Drata Security & Compliance Automation Platform (D)

What do you like best about the product?

Intuitive User Interface (UI): The great UI makes navigating complex compliance tasks much easier, contributing to a smoother user experience.
Robust Connections and Integrations: Drata's ability to integrate seamlessly with other tools automates evidence collection, significantly reducing manual effort and ensuring continuous monitoring.
Customizable Frameworks: The flexibility to set up custom frameworks (like PCI 3DS) allows for tailored compliance programs that meet specific industry and business requirements.

What do you dislike about the product?

Inconsistent Support Experience: You've noted that support can be hit or miss. While some interactions are super quick, others suffer from poor communication, a lack of progress updates, and extended resolution times. Consistent and transparent support is vital for compliance tools.
Missing Key Features: The absence of certain functionalities, such as bulk evidence upload, can create inefficiencies and increase manual workload, especially for organizations with large volumes of data or evidence. This suggests opportunities for feature enhancement to streamline processes.
Perceived High Cost: Although you weren't involved in the pricing, the sense that Drata is "rather expensive" when compared to previously used platforms like Vanta indicates a potential concern regarding value proposition or competitive pricing. Cost-effectiveness is a significant factor in tool adoption

What problems is the product solving and how is that benefiting you?

Refining Current PCI DSS Compliance:

Problem Solved: PCI DSS (Payment Card Industry Data Security Standard) has stringent requirements for handling cardholder data. Refining compliance means ensuring all controls are met, evidence is up-to-date, and potential gaps are identified.
Benefit: Drata likely provides a centralized platform to monitor PCI DSS controls, automate evidence collection from integrated systems, and continuously assess your posture. This reduces the manual effort in maintaining compliance, minimizes the risk of non-compliance (and associated penalties), and helps ensure your systems are securely handling payment data. It streamlines the ongoing process, making audits less disruptive.

Preparing for Future SOC 2 and ISO 27001 Certifications:

Problem Solved: SOC 2 (Service Organization Control 2) focuses on trust service principles (security, availability, processing integrity, confidentiality, and privacy), while ISO 27001 (Information Security Management System) provides a framework for managing information security risks. Both require extensive preparation, policy development, and evidence gathering.
Benefit: Drata acts as a compliance roadmap and automation engine for these new frameworks. It helps you:
Understand requirements: Clearly outline the controls needed for SOC 2 and ISO 27001.
Automate evidence: Leverage existing integrations (or set up new ones) to automatically collect evidence relevant to these standards.
Track progress: Monitor your readiness in real-time, identifying what still needs to be done.
Streamline policies: Manage and version control the necessary security policies.
This proactive preparation saves significant time and resources compared to a manual approach, reduces audit fatigue, and accelerates your readiness for obtaining these crucial certifications, which can enhance trust with customers and partners.

What do you like best about the product?

Drata offers strong visibility into compliance readiness across frameworks and significantly reduces the manual effort required for evidence collection, control tracking, and audit coordination. Having a centralized view of controls, integrations, and audit status makes it much easier to manage ongoing compliance work and keep teams aligned.

What do you dislike about the product?

Nothing to add—overall, we’re very pleased with Drata.

What problems is the product solving and how is that benefiting you?

Drata streamlines compliance management by centralizing controls, evidence collection, and audit tracking in one platform. It cuts down on manual follow-ups across teams, improves visibility into audit readiness, and helps us manage ongoing compliance activities more efficiently across frameworks.

What do you like best about the product?

The continuous compliance monitoring is the standout, automated evidence collection from AWS, GitHub, and HR tools means SOC2 audits stop being a fire drill. The control dashboard gives a clear real-time view of what's passing, failing, or drifting.

What do you dislike about the product?

Initial setup and integration tuning takes effort, and some automated checks produce false positives that need manual review. Pricing scales quickly as you add frameworks or users.

What problems is the product solving and how is that benefiting you?

It turns SOC2 (and other frameworks) from a once-a-year scramble into a continuous, automated process. Evidence is collected on its own, policies are versioned, and personnel onboarding/offboarding is tracked — which means audits become a review instead of a rebuild.

What do you like best about the product?

The best feature Drata has is the mapping of recurring requirements of different frameworks/standards to generic Drata Controls. What this means is that if multiple of your frameworks require pretty much the same thing, you only have one Drata control you need to comply with to satisfy all the requirements of your frameworks. This also means only one place to store evidence, add policies, do tasks, etc. This is tremendous time-saver compared to other GRC tools.

Another great feature is the onboarding service they offer. Every subscription has a number of hours attached that you can use to call in GRC-specialists to help you set up something, or just ask questions. You don't have to struggle to get Drata up and running, but can lean on their expertise.

The AI policy builder they have works quite well. It starts you off with a template for whatever policy you selected, but it can also analyse something you made yourself to see if it adheres with the requirements of the Drata controls. It also makes suggestions for what is missing. It isn't always foolproof, so you do need to review the suggestions yourself, but it is a good tool to pinpoint where you are lacking.

Connections are important to get your compliance evidence in Drata in an automated way, and it is adequate. There are many out-of-the-box intergrations, but frankly some of them are missing automated evidence collection. As an example, we integrated our password manager using the built-in Drata connection, and it was easy to set up and gather our list of users. However, it didn't get data to show that our security-related settings were configured properly. We ended up having to use a custom integration.

Lastly some praise for the UI. It is clean, easy to navigate and most importantly, is intuitive. If I want to see my Risk Register, you just navigate to "Risks".

What do you dislike about the product?

As a premium offering, the only real barrier to entry is the price. It isn't the most expensive GRC tool I have seen, but it is up there. This can be compounded if you need alot of extras (more frameworks, etc.).

Our experiences with customer support have also been mixed. Some responded very quickly and accurately, while other times the response was too vague to actually answer our question.

What problems is the product solving and how is that benefiting you?

Our company prides itself on (cybersecurity) compliance, and in the course of several years we have achieved quite a number of certifications to international standards. When the company was smaller, it was feasible to, by hand, maintain our spreadsheets, documents and make screenshots of relevant information needed to pass our audits.

Some time later we saw the added value of a GRC system, but weren't ready to commit to something with a larger price tag, so we started working with a small local SaaS offering. It definately helped give us a better overview of our entire compliance landscape, but frankly it didn't save us alot of time, because everything still had to be done by hand. I estimate that I spent roughly 30% of my hours maintaining and updating our GRC system. This manual work was time-intensive and error-prone, so that was the moment we decided to invest in a established GRC solution.

We now use Drata as our single source of truth when it comes to businness compliance, and the main benefit is the time saved. No more manual labor to get the right evidence from the right person, it is all automated and sent to the platform.

What do you like best about the product?

Comprehensive alerts on tasks and status pf controls. Could not have passed SOC2 audit without Drata. Initial onboarding was difficult as the platform is not intuitive, especially for folks new to the CRG arena. Good documention but not easy to formulate searches as a newbie.

What do you dislike about the product?

Usage is not intuitive, UI is OK

Support is excellent

What problems is the product solving and how is that benefiting you?

Prior to utilizing the platform we had not idea as to the work necessary to become SOC2 certified.

It took a while to understand the the template policies were just that, templates. I suggest an onboarding specialist work with folks new to the platform in designing a customized workflow and how policies, controls and evidence relate to each other.

There is a plethora of documentation which is pretty good