Drata's Audit Hub, I would like to go to the previous phase I visited without being completely kicked out of the interface.

I have been using Drata since September 2022. My firm has a partnership with Drata, but I am unsure about it.

In terms of stability, the product has been very smooth. Stability-wise, I rate the solution an eight out of ten.

It is a scalable solution. As far as just seeing the other compliances are concerned in the tool, and since it is not the only compliance tool I use for auditing, I can say that when I compare tools, Drata is fine.

I would not want to talk about my experience with the product's support team extensively, but I can give the technical support a rating of six out of ten. There was a time during the initial stages of my work when I found a lot of data to convert into PDFs or download in an Excel format, and a lot of metadata was coming out. When I reached out to Drata's support team, they said the metadata that was coming out was not their issue but something from my end. The issue eventually vanished, but it was never fixed. I stopped seeing the heavy data again on my interface, but it was never properly received by the tool's support team. I only had one such customer support requirement.

I rate the technical support a six or seven out of ten.

Neutral

I have experience with multiple compliance platforms like Vanta and Secureframe.

With the product's initial setup phase, I honestly faced some issues while the clients gave us auditors access to set up cards or read-only access. I have seen a lot of back and forth for multiple clients, and even though the clients tell us that they have given us access, we don't receive it. We don't get Drata's invitation sometimes. I think there is a bit of work, but it is not difficult. It is easy to use the tool to log in to your work emails or Google, but I found some errors in the auditor assignments and access assignments.

In terms of security posture management, as far as I am exposed to Drata, I can say that the tool has some automated tests. The autopilot feature in the tool is really helpful for verifying things, and the client's data is in sync with Drata. The tool has continuous monitoring and it provides me with real-time data on every aspect of the firm's internal security, which is also an add-on.

The tool is really user-friendly. I believe there is always room for improvement.

I do not work on integration processes. We actually have a dedicated team for it, and my team focuses only on testing.

I recommend the product to those who plan to use it since it is a seamless and easy tool to use.

I think going with what is on the interface to view could be the best thing to know more, explore more, and get to the things you want to get to.

I rate the tool an eight out of ten.

I use it as a way to shift from using spreadsheets for SOC2 compliance to something where I can operationalize it into a platform and manage my documents and schedules when needed and where attention needs to be given to the auditor's review of the tools.

Once the tool is set up, Drata offers several valuable features. One key aspect is its integrations, which connect seamlessly with your ecosystem, including cloud services, HR systems, and various security tools. It checks configurations to determine compliance, significantly reducing the overhead of creating evidence from screenshots and configuration changes. This proactive approach allows users to address issues as they arise.

Another important feature relates to organizational efficiency during audits. Typically, you would need to review folder structures where specific controls are located and manually set up calendar events to remind you when to upload documents or screenshots as proof of compliance. Drata streamlines this process by providing a platform that automates control management. You can check your policies and procedures, conduct reviews, and automatically generate evidence for tracking compliance.

I consider my team and myself to be advanced users of Drata, continually pushing the boundaries of use cases and feature requests. We were actively involved in enhancements related to metrics from the risk register and compliance areas, focusing on visualizing trends in risk closure over time and assessing tolerance levels across different categories.

We engaged with customer success on improvements for the Trust Center, seeking metrics like the most downloaded documents, visitor analytics, and insights into which verticals access our site most frequently. This information is crucial for identifying hotspots and areas for improvement across sectors such as K-12, higher education, corporate, and government.

The readiness state of compliance frameworks can sometimes be misleading. For instance, despite having been in SOC 2 Type II compliance for a few years and being 36 months into using Drata, our readiness metric may still show around 60%. This often doesn't reflect our readiness, which is closer to 90-100%. The score can be impacted by recent policy revisions, such as updates made in Q3 or Q4, which may not yet be reflected in the system. These nuances often require additional explanation regarding the reported readiness status.

I have been using Drata for a year and a half.

Some minor bugs occasionally appeared in the web UI, and when reported, they were quickly fixed. There was also a minor outage on the Trust Center caused by an issue with CloudFlare that was outside their control. They provide a status page where users can check for such incidents and their resolutions.

We have about fifteen people with access to Drata, each in different roles. As a global company, these users are spread across various locations around the world.

Our experience with customer success at Drata has been quite positive, largely due to the quality of the personnel assigned to us and the frequency of our meetings, which occurred every two to three weeks for about a year and a half. Having a game plan for these meetings and treating them like office hour sessions has been valuable, as it allows for timely answers to our questions, either on the spot or as follow-ups. This level of involvement from Drata's team stands in stark contrast to some other vendors, where you might not even know who your representative is, and they typically only reach out during quarterly business reviews or renewal discussions.

Positive

I strongly advocate for evaluations that prioritize objectivity by removing emotions from the decision-making process. During my assessment of various tools, I utilized a scorecard and test plan that included clear requirements and priorities. I compared options such as Fanta, OneTrust, and Drata, which was emerging as a strong contender.

Throughout the evaluation, we encountered several bugs within Drata's platform, but their team quickly addressed these issues in production. Additionally, having visibility into their roadmap was a crucial factor that indicated Drata would be a reliable vendor and partner for us.

It supports my privacy and legal team with features like auto consent and AI capabilities, which meet our needs. We chose this tool because of its agility; we felt confident it would grow alongside us and allow us to influence its roadmap.

The platform includes a helpful wizard for setting up integrations, organizing our policies and procedures, and addressing unready controls through a punch list. Additionally, we have assigned a customer success manager who will collaborate with us to tackle these items. We aim to ensure all controls are ready, connected, and scheduled, enabling us to transition to an operational state.

Five people are required for the deployment.

Before implementing Drata, I managed compliance tasks using spreadsheets, which required significant discipline and involvement. With Drata, I could transition most responsibilities to a more junior team member in security, allowing them to take on the bulk of the work, except for certain nuances like writing policies or phrasing things correctly to support sales. The value of Drata is quite high in terms of trust enablement, which can nearly pay for itself from an organizational standpoint.

There’s a dependence on licensing with Drata, as it varies based on the frameworks you purchase and whether you opt for advanced capabilities like the Trust Center and risk module. Pricing is influenced by the number of frameworks you buy. The price ranges from about $18,000 to $30,000, with a sweet spot for small and medium-sized businesses around $20,000. The pricing is reasonable, and it’s worth noting that software can often be heavily discounted if you know how to negotiate.

Our Drata package has a risk register capability that allows you to track all organizational risks while providing insights and metrics to support that tracking. The proactive integration checks compliance against the controls set for different compliance frameworks. The Trust Center is significant for the company, as it showcases all the controls you test against, whether automated or manual—in a public-facing format. This transparency allows customers and prospects to see how we monitor our infrastructure and integrations. If a control fails, it will appear amber on the public Trust Center, demonstrating our commitment to oversight.

The package streamlines the NDA process, reducing the time required for technical reviews by minimizing reliance on the legal team for manual NDA sign-offs. This functionality decreases the manual work involved for each prospect and has proven a competitive advantage, significantly supporting sales efforts and expediting the review process.

It becomes much easier to use once you familiarize yourself with the web UI and its documentation. Jira has a solid knowledge base, and we also create internal documentation to address specific nuances. After getting past the initial learning curve, the UI is relatively straightforward. I had someone new to security successfully take over most of the operational tasks.

Some nuances are involved in getting your onboarding with Drata set up, particularly in understanding how the AuditHub and its capabilities function. The process can be straightforward as long as everyone is on the same page.

Overall, I rate the solution a nine out of ten.

I work with Drata on compliance and audit processes.

Drata helps eliminate evidence gathering and makes assigning different activities to different team members easier, simplifying compliance and audit processes. In Pennsylvania, we're putting in thousands of hours. Drata improves our security posture by reducing extra work, allowing us to focus on other security directives. I like the control editing and task management features the most. It's easy to use, but it's also easy for people to think they don't need security experts if they have it.

In terms of improvements, I'd suggest better marketing since the industry tends to market these tools as security experts, which isn't true.

I have been using Drata for the past eight months.

I've had no issues with stability.

Drata is very scalable and suitable for larger organizations due to the ability to assign tasks to different business lines. We have around twenty users across various companies, and I still use other tools.

The technical support team is good, though I haven't used them much.

The initial setup is pretty straightforward.

It's one of the more expensive options, but I think it's worth the money if you can afford it.

I'd rate Drata an eight out of ten because there's always room for improvement. We've seen value and impact from this tool, and I would recommend it to others. My advice would be to have a set project plan for implementation and to get help from a security expert if you don't have one in-house.

We use the solution to achieve both SOC 2 and ISO 27001 compliance.

Drata improved our security posture by ensuring that all our laptops were encrypted and all our production environments were validated with MFA access. We tracked all our Jira tickets to ensure timely remediation. Going through SOC 2 compliance, we still had to perform other tasks like external pen testing, which we achieved, and document it. We also developed tabletop exercises, which were conducted annually, and performed disaster recovery testing on the database. All this was tracked in Drata in real-time, allowing us to quickly identify and address issues, such as TLS encryption problems. 

Drata helped us publish our ISO and SOC reports, which was essential for the acquisition. The challenge now is whether Drata can scale up to meet the needs of a larger company. Drata is excellent for startups and small—to medium-sized companies but may face challenges in larger organizations with multiple environments. 

One of the challenges with Drata is that if you're paying for a subscription to ISO 27001, you must undergo a risk assessment. You should have access to all necessary modules on the platform to achieve your compliance posture and certification.

It provides real-time reporting regarding SOC 2 or ISO compliance. The auditors issue the reports. Therefore, if the auditors make a recommendation, such as configuring our alert system internally based on their advice, we implement it. Drata must also address its bugs to improve things for the auditors.

I have been using Drata for one and a half years.

After the acquisition, we're still integrating Drata into our environment. The challenges of this integration with the new regime are more significant than anticipated. One issue is stability; when Drata releases updates, we notice some bugs, especially those affecting Mac users. While Drata seems well-suited for smaller startups and mid-sized companies, larger enterprises may encounter more hurdles. Such platforms must remain robust despite occasional integration issues, as updates are necessary for continuous improvement.

I rate the solution's stability a nine out of ten.

These platforms provide real-time reporting. For example, if a control fails, such as requiring all users to log in with unique passwords, I receive an alert. If a user hasn't logged in, the system flags it. Drata helps streamline this process. When a new employee starts, I meet with them to configure their laptop with Drata and show them where the training is. Drata's real-time monitoring is beneficial. 

Drata is particularly effective for smaller companies, where communication is easier, and departments are not siloed like in larger organizations. This makes Drata a good platform for startups to complete their audit reporting and demonstrate their legitimacy. Companies can use this to attract private equity, go IPO, or secure more funding from investors.

Ultimately, companies reach a certain level of corporate maturity where they recognize the value of these investments. Real-time reporting and monitoring with Drata pay off by highlighting smaller issues early on, which benefits the company's overall operation and growth.

Drata also made certain promises regarding specific features but did not deliver. 

Neutral

I've had other demos and due diligence meetings with various vendors, some at the same level as Drata. The challenge becomes whether the bigger company wants to spend the higher cost. It becomes a negotiation between price and service.

Drata has excellent integrations and allows for real-time monitoring. Some tasks require manual uploads for screenshot evidence. It can have company policies within the module. This prevents data islands in Dropbox, Google Drive, or other locations. You can tell critical stakeholders, "Alright, we're having a meeting. Here's the draft; let's edit it." Once edited, the owner can press the green button to publish it, automatically sending alerts to the entire company or specific groups. 

For example, if the access control policy is updated, everyone must acknowledge the change. You can create groups, like the dev team, to agree to policies like SDLC, change management, or vulnerability management. Any changes are automatically pushed to designated personnel, who must review and approve them. You can track when they've done this in real-time, which is essential for auditors. Everything within the module shows whether personnel have agreed to specific policies.

There are other competitors out there. If you don't prefer Drata, find a similar platform. Many different companies exist because Drata enables you to monitor things in real time, which is crucial for both short-term and long-term goals. Short-term goals include daily or weekly reviews for compliance, while long-term goals aim to achieve SOC 2 and ISO goals.

Overall, I rate the solution an eight out of ten.