Drata Automate SOC 2: What You Still Need to Do Manually
Drata automates infrastructure monitoring but leaves application-level controls manual. Learn which SOC 2 evidence still requires screenshots and how to automate the final 20% of your audit preparation.

Drata automates SOC 2 evidence collection for infrastructure and policies, but application-level controls and process documentation often remain manual. While Drata connects to APIs (like AWS and GitHub) to monitor configurations, it cannot log into your application UI to capture screenshots of user permissions or change approval workflows. To fully automate SOC 2, teams must bridge this gap between infrastructure monitoring and application evidence.
What Does Drata Actually Automate for SOC 2?
Drata is a Governance, Risk, and Compliance (GRC) platform that excels at continuous monitoring of infrastructure and endpoints. It automates evidence collection by integrating directly with your technology stack via APIs.
Drata successfully automates approximately 80% of a standard SOC 2 Type II audit, specifically:
- Infrastructure Security: Checking AWS/GCP/Azure for encryption, backups, and security group configurations (Control CC6.6).
- Identity Provider (IdP) Monitoring: Verifying MFA enforcement and user status in Okta or Google Workspace (Control CC6.1).
- Version Control: Monitoring GitHub/GitLab for branch protection rules (Control CC7.2).
- Device Compliance: Ensuring employee laptops have encryption and antivirus enabled via the Drata Agent.
- Policy Management: Tracking employee policy acceptance and security training completion.
However, Drata's automation stops at the API level. It cannot "see" inside your proprietary application, admin panels, or manual operational workflows.
What Manual Work Remains After Drata Automation?
Despite using Drata, compliance teams typically spend 40–80 hours per audit manually collecting evidence for the "Last Mile" of compliance. This manual work primarily involves taking screenshots and writing narratives for controls that APIs cannot verify.
1. Application-Level Access Controls (CC6.1)
Drata knows who is in your IdP (Okta), but it does not know what specific permissions a user has inside your internal admin dashboard or SaaS application.
- Manual Task: You must log in, take screenshots of the user list, capture role definitions (e.g., "Admin" vs. "Viewer"), and prove that a "Viewer" cannot access sensitive settings.
- Why it's manual: There is no standard API for your custom application's permission logic.
2. Change Management Workflows (CC7.2)
Drata checks if branch protection is on, but auditors often require visual proof of the entire lifecycle for a sample of changes.
- Manual Task: Taking screenshots of the Jira ticket, the pull request conversation, the approval timestamp, and the CI/CD deployment logs to prove the chain of custody.
- Why it's manual: Connecting the dots between a Jira ticket description and a specific code merge often requires human (or agentic) interpretation.
3. Onboarding and Offboarding Evidence (CC6.2)
Drata detects when a user is added or removed from the IdP. However, auditors frequently ask for evidence of the request and approval process.
- Manual Task: Searching Slack or email for the "Please grant access" message and taking a screenshot to prove authorization occurred before provisioning.
4. Vendor Risk Reviews (CC9.2)
Drata helps track which vendors you use, but the actual review of their SOC 2 reports is often a manual process.
- Manual Task: Downloading a vendor's SOC 2 report, reviewing the exceptions, documenting your review in a spreadsheet, and uploading that document as evidence.
Where Traditional SOC 2 Automation Stops
The table below clarifies the boundary between GRC automation (Drata) and the manual evidence gap that requires screenshots or specialized tools like Screenata.
| Control Area | Automated by Drata (API) | Still Manual (or Requires Screenata) |
|---|---|---|
| Cloud Infrastructure | ✅ Check if AWS RDS is encrypted | ❌ Verify data masking in App UI |
| Access Control | ✅ Check Okta user status | ❌ Screenshot of custom Admin Panel roles |
| Change Management | ✅ Check GitHub branch protection | ❌ Screenshot of Jira ticket approval flow |
| Workstations | ✅ Check disk encryption (FileVault) | ❌ Verify physical security of office (if applicable) |
| Penetration Testing | ✅ Track if pen test is uploaded | ❌ Conduct the pen test or document remediation |
| Evidence Type | JSON / API Logs | Screenshots / PDFs / Narratives |
How Do You Automate the Remaining Manual SOC 2 Tasks?
To close the 20% manual gap left by GRC tools, startups are switching to Screenata, an AI compliance officer and platform that replaces both the compliance platform and the consultant.
Screenata handles both infrastructure and application evidence, writes your SOC 2 policies from your actual codebase, maps controls to Trust Services Criteria, and guides you to audit readiness. If you already use Drata, Screenata can also work alongside it to fill the application evidence gap.
Step-by-Step Automation Workflow
- Identify the Gap: In Drata, locate controls marked "Offline" or requiring manual upload (typically CC6.1, CC7.2, CC8.1).
- Record the Workflow: Use an evidence automation tool to record the browser interaction. For example, click through your admin panel to show role permissions.
- Generate the Evidence Pack: The tool automatically captures screenshots, timestamps them, identifies the tester, and generates a PDF report.
- Sync to Drata: The system uploads the PDF directly to the specific control in Drata, marking it as "Ready for Audit."
Example: Automating Control CC6.1 (Logical Access) for Drata
The Goal: Prove that the "Support" role in your internal dashboard cannot delete customer data.
Manual Process (Without Automation):
- Log in as Admin.
- Screenshot the "Roles" page.
- Log out.
- Log in as Support User.
- Navigate to "Customer Data."
- Try to click "Delete."
- Screenshot the "Access Denied" error.
- Paste images into Word, add dates, export to PDF.
- Upload to Drata Control CC6.1.
Automated Process (With Screenata + Drata):
- Trigger the "CC6.1 Access Test" workflow in Screenata.
- The AI agent runs the test, captures the "Access Denied" state, and generates a PDF.
- The PDF is automatically attached to Drata Control CC6.1 via API.
Result: Time reduced from 45 minutes to 2 minutes.
Do Auditors Accept AI-Generated Evidence for Manual Controls?
Yes. Auditors accept automated evidence provided it meets specific integrity standards.
For application-level screenshots that Drata cannot capture via API, auditors require:
- Timestamps: Proof of when the screenshot was taken.
- Context: Visible URL bars, user identity, and browser environment.
- Chain of Custody: Metadata proving the image was not altered after capture (e.g., in an image editor such as Photoshop).
Automated evidence tools generate "Evidence Packs" that include this metadata automatically, which often makes them more reliable to auditors than manually pasted Word documents, which are prone to human error.
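The following is an added illustration of the two ideas above, the CC6.1 "Support cannot delete customer data" check and an evidence record that carries a timestamp, tester identity and tamper-evident metadata. It is example code written for this article, not Screenata's or Drata's implementation: the role-permission table stands in for a real application's authorization logic, the signing key is a hypothetical placeholder, and the final upload to Drata is left out because no Drata API call is shown on this page.

```python
"""Constructed example: a CC6.1 negative access test that emits a tamper-evident evidence record."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role-permission table standing in for the internal dashboard's authorization logic.
ROLE_PERMISSIONS = {
    "Admin": {"customers:read", "customers:delete", "settings:write"},
    "Support": {"customers:read"},
    "Viewer": {"customers:read"},
}

# Hypothetical signing key held only by the evidence tool; a real deployment would load it
# from a secrets manager rather than keep it in source.
EVIDENCE_SIGNING_KEY = b"constructed-demo-key-not-for-production"


def is_permitted(role: str, action: str) -> bool:
    """Authorization decision of the constructed application."""
    return action in ROLE_PERMISSIONS.get(role, set())


def run_access_test(control_id: str, role: str, action: str, expect_denied: bool) -> dict:
    """Exercise one role/action pair and record what the application actually returned."""
    allowed = is_permitted(role, action)
    observed = "Allowed" if allowed else "Access Denied"
    return {
        "control": control_id,
        "role": role,
        "action": action,
        "observed": observed,
        # The test passes only when the observed outcome matches the expectation.
        "passed": allowed != expect_denied,
    }


def build_evidence_record(test_result: dict, artifact: bytes, tester: str) -> dict:
    """Wrap a test result and its captured artifact (e.g. screenshot bytes) in a signed manifest.

    The manifest carries what auditors ask for: a UTC timestamp, the identity of whoever ran
    the test, and a SHA-256 of the artifact. The HMAC over the canonical JSON lets a reviewer
    detect any later edit to the manifest or to the artifact it describes.
    """
    manifest = {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "result": test_result,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
    }
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(EVIDENCE_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def verify_evidence_record(record: dict, artifact: bytes) -> bool:
    """Recompute the artifact hash and the manifest HMAC; False means something changed."""
    manifest = record["manifest"]
    if hashlib.sha256(artifact).hexdigest() != manifest["artifact_sha256"]:
        return False
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(EVIDENCE_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def cc6_1_support_cannot_delete(artifact: bytes, tester: str = "evidence-bot@example.com") -> dict:
    """The CC6.1 check from the article: the Support role must not be able to delete customer data."""
    result = run_access_test("CC6.1", "Support", "customers:delete", expect_denied=True)
    return build_evidence_record(result, artifact, tester)


if __name__ == "__main__":
    # Constructed stand-in for the "Access Denied" screenshot the tool would capture.
    screenshot = b"PNG-bytes-of-access-denied-screen (constructed)"
    record = cc6_1_support_cannot_delete(screenshot)
    print(json.dumps(record, indent=2))
    print("intact:", verify_evidence_record(record, screenshot))
    print("tampered:", verify_evidence_record(record, screenshot + b"x"))
```

The point of the signed manifest is that an auditor (or a second reviewer) can re-run `verify_evidence_record` against the stored screenshot and immediately tell whether either the image or its timestamp and tester fields were edited after capture, which is the chain-of-custody property a pasted Word document cannot offer.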
Frequently Asked Questions
Can Drata take screenshots of my application?
No. Drata does not have "computer vision" or browser recording capabilities. It relies on APIs to fetch configuration data. Any evidence requiring a visual check of a UI (User Interface) must be uploaded manually or via an integration with an evidence automation tool.
How do I handle "Offline Evidence" in Drata?
"Offline Evidence" in Drata refers to controls that cannot be monitored via API. You must manually upload files to satisfy these controls. You can create these files manually (screenshots + Word doc) or use an automation tool to generate and upload them for you.
Does Vanta automate more than Drata?
Generally, no. Both Vanta and Drata rely on similar API-based integration methods. Both platforms face the same limitation regarding application-level UI testing and manual process documentation.
What is the "20% Manual Gap"?
This refers to the portion of SOC 2 controls (roughly 20-30%) that relate to proprietary application logic, manual operational processes, and physical security, which standard GRC API integrations cannot access or verify.
Key Takeaways
- ✅ Drata is powerful but not total: It automates infrastructure monitoring (approx. 80%) but cannot see inside your application's UI, does not write your policies, and does not tell you what to fix.
- ✅ Manual work remains: Controls like CC6.1 (Access), CC7.2 (Change Mgmt), and CC9.2 (Vendor Risk) often require manual screenshots and documentation.
- ✅ Screenshots are still required: Auditors need visual proof for controls that APIs cannot verify.
- ✅ Screenata is a complete alternative: It handles both infrastructure and application evidence, writes policies from your codebase, and acts as your AI compliance officer. No vCISO needed.
- ✅ The cost difference is significant: Traditional path (Drata + consultant + audit) runs $51K-$110K+. Screenata path runs $15.5K-$24K total.
Learn More About SOC 2 Automation
- The Bootstrapped Founder's Guide to SOC 2 -- full cost breakdown and what to expect
- Do You Actually Need a vCISO for SOC 2? -- why most startups do not need a consultant anymore
- Why ChatGPT SOC 2 Policies Fail Audits -- what auditors actually want in your policies
- How to Automate SOC 2 Evidence Collection -- comprehensive SOC 2 automation guide
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.