
DRATA

Netfigo Verdict on Drata

Three co-founders who had personally suffered through the soul-crushing agony of SOC 2 compliance audits decided to automate the entire process, and it turns out every startup in America shared their pain. Drata automates security compliance — the paperwork and evidence collection that companies need to prove they're not a data breach waiting to happen. It's the kind of product that sounds incredibly boring until you realize that every SaaS company selling to enterprises is required to have it, and doing it manually involves spreadsheets, screenshots, and months of suffering. Drata turned compliance from a nightmare into a background process.

Founded: 2020

HQ: San Diego, California

Total Raised: $328 million

Founder: Adam Markowitz, Daniel Marashlian, Troy Markowitz

Status: Private ($3B valuation)

THE ORIGIN STORY

Adam Markowitz had a front-row seat to compliance hell. As the founder of a previous health tech startup, he spent months manually collecting evidence for SOC 2 and HIPAA audits — taking screenshots of security settings, documenting access controls, filling out questionnaires. The process was entirely manual, mindlessly repetitive, and had to be redone every year.

His brother Troy Markowitz and friend Daniel Marashlian had similar experiences. Every startup that wanted to sell to enterprises needed SOC 2 compliance (a security framework), and achieving it typically meant hiring consultants at $50,000-$100,000, assigning engineers to collect evidence for weeks, and praying that nothing changed between when you collected the screenshot and when the auditor reviewed it.

They founded Drata in January 2020 with a simple insight: most compliance evidence is just proof that security controls are configured correctly. And since those controls exist in software systems (AWS, Google Workspace, GitHub, Jira), you can check them automatically via API.

Instead of a human taking a screenshot to prove multi-factor authentication is enabled, Drata connects to the identity provider and verifies it continuously. The compliance audit becomes a live dashboard instead of a binder full of screenshots.

WHAT THEY ACTUALLY DO

Drata charges annual subscriptions based on the number of compliance frameworks supported and the size of the organization. Pricing starts around $12,000-$15,000 per year for startups doing a single SOC 2 audit and scales into six figures for large enterprises managing multiple frameworks (SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, etc.).

The value proposition is clear: companies spend $50,000-$150,000 on consultants and hundreds of engineer-hours on manual compliance annually. Drata replaces most of that with software that costs less and runs continuously. The ROI calculation sells itself.

The platform integrates with 100+ tools (AWS, Azure, GCP, Okta, GitHub, Jira, Slack, HR systems) to automatically collect compliance evidence. This means customers don't need to change their existing workflows — Drata observes what they're already doing and maps it to compliance requirements.

THE PRODUCTS

Drata Compliance Automation — the core platform that continuously monitors security controls across 100+ integrations and maps evidence to compliance frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and PCI DSS.

Drata Trust Center — a public-facing page that companies can share with prospects to show their compliance status and security posture, replacing back-and-forth security questionnaire exchanges.

Drata Risk Management — tools for identifying, assessing, and tracking security risks with automated workflows for remediation.

Drata Vendor Risk Management — automated assessment and monitoring of third-party vendor security posture.

Drata AI Compliance Assistant — uses AI to help answer security questionnaires and generate policy documents automatically.

HOW THEY GREW

Drata grew through the startup ecosystem. Every SaaS company selling to enterprises eventually needs SOC 2 compliance, which means every startup is a potential customer.

Drata became the default recommendation in founder communities — YC companies told other YC companies, one startup's security team recommended Drata to their friends at other startups.

The sales cycle is short because the pain is immediate. A startup loses a deal because a prospect requires SOC 2? That startup signs up for Drata the next day. The motivation is revenue — compliance is a gate to enterprise sales, not an abstract security exercise.

Partnership with audit firms was strategic. Drata works directly with audit firms who can use the platform to conduct more efficient audits.

This creates a two-sided network: companies use Drata to prepare for audits, auditors use Drata to conduct them faster. Everyone wins.

THE HARD PART

The compliance automation market is getting crowded fast. Vanta (Drata's most direct competitor) raised similar amounts of funding and targets the same customers.

Secureframe, Sprinto, and other startups are also in the space. Differentiation is increasingly difficult when every platform connects to the same integrations and automates the same frameworks.

Expansion beyond startups is the growth challenge. Drata's core market is startups and mid-market companies doing their first SOC 2 audit.

Enterprise organizations have existing GRC (governance, risk, and compliance) platforms from vendors like ServiceNow, RSA, and OneTrust. Moving upmarket means competing against entrenched vendors with deep relationships.

AI could disrupt the category. If AI assistants can automatically fill out security questionnaires, generate policies, and collect compliance evidence without a dedicated platform, the need for specialized compliance software could diminish. Drata is adding AI features to stay ahead, but the risk is real.

MONEY TRAIL

Seed · 2021 · Led by Cowboy Ventures · $3M raised

Series A · 2021 · Led by GGV Capital · $25M raised

Series B · 2022 · Led by ICONIQ Growth · $100M raised · $1.0B valuation

Series C · 2022 · Led by ICONIQ Growth · $200M raised · $3.0B valuation

WHO BACKED THEM

ICONIQ Growth led the Series C at a $3 billion valuation. GGV Capital led the Series B.

Cowboy Ventures was an early investor. Alkeon Capital, Salesforce Ventures, and Greylock Partners participated in growth rounds.

The company has raised $328 million total across multiple rounds.