Drata provides a solution for startups to automate evidence collection and tests, manage multiple frameworks simultaneously without added effort, and achieve continuous compliance. Drata is intended to enable companies to more easily maintain compliance standards via automation so they can dedicate more of their time, energy, and focus on their core product.

Founding Date

Jul 8, 2020

Headquarters

San Diego, California

Total Funding

$328M

Stage

Series C

Employees

501-1000


Memo

Updated

December 21, 2023


Thesis

When users create an online account, engage with a social media posting, or go shopping online, they share data about themselves. Sometimes, the data being shared can be harmless. However, sensitive data like social security numbers, credit card information, and email addresses pose risks. According to a 2019 survey, 94% of Americans believe businesses should be doing more to protect customer data. As of 2022, 71% of global consumers were reported to have “a degree of concern” with privacy.

Despite this, the same 2022 survey showed that 82% of global citizens were willing to share their data for pragmatic reasons. The desire to obtain the benefits of sharing data with companies without compromising sensitive data has contributed to a cybersecurity market estimated at $2 trillion as of 2022, spanning everything from cloud security to network security to identity management.

Within this, the subsegment known as governance, risk, and compliance (GRC) was valued at $47.2 billion in 2022. For companies that store or process sensitive personal information, demonstrating compliance with a recognized standard is often a prerequisite to doing business with other companies and is sometimes required by law, as when health data is involved. Commonly requested or required standards include System and Organization Controls 2 (SOC 2), an attestation report on a service organization's security controls; the Health Insurance Portability and Accountability Act (HIPAA), the US law governing health data; and the General Data Protection Regulation (GDPR), the EU's data-protection regulation, among others.

For many companies, getting up to par and maintaining compliance standards can be costly and painful. Because compliance is a firm-wide requirement, many employees must set aside time to collect evidence of compliance within their specific job functions. As an organization scales, so does its complexity, leading to additional parameters to track.

This pain point can be solved by automation, and that's where Drata comes in. By automating evidence collection and control tests, letting teams manage multiple frameworks at once without duplicated effort, and monitoring controls continuously rather than only at audit time, Drata is intended to let companies maintain compliance while dedicating more of their time, energy, and focus to their core product.


Founding Story

Founded in 2020, Drata's founding team consisted of Adam Markowitz (CEO), Daniel Marashlian (CTO), and Troy Markowitz (COO).

While in school, Adam Markowitz wanted to become a rocket scientist, and he received his master's in astronautical engineering from the University of Southern California. When applying for engineering positions in 2008, he discovered that bringing a portfolio of his previous engineering projects differentiated him from other candidates, landing him a position as an aerospace engineer at Aerojet Rocketdyne that same year. He worked on the main combustion chamber of the Space Shuttle program until NASA retired the program in 2011, when he became one of roughly 3.4K engineers who were laid off.

Adam Markowitz credits this moment as the catalyst for his “plunge” into entrepreneurship. Reflecting on his experience preparing his portfolio for job interviews and being sent to career fairs as a recruiter while working at Aerojet Rocketdyne, he realized that candidates needed a simple way to assemble digital portfolios that showcased their engineering talents. When he applied to SpaceX with one such digital portfolio and received immensely positive feedback, he decided to start a company to help students succeed by better showcasing their achievements to prospective employers.

As a result, he launched Portfolium in 2014 with Marashlian, who would later join him at Drata and who had previously co-founded several companies including RapidEngage, TweetPhoto, and Pelotonics. As with those other companies, Marashlian became co-founder and CTO of Portfolium. Portfolium would eventually come to be used by millions of students at more than 3.6K academic institutions it worked with. This caught the eye of Instructure, an edtech SaaS company, which acquired Portfolium in 2019 for $43 million.

At Portfolium, Adam Markowitz and Marashlian found they often faced a significant hurdle when forming a new partnership: compliance. Schools, legally obligated to protect sensitive student information, would ask the Portfolium team to prove the security of their platform. The team spent hundreds of hours preparing documents as a result, eventually developing internal software tools to assist with this process.

After serving as a VP and GM at Instructure for a little more than a year following the Portfolium acquisition, Adam Markowitz founded Drata in June 2020 to bring similar tools to market and help companies automate their compliance processes. He was joined by Marashlian and his brother Troy Markowitz, who had previously been Senior VP of Sales at Portfolium. The trio announced a $3.2 million seed round, led by Cowboy Ventures, in January 2021. Within 45 days, Drata had acquired its first 100 customers, and it reached 70+ employees within 10 months of its launch.

Product

Companies preparing for a compliance audit have traditionally compiled evidence manually. For instance, for each of the 80 to 100 security controls relevant to a SOC 2 report, team members might take notes in an Excel spreadsheet, take and organize screenshots, save copies of emails, and annotate codebases.

The complexity of coordinating this data collection is compounded by the fact that for many types of audits the evidence must cover a period of time rather than a single snapshot; a SOC 2 Type 2 report, for example, attests that controls operated over an observation window of several months, so evidence must be collected continuously throughout that window. This adds up to hundreds of hours that teams must dedicate to meeting compliance standards, time that could be more productively spent on the company's core products or business functions.

Drata’s product is intended to automate these compliance processes to save time. Drata supported more than 18 of the most commonly used compliance frameworks as of December 2023, including SOC 2, HIPAA, and ISO 27001. With more than 100 integrations, including Cloudflare, Duo, and MongoDB, Drata connects to a company's existing systems and continuously tests their configuration against the relevant controls, so that drift from a compliant state is flagged as it occurs rather than discovered at audit time. Drata’s API documentation is intended to reduce the friction of implementation for engineers.

Startups


Drata’s platform has a product line tailored to startups navigating compliance frameworks including SOC 2, HIPAA, GDPR, and ISO 27001, the best-known standard for information security management systems.

Drata walks startups through compliance, automates “almost all of the manual processes”, and connects to startups’ existing systems. Drata provides “real-time visibility into [startups’] security postures through automated control monitoring, centralized dashboards, and reports that automatically pull data from [startups’] existing systems”.

Scale


Drata also serves companies looking to automate compliance and risk management as they scale their businesses. Drata provides an “extensive library” of automated GRC controls, with each control pre-mapped to the requirements of every supported framework so that one piece of evidence can satisfy several frameworks at once. Drata also claims its automated controls can save companies up to 80% of the time spent satisfying various compliance frameworks.

Drata also offers automated risk management and custom controls, with end-to-end risk assessments and treatment workflows offered within Drata’s platform. Features include the ability to flag items and assign risk scores, as well as automated evidence collection by means of custom controls that can be mapped to tests.

Drata also allows its customers to scale their GRC capabilities along with their businesses through a single login that hosts multiple compliance workspaces, each with its own frameworks and controls but sharing access to vendor, asset, and personnel records.

Audit Hub


Drata’s Audit Hub is intended to streamline the audit process with dedicated tools and workflows. The hub lets users and their auditors conduct interactions and evidence gathering in one place, reducing back-and-forth communication over email and the risk of misplacing crucial evidence. It is intended to enable users to work with their auditors in real time within Drata’s platform, speeding up the audit and reducing errors.

Trust Center


In what Drata describes as a “fast pass to vendor security reviews”, the trust center is intended to accelerate sales cycles with faster security reviews and an easy way to display relevant security information to potential partners and/or customers. The trust center automatically pulls in security documents and information including “subprocessors, controls, policies, and reports”, and users can control what remains private.

Users can also use the trust center to display security reports “like vulnerability assessments and penetration test summaries, certifications and attestations, security policies, and the automated controls already monitored within Drata.”

Risk Management


Drata allows users to automatically match risks with 150+ pre-mapped controls, which is intended to help users “put risk management on autopilot”. It provides tools for teams to “manage end-to-end risk assessments and treatment workflows, and automate testing within a single platform.” Users are alerted to new or evolving risks and can use Drata to develop a treatment plan, align assessment scores, and create risk-related tasks through Drata's integration with Jira, Atlassian's issue and project tracking tool.

Third-Party Risk


According to Drata, 83% of companies face negative consequences from their existing third-party risk management (TPRM) processes. Drata allows users to automatically populate and update vendor directories to provide “a complete picture of your vendor ecosystem and the risks they pose”.

Centralizing vendor information in one place is also intended to let users streamline risk management processes and reduce human error through greater automation. The platform also supports proactive monitoring of vendor security via security reviews, custom security questionnaires for vendors, and prioritization of follow-up actions by urgency.

Automated Access Reviews


Drata allows its customers to conduct automated, recurring user access reviews directly within Drata. Companies that use Okta as their identity provider can draw on its connections to thousands of applications to centralize user access data across the organization. Automating such reviews is intended to catch stale or excessive access before it leads to unauthorized access or a data breach, while satisfying the periodic access-review controls that frameworks such as SOC 2 and ISO 27001 require.

Open API


Drata’s Open API allows users to connect their security programs “without compromising automation” by enabling integrations to endpoints or solutions such as security training solutions and background check providers, among others.

Market

Customer

Any company that wants to automate its compliance processes can leverage Drata to save time and reduce costs. Drata classifies its customers into three main types: startups, companies that have reached scale, and auditors.

Startups


Startups seeking SOC 2 compliance (or some other framework) for the first time can work with Drata to streamline the process. Patrick de la Garza, VP of Engineering at PolicyDock, a digital insurance company, discussed how preparing the documents himself would have become a full-time commitment that his company could not afford. For startups like PolicyDock, de la Garza commented that “having everything in a centralized location … made everything a lot simpler”, estimating that it saved his company about six months in the SOC 2 compliance process.

Notable startups using Drata as of December 2023 include Airbase, Fivetran, Notion, Vercel, Calendly, and Superhuman.

Scale

For companies that have already obtained some certifications or attestations, Drata assists with automating evidence collection for the next renewal period or with expanding to other compliance frameworks, which becomes more important as a company scales and its product offering grows more complex.

Wes Charlton, Director of Engineering at Thnks, an online workplace gratitude platform, described pursuing ISO 27001 certification and a SOC 2 report simultaneously. He reported that one of Drata’s main benefits is “the continual investment in security and security controls”, highlighted by continual monitoring of Thnks’s security posture. Charlton said that it took about 200 hours of work to achieve SOC 2 compliance without Drata. With Drata, that time was cut in half.

Some clients also use Drata for custom frameworks or to streamline existing processes. Fivetran’s Chief Information Security Officer, Tom Conklin, described leveraging Drata’s custom framework feature to pursue a SOC 1 report, a less commonly requested attestation that covers controls relevant to customers' financial reporting. This feature allowed Fivetran’s team to reduce audit time by 50%.

Auditors

Drata began by selling its software to companies but has since expanded to partner with auditors directly. The Drata Auditor Alliance Platform enables auditors to familiarize themselves with Drata’s mechanisms and processes, and auditors receive training about how to use Drata most effectively to simplify and save time on their audits. Furthermore, Drata has a pool of auditors who provide expert advice relating to niche compliance topics and provide feedback on Drata’s product offerings.

Market Size

The global compliance software market was estimated to be valued at $32.1 billion in 2022 and was projected to grow to $74.8 billion by 2028. As data requirements become more complex and expansive, the need for compliance software continues to grow. A 2023 report on the state of compliance software found that a growing percentage of surveyed organizations expected to spend more time on risk and compliance management, while 63% of respondents expected to spend more money on IT compliance and risk management.

Meanwhile, 62% of respondents were already using software to monitor security controls and report on their compliance posture, with a further 35% planning to evaluate such software in the future. The compliance software market is therefore set to grow along two dimensions: (1) existing companies are increasingly adopting some form of compliance software, and (2) new companies entering the space will expand the pool of customers.

Competition

Vanta: According to a senior compliance officer at a leading manufacturing firm, Vanta is widely considered the market leader in the compliance automation space. Vanta offers a similar suite of integrations and frameworks to Drata. Founded in 2017, Vanta is an automated security monitoring platform that, like Drata, helps companies obtain SOC 2 reports and HIPAA or ISO 27001 compliance. Backed by Y Combinator and Sequoia Capital, Vanta reached $10 million in ARR by 2021 and had 5K customers in April 2023. It has raised a total of $203 million in funding, with its most recent round being a $110 million Series B in June 2022 that valued the company at $1.6 billion.

SecureFrame: SecureFrame, founded in 2020, is another company with a similar set of product offerings to Drata and Vanta. It may support fewer frameworks than Drata or Vanta, but offers a similar number of integrations (150+), including the major cloud providers. It raised a $52 million Series B in February 2022 at an undisclosed valuation; it also reported at the time of that raise that its ARR had grown 10x and its customer count 7x in 2021. It has raised a total of $78.5 million in funding as of December 2023.

A-Lign: A familiar name in compliance, A-Lign, founded in 2009, released its compliance automation platform, A-SCEND, in June 2023, which it claims is the only complete, end-to-end service that streamlines the compliance process. Notably, this product is available free of charge (with a premium tier available for further support). Although its compliance automation segment is new, its core audit business serves notable customers including T-Mobile, Raymond James, and other large clients. It has raised a total of $54.5 million in funding as of December 2023.

Business Model

Drata operates on a subscription-based business model. At one point, the company offered two pricing plans that scaled with the number of employees: a Pro tier ($20/user/month) and an Enterprise tier ($30/user/month). At the time, Drata only supported SOC 2, and the main difference between the tiers was that Enterprise offered greater customizability over data collection.

Drata has since removed pricing information from its website. One third-party report stated that Drata had three pricing editions as of 2023: a $7.5K per year starter tier, a $15K per year growth tier, and an enterprise tier with custom pricing, but it is unclear what the source of these figures is or what is included in each package. According to an article published by Drata in May 2022, a SOC 2 Type 2 audit can cost between $12K and $20K for a small company and between $30K and $100K for a mid-sized company.

Traction

Drata acquired its first 100 customers within 45 days. For Drata’s first 10 months, company revenue grew at 69% month-over-month, and the company reached 70 employees by the end of its first year. In 2022, the company announced support for 13 additional compliance frameworks beyond SOC 2, reached over 2K clients, and ended the year at around 300 employees. In June 2023, Drata announced that it had earned “the overall first-ranked Momentum Leader position for Cloud Compliance, Vendor Security and Privacy Assessment, and IT Asset Management” from G2 for the summer of 2023.

Valuation

Drata has raised a total of $328.2 million in funding as of December 2023. It raised a $200 million Series C in December 2022 which valued the company at $2 billion, led by GGV Capital and ICONIQ Growth, with participation from Alkeon Capital, Cowboy Ventures, and Salesforce Ventures, as well as prominent angels including LinkedIn’s Jeff Weiner and Snowflake’s Frank Slootman. This round came a little more than a year after its $100 million Series B in November 2021, which valued the company at $1 billion, implying that its valuation doubled within the intervening 13 months.

Key Opportunities

The New Wave of Data Reliance in Business

Despite a downturn in venture funding in 2023, AI startups were at the forefront of funding activity. In June 2023, Harmonic reported that 1K AI startups had been founded since ChatGPT’s launch (and this is likely an undercount). In October 2023, AngelList reported that fully 24% of all Q3 investment activity on its platform was in AI/ML startups. In August 2023, AI startup Hugging Face achieved a $4.5 billion valuation.

At the same time, 40% of firms are discussing investing more in AI, with a further 28% making it a priority at board meetings. A fundamental ingredient of the AI space is data, particularly proprietary data, which requires protection. Companies large and small will likely be increasingly motivated to improve their security posture to mitigate data leakage, which is increasingly costly to their business models. This could benefit the market in which Drata operates.

High Costs of Data Breaches

Consumer pressure may cause companies to take compliance increasingly seriously. Companies that use security automation save an average of $1.8 million per breach relative to those that do not, according to a 2023 report on the cost of data breaches. For publicly traded companies, shares slipped 7.5% on average after a significant data breach, according to a May 2023 report.

Meanwhile, 60% of organizations reported increasing prices after a data breach, indicating that the costs end up being passed on to consumers. That, in combination with the consequences of consumers potentially having sensitive information exposed, may continue to increase pressure for companies to adopt tools like Drata to protect data and manage risk.

International Expansion

In April 2023, Drata announced a partnership with Distology, a cybersecurity distributor in the EMEA region. In 2022, Drata added compliance support in Spanish, French, and German. European compliance law tends to be less fragmented than compliance law in the United States, which features many different requirements depending on industry and business operations. Drata supports GDPR, the EU's primary data-protection regulation, and Europeans treat data protection as a fundamental right, suggesting further opportunities to automate compliance for companies seeking to enter the European market.

Key Risks

Competitive Landscape

Drata’s industry is fiercely competitive, with several players that offer a strong suite of integration support. Many of Drata’s competitors offer a similar suite of compliance frameworks and integrations, which may make differentiation difficult. One head of compliance who was a Drata customer reported being impressed with how quickly the Drata team responded to feature requests, often within hours or a day. However, Drata will have to keep finding ways to retain and expand its differentiation to win and keep market share.

Limits to automation

Despite the success of automation in compliance, some aspects of compliance still require manual input and expertise: an automated test can confirm that a setting is enabled or that a policy document exists, but judging whether a policy is appropriate, whether a control actually operates as designed, or how to treat a novel risk still relies on people, and auditors still sample and question the evidence. Drata’s automation may therefore reach a ceiling unless it develops capabilities, potentially AI-powered, that let it keep expanding the platform’s functionality.


Summary

With companies increasingly relying on sensitive data, combined with mounting consumer pressure and the high business costs associated with a data breach, maintaining a continuously secure and compliant posture is ever more important. Evidence of compliance with regulations and security best practices must be collected continuously before being submitted to an auditing firm for review or used internally. Conducted manually, this process is time-consuming and painful. Drata’s platform offers a suite of tools to automate evidence collection and control monitoring so that its users can focus on their core business.

Disclosure: Nothing presented within this article is intended to constitute legal, business, investment or tax advice, and under no circumstances should any information provided herein be used or considered as an offer to sell or a solicitation of an offer to buy an interest in any investment fund managed by Contrary LLC (“Contrary”) nor does such information constitute an offer to provide investment advisory services. Information provided reflects Contrary’s views as of a time, whereby such views are subject to change at any point and Contrary shall not be obligated to provide notice of any change. Companies mentioned in this article may be a representative sample of portfolio companies in which Contrary has invested in which the author believes such companies fit the objective criteria stated in commentary, which do not reflect all investments made by Contrary. No assumptions should be made that investments listed above were or will be profitable. Due to various risks and uncertainties, actual events, results or the actual experience may differ materially from those reflected or contemplated in these statements. Nothing contained in this article may be relied upon as a guarantee or assurance as to the future success of any particular company. Past performance is not indicative of future results. A list of investments made by Contrary (excluding investments for which the issuer has not provided permission for Contrary to disclose publicly, Fund of Fund investments and investments in which total invested capital is no more than $50,000) is available at www.contrary.com/investments.

Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Contrary. While taken from sources believed to be reliable, Contrary has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Please see www.contrary.com/legal for additional important information.

Authors

Brandon Cheng

Fellow


Sachin Maini

Editor


© 2024 Contrary Research · All rights reserved
