Drata Reviews

I use it as a way to shift from using spreadsheets for SOC2 compliance to something where I can operationalize it into a platform and manage my documents and schedules when needed and where attention needs to be given to the auditor's review of the tools.

Once the tool is set up, Drata offers several valuable features. One key aspect is its integrations, which connect seamlessly with your ecosystem, including cloud services, HR systems, and various security tools. It checks configurations to determine compliance, significantly reducing the overhead of creating evidence from screenshots and configuration changes. This proactive approach allows users to address issues as they arise.

Another important feature relates to organizational efficiency during audits. Typically, you would need to review folder structures where specific controls are located and manually set up calendar events to remind you when to upload documents or screenshots as proof of compliance. Drata streamlines this process by providing a platform that automates control management. You can check your policies and procedures, conduct reviews, and automatically generate evidence for tracking compliance.

We mainly use Drata as our GRC tool. Previously, we didn't have a GRC tool in-house. As a payment company, we must complete two annual audits: PCI for the payment card industry and SOC 2 Type 2, which most software companies also need. Without a GRC tool, we had separate contracts with each auditing firm, and they provided their tools for us to upload audit evidence. We had to produce the same evidence every year and manually upload it to these tools. If we changed auditors, we'd have to use new software each time, and our previous year's evidence stayed with the auditors. Now, with Data, we can store all our information in-house. Instead of auditors using their platforms, they come to Drata to access the evidence. Throughout the year, we upload and complete audit evidence in Drata, so during the audit period, auditors access what they need from the Drata platform. This means that when we change auditors, it doesn't matter who they are as long as they can access Drata.

Data contains evidence that InfoSec-related audits are often similar. About 30-40% of SOC 2 evidence can be used for PCI audits. Previously, we had to produce separate evidence for each audit and send it to different auditors. Everything lives in Drata, and we can use the sameevidence for PCI and SOC 2 audits. Drata’s cross-mapping between evidence and requirements makes this possible.

I work with Drata on compliance and audit processes.

Drata helps eliminate evidence gathering and makes assigning different activities to different team members easier, simplifying compliance and audit processes. In Pennsylvania, we're putting in thousands of hours. Drata improves our security posture by reducing extra work, allowing us to focus on other security directives. I like the control editing and task management features the most. It's easy to use, but it's also easy for people to think they don't need security experts if they have it.

I use the solution in my company to apply for SOC 2 certification and to take notes on some controls that we have in AWS and other stuff.

I wish the tool were more granular with some configurations about the controls or the platforms. I don't know whether the information and the way that we share it with third parties could be made more granular, if the benefit could be done, and if it would be a fine product.

The product can improve in its API documentation area.

I have been deploying all the services to Australia and USA. These are for customer compliance on HIPAA, ISO 27001, SOC 2, and similar standards.

Drata provides compliance management, including customer compliance on HIPAA, ISO 27001, and other standards. The platform allows for documentation and uploads of records, which can be reviewed by qualified security assessors. This helps in seamless audit preparations.

We use the solution to achieve both SOC 2 and ISO 27001 compliance.

Drata improved our security posture by ensuring that all our laptops were encrypted and all our production environments were validated with MFA access. We tracked all our Jira tickets to ensure timely remediation. Going through SOC 2 compliance, we still had to perform other tasks like external pen testing, which we achieved, and document it. We also developed tabletop exercises, which were conducted annually, and performed disaster recovery testing on the database. All this was tracked in Drata in real-time, allowing us to quickly identify and address issues, such as TLS encryption problems. 

Drata helped us publish our ISO and SOC reports, which was essential for the acquisition. The challenge now is whether Drata can scale up to meet the needs of a larger company. Drata is excellent for startups and small—to medium-sized companies but may face challenges in larger organizations with multiple environments. 

I use Drata from the auditor's end. I am an information security auditor for companies that provide SaaS and PaaS-based services, and that would be more concentrated on the US SaaS and PaaS-based companies. I use Drata to check and comment on my client's internal security controls, their operative effectiveness, and how they are upholding their security standards.

Drata's DCF mapping is really good. The way the tool's controls are linked to the framework, specifically with SAST and HIPAA frameworks or any other frameworks, is really good. Basically, when I look into a control, the control's particular DCF number gives me all the information about the automated tests linked to that control, and then the external evidence that the client provides to me for verification and review is also available in one place. Drata's Audit Hub is useful for communicating with the client, and it is also a really good place where the client can feel safe sharing sensitive information for audits as it is a protected platform.

I was working on a project that required using ROC tools and SOC 2 compliance. To address this, we integrated with the Drata tool to reduce vulnerabilities in the infrastructure and address other loopholes. Additionally, Drata seamlessly integrated with our cloud services, including SysTrack S3 and other key creation and GuardDuty services.

Drata can identify loopholes and provide solutions for improved security. Drata secures the organisation's infrastructure, achieve SOC 2 compliance, and address HIPAA requirements. It can identify and close security loopholes proactively.

Drata is a comprehensive and informative tool that provides in-depth guidance on how to protect your infrastructure. However, it is also quite expensive and requires restarting if any loopholes are available.