Compliance
Can Drata Fully Automate SOC 2? What It Covers and What It Misses
Drata connects to AWS, GitHub, and Okta to monitor infrastructure controls. It does not write policies, capture application evidence, chase attestations, or do the work it flags. This breakdown covers exactly what Drata automates, what it leaves on your plate, and how Vera, an agent that runs continuous compliance, closes the gap alongside Drata or in place of the platform-plus-consultant stack.

No, Drata cannot fully automate SOC 2. Drata pulls roughly 80% of SOC 2 evidence through read-only API monitoring of your infrastructure (AWS encryption, GitHub branch protection, Okta MFA), which is real and useful coverage. But a dashboard's job ends where the API ends: it cannot capture application screenshots, it cannot chase the attestations only a person can answer, it does not write your policies, and it does not do the work it flags as "manual." That remaining 20% is where the audit stress lives. Screenata closes it with Vera, an agent that runs the compliance program directly. She scans the same infrastructure Drata reads, captures the application evidence a dashboard can't see, DMs your team for sign-off, and files every artifact as signed, traceable evidence. Vera works alongside Drata if you already have it, or replaces the platform-and-consultant stack if you're starting fresh.
What Drata Automates, and Where It Stops
Drata is good at one thing: connecting to your infrastructure, identity providers, and developer tools over API and continuously checking their configuration. That covers most of the technical baseline of a SOC 2 audit. The trouble starts with controls that live behind your own UI or inside your team's day-to-day operations, where no API can see. A dashboard can flag those, but it cannot satisfy them.
What Drata Automates for SOC 2 (about 80%)
- Infrastructure controls: AWS, GCP, and Azure configurations, encryption at rest, backup verification.
- Identity and access: Okta, Google Workspace, and Azure AD user provisioning and MFA status.
- Code management: GitHub and GitLab commit history, branch protection, pull-request approvals.
- HR and training: BambooHR and Gusto background checks, employee onboarding, security-training completion.
- Monitoring and logging: CloudWatch, Datadog, and Splunk log collection and retention.
What Drata Leaves to You (the other 20%)
- Application screenshots: UI role permissions, access-control tests, interface security.
- Workflow documentation: manual approval steps, change-management sign-offs, incident-response walkthroughs.
- Custom internal tools: admin dashboards, database consoles, and support tools without an API.
- Application-level testing: RBAC validation, permission boundaries, feature-level access controls.
- Attestations: the access reviews, exception approvals, and vendor sign-offs a human has to confirm.
Why a Dashboard Can't Close the Gap on Its Own
Drata monitors systems by querying their APIs. When a control is visual (UI permissions, a workflow approval, a scanner dashboard at a point in time), the API has nothing to return, so Drata marks the control "manual evidence required" and waits for you. That waiting is the whole limitation. A dashboard flags the work; it does not do the work. Closing the gap has traditionally meant a person taking screenshots, writing narratives, chasing colleagues for sign-off, and uploading PDFs, every quarter, for every periodic control.
What Screenshots Does SOC 2 Require That Drata Can't Capture?
SOC 2 auditors want visual proof of how your application actually behaves. Even with perfect infrastructure monitoring, they need to see that your software enforces the controls your policies describe. These are the high-friction Trust Services Criteria where a dashboard stops.
Which SOC 2 Controls Need Application Evidence?
- CC6.1 (Logical Access): proving that a "Viewer" role in your app cannot reach the "Billing" or "Admin" settings.
- CC7.2 (Change Management): documenting the approval of an emergency hotfix that bypassed the standard API-tracked pull-request flow.
- CC8.1 (System Operations): capturing that a vulnerability scanner shows zero critical findings at a specific moment, reviewed by a human.
- Custom internal tools: any dashboard your team built for support or database work that has no Drata-compatible API.
| Control category | Drata capability | What remains after Drata |
|---|---|---|
| Infrastructure | Automated via API | None |
| HR and training | Automated via API and portal | None |
| App-level RBAC | Not supported | Application evidence of user permissions |
| Change management | Partial (GitHub/GitLab API) | Proof of the deployment approval outside the repo |
| Custom internal tools | None | Guided walkthroughs and signed packs |
| Periodic attestations | Flagged only | A person confirms; someone chases them |
How Vera Closes the Gap Drata Leaves
Vera runs the compliance program as an agent instead of a dashboard you log into and feed. She scans your infrastructure read-only, scopes your control matrix, drafts policies grounded in what she finds, and then works the controls on a schedule. For the 20% Drata flags, she does the actual collection: she captures application evidence through guided workflows and the Screenata browser extension, DMs the right person for the attestations a dashboard can only mark as due, and files everything as signed, audit-grade artifacts.
The Evidence Mix, Honestly
The evidence mix is the honest breakdown of how she covers a program: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a human uploading files into a dashboard. Screenshots are not the product; they are one of several ways Vera collects evidence, and they are the differentiating piece a dashboard's APIs can never reach. If you keep Drata, Vera pushes her signed packs into it so the control shows as covered. If you don't, the audit vault is the source of truth.
The Workflow, Control by Control
- A control comes due. Whether Drata flags CC6.1 as "manual" or Vera scopes it from your matrix directly, the control gets picked up rather than parked.
- Vera collects the evidence. For an infrastructure control she reads it over API. For an application control she runs the test through the extension: it captures timestamped screenshots, a DOM snapshot, and metadata, and a vision model scores the result against the control. PII is redacted before anything is filed.
- Vera chases what only a person can answer. For an access review or an exception approval, she DMs the right teammate in Slack or Teams, reminds them at 24 hours, escalates to you at 48, and files their reply as evidence when it lands.
- Vera signs and traces it. Every artifact is hashed, timestamped (RFC 3161), and signed, and it links back through a control test to a specific policy claim. If you run Drata, she syncs the pack into the matching control.
Automating CC6.1 (Logical Access), Two Ways
The objective: prove that access to sensitive functions is restricted by role.
The Drata-only way (manual)
- A security engineer logs into production.
- They take five screenshots: the user list, the role settings, and the "Access Denied" screen.
- They paste those into a document, add captions, and export a PDF.
- They upload the PDF to Drata and write a description.
- Time spent: about 45 minutes, repeated every quarter, easy to forget.
The way Vera does it
- The control comes due. Vera runs the test against a "Viewer" account and attempts an admin-only delete.
- The app returns "Access Denied." The extension captures the modal, the role settings, and the URL, with a DOM snapshot and a signed timestamp.
- Vera assembles the evidence pack, writes the narrative, links it to CC6.1, and, if you're on Drata, pushes it to the control.
- You approve. Hands-on time: a couple of minutes, most of it review.
Drata Alone vs. Drata Plus Vera
| Metric | Drata (standalone) | Drata plus Vera |
|---|---|---|
| Coverage | About 80%, infrastructure only | Full coverage across layers |
| Who closes the gap | You | Vera |
| Manual effort | 40 to 80 hours per quarter | Minutes of review |
| Evidence type | API JSON data | API data plus signed, traced packs |
| Attestations | You chase them | Vera chases them in Slack |
| Policies | Templates you fill in | Drafted from your attested reality |
| Between audits | Dashboard drifts red | Vera keeps running |
The Attestation Problem No Dashboard Solves
Most discussion of the 20% gap fixates on screenshots, but a large part of it is a people problem, not a capture problem. Plenty of SOC 2 controls can only be satisfied by a human answering a question:
- Did the quarterly access review actually happen, and did the right managers sign off?
- Who approved this production exception, and why?
- Was this vendor reviewed before it was onboarded?
- Did offboarding revoke access in every downstream system?
A dashboard's only move here is to flag the control and wait. Someone then has to remember it, chase three colleagues across Slack and email, gather the answers, and upload the proof, every quarter, for every periodic control. That chasing is unbillable, easy to drop, and the single most common reason a program marketed as "fully automated" is red the week before an audit. Vera does the chasing: she DMs the right person, reminds at 24 hours, escalates at 48, and files the reply the moment it lands, with the whole thread visible. On access reviews she schedules and orchestrates the review and chases the reviewers; the final judgment stays with your team.
A Week in Vera's Compliance Cadence
Continuous compliance is a schedule, not a scramble before the audit. Once Vera is running, a normal week looks like this, whether she sits alongside Drata or stands on her own:
- At 6:30 AM she posts a Slack briefing: current readiness, which controls need attention, and anything she escalated overnight.
- Mid-week, an offboarding control comes due. She DMs the IT lead to confirm app access was revoked, captures the disabled-account screenshot, and files both as a signed pack.
- When a control needs application proof, she runs the RBAC test, captures the denial, signs the pack, and, if you're on Drata, syncs it into the matching control.
- By week's end she runs a full cloud and repo scan, catches a new storage bucket without encryption, and opens the remediation ticket for a human to apply.
The dashboard, if you keep one, stays the surface your auditor logs into. Vera is the teammate doing the work that keeps it green between audits.
What Full Automation Actually Costs
If you run Drata alone, you still pay for the labor it leaves behind. The realistic path is the platform plus a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program the dashboard only monitors. Add the audit itself and a traditional first year lands around $85K.
Where Vera changes the math
Vera replaces both the platform and the consultant. Screenata is $499 a month for SOC 2 Type II, with Type I from $299, and the agent does the operating work a consultant would otherwise bill for. That brings a typical first year to around $18K instead of roughly $85K. You get 20+ native integrations, 489+ checks, and 27+ agent tools, surfaced where the work happens: Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.
Best Practices for Reaching Full Coverage
- Map your manual controls early. Filter your Drata controls by "manual evidence required." You'll usually find gaps in Logical Access (CC6 series), Change Management (CC7/CC8), and the periodic attestations. Point Vera at those first.
- Keep evidence current between audits. Don't wait for the window to open. Let Vera capture access tests and change-management proof on a schedule so a broken permission shows up as a self-corrected observation, not an audit failure.
- Redact at capture. Never let unredacted production data reach your GRC. Vera blurs PII at the moment of capture, before anything is filed or synced.
- Standardize the narrative. Uniform, OCR'd evidence lets an auditor search hundreds of pages for a phrase like "Access Denied" instead of parsing five formats from five people. That consistency is what shortens audit windows.
Frequently Asked Questions About Drata and SOC 2 Automation
Can Drata capture screenshots for SOC 2 audits?
No. Drata is API-based and cannot capture your application's UI. For controls that require visual proof (CC6.1, CC7.2, CC8.1), a dashboard flags the control and waits. Vera captures that evidence through the browser extension and files it as a signed pack.
Do SOC 2 auditors accept automated evidence?
Yes, and they tend to prefer it, because Vera's packs carry verifiable provenance that loose screenshots lack: NTP-synced timestamps proving the test happened in the window, a DOM snapshot proving the UI existed as shown, and the identity of who ran or attested to the test. An auditor can re-derive the policy claim behind any artifact and verify the signature with a free CLI, no Screenata account required.
Does Vanta have the same limitation as Drata?
Yes. Vanta, Drata, and Secureframe all rely on APIs, so the same 20% gap exists across every dashboard. They monitor and flag; none of them do the application capture or the attestation chasing on their own. Vera works the same way alongside any of them.
How much time does this save?
For a mid-market SaaS company with 40 to 50 manual controls, Vera absorbs the 80 to 120 hours per audit cycle that would otherwise go to screenshotting, formatting, chasing sign-offs, and uploading, and she keeps the evidence current between audits instead of letting the dashboard drift.
Does Vera write the policies too?
Yes, and this is a second thing a dashboard leaves to you or your consultant. Vera scans your infrastructure to pre-fill a readiness questionnaire, you attest to what she found, and a deterministic generator composes each policy from your attestations, so every sentence ties to a claim, a control test, and a signed evidence artifact. Same input produces the same policy language, which is what lets an auditor re-derive it rather than trust an AI's prose.
Why doesn't Drata just build this?
Drata's model is the dashboard: connect to thousands of vendors over API and monitor state. Running the program, capturing application evidence, and chasing humans for attestations is a different job, the operating layer rather than the monitoring layer. That is the work Vera does.
Key Takeaways
- Drata is not 100% automated. It monitors infrastructure well, but it does not see your application UI, write your policies, chase attestations, or do the work it flags.
- The 20% gap is real work. Application-level controls like CC6.1 and CC7.2, plus the periodic attestations, are the most time-consuming part of a SOC 2 audit.
- A dashboard flags the work; Vera does it. She scans the same infrastructure, captures the application evidence, chases sign-off in Slack, and files signed, traceable artifacts, whether she runs alongside Drata or in place of it.
- Auditors prefer signed, traceable packs. Verifiable provenance and a claim-to-evidence chain reduce follow-up questions and shorten the window.
- The cost difference is large. The traditional platform-plus-consultant path runs around $85K in the first year; the Vera path is closer to $18K.
Learn More About SOC 2 Automation
- The Bootstrapped Founder's Guide to SOC 2 covers the full cost breakdown and what to expect.
- Do You Actually Need a vCISO for SOC 2? explains why most startups no longer need a consultant.
- Why ChatGPT SOC 2 Policies Fail Audits shows what auditors actually want in your policies.
- How to Automate SOC 2 Evidence Collection is the comprehensive automation guide.
- Top Drata Alternatives for SOC 2 Automation in 2026 compares Drata with Vanta, Screenata, Secureframe, and others.
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.