What Does Drata Automate for SOC 2? (And What Requires Manual Screenshots)

Drata automates 80% of SOC 2 compliance through APIs (AWS, Okta, GitHub, HRIS) but cannot capture application screenshots or UI workflows. This article breaks down exactly what Drata automates, what evidence collection remains manual, and how to automate screenshot-based evidence for SOC 2 audits.

January 8, 2026 · 8 min read
Tags: Drata · SOC 2 · Compliance Automation · Evidence Collection · Screenshots · Manual Evidence

Drata automates 80% of SOC 2 evidence collection through API integrations with your tech stack (AWS, GCP, Azure, Okta, GitHub, HRIS). However, Drata cannot automate application screenshots, UI workflow documentation, or visual verification of controls in your software. The remaining 20% requires manual screenshot evidence collection—typically 40–80 hours per SOC 2 audit. This article explains exactly what Drata automates, what remains manual, and how AI-powered screenshot automation eliminates the manual gap.


Why Does Drata Leave a 20% Manual Gap in SOC 2 Audits?

Drata automates SOC 2 evidence collection for infrastructure controls through API integrations, but SOC 2 auditors require visual proof for application-level controls. When a control requires screenshots of your application's UI—such as testing role-based access or documenting change management workflows—Drata marks it as a "Manual Task."

Without screenshot automation, teams spend 40–80 hours per quarter manually collecting evidence: taking screenshots, formatting them into PDFs, and uploading to Drata. This manual evidence collection is time-consuming, error-prone, and doesn't scale as your company grows or adds more SOC 2 controls.


What SOC 2 Evidence Does Drata Automate?

Drata automates SOC 2 evidence collection for approximately 75–80% of Trust Services Criteria (TSC) through API integrations. Here's exactly what Drata automates and which SOC 2 controls benefit from automation.

1. Cloud Infrastructure Monitoring

Drata connects to your Cloud Service Provider (CSP) to verify that databases are encrypted, S3 buckets are private, and MFA is enabled for root accounts.

  • Controls Impacted: CC6.1, CC6.6, CC7.1.
  • Evidence Type: JSON metadata and configuration snapshots via API.
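The checks described in this section run over the JSON configuration snapshots a GRC integration pulls from the cloud provider's APIs. The following is an added example, not Drata's code, showing how such a snapshot is evaluated: it uses a constructed snapshot shaped after the AWS response fields `StorageEncrypted` (RDS), `PublicAccessBlockConfiguration` (S3) and `AccountMFAEnabled` (IAM account summary), fails closed when a bucket has no public-access block configured at all, and compares two snapshots to surface control drift. Assigning each check to CC6.1 or CC6.6 is this example's assumption, drawn from the control list above.

```python
import copy

# Constructed snapshot shaped after the AWS API responses a GRC integration
# would store (rds describe-db-instances, s3 get-public-access-block,
# iam get-account-summary). All names and values are made up for the example.
SNAPSHOT = {
    "rds": [
        {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "analytics-db", "StorageEncrypted": False},
    ],
    "s3": {
        "customer-uploads": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "marketing-assets": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
        "legacy-exports": {},  # no public access block configured at all
    },
    "iam": {"SummaryMap": {"AccountMFAEnabled": 0}},
}

PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def evaluate_snapshot(snapshot):
    """Return (control_id, check_name, resource, passed) tuples for one snapshot.

    Control ids are this example's assumed mapping: encryption and root MFA
    under CC6.1, public exposure of storage under CC6.6.
    """
    results = []
    for db in snapshot.get("rds", []):
        results.append(("CC6.1", "rds-storage-encrypted",
                        db["DBInstanceIdentifier"], bool(db.get("StorageEncrypted"))))
    for name, cfg in snapshot.get("s3", {}).items():
        pab = cfg.get("PublicAccessBlockConfiguration", {})
        # Fail closed: a missing block or any flag not explicitly True is a failure.
        passed = all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS)
        results.append(("CC6.6", "s3-public-access-blocked", name, passed))
    mfa = snapshot.get("iam", {}).get("SummaryMap", {}).get("AccountMFAEnabled", 0)
    results.append(("CC6.1", "root-account-mfa-enabled", "root", mfa == 1))
    return results


def failing(results):
    """Only the checks that would show up as failing tests in the dashboard."""
    return [r for r in results if not r[3]]


def drift(previous, current):
    """Checks that passed in the previous snapshot but fail in the current one."""
    prev_ok = {(c, chk, res) for c, chk, res, ok in previous if ok}
    return [(c, chk, res) for c, chk, res, ok in current
            if not ok and (c, chk, res) in prev_ok]


def with_root_mfa(snapshot, enabled):
    """Copy of a snapshot with the root MFA flag set; used to simulate an earlier capture."""
    s = copy.deepcopy(snapshot)
    s["iam"]["SummaryMap"]["AccountMFAEnabled"] = 1 if enabled else 0
    return s


if __name__ == "__main__":
    now = evaluate_snapshot(SNAPSHOT)
    for control, check, resource, ok in now:
        print(f"{control} {check:28} {resource:18} {'PASS' if ok else 'FAIL'}")
    earlier = evaluate_snapshot(with_root_mfa(SNAPSHOT, True))
    print("drift since previous snapshot:", drift(earlier, now))
```

Running the snapshot evaluation on a schedule and diffing against the previous result is what turns a point-in-time check into continuous monitoring: a control that silently flips from passing to failing between audits is caught as drift rather than discovered during evidence review.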

2. Personnel and HRIS Integration

By syncing with tools like Rippling, Gusto, or BambooHR, Drata automatically tracks employee onboarding, background checks, and security awareness training completion.

  • Controls Impacted: CC1.1, CC1.2, CC1.4.
  • Evidence Type: Employment records and training certificates.

3. Identity and Access Management (IAM)

Drata monitors Okta, Google Workspace, and Azure AD to ensure that only authorized users have access to critical systems and that offboarding happens instantly when an employee leaves.

  • Controls Impacted: CC6.1, CC6.3.
  • Evidence Type: User lists and access logs.

4. Policy Management and Acknowledgment

Drata provides a library of SOC 2-compliant policy templates and automates the distribution and digital signing process for all employees.

  • Controls Impacted: CC1.1, CC2.1, CC5.2.
  • Evidence Type: Version-controlled PDFs with signature timestamps.

What SOC 2 Evidence Does Drata NOT Automate?

Drata cannot automate SOC 2 evidence for application-level controls that require visual proof or screenshots. This "20% manual gap" consists of UI-based controls, workflow documentation, and custom tooling that lack API access.

1. Application-Specific Logic and UI Verification

Drata cannot log into your software to verify that a "Delete" button triggers a confirmation modal or that a "Viewer" role actually lacks "Admin" permissions within your UI.

  • The Gap: You must manually record yourself testing these features and upload the video or screenshots.

2. Manual Process Walkthroughs

Controls related to physical security (e.g., office badge logs), certain change management approvals, or vendor risk assessments that happen via email or Slack are not automatically captured.

  • The Gap: Auditors require "Evidence Packs" showing the sequence of the process, which Drata cannot generate on its own.

3. Custom Internal Tooling

If your company uses proprietary internal dashboards or niche SaaS tools without a public API, Drata cannot monitor them.

  • The Gap: These remain "Manual Tasks" in your Drata dashboard indefinitely.

4. Visual Proof of Security Features

While Drata can check if a database is encrypted via API, it cannot "see" if your application displays a "Secure" badge or masks PII (Personally Identifiable Information) in the user profile view.

  • The Gap: Visual confirmation is often required to satisfy the "Confidentiality" and "Privacy" criteria of SOC 2.

Comparison: Drata vs. Screenata (The Sensor vs. The OS)

To understand how to achieve 100% automation, it is helpful to view Drata as the Operating System and Screenata as the Visual Sensor.

Feature          | Drata (GRC Platform)  | Screenata (Evidence Automation)
---------------- | --------------------- | -------------------------------------------
Primary Source   | APIs & Integrations   | Browser UI & Workflows
Infrastructure   | Fully Automated       | Not Applicable
Application UI   | Manual Task           | Fully Automated (AI Agents)
Evidence Format  | Log Data / JSON       | Audit-Ready PDF Evidence Packs
Control Mapping  | All SOC 2 TSCs        | Application-Level TSCs (CC6.1, CC7.2, etc.)
Human Effort     | Low (for APIs)        | Low (for Manual Processes)

How Do You Automate the Manual Evidence Drata Can't Capture?

Screenshot automation tools close the 20% gap by automatically capturing application UI evidence and syncing it to Drata. Screenata uses AI agents to record and document UI-based workflows, turning 40 hours of manual SOC 2 screenshot collection into 5 minutes of automated evidence generation.

Step 1: Identify "Manual Tasks" in Drata

Review your Drata dashboard for any controls marked as "Manual" or requiring "File Upload." These are typically controls like CC6.1 (Logical Access) or CC7.2 (Change Management).

Step 2: Record the Workflow with Screenata

Instead of taking individual screenshots, you launch the Screenata browser extension and perform the test once. For example, log in as a "User" and attempt to access the "Settings" page.

Step 3: AI-Powered Evidence Generation

Screenata’s AI agent identifies the elements on the screen, extracts text via OCR, and blurs any sensitive PII. It then generates a structured PDF Evidence Pack that includes:

  • Standardized timestamps.
  • Control ID mapping (e.g., "Mapped to CC6.1").
  • Step-by-step narratives.
  • Verifiable metadata (DOM snapshots and hashes).

Step 4: Direct Export to Drata

Once the Evidence Pack is generated, it is automatically pushed into the Drata Evidence Library or attached directly to the relevant control, moving the status from "Manual" to "Completed."


Example Use Case: CC6.1 – Logical Access Controls

The Problem: Drata can see that a user is in your Okta group, but it cannot prove that your application actually restricts that user’s access to the "Billing" section.

The Manual Way (Without Screenata):

  1. Log in as a "Standard User."
  2. Navigate to the Billing page.
  3. Take a screenshot of the "Access Denied" message.
  4. Open Word, paste the screenshot, add a timestamp, and export as PDF.
  5. Upload the PDF to Drata.
  6. Repeat every quarter.

The Automated Way (With Screenata + Drata):

  1. Trigger the "Access Test" workflow in Screenata.
  2. The AI agent records the "Access Denied" screen and generates the PDF instantly.
  3. Screenata syncs the PDF to Drata CC6.1.
  4. Total time: 60 seconds.

Why Auditors Prefer the Drata + Screenata Combination

Auditors are increasingly wary of "loose" screenshots (individual PNG files) because they lack context and are easily manipulated. By combining Drata’s system logs with Screenata’s verifiable evidence packs, you provide a "defense-in-depth" proof of compliance.

1. Chain of Custody

Screenata evidence includes cryptographic hashes that prove the screenshots haven't been altered since the moment of capture.
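The evidence pack metadata from Step 3 above (timestamps, control mapping, narrative, artifact hashes) and the chain-of-custody claim in this section both rest on the same mechanism, so here is one added example covering both. It is not Screenata's or Drata's code; it assumes a constructed set of captured artifacts (two stand-in screenshots and a DOM snapshot), a hypothetical key held only by the collection service, and the CC6.1 "Access Denied" scenario from the use case. It builds a manifest with a SHA-256 digest per artifact plus a digest and an HMAC over the manifest itself, then verifies a pack and reports exactly what changed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample artifacts standing in for a captured screenshot and a DOM
# snapshot. Real captures would be the PNG bytes and the serialized page HTML.
SAMPLE_ARTIFACTS = {
    "step1_login_as_standard_user.png": b"\x89PNG\r\n\x1a\n<constructed screenshot bytes 1>",
    "step2_billing_access_denied.png": b"\x89PNG\r\n\x1a\n<constructed screenshot bytes 2>",
    "step2_dom_snapshot.html": b"<h1>Access Denied</h1><p>You do not have permission to view Billing.</p>",
}

# Hypothetical key held only by the evidence-collection service, never by the
# person running the test. Without a key the uploader does not control, an
# edited screenshot could simply be re-hashed and the manifest rewritten.
SERVICE_KEY = b"constructed-demo-key-do-not-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(body: dict) -> bytes:
    """Deterministic JSON encoding so the same fields always hash identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, control_id, narrative, key, captured_at=None):
    """Produce the manifest that travels with an evidence pack."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries = [{"name": name, "sha256": sha256_hex(data), "bytes": len(data)}
               for name, data in sorted(artifacts.items())]
    body = {"control_id": control_id, "narrative": narrative,
            "captured_at": captured_at, "artifacts": entries}
    canonical = canonical_bytes(body)
    body["manifest_sha256"] = sha256_hex(canonical)      # detects edits to the manifest
    body["hmac_sha256"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()  # binds it to the service
    return body


def verify_manifest(manifest, artifacts, key):
    """Return (ok, problems) for a pack; every problem names what was altered."""
    problems = []
    body = {k: v for k, v in manifest.items() if k not in ("manifest_sha256", "hmac_sha256")}
    canonical = canonical_bytes(body)
    if sha256_hex(canonical) != manifest.get("manifest_sha256"):
        problems.append("manifest hash mismatch: manifest fields were edited")
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        problems.append("hmac mismatch: manifest not produced by the collection service")
    listed = {e["name"]: e for e in manifest.get("artifacts", [])}
    for name, data in artifacts.items():
        entry = listed.get(name)
        if entry is None:
            problems.append(f"{name}: not listed in manifest")
        elif entry["sha256"] != sha256_hex(data):
            problems.append(f"{name}: content changed since capture")
    for name in listed:
        if name not in artifacts:
            problems.append(f"{name}: listed but missing from pack")
    return (not problems), problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "CC6.1",
                              "Standard user denied access to Billing", SERVICE_KEY)
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, SAMPLE_ARTIFACTS, SERVICE_KEY))
```

The per-artifact digests are what a reviewer compares against the files in the pack; the manifest-level HMAC (or, equivalently, a signature with a key the uploader does not hold, or a timestamped record of the digest in the GRC platform) is what makes "unaltered since capture" hold against the person who submitted the evidence rather than only against accidental corruption.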

2. Contextual Accuracy

While Drata provides the what (the system configuration), Screenata provides the how (the user experience). This dual-layer proof is the "gold standard" for Big 4 auditors.

3. Standardized Reporting

Every piece of evidence generated by Screenata follows the AICPA SOC 2 reporting format, making it easier for auditors to review and approve your controls quickly.


Best Practices for Achieving 100% SOC 2 Automation

To maximize your ROI on compliance tooling in 2026, follow this implementation roadmap:

  1. Integrate Everything in Drata First: Connect your AWS, GitHub, Okta, and HRIS immediately. This handles your 80% baseline.
  2. Tag Your "Visual Controls": Identify the 20% of controls that require UI proof. Common candidates are CC6.1, CC6.7, CC7.2, and CC8.1.
  3. Create "Golden Workflows" in Screenata: For every manual control, record a "Success State" workflow. Screenata will use this as a template for future evidence collection.
  4. Enable Continuous Evidence Collection: Don't wait for the audit window. Set Screenata to capture UI evidence monthly. This prevents "control drift" where a UI update accidentally breaks a security feature.
  5. Use the Drata Evidence Library: Store all Screenata-generated packs in Drata’s central library for easy mapping to multiple frameworks (e.g., mapping one Screenata test to both SOC 2 and ISO 27001).

Frequently Asked Questions About Drata and SOC 2 Evidence Automation

Does Drata automate SOC 2 screenshots?

No. Drata's "Autopilot" feature can capture some cloud configuration screenshots via API, but it cannot log into your application or record custom UI workflows. For application-level screenshot evidence, you need dedicated screenshot automation like Screenata.

What SOC 2 controls does Drata NOT automate?

Drata cannot automate controls requiring application screenshots: CC6.1 (logical access/RBAC), CC7.2 (change management UI workflows), CC8.1 (vulnerability dashboards), and custom internal tools. These remain "Manual Tasks" in Drata.

How much manual work remains with Drata alone?

Typical SaaS companies spend 40–80 hours per SOC 2 audit cycle on manual screenshot collection, PDF formatting, and evidence uploads for the 20–30 controls Drata cannot automate.

Can Drata and Screenata work together?

Yes. Drata is the GRC platform (compliance "OS"), while Screenata automates screenshot evidence collection (visual "sensor"). Screenata evidence packs automatically sync to Drata, moving manual tasks to "completed" status.

Does Drata work with other compliance frameworks besides SOC 2?

Yes. Drata supports ISO 27001, HIPAA, and PCI DSS. However, the same 20% screenshot gap exists across all frameworks. Screenata supports cross-framework evidence mapping for all Drata-supported standards.


Key Takeaways

  • Drata automates the "API-Layer": It is the best tool for monitoring cloud infrastructure, HRIS, and identity providers.
  • The "20% Gap" is real: Application-level controls and manual processes still require visual proof that Drata cannot capture.
  • Screenata automates the "UI-Layer": It uses AI agents to record workflows and generate audit-ready PDF Evidence Packs.
  • Integration is seamless: Screenata evidence packs sync directly into Drata, moving manual tasks to "completed" status automatically.
  • Auditors trust structured evidence: Moving from static screenshots to verifiable Screenata packs reduces audit friction and increases trust.

Learn More About SOC 2 Automation

For a comprehensive guide to automating SOC 2 evidence collection, including how to close the 20% manual gap left by Drata and other GRC platforms, see our complete SOC 2 automation guide.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

© 2025 Screenata. All rights reserved.