Compliance

Is Drata Enough to Automate SOC 2 Compliance Completely?

No. Drata automates about 80% of SOC 2 through infrastructure APIs, then flags the rest and waits for you. This article explains what Drata automates, the 20% it leaves manual (application screenshots plus the attestations only a person can answer), and how Vera, an agent that runs continuous compliance, closes the gap alongside Drata or in place of the platform-plus-consultant stack.

November 2, 202510 min read
DrataSOC 2Compliance AutomationEvidence CollectionScreenshotsManual Evidence
Is Drata Enough to Automate SOC 2 Compliance Completely?

No, Drata is not enough to automate SOC 2 compliance completely. Drata pulls about 80% of SOC 2 evidence through API integrations (AWS, Okta, GitHub, HRIS), then marks the rest "manual" and waits for you to go do it. Auditors still require application evidence for controls like CC6.1 (logical access), CC7.2 (change management), and CC8.1 (system operations), and they still require the periodic attestations only a person can confirm. That is 40 to 80 hours of unbilled work per audit that a dashboard does not touch. Screenata closes it with Vera, an agent who runs the program: she scans the same infrastructure Drata reads, captures the application evidence a dashboard can't see, DMs your team for sign-off, and files signed, traceable artifacts. Vera works alongside Drata or replaces the platform-and-consultant stack entirely.


Why Isn't Drata Enough to Automate SOC 2 Completely?

"Compliance automation" gets misread as "set it and forget it." A SOC 2 Type II audit is proof of operating effectiveness over a period of time, and much of that proof lives where an API cannot reach.

Drata is good at infrastructure automation. It connects to AWS, GitHub, Okta, and Rippling to verify that databases are encrypted, MFA is on, and employees have signed their policies. It is bounded by what those APIs expose. When a control requires a human to log into a custom dashboard, confirm a setting the API doesn't surface, or sign off on a review, Drata marks the control "manual" and stops. A dashboard flags the work; it does not do the work.

The 20% Manual Gap, Explained

The manual gap is the set of Trust Services Criteria that require visual or process-based evidence. For most SaaS companies it includes:

  • CC6.1 (Logical Access): proving that a "Viewer" role cannot reach the "Admin" settings in your own app.
  • CC7.2 (Change Management): documenting that a specific emergency patch was approved before it deployed.
  • CC8.1 (System Operations): capturing that internal monitoring dashboards were reviewed by the security team.

The Part Everyone Forgets: Attestations

The gap is not only screenshots. A large share of it is a people problem: access reviews, exception approvals, and vendor sign-offs that no camera and no API can produce. Someone has to ask the right person, wait for an answer, and file the proof. A dashboard can only flag the control and wait. That chasing is the single most common reason a program marketed as "fully automated" is red the week before an audit.


What Does Drata Automate vs. What Stays Manual?

To see why a dashboard alone isn't enough, look at the breakdown of a typical SOC 2 audit.

Compliance areaAutomated by Drata?How it worksWhat stays manual
Cloud infrastructureYesAPI connection to AWS/Azure/GCPDeep config settings not in the API
Personnel and HRYesIntegration with Rippling/Gusto/OktaManual offboarding of legacy systems
Policy managementPartialDocument editor and signature trackingProving policies are followed in-app
Endpoint securityYesMDM integrations (Jamf/Kandji)Non-standard device verification
Application UI controlsNoRequires manual uploadUI permission testing (CC6.1)
Workflow processesNoRequires manual uploadChange-approval proof (CC7.2)
Periodic attestationsNoFlagged as due onlyA person confirms; someone chases them

Why Can't Drata's APIs Capture the Rest?

APIs are built for data exchange between systems, not for observing how a human uses your software or for extracting a decision that lives in someone's head. Most proprietary SaaS apps never build a "compliance API" that would let a dashboard query internal permission states or historical UI configurations.

The Problem With Point-in-Time API Checks

An API can tell Drata that a user has "Role ID: 4." An auditor doesn't care about the ID; they want to see that "Role ID: 4" actually blocks access to the credit-card screen. Since a dashboard cannot look at your screen, the work falls to a person: log in as that role, navigate to the restricted page, capture the "Access Denied" result, and upload it. Repeat every quarter, for every control the API can't reach. That is the 40 to 80 hours a dashboard leaves on your plate.


How Vera Closes the Gap End to End

Vera runs the compliance program as an agent instead of a dashboard you log into and feed. She scans your infrastructure read-only, scopes your control matrix, drafts policies grounded in what she finds, and works the controls on a schedule. For the 20% a dashboard flags, she does the collection herself.

Her evidence mix is the honest breakdown: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a human uploading files into a dashboard. Screenshots are one of several ways she collects evidence, and the one a dashboard's APIs can never reach, not the identity of the product.

Step by Step to Full Coverage

  1. Identify the gap. Whether Drata flags CC6.1 as manual or Vera scopes it from your matrix, the control gets picked up rather than parked.
  2. Collect the evidence. For an infrastructure control Vera reads it over API. For an application control she runs the test through the Screenata browser extension, which captures timestamped screenshots, a DOM snapshot, and metadata, and a vision model scores the result against the control.
  3. Chase what only a person can answer. For an access review or exception, she DMs the right teammate in Slack or Teams, reminds at 24 hours, escalates to you at 48, and files their reply as evidence when it lands.
  4. Sign and trace it. Every artifact is hashed, timestamped (RFC 3161), and signed, and links back through a control test to a policy claim. If you run Drata, she syncs the pack into the matching control; if not, the audit vault is the source of truth.

Example: Automating CC6.1 With and Without Vera

CC6.1 is one of the most common manual hurdles in a SOC 2 audit. It requires proof that access to protected information is restricted to authorized users.

The Drata-only approach (manual)

  • A compliance manager asks a developer to screenshot the user-permission table.
  • The developer takes five screenshots, blurs some emails by hand, and saves them as image files.
  • The manager pastes them into a document with a narrative and uploads it to Drata.
  • Total time: about 45 minutes per test, repeated every quarter.

The way Vera does it

  • The control comes due. Vera runs the "CC6.1 Logical Access" test against a "Viewer" account.
  • She attempts an admin-only action; the app returns "Access Denied." The extension captures the modal, the role settings, and the URL, with a DOM snapshot and a signed timestamp. PII is redacted at capture.
  • Vera assembles the audit-ready pack, writes the narrative, links it to CC6.1, and, if you're on Drata, pushes it to the control.
  • Total hands-on time: a couple of minutes, most of it your review.

How Much Does Closing the Gap Change?

Moving from "80% automated" to full coverage changes both the hours and the cost.

MetricDrata only (manual gap)Drata plus Vera
Prep time per quarter60+ hoursMinutes of review
Evidence qualityInconsistent, human errorStandardized, signed, traced
Auditor review time2 to 3 weeksDays
Risk of a gap discoveryHigh, missing screenshotsLow, continuous capture
AttestationsYou chase themVera chases them in Slack
Cost of complianceHigh labor cost$499/month subscription

The cost, in plain numbers

Drata alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program the dashboard only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both the platform and the consultant: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.


The Attestation Problem No Dashboard Solves

Plenty of SOC 2 controls can only be satisfied by a human answering a question:

  • Did the quarterly access review actually happen, and did the right managers sign off?
  • Who approved this production exception, and why?
  • Was this vendor reviewed before it was onboarded?
  • Did offboarding revoke access in every downstream system?

A dashboard flags these and waits. Someone then has to remember, chase colleagues across Slack and email, gather the answers, and upload the proof, every quarter. Vera does the chasing: she DMs the right person, reminds at 24 hours, escalates at 48, and files the reply the moment it lands, with the whole thread visible. On access reviews she schedules and orchestrates the review and chases the reviewers, while the final judgment stays with your team.


Best Practices for End-to-End SOC 2 Automation

Map your manual controls early

Filter your Drata controls by "evidence source: manual." These cause the most stress in the audit window. Point Vera at them first so they're covered continuously, not scrambled at the deadline.

Insist on verifiable provenance

Auditors are skeptical of static screenshots that could be edited. Vera's packs carry NTP-synced timestamps proving the test happened in the window, a DOM snapshot proving the UI existed as shown, and the identity of who ran or attested to the test. An auditor can re-derive the policy claim behind any artifact and verify the signature with a free CLI.

Run on a schedule, not a scramble

Instead of collecting once a year, let Vera capture a logical-access check every month. If a developer breaks a permission, you have a record of when it happened and when it was fixed, turning a potential audit failure into a self-corrected observation.


Frequently Asked Questions About Drata and Complete SOC 2 Automation

Is Drata enough for SOC 2 compliance?

Drata is enough to monitor infrastructure, but not to run the program end to end. It automates about 80% of evidence through APIs, then flags the rest as manual and waits, which is 40 to 80 hours a quarter of screenshots and attestation chasing. Vera does that work.

What SOC 2 evidence does Drata not automate?

Application UI testing (CC6.1), workflow approvals (CC7.2), vulnerability-dashboard review (CC8.1), custom internal tools, and every periodic attestation that needs a human answer. A dashboard marks these manual; Vera captures the application evidence and chases the attestations.

How do you automate the remaining 20%?

With an agent that does the collection rather than a tool that flags it. Vera captures application workflows through the browser extension, generates signed evidence packs, chases sign-off in Slack, and, if you're on Drata, syncs the pack back so the control shows as covered.

Does Drata have built-in screenshot automation?

Its "Autopilot" captures some cloud-config screenshots via API, but it cannot log into your application or record custom UI workflows, and it does not chase attestations. That is the operating work Vera does.

How much time does this save?

For a mid-market SaaS company with 40 to 50 manual controls, Vera absorbs the 80 to 120 hours per audit cycle that would otherwise go to screenshotting, formatting, chasing sign-offs, and uploading, and she keeps the evidence current between audits.


Key Takeaways

  • Drata is not enough for full automation. It monitors infrastructure well but leaves a 20% gap in application controls and attestations, does not write your policies, and does not tell you what to fix.
  • The gap is expensive. Manual work runs 40 to 80 hours a quarter, and you still pay a $2K to $5K/month consultant for policies and audit prep.
  • APIs have limits. A dashboard can't see your UI, so it can't prove your internal permissions actually work, and it can't confirm a review happened.
  • A dashboard flags the work; Vera does it. She scans the same infrastructure, captures the application evidence, chases attestations in Slack, and files signed, traceable artifacts, alongside Drata or in place of it. A typical first year is around $18K versus roughly $85K for the traditional stack.
  • Auditors prefer signed, traceable evidence. Verifiable provenance and a claim-to-evidence chain reduce follow-up questions and shorten the window.

Learn More About SOC 2 Automation

Connect and see

See your SOC 2 with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.