Compliance
What Does Drata Automate for SOC 2? Control-by-Control Breakdown
A control-by-control walkthrough of what Drata handles via API (MFA checks, encryption configs, employee onboarding) versus what it flags and waits on (application access tests, custom-tool reviews, change approvals, periodic attestations). Includes specific CC control IDs and how Vera, an agent that runs continuous compliance, does the work a dashboard leaves manual.

Drata automates about 80% of SOC 2 evidence through API integrations with your stack (AWS, GCP, Azure, Okta, GitHub, HRIS). It cannot capture application evidence, produce workflow documentation, or confirm the attestations a person has to answer, so it flags those and waits. That remaining 20% is typically 40 to 80 hours per audit that a dashboard does not touch. This breakdown covers exactly what Drata automates, what it leaves manual, and how Vera, an agent who runs continuous compliance, does the work a dashboard only flags, alongside Drata or in place of the platform-plus-consultant stack.
Why Does Drata Leave a 20% Manual Gap?
Drata automates infrastructure evidence over API, but auditors require more than configuration state. When a control needs proof of how your application behaves (testing role-based access, documenting a change-management workflow) a dashboard has no API to query, so it marks the control a "manual task."
Without an agent doing that work, teams spend 40 to 80 hours per quarter collecting evidence by hand: taking screenshots, formatting PDFs, chasing sign-offs, and uploading. That manual burden is error-prone and grows every time you add a control or a framework. A dashboard flags the work; it does not do the work.
What SOC 2 Evidence Does Drata Automate?
Drata automates roughly 75 to 80% of Trust Services Criteria through read-only API integrations. Here is what it covers and which controls benefit.
1. Cloud Infrastructure Monitoring
Drata connects to your cloud provider to verify that databases are encrypted, S3 buckets are private, and MFA is enabled for root accounts.
- Controls impacted: CC6.1, CC6.6, CC7.1.
- Evidence type: JSON metadata and configuration snapshots via API.
2. Personnel and HRIS Integration
By syncing with Rippling, Gusto, or BambooHR, Drata tracks employee onboarding, background checks, and security-awareness training completion.
- Controls impacted: CC1.1, CC1.2, CC1.4.
- Evidence type: employment records and training certificates.
3. Identity and Access Management
Drata monitors Okta, Google Workspace, and Azure AD to confirm that only authorized users have access and that offboarding happens when someone leaves.
- Controls impacted: CC6.1, CC6.3.
- Evidence type: user lists and access logs.
4. Policy Management and Acknowledgment
Drata provides policy templates and tracks distribution and digital signing across employees.
- Controls impacted: CC1.1, CC2.1, CC5.2.
- Evidence type: version-controlled PDFs with signature timestamps.
What SOC 2 Evidence Does Drata NOT Automate?
Drata cannot produce evidence for application-level controls that require visual proof or a human answer. This 20% consists of UI-based controls, workflow documentation, custom tooling, and periodic attestations.
1. Application Logic and UI Verification
Drata cannot log into your software to confirm that a "Delete" button triggers a confirmation modal or that a "Viewer" role actually lacks "Admin" permissions in your UI.
- The gap: someone has to run the test and capture the result.
2. Manual Process Walkthroughs
Physical-security checks (badge logs), certain change approvals, and vendor reviews that happen over email or Slack are not captured automatically.
- The gap: auditors want an evidence pack showing the sequence of the process, which a dashboard cannot assemble on its own.
3. Custom Internal Tooling
If your team uses proprietary dashboards or niche SaaS without a public API, a dashboard cannot monitor them.
- The gap: these stay "manual tasks" in the dashboard indefinitely.
4. Periodic Attestations
Access reviews, exception approvals, and vendor sign-offs can only be confirmed by a person.
- The gap: a dashboard flags the review as due and waits; someone has to chase the humans and file the answer.
Drata vs. Vera, Control by Control
View Drata as an infrastructure monitoring dashboard and Vera as the agent that runs the whole program.
| Capability | Drata (monitoring dashboard) | Vera (agent that runs the program) |
|---|---|---|
| Primary source | APIs and integrations | Same scans plus application capture and attestations |
| Infrastructure | Fully automated | Fully automated via integrations |
| Application UI | Flagged manual | Captured and scored |
| Attestations | Flagged as due | Chased in Slack and filed |
| Policy writing | Templates you fill in | Drafted from your attested reality |
| Evidence format | Log data and JSON | Signed, traced PDF packs |
| Control mapping | All SOC 2 TSCs | All SOC 2 TSCs plus readiness scoring |
How Vera Does the Work Drata Can't
Vera runs the compliance program as an agent. She scans your infrastructure read-only, scopes your control matrix, drafts policies grounded in what she finds, and works the controls on a schedule. For the 20% a dashboard flags, she does the collection: she captures application evidence through the Screenata browser extension, chases attestations in Slack or Teams, and files signed, traceable artifacts.
Her evidence mix is the honest breakdown: about 70% fully API-automated, roughly 9% automated screenshots (the browser extension plus a vision model scoring the capture), about 9% guided capture, and around 5% ingested from your inbox. Zero percent comes from a person uploading files into a dashboard. Screenshots are one of several ways she collects evidence, and the one an API can never reach, not the identity of the product.
Step 1: Identify the manual tasks
Review your Drata dashboard for controls marked manual or requiring a file upload, typically CC6.1 (Logical Access) or CC7.2 (Change Management). Point Vera at those.
Step 2: Capture the workflow
Instead of taking screenshots by hand, Vera runs the test once through the browser extension. For example, log in as a "User" and attempt to reach the "Settings" page.
Step 3: Generate signed evidence
Vera identifies the elements on screen, extracts text, and redacts PII, then produces a structured evidence pack that includes:
- Standardized timestamps.
- Control-ID mapping (for example, mapped to CC6.1).
- Step-by-step narratives.
- Verifiable metadata (a DOM snapshot and cryptographic hashes).
Step 4: Export to the dashboard
The pack is pushed into the Drata evidence library or attached to the relevant control, moving its status from manual to completed.
Example: CC6.1, Logical Access Controls
The problem: Drata sees that a user is in your Okta group, but it cannot prove your application actually restricts that user from the "Billing" section.
The manual way, without Vera
- Log in as a "Standard User."
- Navigate to the Billing page.
- Screenshot the "Access Denied" message.
- Paste it into a document, add a timestamp, export a PDF.
- Upload the PDF to Drata.
- Repeat every quarter.
The way Vera does it
- The control comes due. Vera runs the access test against a "Standard User" account.
- The agent captures the "Access Denied" screen, redacts PII, and generates the signed pack instantly.
- Vera syncs the pack to Drata under CC6.1.
- Total hands-on time: about a minute, most of it your review.
Why Auditors Prefer Vera's Evidence Packs
Auditors are wary of loose screenshots, individual image files with no context that are easy to alter. By combining Drata's system logs with Vera's signed packs, you give them a chain of custody.
1. Chain of Custody
Every pack includes cryptographic hashes and a signed manifest proving the evidence hasn't been altered since capture, with NTP-synced timestamps proving the test happened in the audit window.
2. Traceable Context
A dashboard gives the "what" (the system configuration). Vera adds the "how" (the user experience) and ties every artifact back through a control test to a specific policy claim. An auditor can start from a policy sentence and follow it to the signed evidence, then verify the signature with a free CLI.
3. Standardized Reporting
Every pack follows the same AICPA-aligned format and is OCR'd, so an auditor can search hundreds of pages for a phrase like "Access Denied" instead of parsing five one-off formats. That consistency is what shortens audit windows.
What the Whole Thing Costs
Drata alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program the dashboard only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both the platform and the consultant: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.
Best Practices for Full SOC 2 Coverage
- Connect everything in Drata first. Wire up AWS, GitHub, Okta, and your HRIS to cover the 80% baseline.
- Tag your visual controls. Identify the 20% that need UI proof, commonly CC6.1, CC6.7, CC7.2, and CC8.1, and hand them to Vera.
- Let Vera run the tests on a schedule. Capture each control continuously so a UI change that breaks a permission shows up as a self-corrected observation, not an audit failure.
- Redact at capture. Vera blurs PII at the moment of capture, before anything is filed or synced.
- Reuse evidence across frameworks. One Vera test can map to SOC 2 and ISO 27001 at once, so you collect once and satisfy several standards.
Frequently Asked Questions About Drata and SOC 2 Compliance Automation
Does Drata automate SOC 2 screenshots?
No. Its "Autopilot" can capture some cloud-config screenshots via API, but it cannot log into your application or record custom UI workflows. Application evidence is captured by an agent like Vera.
What SOC 2 controls does Drata NOT automate?
Controls requiring application evidence: CC6.1 (logical access/RBAC), CC7.2 (change management UI workflows), CC8.1 (vulnerability dashboards), custom internal tools, and every periodic attestation. A dashboard flags these; Vera does them.
How much manual work remains with Drata alone?
Typical SaaS companies spend 40 to 80 hours per SOC 2 cycle on manual screenshot collection, PDF formatting, attestation chasing, and uploads for the controls a dashboard cannot automate.
Can Vera work with Drata?
Yes. If you already use Drata, Vera does the application-level and attestation work it flags, then syncs signed packs back so the control shows as covered. For teams starting fresh, Vera runs the full program on its own.
Does this apply to other frameworks?
Yes. Drata supports ISO 27001, HIPAA, and PCI DSS, and the same 20% gap exists across all of them. Vera captures the manual evidence for each and reuses it across frameworks.
Key Takeaways
- Drata automates the API layer. It is a capable tool for monitoring cloud infrastructure, HRIS, and identity providers.
- The 20% gap is real. Application controls, custom tools, and periodic attestations still require proof a monitoring dashboard cannot produce.
- A dashboard flags the work; Vera does it. She captures application evidence, chases attestations in Slack, and files signed, traceable packs.
- Vera syncs back to the dashboard. Evidence packs push into Drata and move manual tasks to completed, or the audit vault stands alone if you don't keep a dashboard.
- Auditors trust signed, traceable evidence. Verifiable provenance and a claim-to-evidence chain reduce audit friction. A typical first year runs around $18K versus roughly $85K for the traditional stack.
Learn More About SOC 2 Automation
For a comprehensive guide to automating SOC 2 evidence collection, including how Vera closes the 20% manual gap a dashboard leaves, see our complete SOC 2 automation guide.
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.