How Drata Automates SOC 2 and Where It Stops

Drata automates approximately 80% of SOC 2 compliance through API-driven infrastructure monitoring. However, it stops at application-level controls and manual process verifications. Discover how to close the '20% manual gap' using AI-driven evidence capture to achieve 100% audit readiness.

December 28, 2025 · 7 min read
Tags: Drata, SOC 2, Compliance Automation, Evidence Collection, Audit Prep, Gaps

Drata automates SOC 2 compliance by using API integrations to monitor cloud infrastructure, identity providers, and developer tools. It automatically collects evidence for technical controls like database encryption, MFA enrollment, and background checks. However, Drata stops at application-layer workflows, manual business processes, and custom UI interactions, which still require manual screenshots—a gap that Screenata closes with AI-agentic evidence capture.


Why Does SOC 2 Automation Have Limits?

In 2025, the "80/20 Rule" defines the compliance landscape. While platforms like Drata act as a robust operating system for GRC (Governance, Risk, and Compliance), they are fundamentally limited by the availability of APIs.

Most SOC 2 controls fall into two categories:

  1. Infrastructure Controls: Proof of state (e.g., "Is the S3 bucket encrypted?"). These are easily automated via APIs.
  2. Process & Application Controls: Proof of execution (e.g., "Did a human actually review this access request?"). These often occur in proprietary UIs where no API exists.

Because Drata cannot "see" inside your custom application’s front-end or proprietary internal tools, it cannot automate the visual evidence required for roughly 20% of your controls.


What Does Drata Automate for SOC 2?

Drata excels at continuous monitoring of technical configurations. By connecting to your tech stack, it performs automated tests against the AICPA Trust Services Criteria (TSC).

1. Cloud Infrastructure (AWS, GCP, Azure)

Drata monitors your cloud environment to ensure security best practices are met.

  • Encryption at Rest: Verifies that RDS and S3 instances are encrypted.
  • Logging: Confirms that CloudTrail or equivalent logging is enabled.
  • Network Security: Checks that Security Groups do not have overly permissive rules (e.g., Port 22 open to 0.0.0.0/0).
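The three cloud checks above are "proof of state" tests: read a resource's configuration through the provider API and compare it with a rule. The block below is an added illustration of that pattern and is not Drata's code; it evaluates a constructed inventory dict shaped loosely like describe-* API output (hypothetical bucket, instance and security-group names) rather than calling AWS, so it runs offline. The SSH check also handles the edge case the text implies: a rule whose port range merely covers 22 (for example 0-65535) is treated the same as a rule that names 22 explicitly, and IPv6 `::/0` counts as world-open alongside `0.0.0.0/0`.

```python
"""Infrastructure-control checks of the kind an API-driven GRC platform runs.
Added example, not Drata's implementation. INVENTORY is constructed sample
data; in a real run it would come from the cloud provider's API."""
from __future__ import annotations

import ipaddress

SSH_PORT = 22

# Constructed inventory (hypothetical resource names, no real accounts).
INVENTORY = {
    "s3_buckets": [
        {"name": "app-logs", "sse_algorithm": "AES256"},
        {"name": "data-exports", "sse_algorithm": None},  # unencrypted
    ],
    "rds_instances": [
        {"id": "prod-db", "storage_encrypted": True},
        {"id": "staging-db", "storage_encrypted": False},  # unencrypted
    ],
    "cloudtrail": {"trails": [{"name": "org-trail", "is_logging": True}]},
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-bastion", "ingress": [
            {"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-legacy", "ingress": [
            {"from_port": 0, "to_port": 65535, "cidrs": ["::/0"]}]},
        {"id": "sg-internal", "ingress": [
            {"from_port": 0, "to_port": 65535, "cidrs": ["10.0.0.0/8"]}]},
    ],
}


def is_world_open(cidr: str) -> bool:
    """A /0 prefix (IPv4 or IPv6) admits every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_encryption_at_rest(inv: dict) -> list[str]:
    """Return S3 buckets and RDS instances that lack encryption at rest."""
    failing = [b["name"] for b in inv["s3_buckets"] if not b["sse_algorithm"]]
    failing += [d["id"] for d in inv["rds_instances"] if not d["storage_encrypted"]]
    return failing


def check_logging_enabled(inv: dict) -> bool:
    """Pass if at least one CloudTrail trail is actively logging."""
    return any(t["is_logging"] for t in inv["cloudtrail"]["trails"])


def check_ssh_exposure(inv: dict) -> list[str]:
    """Return security groups whose ingress lets the whole internet reach port 22.
    A range that contains 22 counts, not only a rule that names 22 exactly."""
    exposed = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            covers_ssh = rule["from_port"] <= SSH_PORT <= rule["to_port"]
            if covers_ssh and any(is_world_open(c) for c in rule["cidrs"]):
                exposed.append(sg["id"])
                break  # one offending rule is enough to fail the group
    return exposed


def run_controls(inv: dict) -> dict[str, dict]:
    """Evaluate every check and return a pass/fail record per control."""
    enc = check_encryption_at_rest(inv)
    ssh = check_ssh_exposure(inv)
    return {
        "encryption_at_rest": {"passed": not enc, "failing": enc},
        "logging_enabled": {"passed": check_logging_enabled(inv), "failing": []},
        "no_world_open_ssh": {"passed": not ssh, "failing": ssh},
    }


if __name__ == "__main__":
    for control, result in run_controls(INVENTORY).items():
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{status} {control} {result['failing']}")
```

Each failing resource is named in the result, which is what an auditor wants to see next to a failed test: the evidence is the API-reported state, not a screenshot.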

2. Identity and Access Management (Okta, Google Workspace)

By syncing with your IdP, Drata automates evidence for:

  • MFA Enforcement: Proving that all active users have Multi-Factor Authentication enabled.
  • Onboarding/Offboarding: Tracking when users are added or removed from the system.

3. Developer Workflows (GitHub, GitLab)

Drata monitors repository settings to satisfy Change Management controls.

  • Branch Protection: Verifying that the "Main" branch requires at least one reviewer.
  • Vulnerability Scanning: Checking that Dependabot or similar tools are active.

4. Personnel and Policy Management

Drata automates the "human" side of compliance:

  • Background Checks: Integrating with tools like Checkr.
  • Policy Acceptance: Tracking when employees sign the Code of Conduct or InfoSec Policy.

Where Does Drata Automation Stop?

The "Last Mile" of SOC 2 compliance involves controls that require visual proof of a process. These are the areas where Drata users typically revert to manual screenshotting.

The "20% Manual Gap" Table

Control ID | Control Category      | Why Drata Stops                                      | Manual Requirement
---------- | --------------------- | ---------------------------------------------------- | ------------------------------------------------------
CC6.1      | Logical Access        | Drata sees the IdP, but not the internal app roles.  | Screenshots of Admin vs. User permissions in your app.
CC7.2      | Change Management     | Drata checks GitHub settings, but not manual QA tests. | Proof of a successful UAT (User Acceptance Test) in staging.
CC8.1      | System Operations     | Drata monitors the tool, but not the human review.   | Evidence that a security alert was manually triaged.
CC6.7      | Physical Access       | No API for physical office security.                 | Photos or logs of badge access/visitor sign-ins.
Custom     | Proprietary Workflows | No API for your specific SaaS dashboard.             | Visual proof of data deletion or privacy settings.

How to Close the Gap: Drata + Screenata

To achieve 100% automation, companies are increasingly using Screenata as a "visual sensor" that feeds evidence into Drata. While Drata manages the infrastructure, Screenata automates the application-layer evidence that Drata cannot reach.

How Screenata Extends Drata's Capabilities:

  1. AI Workflow Recording: Instead of taking 20 screenshots of an access control test, you record the workflow once. Screenata’s AI identifies the control objectives and captures the necessary frames automatically.
  2. Audit-Ready Evidence Packs: Screenata generates a PDF with timestamps, tester IDs, and metadata that matches AICPA standards.
  3. Direct Integration: The generated evidence pack is automatically uploaded to the Drata Evidence Library and mapped to the correct control.

Step-by-Step: Automating CC6.1 (Logical Access)

Control CC6.1 requires proof that access to protected functions is restricted to authorized users. Here is how the automated workflow looks when combining Drata and Screenata.

Step 1: Drata Monitors the IdP

Drata confirms that your users are in the correct groups in Okta. This satisfies the "Infrastructure" portion of the control.

Step 2: Screenata Records the App-Level Proof

Since Drata cannot see your internal "Settings" page, you launch the Screenata agent.

  • Action: Log in as a "Viewer" user.
  • Action: Attempt to click the "Delete Database" button.
  • Result: The UI shows an "Access Denied" toast message.

Step 3: AI Evidence Generation

Screenata’s AI detects the "Access Denied" message, captures the screenshot, blurs any PII (like the user's email), and writes a narrative: "Test confirms that Viewer role is restricted from administrative delete functions."

Step 4: Sync to Drata

Screenata pushes this verified PDF into Drata under CC6.1. Your Drata dashboard now shows "Evidence Collected" without you ever opening a Word doc or a snipping tool.
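Steps 2 through 4 describe a "proof of execution" test: a low-privilege role attempts a privileged action, the denial is observed, and the observation is turned into an evidence record with a timestamp, tester identity, redacted PII and a narrative. The block below is an added example of that shape and is not Screenata's or Drata's code; the role table, the `delete_database` action and the record layout are hypothetical, and the "screenshot" is replaced by the UI message string since nothing here drives a real browser. The test is told the expected outcome explicitly, so a misconfigured role table (a Viewer who can delete) shows up as a failed control rather than as a passing test.

```python
"""Application-level logical-access test that emits an evidence record.
Added example; roles, actions and record fields are hypothetical."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Hypothetical role table of the application under test.
PERMISSIONS = {
    "viewer": {"read"},
    "admin": {"read", "delete_database"},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class AccessDenied(Exception):
    pass


def authorize(role: str, action: str, user_email: str) -> str:
    """Stand-in for the app's permission check. Mirrors a UI that echoes the
    signed-in user's email in its toast, which is why redaction is needed."""
    if action not in PERMISSIONS.get(role, set()):
        raise AccessDenied(f"Access Denied for {user_email}: role '{role}' "
                           f"may not perform '{action}'")
    return f"Action '{action}' completed for {user_email}"


def redact_pii(text: str) -> str:
    """Blur e-mail addresses before the text leaves the capture step."""
    return EMAIL_RE.sub("[redacted-email]", text)


def run_access_test(role: str, action: str, expected: str,
                    tester_email: str, now: datetime | None = None) -> dict:
    """Perform one access-control test and return an audit-ready record.
    `expected` is "denied" or "allowed" and states the control objective."""
    now = now or datetime.now(timezone.utc)
    try:
        ui_message = authorize(role, action, tester_email)
        outcome = "allowed"
    except AccessDenied as exc:
        ui_message = str(exc)
        outcome = "denied"

    passed = outcome == expected
    if passed and expected == "denied":
        narrative = (f"Test confirms that {role} role is restricted "
                     f"from {action}.")
    elif passed:
        narrative = f"Test confirms that {role} role can perform {action}."
    else:
        narrative = (f"Control exception: {role} role was {outcome} "
                     f"{action}; expected {expected}.")

    return {
        "control": "CC6.1",
        "timestamp": now.isoformat(),
        "tester": redact_pii(tester_email),
        "role": role,
        "action": action,
        "expected": expected,
        "outcome": outcome,
        "passed": passed,
        "ui_message": redact_pii(ui_message),  # captured frame stand-in
        "narrative": redact_pii(narrative),
    }


if __name__ == "__main__":
    record = run_access_test("viewer", "delete_database", "denied",
                             "tester@example.com")  # constructed tester
    for key, value in record.items():
        print(f"{key}: {value}")
```

Every free-text field passes through `redact_pii` on the way into the record, so the unredacted address never exists in the artifact that gets uploaded to the GRC platform; that is the point of best practice 4 below, applied at the moment of capture rather than as a later cleanup.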


Comparison: Drata vs. Screenata

Feature          | Drata (GRC OS)                       | Screenata (Evidence Agent)
---------------- | ------------------------------------ | ----------------------------------
Primary Function | Continuous Infrastructure Monitoring | Application-Level Evidence Capture
Data Source      | APIs (AWS, GitHub, Okta)             | Computer Vision / UI Interaction
Evidence Type    | JSON/Metadata Proof                  | Visual PDF Evidence Packs
Control Coverage | Infrastructure, HR, Policies         | App-UI, Manual Processes, QA
Best For         | Managing the Audit Lifecycle         | Automating the "Manual 20%"

Best Practices for Drata Users in 2025

To minimize manual labor during your SOC 2 Type II window, follow these best practices:

  1. Map Your "Manual" Controls Early: Use Drata’s "Controls" view to filter for any control that does not have an automated test attached. These are your targets for Screenata.
  2. Standardize Your Screenshots: Auditors hate inconsistent evidence. Use an automated tool to ensure every screenshot has a consistent header, timestamp, and URL.
  3. Enable Continuous Collection: Don't wait for the "Audit Period" to end. Use Screenata to record your quarterly access reviews and change management tests as they happen.
  4. Automate PII Redaction: Never upload unredacted production data to your GRC. Use AI-driven redaction to blur sensitive info at the moment of capture.

Frequently Asked Questions

Does Drata automate everything for SOC 2?

No. Drata automates the technical infrastructure checks (approx. 80%). You will still need to manually provide evidence for application-specific permissions, manual change management approvals, and certain operational processes.

Why does my auditor still ask for screenshots if I use Drata?

Auditors require "sufficient and appropriate" evidence. While an API check says a setting is "ON," an auditor often wants to see the actual user experience or the results of a manual test to verify that the process works as described in your policies.

How does Screenata integrate with Drata?

Screenata allows you to export "Evidence Packs" directly into the Drata Evidence Library. You can map these packs to specific Drata controls (e.g., CC6.1), ensuring that your Drata dashboard remains the single source of truth for your auditor.

Can Drata see inside my custom-built SaaS?

No. Drata connects to common third-party tools via API. It cannot see the internal UI or logic of your proprietary application unless you build a custom API integration, which is often more time-consuming than using an evidence capture agent like Screenata.

How much time can I save by using Screenata with Drata?

For a typical SOC 2 Type II audit, teams spend 40–80 hours on manual evidence collection. Screenata reduces this to under 5 hours by automating the recording, formatting, and uploading of application-level evidence.


Key Takeaways

  • Drata is the "Brain": It manages your overall compliance posture and automates infrastructure checks via API.
  • The "20% Gap" is Real: Application-level controls and manual processes cannot be automated by Drata alone.
  • Screenata is the "Sensor": It captures the visual, UI-based evidence that APIs cannot see.
  • Better Together: Combining Drata’s GRC management with Screenata’s agentic evidence capture results in 100% automated audit readiness.
  • Focus on CC6.1 and CC7.2: These are the most common areas where Drata stops and Screenata provides the most value.

Learn More About GRC Platform Integration

For a complete guide to integrating application-level evidence automation with Drata, Vanta, and GRC platforms, including where Drata's automation stops and how to close the gap, see our comprehensive GRC integration guide.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

© 2025 Screenata. All rights reserved.