
Reviews from AWS customer

4 AWS reviews

External reviews

1,075 reviews

External reviews are not included in the AWS star rating for the product.


1-star reviews

    Jonathan Samples

Platform requires compliance expertise and struggles with control accuracy

  • July 02, 2025
  • Review from a verified AWS customer

What is our primary use case?

Our main use case for Drata is to provide a platform for us to manage our SOC 2 compliance.

What is most valuable?

The best features that Drata offers, even though my overall experience wasn't great, include monitoring that worked effectively, although it was somewhat inflexible.

Almost all of the monitoring worked, but they have very specific ways that they want to see the infrastructure set up. For instance, one of the SOC 2 requirements is having a business recovery plan, which necessitates periodic database backups. We had it set up using AWS Backups to do it twice daily, but Drata requires using a different service for daily backups. Even though we had already covered the requirement, they still required it to be done their way, which I felt was not ideal. But overall, their monitoring of infrastructure worked pretty effectively.

What needs improvement?

Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all.

Being fairly new to SOC 2 compliance, understanding how the platform worked was really difficult. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself.

A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth with the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised.

We attempted to get their Slack integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work.

Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time.

I think Drata could be improved by changing it so that it reports the actual status of the controls and is more proactive about helping organizations at our stage of business get to compliance.

For how long have I used the solution?

We have been using Drata for about nine months.

What do I think about the stability of the solution?

I suppose Drata is stable.

What do I think about the scalability of the solution?

Drata's scalability is fine.

How are customer service and support?

My experience with customer support was good; they were responsive, but they didn't ever get us to a solution that worked. In the end, it wasn't great. I would rate the customer support a seven on a scale of 1 to 10.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Drata integrates quite well with other AWS services we use. The procurement process was easy.

What was our ROI?

I haven't seen a return on investment with Drata, as there are no relevant metrics such as money saved, time saved, or fewer employees needed.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing is all fine.

Which other solutions did I evaluate?

Before choosing Drata, we evaluated other options, namely Vanta and Secureframe.

What other advice do I have?

My advice to others looking into using Drata is that I would advise them not to use it.

I would rate Drata a 1 out of five because the platform requires that you be a compliance expert and doesn't help guide the user through the process. The platform fundamentally requires compliance expertise, which can be a barrier for many users.




Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Computer Software

No ability to add users

  • June 06, 2024
  • Review provided by G2

What do you like best about the product?
Gives us a process for getting ISO27001 that would have been difficult to follow otherwise.
What do you dislike about the product?
There's only really one thing, but it's important and incredibly painful. There's no ability to add your own users if they don't exist in your IDP. For example, a contractor that doesn't have their email address on your domain - you cannot bring them into the system. This has wasted so much time as we need to find alternative systems for things that we're already paying for as part of Drata.
What problems is the product solving and how is that benefiting you?
ISO27001 is complicated and Drata at least makes the process easier to understand. There's a lot of value just in their documentation despite the platform being difficult to navigate.


    Information Technology and Services

Unreliable, full of bugs, rarely accurate.

  • September 26, 2023
  • Review provided by G2

What do you like best about the product?
Drata gives one hope for what a compliance monitoring system should be.
What do you dislike about the product?
I had originally left the management of Drata to our compliance officer but, after hearing the system was not performing as it had been pitched to me and other members of executive leadership, I stepped in to see what a day in the life was like as an administrator. A week later, I was still trying to sort out the mess. While the look and feel of the interface is great, that "automagic" user interface is a marketing illusion. Drata was hopelessly full of user experience, admin experience, integration, and status reporting errors that could not be fixed without, amongst other things, accessing pages no human could reach through the normal interface, asking the helpdesk to restart the system on the backend, and manually overriding background check mappings. Working with the helpdesk (good people unable to overcome their development team's delivery tempo) was a daily undertaking.

In the end, our auditors said the reports coming off of Drata were inadmissible due to their superficial nature and the unreliability of the underlying data. I love the idea, but it's just three to four years of development from being a product we can rely upon.
What problems is the product solving and how is that benefiting you?
We purchased Drata as a force multiplier for our compliance officer. It was intended to automate the monitoring and report generation around day to day compliance activities associated with our firm.


    Information Technology and Services

Their platform was not honest about what it was doing until I called them on it.

  • July 25, 2023
  • Review provided by G2

What do you like best about the product?
The tool is easy to use and it's clear how I can achieve ISO27001 and SOC2 compliance using the platform. The automated checks are what I want for my business, and I can see us utilising the platform in the future.
What do you dislike about the product?
I noticed that their MDM checks for hard drive encryption are only checking that there's an MDM policy called "FileVault" applied to the computers, and are not checking whether that policy actually contains a setting that enables disk encryption. When I confronted their support about this I was given incorrect information. They told me that it was actually checking encryption status when my testing showed that that's not the case. They are working on improving the check to actually check what it says it checks on the trust report it's checking, but...shouldn't that have already been done? Why is a customer pointing out that your platform doesn't do what it says it's doing? Why are you reporting on customer trust centers that you're checking hard drive encryption status with a big green tick when you're not actually checking that?

I was also misled during the sales process. The salesman insisted that all of support was available with a 2 minute turnaround. This is not true, as the compliance team is not available in my timezone at all. This is in no way a 2 minute response time, it's overnight response times for me.

I can see how I will leverage the platform to achieve the compliance requirements I want, but I do not trust them anymore, and I recommend other users don't trust them either after my experience.
What problems is the product solving and how is that benefiting you?
It automates the evidence gathering portion of achieving ISO27001 compliance. This is the most labour intensive part of the work, so it's nice to have a platform that automates this work.

