Drata Security & Compliance Automation Platform

What do you like best about the product?

It's complete: when well configured, it covers efficiently all the controls necessary to reach SOC-2 compliance (and presumably other standards, that I haven't checked yet). It even goes further with list of vendors, risk assessments, and a partnership with SafeBase to host your Trust Center. Great!
The product was pretty responsive and easy to navigate, administrate and use (I haven't worked much with the new UI/UX, tho), and integration with our tech stack (IDP, code-base, etc.) is simple.
Their AI-chatbot is most of the time helpful for basic support, although the corresponding doc is not always up-to-date (so the chatbot may be out-of-date too; but there's always a human to take over).

What do you dislike about the product?

Integration with Linear was supported, but the main point is to submit Linear ticket as evidence… which is not possible (and frustrating).
The "Tasks" module of Drata could be a powerful tool to manage/plan/track/remind all the tasks to do, recurring or punctual, but it is not as complete and smooth as a good old Google or Outlook Calendar (to invite several people, to link to a document, etc.), so we have quickly stopped using it.
Also, like all other GRC tools, it's always hard to justify the price to our management when everything goes well and no threat was directly addressed via Drata.

What problems is the product solving and how is that benefiting you?

We wanted a tool that our auditors could access to answer most of their questions for a SOC-2 audit. Apart from the on-boarding and some permissions issues, Drata did all the work I would have had to do to satisfay the auditors.

What do you like best about the product?

The platform is relatively easy to use and has everything included within it

What do you dislike about the product?

Sometimes it is unclear how the process works fully, especially with the involvement of 3rd party companies

What problems is the product solving and how is that benefiting you?

SOC 2 Type 2 Certification, it would help us in our sales endeavors

What do you like best about the product?

I like Drata's interface and the ease of usage. It's great that it updates automatically when something needs fixing, so I don't have to worry about manual interventions. Compared to other tools, it gives me a sense of knowing exactly what to expect and how things will work. Also, the integrations are pretty good, even though there's room for more apps to be added. Great policy templats.

What do you dislike about the product?

Lack of integrations and maybe a little bit of lack of comprehensive rules regarding for example systems that should not be included / scanned. It doesnt use most secure way of connecting applications via OIDC / workload identity systems. There was a lack of ability to import evidence from other vendors, so we had to do a lot of stuff manually.

What problems is the product solving and how is that benefiting you?

I use Drata to set up ISO 27001 and SOC 2. The interface is easy to use and updates automatically when something needs fixing, so I always know what to expect.

What do you like best about the product?

I like the simplicity of SafeBase. I also appreciate the design and the support by David. The initial setup was very smooth. Everything works well.

What do you dislike about the product?

I like everything

What problems is the product solving and how is that benefiting you?

It helps make us legit in front of customers.

What do you like best about the product?

I love the ease of use of Drata. The centralization is what helps us the most, it saves a lot of time with our small team. It prevents us from having confusion about what is up-to-date or not. I also appreciate the sharing with our auditors for certifications.

What do you dislike about the product?

For now, nothing. Except maybe the price, which is high for a startup.

What problems is the product solving and how is that benefiting you?

Drata helps us manage our compliance with a small team, especially for SOC 2 and soon GDPR. The centralization, notifications, and task tracking help us stay compliant. Saves a lot of time by avoiding confusion over up-to-date documents.

What do you like best about the product?

The connection to the auditors. I would not have connected with Sensible if it weren't for them, and our auditing team is incredibly helpful and informative.

The My Personnel section makes it easy to monitor the progress of my teams MyDrata section. I can send them a nudge in the page to remind them to complete their tasks.

It is overall, well-organized, intuitive UX/UI.

I like the integrations feature, this has made completing many of our controls much more simple.

What do you dislike about the product?

I was extremely confused around the mandatory controls for the SOC2, and this was not explained to me clearly when we were onboarded. There was 208 controls, and once speaking with the auditor, it became clear that we would only need to complete 25% of that.

Also receiving explanation on the risk management and vendor management page. I was very confused with what to do with these, and how they related to the final audit.

What problems is the product solving and how is that benefiting you?

We are not SOC2 compliant, and Drata is helping us obtain that certification through frameworks and structure. it is benefiting me because the learning curve of figuring out how to be soc2 compliant and the necessary structures to build would take much time, and I imagine would be incredibly confusing.

What do you like best about the product?

The interface is clean, intuitive, and visually appealing. The platform communicates issues effectively, maintains a professional design, and provides a smooth, user-friendly experience overall today.

What do you dislike about the product?

Drata experienced performance issues today, with repeated “Too many concurrent requests” errors disrupting access and workflow.

What problems is the product solving and how is that benefiting you?

Drata helps automate compliance and security management by centralizing evidence collection, monitoring security controls, and simplifying audit preparation. This reduces manual effort, saves time during compliance reviews, improves visibility into security posture, and helps maintain certifications such as SOC 2 and ISO 27001 more efficiently. However, today's performance issues limited these benefits by causing delays and reducing productivity.

What do you like best about the product?

There are a lot of native integrations available for you to connect to ensure compliance for workstations, identity, and policy acknolwedgements

Very easy to connect Entra ID to pull in all your users and from there you can connect your MDM (Intune or JAMF/Kandji), RMM tools, and security training (KnowBe4) platforms to match up with the respective end user.

Its really easy to manage users and their associated devices and check for device and policy compliance.

What do you dislike about the product?

Particularly for MDM platforms such as Intune or JAMF, a workstation might have all the appropiate policies in place for compliance but Drata sometimes doesn't pull in that data correctly for some users/devices. In Intune, a device could show that all compliance policies have been sucessfully deployed however Drata might still list it as "non compliant"

What problems is the product solving and how is that benefiting you?

It's a single platform for managing our end user and device compliance for audits and ceritifications.

What do you like best about the product?

We use it for compliance tracking. It has a very intuitive framework with automatic tests and controls mapped to specific compliance requirements. It also offers tools to keep track of compliance requirements like Personnel compliance list, Vendor and Subprocessor inventories, a policy center, and a risk register - all of which we use as part of our day-to-day company processes. It easily connected to our infrastructure console, cloud workspace, HR system, and trust portal - automatically running tests and checking controls, which reduces our workload. The performance is smooth, and the AI agent gives quick advice when you bump into an unknown. Tickets were addressed and resolved quickly, so technical support is responsive and gives ample explanation and updates. The pricing is competitive and can be compared to other alternatives.

What do you dislike about the product?

There are really no big downsides for me - it offers more than we are using now. Maybe the connection between assets and personnel could offer more actions to easily reflect changes/updates and record what changed. In specific cases, we need to involve TS to resolve unusual states.

What problems is the product solving and how is that benefiting you?

We use it as a Compliance hub: We track our compliance controls, upload evidence, track personnel compliance, host our policies, log our subprocessors and risks.
Also, it is an assessment hub to communicate with our auditors. And we also host our trust portal on the child product Safebase.

What do you like best about the product?

As a devops engineer the most useful part is the AWS integrations (and other similar integrations), and the automated controls.

What do you dislike about the product?

The web interface is sometimes hard to navigate, links don't always open what I expect, or are just lacking. The wording is sometimes confusing: some terms seem specific to Drata and need to be learnt, but there's no contextual help.

What problems is the product solving and how is that benefiting you?

Mostly gathering data, proofs, for security audits. In particular for complex scenarios or broad areas where manual collection would be very painful.