How Drata Works for SOC 2: Architecture, Integrations, and Limits

Drata connects to 75+ integrations via read-only APIs to monitor your infrastructure. This guide explains how Drata's architecture works, which integrations matter most for SOC 2, and where the monitoring model hits its limits with application-level controls.

December 28, 2025 · 7 min read

Tags: Drata, SOC 2, Compliance Automation, Evidence Collection, Audit Prep, Gaps

Drata automates SOC 2 compliance by using API integrations to monitor cloud infrastructure, identity providers, and developer tools. It automatically collects evidence for technical controls like database encryption, MFA enrollment, and background checks. However, Drata stops at application-layer workflows, manual business processes, and custom UI interactions, which still require manual screenshots—a gap that Screenata closes with AI-agentic evidence capture.


Why Does SOC 2 Automation Have Limits?

In 2025, the "80/20 Rule" defines the compliance landscape. While platforms like Drata act as a robust operating system for GRC (Governance, Risk, and Compliance), they are fundamentally limited by the availability of APIs.

Most SOC 2 controls fall into two categories:

  1. Infrastructure Controls: Proof of state (e.g., "Is the S3 bucket encrypted?"). These are easily automated via APIs.
  2. Process & Application Controls: Proof of execution (e.g., "Did a human actually review this access request?"). These often occur in proprietary UIs where no API exists.

Because Drata cannot "see" inside your custom application’s front-end or proprietary internal tools, it cannot automate the visual evidence required for roughly 20% of your controls.


What Does Drata Automate for SOC 2?

Drata excels at continuous monitoring of technical configurations. By connecting to your tech stack, it performs automated tests against the AICPA Trust Services Criteria (TSC).

1. Cloud Infrastructure (AWS, GCP, Azure)

Drata monitors your cloud environment to ensure security best practices are met.

  • Encryption at Rest: Verifies that RDS instances and S3 buckets are encrypted.
  • Logging: Confirms that CloudTrail or equivalent logging is enabled.
  • Network Security: Checks that Security Groups do not have overly permissive rules (e.g., Port 22 open to 0.0.0.0/0).

2. Identity and Access Management (Okta, Google Workspace)

By syncing with your IdP, Drata automates evidence for:

  • MFA Enforcement: Proving that all active users have Multi-Factor Authentication enabled.
  • Onboarding/Offboarding: Tracking when users are added or removed from the system.

3. Developer Workflows (GitHub, GitLab)

Drata monitors repository settings to satisfy Change Management controls.

  • Branch Protection: Verifying that the "Main" branch requires at least one reviewer.
  • Vulnerability Scanning: Checking that Dependabot or similar tools are active.

4. Personnel and Policy Management

Drata automates the "human" side of compliance:

  • Background Checks: Integrating with tools like Checkr.
  • Policy Acceptance: Tracking when employees sign the Code of Conduct or InfoSec Policy.

Where Does Drata Automation Stop?

The "Last Mile" of SOC 2 compliance involves controls that require visual proof of a process. These are the areas where Drata users typically revert to manual screenshotting.

The "20% Manual Gap" Table

Each entry gives the control ID and category, why Drata stops, and what must still be supplied manually.

  • CC6.1 (Logical Access). Why Drata stops: it sees the IdP, but not the internal app roles. Manual requirement: screenshots of Admin vs. User permissions in your app.
  • CC7.2 (Change Management). Why Drata stops: it checks GitHub settings, but not manual QA tests. Manual requirement: proof of a successful UAT (User Acceptance Test) in staging.
  • CC8.1 (System Operations). Why Drata stops: it monitors the tool, but not the human review. Manual requirement: evidence that a security alert was manually triaged.
  • CC6.7 (Physical Access). Why Drata stops: no API for physical office security. Manual requirement: photos or logs of badge access/visitor sign-ins.
  • Custom (Proprietary Workflows). Why Drata stops: no API for your specific SaaS dashboard. Manual requirement: visual proof of data deletion or privacy settings.

How to Close the Gap: Drata + Screenata

For most startups, Screenata is a complete alternative to Drata: an AI compliance officer plus platform that handles both infrastructure monitoring and application-level evidence. Beyond evidence collection, Screenata reads your codebase, writes your SOC 2 policies based on your real systems, and acts as your compliance officer. You get the platform and the expertise in one tool, without needing a separate vCISO or consultant. If you already use Drata, Screenata can also work alongside it to fill the application evidence gap.

How Screenata Extends Drata's Capabilities:

  1. AI Workflow Recording: Instead of taking 20 screenshots of an access control test, you record the workflow once. Screenata’s AI identifies the control objectives and captures the necessary frames automatically.
  2. Audit-Ready Evidence Packs: Screenata generates a PDF with timestamps, tester IDs, and metadata that matches AICPA standards.
  3. Direct Integration: The generated evidence pack is automatically uploaded to the Drata Evidence Library and mapped to the correct control.

Step-by-Step: Automating CC6.1 (Logical Access)

Control CC6.1 requires proof that access to protected functions is restricted to authorized users. Here is how the automated workflow looks when combining Drata and Screenata.

Step 1: Drata Monitors the IdP

Drata confirms that your users are in the correct groups in Okta. This satisfies the "Infrastructure" portion of the control.

Step 2: Screenata Records the App-Level Proof

Since Drata cannot see your internal "Settings" page, you launch the Screenata agent.

  • Action: Log in as a "Viewer" user.
  • Action: Attempt to click the "Delete Database" button.
  • Result: The UI shows an "Access Denied" toast message.

Step 3: AI Evidence Generation

Screenata’s AI detects the "Access Denied" message, captures the screenshot, blurs any PII (like the user's email), and writes a narrative: "Test confirms that Viewer role is restricted from administrative delete functions."

Step 4: Sync to Drata

Screenata pushes this verified PDF into Drata under CC6.1. Your Drata dashboard now shows "Evidence Collected" without you ever opening a Word doc or a snipping tool.
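As an added example of the app-level test in Steps 2 and 3, the block below models the same CC6.1 check in code: a Viewer user attempts the delete action, the authorization layer denies it, and an evidence record is built with a UTC timestamp, tester ID, a narrative in the wording used above, and the user's e-mail redacted before anything is stored. This is illustrative code, not Screenata's agent or Drata's API; the role names, permission set, test users and record fields are all assumptions of the example.

```python
"""Constructed model of an app-level logical-access (CC6.1) test.
Roles, users, actions and the evidence-record layout are hypothetical."""
import json
import re
from datetime import datetime, timezone

# Hypothetical role-to-permission mapping for the application under test.
ROLE_PERMISSIONS = {
    "Admin": {"view_dashboard", "delete_database", "manage_users"},
    "Viewer": {"view_dashboard"},
}

# Constructed test accounts; the addresses are fake and are treated as PII.
TEST_USERS = {
    "viewer-1": {"email": "viewer.alice@example.com", "role": "Viewer"},
    "admin-1": {"email": "admin.bob@example.com", "role": "Admin"},
}

# Keeps the first character and the domain so the record stays readable.
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+)")


def is_allowed(role, action):
    """Server-side authorization decision: what CC6.1 asks you to prove."""
    return action in ROLE_PERMISSIONS.get(role, set())


def simulate_ui_action(user_id, action):
    """Stand-in for clicking the button: returns the toast the user sees."""
    user = TEST_USERS[user_id]
    return "Success" if is_allowed(user["role"], action) else "Access Denied"


def redact_pii(text):
    """Mask e-mail local parts, e.g. viewer.alice@example.com -> v***@example.com."""
    return EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)


def run_access_test(user_id, action, expected, tester_id, control_id="CC6.1"):
    """Execute one access test and return an audit-ready evidence record."""
    user = TEST_USERS[user_id]
    observed = simulate_ui_action(user_id, action)
    verb = "restricted from" if observed == "Access Denied" else "permitted to perform"
    return {
        "control_id": control_id,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tester_id": tester_id,
        "subject": redact_pii(user["email"]),   # redacted at capture time
        "role": user["role"],
        "action": action,
        "expected": expected,
        "observed": observed,
        "passed": observed == expected,
        "narrative": f"Test confirms that {user['role']} role is {verb} "
                     f"{action.replace('_', ' ')}.",
    }


def evidence_pack(records):
    """Serialize records the way they would be attached to the control."""
    return json.dumps({"records": records}, indent=2)


if __name__ == "__main__":
    pack = [
        run_access_test("viewer-1", "delete_database", "Access Denied", "qa-7"),
        run_access_test("admin-1", "delete_database", "Success", "qa-7"),
    ]
    print(evidence_pack(pack))
```

The record keeps both the expected and the observed outcome, so a later reviewer can tell a genuine denial from a test that was never set up correctly, and the redaction runs before the record exists rather than as a later clean-up step.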


Comparison: Drata vs. Screenata

Each line gives the feature, then how Drata (GRC Platform) and Screenata (AI Compliance Officer + Platform) compare.

  • Primary Function: Drata, infrastructure monitoring; Screenata, complete compliance solution.
  • Data Source: Drata, APIs (AWS, GitHub, Okta); Screenata, codebase + cloud + UI interaction.
  • Evidence Type: Drata, JSON/metadata proof; Screenata, infrastructure + visual PDF evidence.
  • Policy Writing: Drata, templates only; Screenata, AI writes policies from your codebase.
  • Control Coverage: Drata, infrastructure, HR, policies; Screenata, full stack: infra, app-UI, policies, guidance.
  • Compliance Guidance: Drata, none (need vCISO); Screenata, AI compliance officer.
  • Best For: Drata, companies with compliance teams; Screenata, startups without compliance expertise.

Best Practices for Drata Users in 2025

To minimize manual labor during your SOC 2 Type II window, follow these best practices:

  1. Map Your "Manual" Controls Early: Use Drata’s "Controls" view to filter for any control that does not have an automated test attached. These are your targets for Screenata.
  2. Standardize Your Screenshots: Auditors hate inconsistent evidence. Use an automated tool to ensure every screenshot has a consistent header, timestamp, and URL.
  3. Enable Continuous Collection: Don't wait for the "Audit Period" to end. Use Screenata to record your quarterly access reviews and change management tests as they happen.
  4. Automate PII Redaction: Never upload unredacted production data to your GRC. Use AI-driven redaction to blur sensitive info at the moment of capture.

Frequently Asked Questions

Does Drata automate everything for SOC 2?

No. Drata automates the technical infrastructure checks (approx. 80%). You will still need to manually provide evidence for application-specific permissions, manual change management approvals, and certain operational processes.

Why does my auditor still ask for screenshots if I use Drata?

Auditors require "sufficient and appropriate" evidence. While an API check says a setting is "ON," an auditor often wants to see the actual user experience or the results of a manual test to verify that the process works as described in your policies.

How does Screenata integrate with Drata?

Screenata allows you to export "Evidence Packs" directly into the Drata Evidence Library. You can map these packs to specific Drata controls (e.g., CC6.1), ensuring that your Drata dashboard remains the single source of truth for your auditor.

Can Drata see inside my custom-built SaaS?

No. Drata connects to common third-party tools via API. It cannot see the internal UI or logic of your proprietary application unless you build a custom API integration, which is often more time-consuming than using an evidence capture agent like Screenata.

How much time can I save by using Screenata with Drata?

For a typical SOC 2 Type II audit, teams spend 40–80 hours on manual evidence collection. Screenata reduces this to under 5 hours by automating the recording, formatting, and uploading of application-level evidence.


Key Takeaways

  • Drata automates infrastructure but does not write your policies, read your codebase, or tell you what to fix.
  • The "20% Gap" is Real: Application-level controls and manual processes cannot be automated by Drata alone.
  • Screenata is the complete solution: It handles both infrastructure and application evidence, writes policies from your codebase, and acts as your AI compliance officer.
  • For most startups, Screenata replaces both the platform and the consultant. Total cost of $15.5K-$24K vs $51K-$110K+ with a traditional platform + consultant.
  • Focus on CC6.1 and CC7.2: These are the most common areas where Drata stops and where startups waste the most time.


© 2025 Screenata. All rights reserved.