
Reviews from AWS customer

4 AWS reviews

External reviews

1,089 reviews

External reviews are not included in the AWS star rating for the product.


    reviewer2518548

User-friendly and supports SAST and HIPAA frameworks

  • July 26, 2024
  • Review from a verified AWS customer

What is our primary use case?

I use Drata from the auditor's end. I am an information security auditor for companies that provide SaaS and PaaS-based services, and that would be more concentrated on the US SaaS and PaaS-based companies. I use Drata to check and comment on my client's internal security controls, their operative effectiveness, and how they are upholding their security standards.

What is most valuable?

Drata's DCF mapping is really good. The way the tool's controls are linked to the framework, specifically with SAST and HIPAA frameworks or any other frameworks, is really good. Basically, when I look into a control, the control's particular DCF number gives me all the information about the automated tests linked to that control, and then the external evidence that the client provides to me for verification and review is also available in one place. Drata's Audit Hub is useful for communicating with the client, and it is also a really good place where the client can feel safe sharing sensitive information for audits as it is a protected platform.

What needs improvement?

For a particular control, such as vulnerability scans, we mostly have clients provide us with external third-party reports of scans. Drata could have something in place for real-time monitoring so that we could actually see the vulnerabilities directly instead of requesting external vulnerability scans for the platforms or cloud containers one uses.

The thing with Drata is you cannot open multiple tabs on the same interface or the same desktop. When you come out of Drata's Audit Hub, you will have to go back into the client interface and then return to another request. There is a lot of time-consuming activity happening in the tool. When I come out of Drata's Audit Hub, I would like to go to the previous phase I visited without being completely kicked out of the interface.

For how long have I used the solution?

I have been using Drata since September 2022. My firm has a partnership with Drata, but I am unsure about it.

What do I think about the stability of the solution?

In terms of stability, the product has been very smooth. Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. As far as just seeing the other compliances are concerned in the tool, and since it is not the only compliance tool I use for auditing, I can say that when I compare tools, Drata is fine.


How are customer service and support?

I would not want to talk about my experience with the product's support team extensively, but I can give the technical support a rating of six out of ten. There was a time during the initial stages of my work when I found a lot of data to convert into PDFs or download in an Excel format, and a lot of metadata was coming out. When I reached out to Drata's support team, they said the metadata that was coming out was not their issue but something from my end. The issue eventually vanished, but it was never fixed. I stopped seeing the heavy data again on my interface, but it was never properly received by the tool's support team. I only had one such customer support requirement.

I rate the technical support a six or seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with multiple compliance platforms like Vanta and Secureframe.

How was the initial setup?

With the product's initial setup phase, I honestly faced some issues while the clients gave us auditors access to set up cards or read-only access. I have seen a lot of back and forth for multiple clients, and even though the clients tell us that they have given us access, we don't receive it. We don't get Drata's invitation sometimes. I think there is a bit of work, but it is not difficult. It is easy to use the tool to log in to your work emails or Google, but I found some errors in the auditor assignments and access assignments.

What other advice do I have?

In terms of security posture management, as far as I am exposed to Drata, I can say that the tool has some automated tests. The autopilot feature in the tool is really helpful for verifying things, and the client's data is in sync with Drata. The tool has continuous monitoring and it provides me with real-time data on every aspect of the firm's internal security, which is also an add-on.

The tool is really user-friendly. I believe there is always room for improvement.

I do not work on integration processes. We actually have a dedicated team for it, and my team focuses only on testing.

I recommend the product to those who plan to use it since it is a seamless and easy tool to use.

I think going with what is on the interface to view could be the best thing to know more, explore more, and get to the things you want to get to.

I rate the tool an eight out of ten.


    Ero G.

Very pleasant experience. Both our account manager and live support are very responsive and helpful.

  • July 25, 2024
  • Review provided by G2

What do you like best about the product?
Automation of control checks. Customer support is great. Easy to use.
What do you dislike about the product?
Just started using it, and at the moment I haven't experienced anything I dislike.
What problems is the product solving and how is that benefiting you?
Given the users of our technology could be in all sectors, some, but not all, industries may require SOC-2, GDPR, or HIPAA certification for use in their markets.


    Dave W.

Easy to use product and great customer experience

  • July 24, 2024
  • Review provided by G2

What do you like best about the product?
Drata takes away the worry about making sure you have not forgotten any compliance task that needs to get done in your audit window. Additionally, it has a great team of customer success people (ours was Elizabeth John) and if you ever have a specific question for an auditor, they have a team available that you can chat with at any time to answer your questions quickly.
What do you dislike about the product?
It needs to have a way to automatically watermark reports in Trust Center for specific users.
What problems is the product solving and how is that benefiting you?
Ensuring we obtained and continue to maintain our SOC 2 Type II certification.


    Lee B.

Great product and team = great overall experience

  • July 24, 2024
  • Review provided by G2

What do you like best about the product?
Drata takes the pain out of the compliance process by tapping into our existing systems and offering detailed insights into our compliance status. They have a wonderful customer success team that is both knowledgeable and helpful. Additionally, the support team available through the in-platform chat is extremely responsive and well-informed. As someone who had never managed a compliance project before, I was initially apprehensive. However, Drata's system and support has made the entire process seamless and worry-free.
What do you dislike about the product?
When starting, my only worry was that the CS team were based in the US so not in my timezone. However, they have recently launched their UK team and I now have a UK-based CS manager 👍🏼
What problems is the product solving and how is that benefiting you?
The Drata platform benefits us by significantly reducing the time and effort required to achieve and maintain compliance. The knowledgeable and responsive customer success and support teams further enhance our experience, ensuring that any issues or questions are promptly addressed. For someone like me, who had no prior experience with compliance projects, Drata's user-friendly system and excellent support have made the process straightforward and stress-free.


    Jason S.

Best Product Development I Have Experienced

  • July 23, 2024
  • Review provided by G2

What do you like best about the product?
The company is focused on solving problems that have persisted in the GRC space and reimagining what a GRC can and should be capable of in today's fast moving environment. It started as a compliance automation platform and has added features at a pace I have not experienced in my career to become a complete GRC platform that can perform with the best on features while being much more streamlined and easy to use. Not surprisingly, their feedback mechanisms and prioritization is amazing and the amount of engagement watching something you requested become a live feature in a matter of months with additional questions and QA along the way to ensure it's meeting the use case.

Best Aspects of Drata:
1. Product development quality and speed
2. Ease of mapping frameworks to policies to controls to risks for end to end management
3. Balance of configuration versus customization, Drata is still easy to setup and manage while allowing you to meet your current process in the middle
4. Focus on automation whether it's automated control tests or smart use of AI for repetitive tasks
What do you dislike about the product?
Drata is a very new company and does still have some gaps in capabilities. However, I am confident based on their speed of development they won't be gaps for long.
What problems is the product solving and how is that benefiting you?
1. Migrating our framework and GRC processes into a single tool.
2. Implementing the principle of "assess once, report many".
3. Ensuring that our framework is grounded by what is happening in security operations and engineering through integrations and process/framework alignment.


    Ace Sklar

Manages documents and schedules with integrations and organizational efficiency

  • July 16, 2024
  • Review from a verified AWS customer

What is our primary use case?

I use it as a way to shift from using spreadsheets for SOC2 compliance to something where I can operationalize it into a platform and manage my documents and schedules when needed and where attention needs to be given to the auditor's review of the tools.

What is most valuable?

Once the tool is set up, Drata offers several valuable features. One key aspect is its integrations, which connect seamlessly with your ecosystem, including cloud services, HR systems, and various security tools. It checks configurations to determine compliance, significantly reducing the overhead of creating evidence from screenshots and configuration changes. This proactive approach allows users to address issues as they arise.

Another important feature relates to organizational efficiency during audits. Typically, you would need to review folder structures where specific controls are located and manually set up calendar events to remind you when to upload documents or screenshots as proof of compliance. Drata streamlines this process by providing a platform that automates control management. You can check your policies and procedures, conduct reviews, and automatically generate evidence for tracking compliance.

What needs improvement?

I consider my team and myself to be advanced users of Drata, continually pushing the boundaries of use cases and feature requests. We were actively involved in enhancements related to metrics from the risk register and compliance areas, focusing on visualizing trends in risk closure over time and assessing tolerance levels across different categories.

We engaged with customer success on improvements for the Trust Center, seeking metrics like the most downloaded documents, visitor analytics, and insights into which verticals access our site most frequently. This information is crucial for identifying hotspots and areas for improvement across sectors such as K-12, higher education, corporate, and government.

The readiness state of compliance frameworks can sometimes be misleading. For instance, despite having been in SOC 2 Type II compliance for a few years and being 36 months into using Drata, our readiness metric may still show around 60%. This often doesn't reflect our readiness, which is closer to 90-100%. The score can be impacted by recent policy revisions, such as updates made in Q3 or Q4, which may not yet be reflected in the system. These nuances often require additional explanation regarding the reported readiness status.

For how long have I used the solution?

I have been using Drata for a year and a half.

What do I think about the stability of the solution?

Some minor bugs occasionally appeared in the web UI, and when reported, they were quickly fixed. There was also a minor outage on the Trust Center caused by an issue with CloudFlare that was outside their control. They provide a status page where users can check for such incidents and their resolutions.

What do I think about the scalability of the solution?

We have about fifteen people with access to Drata, each in different roles. As a global company, these users are spread across various locations around the world.

How are customer service and support?

Our experience with customer success at Drata has been quite positive, largely due to the quality of the personnel assigned to us and the frequency of our meetings, which occurred every two to three weeks for about a year and a half. Having a game plan for these meetings and treating them like office hour sessions has been valuable, as it allows for timely answers to our questions, either on the spot or as follow-ups. This level of involvement from Drata's team stands in stark contrast to some other vendors, where you might not even know who your representative is, and they typically only reach out during quarterly business reviews or renewal discussions.

How would you rate customer service and support?

Positive

How was the initial setup?

I strongly advocate for evaluations that prioritize objectivity by removing emotions from the decision-making process. During my assessment of various tools, I utilized a scorecard and test plan that included clear requirements and priorities. I compared options such as Vanta, OneTrust, and Drata, which was emerging as a strong contender.

Throughout the evaluation, we encountered several bugs within Drata's platform, but their team quickly addressed these issues in production. Additionally, having visibility into their roadmap was a crucial factor that indicated Drata would be a reliable vendor and partner for us.

It supports my privacy and legal team with features like auto consent and AI capabilities, which meet our needs. We chose this tool because of its agility; we felt confident it would grow alongside us and allow us to influence its roadmap.

The platform includes a helpful wizard for setting up integrations, organizing our policies and procedures, and addressing unready controls through a punch list. Additionally, we have assigned a customer success manager who will collaborate with us to tackle these items. We aim to ensure all controls are ready, connected, and scheduled, enabling us to transition to an operational state.

Five people are required for the deployment.

What was our ROI?

Before implementing Drata, I managed compliance tasks using spreadsheets, which required significant discipline and involvement. With Drata, I could transition most responsibilities to a more junior team member in security, allowing them to take on the bulk of the work, except for certain nuances like writing policies or phrasing things correctly to support sales. The value of Drata is quite high in terms of trust enablement, which can nearly pay for itself from an organizational standpoint.

What's my experience with pricing, setup cost, and licensing?

There’s a dependence on licensing with Drata, as it varies based on the frameworks you purchase and whether you opt for advanced capabilities like the Trust Center and risk module. Pricing is influenced by the number of frameworks you buy. The price ranges from about $18,000 to $30,000, with a sweet spot for small and medium-sized businesses around $20,000. The pricing is reasonable, and it’s worth noting that software can often be heavily discounted if you know how to negotiate.

What other advice do I have?

Our Drata package has a risk register capability that allows you to track all organizational risks while providing insights and metrics to support that tracking. The proactive integration checks compliance against the controls set for different compliance frameworks. The Trust Center is significant for the company, as it showcases all the controls you test against, whether automated or manual, in a public-facing format. This transparency allows customers and prospects to see how we monitor our infrastructure and integrations. If a control fails, it will appear amber on the public Trust Center, demonstrating our commitment to oversight.

The package streamlines the NDA process, reducing the time required for technical reviews by minimizing reliance on the legal team for manual NDA sign-offs. This functionality decreases the manual work involved for each prospect and has proven a competitive advantage, significantly supporting sales efforts and expediting the review process.

It becomes much easier to use once you familiarize yourself with the web UI and its documentation. Jira has a solid knowledge base, and we also create internal documentation to address specific nuances. After getting past the initial learning curve, the UI is relatively straightforward. I had someone new to security successfully take over most of the operational tasks.

Some nuances are involved in getting your onboarding with Drata set up, particularly in understanding how the AuditHub and its capabilities function. The process can be straightforward as long as everyone is on the same page.

Overall, I rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Andrew M.

Compliance Guidance Made Easy

  • July 15, 2024
  • Review provided by G2

What do you like best about the product?
Breaks down the monumental task of SOC 2 compliance into smaller, easily understood pieces. And for what you don't understand, there's a great CS team and a large amount of literature from Drata that explains things for you. Having monitoring support for popular 3rd party applications also makes implementation a breeze across your many platforms.
What do you dislike about the product?
Lack of audit trails in certain parts of the platform. An example being the Risk Assessment hub.
What problems is the product solving and how is that benefiting you?
Monitoring and preparation for a SOC 2 audit.


    Tina M.

Excellence: Your Comprehensive Partner in SOC 2 Compliance

  • July 15, 2024
  • Review provided by G2

What do you like best about the product?
Our Customer Success Representative, Rachael has been extremely helpful, patient, and quite discerning; able to decipher what issues I am encountering and provides spot-on instructions as well as documentation to help me continue to move forward.

Truly, I cannot say enough of the appreciation I have for the Drata team that has been supporting me and the company in working toward our Soc2.

Rachael is focused and dedicated to our company's success and guides me with every step and follows up with documentation for me to review.

I have stated this before but believe it is well worth pointing out again, Drata is a well thought out platform and easy to use. The integrations with other platforms have been well documented making the setup flawless.

Anytime I've reached out to Drata's support team, without fail, they quickly assist and get me exactly what my company needs to keep us progressing forward.

I use the platform on a daily basis and highly recommend using this platform.
What do you dislike about the product?
I've been using the Drata platform for a year and have yet to find anything that has been a pain point.
What problems is the product solving and how is that benefiting you?
To single out one area where I've noticed a remarkable change within our company is the adoption of a security mindset and a deep focus of best practices.


    Information Technology and Services

Drata for ISO 27001:2022

  • July 12, 2024
  • Review provided by G2

What do you like best about the product?
With Drata I was able to update our ISO 27001:2013 to 2022 in just a few months. The policy templates and the ability to import existing policies made this very efficient.
What do you dislike about the product?
Drata is still a new service. They have developed compliance automation and automated data ingestion for a large number of SaaS providers, but still have a long list of providers to integrate.
What problems is the product solving and how is that benefiting you?
For SaaS native companies certified under ISO 27001 and SOC2, Drata saves hundreds of hours preparing the Information Management systems. Creation and Editing of Policies are facilitated by the template documents provided. The service provides expert help from systems and compliance experts. Our success manager was exceptional. Elizabeth kept the goals for configuration organized for us like a project manager, she showed us tips and tricks with the expertise of a systems admin, her recommendations and advice helped us to achieve an ISO audit with No Major and No Minor findings meeting the new 2022 standard. The integration with our Auditors (A-Line) allowed Drata to host the audit and for the Auditors to use the Drata tools. This was a great time and cost savings.

Risk management, Vendor management, Asset management and Trust center services that allow us to share our public facing compliance documents with current and potential customers, are all integrated into Drata.

Our Mac fleet is monitored for compliance continuously. Configuration and patching tests run daily. Policy attestations are requested directly to the users when changes are made. Users know about the changes when they are completed and can read and attest directly from the service.


    Cassandra M.

We love Drata!

  • July 08, 2024
  • Review provided by G2

What do you like best about the product?
It seems dumb to say out loud, but it works as expected, every time, and I have the support I need to do what I need to do, when I need to do it. I don't think I've ever waited on help or an answer, and our entire team finds value in the tool each time we use it. You can't say that about much in the software world. We had an easy implementation, easy integration experience, and I love that the chatbot actually works in the after hours when I need to ask my obscure questions. Turns out they're really not all that out of the ordinary, because there's a ready made and easy to find answer no matter what time I want to ask the question.
What do you dislike about the product?
I'm a little sad my person moved onto another job (Claire), but we have a lovely new person and I know we're in good hands.
What problems is the product solving and how is that benefiting you?
Drata has made our lives much easier, and while we still haven't started having all of our users use it themselves, it does greatly simplify our lives in that the integrations have saved us a ton of time in evidence gathering, but also system monitoring and having to reconnect the integrations, which was happening a lot with Vanta. I can't count how many times the integrations broke and caused us to have to restart in the middle of an audit. Such a waste of time and effort (and patience).