Decent SOC 2 Tracking, but would prefer more advanced capabilities for the price
What do you like best about the product?
It’s a decent tool for tracking SOC 2 compliance rules and controls. It also integrates with our HRIS, which helps keep things connected and easier to manage.
What do you dislike about the product?
The “tests” for various controls aren’t very intuitive, and at times they feel more arbitrary than helpful. Pricing also seems high relative to the platform’s actual capabilities. During onboarding, the reliability of the tool was oversold, which made it harder to gauge how deep we needed to go with our controls and any supplemental tracking tools. I would have preferred clearer, more practical guidance throughout.
What problems is the product solving and how is that benefiting you?
SOC 2 security and compliance.
Broken UI/UX and Unexplained Platform Changes
What do you like best about the product?
The recent improvement in vendor management and risk management module and the addition of evidence library,
What do you dislike about the product?
The UI, UX is very broken, everytime you exit a page you will end up in an unintuitive place. Integrations are still limited compared to other products. So many unexpected things happen in the platform, data and settings changes, without the customer service providing the proper explanation.
What problems is the product solving and how is that benefiting you?
Compliance.
Structured ISMS and ICS support with strong risk and vendor management
What do you like best about the product?
Structured support in the development of an ISMS and ICS, good risk and vendor management.
What do you dislike about the product?
Not all areas create documented information, so you are not 100% compliant with ISO27001.
What problems is the product solving and how is that benefiting you?
Creating a good ISMS structure, Drata supports enormously here!
Automated Compliance Made Easy, But Needs User Management Improvements
What do you like best about the product?
I find Drata easy to track my compliance status, and it helps me identify compliance gaps. I also appreciate the automated monitoring that integrates with my existing tools, making real-time tracking possible. Setting up Drata was easy, which was a definite plus for me.
What do you dislike about the product?
The user review process is a bit tedious as it does not allow you to remove offboarded users directly from products. Right now, we do not have a way to exclude users directly in integrations, so you have to manually exclude them on each review which is a tedious process.
What problems is the product solving and how is that benefiting you?
I use Drata for SOC 2 compliance, making compliance effortless with automated monitoring. It's easy to track my compliance status and identify gaps in real-time.
Strong Framework Structure and Seamless Connections
What do you like best about the product?
Framework structure and connections with different sources for tests.
What do you dislike about the product?
Generic policy templates. Not many connectors available in comparison with other tools.
What problems is the product solving and how is that benefiting you?
Compliance roadmap. Fast deployment. Governance, audit readiness and view from customers.
Drata Keeps Us Continuously Audit-Ready with Hands-Off Evidence Collection
What do you like best about the product?
What I like about Drata is how it transforms compliance from a manual, point-in-time effort into a continuous, automated process. Its integrations with tools like cloud providers and identity systems make evidence collection largely hands-off. The dashboard is clear and accessible, giving both technical and non-technical stakeholders quick insight into compliance status. Overall, Drata makes it much easier to stay audit-ready without the usual operational burden, and it scales well as organizations grow.
What do you dislike about the product?
What I dislike about Drata is that the initial setup and configuration can be time-consuming and sometimes confusing, especially when mapping controls across multiple frameworks.The platform can also generate a high volume of alerts or tasks, which may create noise if not carefully tuned.
What problems is the product solving and how is that benefiting you?
Drata solves the problem of time-consuming, manual compliance processes by automating evidence collection, control monitoring, and audit preparation. Instead of scrambling to gather documentation at audit time, it keeps everything continuously up to date, which reduces stress and minimizes the risk of missing requirements. This benefits me by saving significant time, improving accuracy, and providing real-time visibility into our compliance posture. It also makes it easier to stay audit-ready year-round and focus more on higher-value work rather than repetitive administrative tasks.
Expect things to break all the time silently
What do you like best about the product?
Comes with a Drata Trust Center that's relatively easy to manage. That's pretty much the only thing that hasn't broken on me this past year.
What do you dislike about the product?
Drata seems to have major breakage on what seems to be a monthly basis.
- MDM integration is currently broken
- Audit hub messages from auditors are currently broken
- Using a custom framework, only your auditors can create the controls (and control mappings in the audit hub vs what's in your view of the custom framework are not kept in sync)
I've reached the point where I'm running audits outside of Drata because Drata is so broken.
Customer Service seems to have taken a major step back in quality. I've been advised at least twice to make dangerous changes that each time broke my Drata instance (Google, HRIS).
What problems is the product solving and how is that benefiting you?
Their Trust Center does give me a way to manage showing our compliance documents under NDA to prospects and customers.
DRATA’s Easy Interface and Rapid Updates with Lots of Features
What do you like best about the product?
The Interface and ease of use are two key things for me within DRATA along with the loads of features that are available. However, there is another aspect to it, which is the upgrades that are moved to the platform are quite quick and to the business needs.
What do you dislike about the product?
having access to more frameworks could be an option. limitation of connection that can be created if there are more than 2 apps used under same category.
What problems is the product solving and how is that benefiting you?
GRC and automation around it.
Prompt Support, Effortless Access
What do you like best about the product?
I like how quickly Drata responded and how polite they were. It was also easy to contact customer support since the button was right at the top, and they responded immediately. Additionally, the initial setup of Drata was very easy for me.
What do you dislike about the product?
Nothing I can think of
What problems is the product solving and how is that benefiting you?
Drata solved my email authorization issue and allowed me to access my account easily. The customer service was quick, helpful, and polite, making it easy to contact support when needed.
Centralized audits and policies have transformed how our team manages compliance workflows
What is our primary use case?
I am an end user of
Drata. Most of the time I work with
Drata for control mapping, uploading evidence, and sometimes risk management and the Policy Center, such as uploading policies. Those are mainly the features that I work with most of the time.
I primarily do internal audit support with Drata. Drata has been really helpful in terms of centralizing audit evidence. During the traditional audit method, you would have to send evidence via emails. With Drata, everything is centralized, and once external auditors have access to the system, they are able to review everything within a centralized tool. They are also able to download the evidence in a package form and review it. Having to upload policies in one centralized system has been feasible and most effective. Drata has the feature of Policy Center where you are able to upload all the policies within the company and they can be published from there. They can also be acknowledged by employees and approved by policy owners.
What is most valuable?
I think the tool having the ability to centralize most of the things is one of the most good things about Drata because when you do things that are scattered, managing policies from another tool and managing evidence collection during audits from another tool becomes difficult. Drata has Audit Hub where you can actually do the audit and when a control has been audited and prepared, you can mark it as complete within the system. With Drata having those capabilities as a
GRC tool, I think it has most of the capabilities that are needed within
GRC. We do not need to be purchasing other third-party tools. Though they might be needed, it is most useful that most of the work can be performed within the tool without having multiple third parties.
Currently, we have a dashboard in Drata. The dashboards go with admin access and relevant access that you need. With the views that I have, I am able to see all the frameworks that we are compliant with. I am able to see if there are certain controls that are not yet fulfilled. It will show that out of 60 controls, 23 is fulfilled and the rest is not fulfilled. That feature is helpful so that you are able to see that when it is 100%, it means you are compliant.
Overall, Drata as a tool has brought a lot of improvements within the GRC team. Having to centralize everything in one system, mapping the controls within one system, performing audits within one system, monitoring policies within one system, and doing risk management within one system is something that in GRC, speaking from a GRC perspective in cybersecurity, has been very impactful and effective within the team.
What needs improvement?
At the moment, integrating Drata with other AIs would be beneficial. I am not too sure if it is something that can be done or if it is possible, but I am not aware. Integrating it with AI where maybe with regards to evidence collection, I would not have to be collecting the evidence manually would be helpful. When you are managing a lot of frameworks, it is a lot of work to actually individually and manually upload all the evidence in Drata. If maybe there is an AI which can be able to automate that kind of a workflow, and obviously as human beings, we will have to do a human error check, I think it would be amazing. I am not too sure if maybe at the moment it is something that is in place and I am not aware of, but I think it would be great.
Integrations within my team are managed by someone, but I do have an idea about Drata's automated control monitoring. For example, with tests, there are certain systems such as AWS that has been integrated with Drata, and it tests those systems and puts them as part of evidence. For example, data encryption at rest. We can put it a test and integrate it with AWS, and then it will automatically test the encryption in data at rest. If the test has failed, you will see it. When I log in to check all the controls that have failed, it will show on Drata that the test has failed. Then I will be able to coordinate with the relevant stakeholders and tell them that it needs to be fixed.
I would like Drata to make the user interface more intuitive.
For how long have I used the solution?
I joined SUSE in October 2024, and we started using Drata from May of last year.
What do I think about the stability of the solution?
Drata has been an 8 in terms of stability and reliability for me so far.
There was one instance where our auditors could not access the Audit Hub in Drata, and it was not really something that was wrong from our company side. It was something wrong with Drata. Technical issues do occur. Speaking with them, it took a bit longer than we expected, and we were during the audit process and auditors had to audit, so we had to switch and do it the traditional way without using the tool. However, it was not really that too long.
What do I think about the scalability of the solution?
Drata is a 9 in terms of scalability.
How are customer service and support?
I do not communicate with the technical support of Drata. I am copied in the emails during the conversations, but I am not the one who is handling the overall support. As part of the GRC team, I am just there for visibility to see what the status of the issues is, but I am not the one who is handling the overall issues.
How was the initial setup?
I was there to do reviews regarding Drata. The setup and the integration of the systems itself was not really done by me, but I was there to review the features and when we do the control mappings and uploading things, I was there to actually see if it was a user-friendly app and if it was understandable.
Which other solutions did I evaluate?
I know there is SafetyCulture. It is also for compliance and project management, but it is not really the same as Drata. I would say Drata outperforms it.
What other advice do I have?
From my experience with Drata, if maybe for someone who is entry-level or who is not really too technical, they would not really understand some of the things. For someone who is not really technical, some of the terms they would not understand. However, overall, it is understandable and clear and comprehensive.
Drata has official documentation, guides, and manuals. I think it is going to depend on who is doing the integration. If Drata has that feature, it means it is something that is possible. From my experience, there have been some integrations that have been made and they were a success. Sometimes they do fail because of maybe the problem, it might be with Drata or it might be with the third-party tool that it has been integrated with. However, overall, with my experience having gone through some of the controls, the integrations have been a success.
At the moment, the ones that I know that Drata has been integrated with are AWS and Qualys. I do not use any tools from Drata's 75 plus integrations overall.
I would give this review a rating of 10.
