I really have enjoyed that all the evidence is aggregated in one spot and presented in a way that auditors have understood. The integrations are also useful; data that syncs up with any changes is especially useful in a fast-paced business environment. Review collected by and hosted on G2.com.
The real downside of using Drata was the fact that auditors were reluctant to use it. All the evidence was there in the platform and visible for them to use, but they still wanted us to walk them through all of our controls over video chats. This defeated the purpose of Drata and did not save us time.
966 out of 967 Total Reviews for Drata

I'm a vCISO and work with customers on building their security programs and preparing for an audit. Drata has been amazing in preparing my customer for SOC2. It's amazing in that 85% of the evidence is automatically gathered and tested every 24 hours. No more screenshots and manual gathering of evidence. The best part is knowing the control is actually being enforced on a daily basis. Ali McCormick, our Drata Customer Success Manager, has been great in helping us use Drata and meet the customer's accelerated SOC2 timeline.
I wish the Risk Assessment and Remediation Plan were more automated. Having to map the Remediation to the control manually was disappointing. The SOC2 system description isn't automated.

It seems dumb to say out loud, but it works as expected, every time, and I have the support I need to do what I need to do, when I need to do it. I don't think I've ever waited on help or an answer, and our entire team finds value in the tool each time we use it. You can't say that about much in the software world. We had an easy implementation, easy integration experience, and I love that the chatbot actually works in the after hours when I need to ask my obscure questions. Turns out they're really not all that out of the ordinary, because there's a ready-made and easy-to-find answer no matter what time I want to ask the question.
I'm a little sad my person moved on to another job (Claire), but we have a lovely new person and I know we're in good hands.

We had an awesome experience working with Drata, especially with Elizabeth John, who was incredibly helpful throughout the process. She made setting up everything for our SOC 2 Type 1 and 2 so much easier, guiding us every step of the way and always being available to answer questions. Elizabeth was extremely prompt, responding quickly whenever we needed support, which made the entire process feel smooth and efficient. The platform itself is intuitive and streamlined, taking a lot of the stress out of compliance. Highly recommend Drata if you’re looking for a straightforward compliance journey — and if you get the chance to work with Elizabeth, you’re in great hands!
The only downside we’ve encountered is the lack of integration with Oracle Cloud Infrastructure (OCI), which would make the platform even more versatile for our needs.

1. Drata's compliance automation is a game changer. The available integrations allow a small compliance team to scale to an unlimited size organization. For example, vulnerability scanning, device monitoring, data security testing, policy, network infrastructure, risk assessment, and the list goes on. These were previously controlled and documented in independent places and my compliance team 1) struggled to manage all of the compliance evidence and 2) "pushed" the information to the SOC 2 auditor. Drata consolidates this into one portal and the auditor has on demand access. This truly is automated compliance.
2. Live chat support, compliance library, policy templates, risk assessment guide. The provided tools help you effectively set up a compliance program.
3. My vendor rep has been extremely helpful and available throughout the process. We meet every two weeks to ensure we are progressing sufficiently. But also, I appreciate that she understands everyone works at their own pace so is not pushing us if not necessary.
The vendor management functionality is lacking. Specifically, the questionnaire function is very limited and not very useful.
Drata has been great to map from the ISO 27001 framework requirements to actual controls. Whilst it doesn't replace compliance activities, it has sped up our alignment of our existing process to the ISO 27001 framework controls. The in-built policies have been great to use as a base for review and sometimes wholly draft new policies. The risk assessment area is also very good for keeping and scoring risks.
Finally the automation of controls is very good and suited to our environment (circa 150 employees + AWS infrastructure). The tool makes it easy to disable tests (where not appropriate) or exclude particular items from the test (and justify this). The raw evidence is often very helpful for troubleshooting why our infrastructure may fail a particular test.
Their customer success folk are absolutely excellent and work with you the whole way, and the interface is very intuitive and so it's as 'self-service' as you can imagine. The onboarding of the various integrations/connections was seamless with little need for help.
During the "getting compliant", Drata has been used pretty much every day by the security team in order to keep track of progress.
Dislike is a strong word. Given the relative youngness of the company, there are a few rough edges spread around none of which stop getting the value from the tool. It sometimes feels like the tool is geared more towards "keeping compliant" than "getting compliant" - which of course will be the vast majority of the platform's use.
Occasionally, the platform is a little limited (integrating with Enterprise Intune policies needs to be done in a very particular way) - though this we managed to overcome with the help of our Customer Success manager. In other areas, we disagreed with some of the automated monitoring tests and their implementation (for example around production access to GitLab), but that was overcome by using their API to upload evidence automatically from a small CI/CD job and disabling that single test. On the whole, we use almost every test provided by Drata out of the box.

Drata supports the most common compliance frameworks. It effectively translates compliance requirements into readable control items. Each control item consists of a set of tests that are defined with clear specifications. For example, if an organization wants to adhere to the compliance NIST CSF, personnel responsible for achieving compliance simply focus on the control items of target compliance that Drata organized. Some tests can be shared across multiple compliance frameworks! It is easier for them to implement other compliances more efficiently in the future. Secondly, the most impressive design is the capability of automated evidence collection. With easy configuration on integrations to popular platforms, it can save effort when collecting the evidence of control items. To manage the overall readiness of compliance continuously, Drata provides efficient monitoring of controls, the status of tests, and the integrity of essential evidence. It provides users with real-time status and benchmarks in the dashboard. That helps internal or external auditors to track progress, identify gaps, and demonstrate compliance to key stakeholders. Finally, when I was new to Drata in the beginning, the Drata support team consistently delivered effective solutions to customer issues. The experience of customer support really touched my heart.
The automated evidence-collection feature is a very productive design. However, it has both pros and cons. The limitations on integrations may become a burden if the target platform is not on the support list. Another thing that needs to be improved is the instructions for fixing the failed/error tests. Sometimes, I cannot directly understand the root cause of the failed test. I hope the error information or solution instructions become more transparent or readable.
Drata streamlines the compliance journey from start to audit-ready and provides professional support from its team of security and compliance experts, especially Ali!
And I would like to take a moment to commend her (Ali) for her exceptional efforts and dedication. She has consistently gone above and beyond in providing assistance, following up on meetings, and keeping us updated on Drata.
Ali’s proactive approach in ensuring that our team remains as compliant as possible has been invaluable. Her diligence and commitment to excellence are truly commendable and have greatly contributed to the success of our compliance efforts.
We appreciate Ali’s hard work and dedication!
She's truly an asset!
None.
The Drata platform is very user friendly and provides great support and help articles for users to navigate and understand the compliance requirements. The Drata team is also extremely helpful, responsive, and approachable any time they are needed.
I would like to see a feature that requires manual user updates (i.e. marking items ready for audit) as opposed to automatically checking off as green since this could lead to confusion.

It is a very complete package. My team and I do audits and risk management integration daily. It is straightforward to work with. Everything is there, and it is so convenient for us to work with. Risk Management within an organization is a discipline, a commitment within the organization that risk management is more important than internet access. GRC becomes the public face of the collective strategic risk initiatives. It is a place to share risk efforts with auditors, regulators, clients and leads.
The platform is complex, but it makes sense in its role within risk management.
The interaction with auditors focuses around the DCF (Drata Control Framework) rather than a specific framework control (like SOC2, ISO, etc). I know that Drata is using that to increase coverage of more frameworks. However, forcing auditors to use DCF rather than an ISO control is a bit of a nuisance.
Despite that, auditors have figured it out. This is a small inconvenience and not a major stopper.

When it comes to Drata there are two things that have left a lasting impression: continual product improvement and a remarkable level of support.
I've seen Drata push out new features and improvements quarter after quarter, and I am blown away by their growth even after only a year of use. Their "Trust Center" as a resource as well as Docusign and Salesforce integrations help automate and streamline our internal processes.
Above that our CSM, Benjamin Chau, is phenomenal. His professionalism, his can-do attitude, and availability make him stand out against other CS personnel I've worked with in the past. There was more than one occasion Benjamin dropped what he was doing and joined one of our calls without hesitation to ensure our success, making us feel truly valued both as a customer and a partner.
A small gripe I have is there were some technical nuances that were not clearly mentioned within the help articles when attempting to self-service the SFDC and Docusign connection. This created small hiccups in the integration process, but Benjamin was a strategic partner helping iron out the nuances.