Drata SOC 2 Automation Gaps: What Evidence Still Requires Manual Screenshots
Drata automates infrastructure monitoring via APIs, but it cannot capture application-level evidence that requires UI verification. This article details the specific SOC 2 automation gaps—such as logical access tests and change management workflows—that still force teams to collect manual screenshots, and how AI agents now close this gap.

Drata has revolutionized compliance by automating infrastructure checks, but SOC 2 audits still require screenshots, application-level evidence, and process documentation that APIs cannot capture. While Drata handles AWS configurations and employee background checks seamlessly, automation gaps remain for custom application workflows. Teams often discover too late that they must still spend 40–80 hours manually collecting screenshots for controls like logical access and change management. This article breaks down exactly where Drata’s automation stops and how to fill those gaps with automated evidence collection tools.
What Are the Main Drata SOC 2 Automation Gaps?
Answer: The primary automation gaps in Drata (and similar GRC tools like Vanta) are application-level controls and process workflows that do not have public APIs. While Drata automates infrastructure (cloud providers, MDM, HRIS), it cannot "see" inside your custom SaaS application to verify role-based access, specific UI error messages, or manual operational processes.
These gaps typically fall into three categories:
- Logical Access Verification (CC6.1): Proving that a non-admin user is actually blocked from admin features (requires "Access Denied" screenshots).
- Change Management Workflows (CC7.2): Visual proof of pull request approvals or deployment pipelines if not fully integrated via API.
- System Operations (CC8.1): Dashboard screenshots from tools that lack deep API integrations with Drata.
Why Can't Drata Automate Application Evidence?
Drata relies on API integrations to collect evidence. It connects to AWS, GitHub, Okta, and Google Workspace to query configurations (e.g., "Is Multi-Factor Authentication enabled?").
However, auditors often require "Test of Design" and "Test of Operating Effectiveness" evidence that proves a control works from a user's perspective. An API can say that a user has the "Viewer" role, but an auditor wants a screenshot showing that the "Viewer" cannot see the "Delete Database" button. Drata cannot log in to your application, navigate the UI, and capture these screenshots.
The "Last Mile" Problem
This limitation creates a "Last Mile" problem in compliance. You automate 80% of the audit with Drata, but the remaining 20%—the manual screenshots—accounts for 90% of the pre-audit panic and human error.
Where Traditional SOC 2 Automation Stops
To understand what you still need to do manually (or automate with an evidence agent like Screenata), compare the capabilities of GRC platforms with the requirements of a Type II audit.
| Feature | Drata / Vanta (GRC Platforms) | Manual Gaps (Requires Screenshots) |
|---|---|---|
| Infrastructure Security | ✅ Automated (Checks AWS/Azure APIs) | None |
| Employee Onboarding | ✅ Automated (Checks HRIS/MDM) | None |
| Logical Access (CC6.1) | ⚠️ Partial (Checks Okta groups) | ❌ Manual: Screenshot of "Access Denied" screen for unauthorized users. |
| Change Management (CC7.2) | ⚠️ Partial (Checks GitHub branch protection) | ❌ Manual: Screenshots of specific PR comments or UI-based deployment triggers. |
| Vulnerability Scanning | ⚠️ Partial (Checks scanner integration) | ❌ Manual: Screenshots of "Zero High Vulnerabilities" dashboard if API fails. |
| User Access Reviews | ✅ Automated (Lists users) | ❌ Manual: Evidence of the review process if done outside the GRC tool. |
Which Specific SOC 2 Controls Does Drata Miss?
If you are preparing for an audit, pay close attention to these specific controls. These are the most common areas where Drata users are surprised by requests for manual evidence.
1. CC6.1 – Logical Access (Role-Based Access Control)
The Drata Check: Verifies that an Access Control Policy exists and that employees are assigned to groups in the Identity Provider (IdP).
The Audit Gap: Auditors need positive assurance that the access control works.
Required Evidence:
- Screenshot of an Admin user accessing the settings page.
- Screenshot of a Standard user attempting to access the same page and receiving a 403/Access Denied error.
2. CC7.2 – Change Management (System Changes)
The Drata Check: Verifies that branch protection rules are on and PRs are merged.
The Audit Gap: Complex deployment workflows often involve steps outside of GitHub (e.g., a manual approval in a separate dashboard or a Slack notification).
Required Evidence:
- Screenshots of the deployment pipeline in tools like Jenkins or ArgoCD if the integration is limited.
- Visual proof of emergency change ticket approvals.
3. CC8.1 – System Operations (Vulnerability Management)
The Drata Check: Verifies that a scanner (like Inspector or Trivy) is active.
The Audit Gap: Auditors want to see the specific scan results for a sample period, often requiring a visual confirmation of the dashboard state.
Required Evidence:
- Screenshot of the vulnerability dashboard showing no critical issues open for >30 days.
How to Automate the Evidence Drata Misses
Answer: To close the gap left by Drata, teams use AI evidence agents (like Screenata) that perform "computer use" tasks. These tools record the manual workflow once and then autonomously repeat it to generate audit-ready evidence packs.
Step-by-Step Automation Workflow
- Identify the Gap: Pinpoint the controls Drata has flagged as "Manual Upload."
- Record the Flow: Use an AI agent to record a human performing the test (e.g., logging in as a Viewer and trying to access Admin settings).
- Automate Capture: The agent replays this interaction, capturing timestamped screenshots and DOM elements.
- Sync to Drata: The agent generates a PDF report and uploads it directly to the specific Drata control via API.
This approach ensures that your "Manual" controls are just as automated as your infrastructure controls.
Do Auditors Accept AI-Generated SOC 2 Evidence?
Yes. Auditors accept automated evidence provided it maintains integrity and authenticity. In fact, automated screenshots are often preferred over manual ones because they reduce the risk of human tampering.
To be auditor-ready, the automated evidence must include:
- Timestamps: Synced with a reliable NTP server.
- Source URL: Visible in the screenshot or metadata.
- Chain of Custody: Metadata linking the screenshot to the specific test execution.
- Control Context: Clearly labeled with the Control ID (e.g., CC6.1).
Tools that generate structured Evidence Packs (PDFs containing the screenshots + metadata) satisfy the AICPA's requirements for "sufficient and appropriate" evidence.
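As an added example (not Screenata's or Drata's code), here is a small Python evidence-pack builder for the CC6.1 role test described in the workflow above and the evidence requirements just listed: each capture is recorded with its control ID, source URL, UTC timestamp and a SHA-256 of the screenshot, the items are bound together by a manifest hash for chain of custody, and a verifier checks that nothing was altered afterwards. The sample captures and URL are constructed, and the timestamp assumes the host clock is NTP-synced.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_evidence_pack(control_id, test_id, captures, captured_at=None):
    """Turn the captures of one test run into an auditor-ready pack.
    captures: dicts with role, url, expected_status, observed_status, screenshot (bytes);
    captured_at is the UTC capture time and assumes the host clock is NTP-synced."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    items = [{
        "role": c["role"],
        "source_url": c["url"],  # source URL travels with each screenshot
        "expected_status": c["expected_status"],
        "observed_status": c["observed_status"],
        "passed": c["expected_status"] == c["observed_status"],
        "screenshot_sha256": sha256_hex(c["screenshot"]),
        "captured_at": captured_at,
    } for c in captures]
    # One hash over the ordered item list binds every capture to this run,
    # so a swapped or edited screenshot is detectable later (chain of custody).
    manifest = sha256_hex(json.dumps(items, sort_keys=True).encode())
    return {
        "control_id": control_id,       # e.g. CC6.1
        "test_execution_id": test_id,   # links the pack to the run that produced it
        "items": items,
        "result": "PASS" if all(i["passed"] for i in items) else "FAIL",
        "manifest_sha256": manifest,
    }

def verify_evidence_pack(pack, screenshots):
    """Return a list of integrity problems; an empty list means the pack is intact."""
    problems = []
    if sha256_hex(json.dumps(pack["items"], sort_keys=True).encode()) != pack["manifest_sha256"]:
        problems.append("manifest hash mismatch")
    if len(screenshots) != len(pack["items"]):
        problems.append("screenshot count mismatch")
    for item, shot in zip(pack["items"], screenshots):
        if sha256_hex(shot) != item["screenshot_sha256"]:
            problems.append(f"screenshot for {item['role']} altered")
    return problems

# Constructed sample run: the admin reaches the settings page, the viewer gets 403.
SAMPLE_CAPTURES = [
    {"role": "admin", "url": "https://app.example.test/admin/settings",
     "expected_status": 200, "observed_status": 200, "screenshot": b"PNG admin settings"},
    {"role": "viewer", "url": "https://app.example.test/admin/settings",
     "expected_status": 403, "observed_status": 403, "screenshot": b"PNG access denied"},
]
```

The pack dictionary is what would be serialized into the PDF or JSON metadata uploaded to the control; rerunning the verifier against the stored screenshots is how a reviewer confirms the evidence is the same as what the test produced.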
Integration: How Screenata Works with Drata
Screenata works alongside Drata if you already have it, but for most startups it is a complete alternative. Beyond evidence collection, Screenata reads your codebase, writes your SOC 2 policies based on your real systems, maps controls to Trust Services Criteria, and acts as your AI compliance officer--replacing both the platform and the consultant.
- If you already use Drata: Screenata fills the application evidence gap and syncs evidence packs to your Drata dashboard.
- If you are starting fresh: Screenata handles the full compliance workflow--infrastructure monitoring, application evidence, policy writing, control mapping, and audit prep. No vCISO or consultant needed.
The Workflow:
- Drata marks Control CC6.1 as "Not Ready" because it lacks evidence.
- Screenata runs a scheduled test of your application's login roles.
- Screenata generates a PDF Evidence Pack.
- Screenata pushes the PDF to Drata via API.
- Drata marks the control as "Ready."
Frequently Asked Questions
Can Drata take screenshots of my application?
No. Drata connects to APIs (like AWS or Jira) to read configuration data. It does not have a browser engine or computer vision capabilities to log in to your SaaS application and capture UI screenshots.
How much time does manual evidence collection take?
For a standard SOC 2 Type II audit, a mid-sized SaaS company typically spends 40 to 80 hours per quarter collecting, formatting, and uploading screenshots for application and process controls.
Does Vanta have the same gaps as Drata?
Yes. Vanta and Drata share the same architectural limitation: they are API-first monitoring tools. Neither tool currently offers native "computer use" agents to navigate and screenshot custom application UIs.
What is the risk of missing these screenshots?
If you fail to provide sufficient evidence for application controls, auditors may list an "Exception" in your final SOC 2 report. This indicates to your customers that your controls were not fully tested or effective, which can degrade trust.
Key Takeaways
- ✅ Drata automates infrastructure, not applications: Expect to manually handle evidence for custom logic and UI-based controls. It also does not write your policies or tell you what to fix.
- ✅ The "20% Gap" is time-consuming: Manual screenshots account for the majority of audit preparation time.
- ✅ Critical controls affected: CC6.1 (Access), CC7.2 (Changes), and CC8.1 (Operations) are the most common gaps.
- ✅ Screenata is a complete alternative: It handles both infrastructure and application evidence, writes policies from your codebase, and acts as your AI compliance officer.
- ✅ The cost difference is significant: Traditional path (Drata + consultant + audit) runs $51K-$110K+. Screenata path runs $15.5K-$24K total.