I use Drata from the auditor's end. I am an information security auditor for companies that provide SaaS and PaaS-based services, and that would be more concentrated on the US SaaS and PaaS-based companies. I use Drata to check and comment on my client's internal security controls, their operative effectiveness, and how they are upholding their security standards.
Drata's DCF mapping is really good. The way the tool's controls are linked to the framework, specifically with SAST and HIPAA frameworks or any other frameworks, is really good. Basically, when I look into a control, the control's particular DCF number gives me all the information about the automated tests linked to that control, and then the external evidence that the client provides to me for verification and review is also available in one place. Drata's Audit Hub is useful for communicating with the client, and it is also a really good place where the client can feel safe sharing sensitive information for audits as it is a protected platform.
For a particular control, such as vulnerability scans, we mostly have clients provide us with external third-party reports of scans. Drata could have something in place for real-time monitoring so that we could actually see the vulnerabilities directly instead of requesting external vulnerability scans for the platforms or cloud containers one uses.
The thing with Drata is you cannot open multiple tabs on the same interface or the same desktop. When you come out of Drata's Audit Hub, you will have to go back into the client interface and then return to another request. There is a lot of time-consuming activity happening in the tool. When I come out of Drata's Audit Hub, I would like to go to the previous phase I visited without being completely kicked out of the interface.
I have been using Drata since September 2022. My firm has a partnership with Drata, but I am unsure about it.
In terms of stability, the product has been very smooth. Stability-wise, I rate the solution an eight out of ten.
It is a scalable solution. As far as just seeing the other compliances are concerned in the tool, and since it is not the only compliance tool I use for auditing, I can say that when I compare tools, Drata is fine.
I would not want to talk about my experience with the product's support team extensively, but I can give the technical support a rating of six out of ten. There was a time during the initial stages of my work when I found a lot of data to convert into PDFs or download in an Excel format, and a lot of metadata was coming out. When I reached out to Drata's support team, they said the metadata that was coming out was not their issue but something from my end. The issue eventually vanished, but it was never fixed. I stopped seeing the heavy data again on my interface, but it was never properly received by the tool's support team. I only had one such customer support requirement.
I rate the technical support a six or seven out of ten.
Neutral
I have experience with multiple compliance platforms like Vanta and Secureframe.
With the product's initial setup phase, I honestly faced some issues while the clients gave us auditors access to set up cards or read-only access. I have seen a lot of back and forth for multiple clients, and even though the clients tell us that they have given us access, we don't receive it. We don't get Drata's invitation sometimes. I think there is a bit of work, but it is not difficult. It is easy to use the tool to log in to your work emails or Google, but I found some errors in the auditor assignments and access assignments.
In terms of security posture management, as far as I am exposed to Drata, I can say that the tool has some automated tests. The autopilot feature in the tool is really helpful for verifying things, and the client's data is in sync with Drata. The tool has continuous monitoring and it provides me with real-time data on every aspect of the firm's internal security, which is also an add-on.
The tool is really user-friendly. I believe there is always room for improvement.
I do not work on integration processes. We actually have a dedicated team for it, and my team focuses only on testing.
I recommend the product to those who plan to use it since it is a seamless and easy tool to use.
I think going with what is on the interface to view could be the best thing to know more, explore more, and get to the things you want to get to.
I rate the tool an eight out of ten.
