
Getting Started with Drata: Complete SOC 2 Setup Guide

We have guided dozens of organizations through Drata implementations, and it remains one of the most streamlined paths to SOC 2 readiness we recommend.

Agency Team
15 min read

We have guided dozens of organizations through Drata implementations, and it remains one of the most streamlined paths to SOC 2 readiness we recommend. A well-run Drata setup — integrations connected, agent deployed, policies in place, controls mapped — can be fully configured in one to two weeks with focused effort. This guide walks through every stage of that process, from initial workspace configuration through audit readiness, with the platform-specific instructions and configuration recommendations we share with our own clients.

This playbook is designed for compliance leads and engineering teams that have recently purchased Drata or are evaluating the platform during a trial. Every section follows the recommended setup order, explaining the specific decisions at each stage and flagging the configuration mistakes we most often see teams make.

Implementation Timeline Overview

In our experience, Drata's implementation is one of the fastest in the GRC platform category. The following timeline assumes a team of one compliance lead with part-time engineering support — which is how most of our clients start.

Phase | Timeline | Key Activities
--- | --- | ---
Workspace setup and framework selection | Day 1 | Create workspace, select SOC 2 framework, configure company profile
Cloud and identity integrations | Days 1-3 | Connect AWS/GCP/Azure, identity provider, HR platform
Agent deployment | Days 3-7 | Deploy Drata agent to all employee endpoints
Remaining integrations | Days 4-7 | Code repositories, endpoint management, monitoring, vulnerability scanning
Policy configuration | Days 5-10 | Customize and publish policy templates
Personnel onboarding | Days 7-10 | Invite employees, assign roles, trigger training and acknowledgments
Control review and gap remediation | Days 10-14 | Review control status, address failing controls, verify evidence flow

Step 1: Workspace Setup and Framework Selection

Initial Configuration

When you first log into Drata, you will configure your workspace with foundational company information. We walk our clients through this step-by-step:

  1. Company profile: Enter your company name, legal entity, industry, headcount, and primary location. This information populates your system description and determines which controls and integrations are most relevant.

  2. Framework selection: Select SOC 2 as your primary framework. Drata supports 35+ frameworks — if you plan to pursue ISO 27001, HIPAA, or other frameworks alongside SOC 2, we recommend enabling them now so controls are cross-mapped from the start. For most first-time organizations, we advise scoping the first audit to the SOC 2 Security criteria only.

  3. Trust Service Criteria selection: Choose which criteria to include in your SOC 2 scope. Security (Common Criteria) is mandatory. Add Availability, Processing Integrity, Confidentiality, or Privacy based on your customer requirements and business model.

  4. Audit period: Set your intended audit observation period dates. For Type I, this is a point-in-time date. For Type II, this defines the start and end of your observation window. Setting this early helps Drata track evidence collection against your timeline.

Configuration Recommendations

  • Start with Security only unless customers have specifically requested additional criteria. We tell clients this regularly: you can add criteria in future audit cycles without losing existing evidence, so there is no reason to over-scope your first audit.
  • Enable multi-framework mapping if you anticipate ISO 27001 or HIPAA within the next twelve months. In our experience, cross-framework mapping is significantly more efficient when enabled from the start rather than retrofitted later.
  • Set realistic audit dates — if you have not yet engaged an auditor, estimate conservatively and adjust later. We see teams create unnecessary stress by setting aggressive dates before their program is actually ready.

Step 2: Connect Cloud Infrastructure Integrations

Cloud provider integrations are the highest-priority connections because they provide evidence for the largest number of SOC 2 controls. We always advise clients to start here.

AWS Integration

Drata's AWS integration uses a CloudFormation stack or IAM role to scan your AWS environment:

  1. Navigate to the Integrations page and select AWS
  2. Choose your connection method (we recommend CloudFormation for simplicity)
  3. Deploy the CloudFormation template in your AWS account — this creates a read-only IAM role that grants Drata permission to scan your configuration
  4. Verify the connection and run the initial scan

The AWS integration monitors security groups, S3 bucket policies, encryption settings, IAM configurations, CloudTrail logging status, and other security-relevant settings across your AWS services.

GCP Integration

For Google Cloud Platform:

  1. Create a service account with the required read-only roles
  2. Enable the APIs that Drata needs to scan your environment
  3. Provide the service account credentials to Drata
  4. Run the initial scan to verify connectivity

Azure Integration

For Microsoft Azure:

  1. Register an application in Microsoft Entra ID
  2. Assign the Reader role at the subscription level
  3. Provide the application credentials to Drata
  4. Verify the connection and initial scan results

Post-Connection Verification

After connecting your cloud provider, review the initial scan results on your Drata dashboard. You will likely see several failing controls related to cloud configuration — unencrypted storage buckets, overly permissive security groups, or disabled logging. We tell clients not to panic at this stage. These are expected findings that you will remediate during the gap resolution phase, and they are exactly why you connected the integration early.
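To make the expected findings concrete, here is an added example (not Drata's scanner and not code from the original article) that evaluates a constructed configuration snapshot for the three findings named above and reports each control as passing or failing, the way the dashboard does. The snapshot layout and the rule that only web ports may be open to the world are our own assumptions.

```python
from ipaddress import ip_network

# Constructed sample snapshot (not real account data). The shape is our own
# simplification for illustration, not Drata's data model or the AWS API format.
SNAPSHOT = {
    "buckets": [
        {"name": "app-logs", "default_encryption": "AES256"},
        {"name": "customer-exports", "default_encryption": None},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "cloudtrail": {"enabled": False, "multi_region": False},
}

# Assumption: only the public web ports may be reachable from any address.
PUBLIC_OK_PORTS = {80, 443}

def check_bucket_encryption(snapshot):
    """Flag buckets with no default server-side encryption configured."""
    return [f"bucket {b['name']}: no default encryption"
            for b in snapshot["buckets"] if not b.get("default_encryption")]

def check_security_groups(snapshot):
    """Flag ingress rules that expose a non-web port to the whole internet."""
    findings = []
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            net = ip_network(rule["cidr"], strict=False)
            # a /0 prefix matches every address
            if net.prefixlen == 0 and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(
                    f"security group {sg['id']}: port {rule['port']} open to {rule['cidr']}")
    return findings

def check_audit_logging(snapshot):
    """Require an enabled, multi-region CloudTrail trail."""
    trail = snapshot["cloudtrail"]
    if not trail.get("enabled"):
        return ["cloudtrail: logging disabled"]
    if not trail.get("multi_region"):
        return ["cloudtrail: trail is not multi-region"]
    return []

# Control names follow the guide's wording for the findings to expect.
CHECKS = {
    "Cloud storage not encrypted": check_bucket_encryption,
    "Overly permissive security groups": check_security_groups,
    "No audit logging configured": check_audit_logging,
}

def evaluate(snapshot):
    """Return {control: (status, findings)} with status 'passing' or 'failing'."""
    results = {}
    for control, check in CHECKS.items():
        findings = check(snapshot)
        results[control] = ("failing" if findings else "passing", findings)
    return results

if __name__ == "__main__":
    for control, (status, findings) in evaluate(SNAPSHOT).items():
        print(f"[{status.upper():8}] {control}")
        for finding in findings:
            print(f"    - {finding}")
```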

Step 3: Connect Identity Provider

Your identity provider integration is critical because it provides evidence for access management controls — user provisioning, MFA enforcement, and role-based access. In our experience, this is where many teams underestimate the cleanup work involved.

Supported Identity Providers

Drata integrates with major identity providers including:

  • Google Workspace: Syncs user accounts, MFA status, admin roles, and device management
  • Okta: Pulls the user directory, MFA enrollment, application assignments, and group memberships
  • Microsoft Entra ID (Azure AD): Syncs users, MFA configuration, conditional access policies, and group assignments
  • JumpCloud: Syncs the user directory, MFA status, and device management
  • OneLogin: Syncs user provisioning, MFA configuration, and application assignments

Configuration Steps

  1. Navigate to Integrations and select your identity provider
  2. Authenticate with admin credentials and grant Drata the required read permissions
  3. Verify the user roster imports correctly — every employee should appear in Drata's personnel list
  4. Confirm MFA enforcement status is accurately reflected for all users

Common Issues

  • MFA showing as non-compliant: If employees use hardware security keys or authenticator apps not directly visible to your identity provider, you may need to configure Drata to recognize alternative MFA methods. We see this frequently with teams using YubiKeys.
  • Service accounts appearing as users: Exclude service accounts from the personnel roster if they are not human users. Drata allows you to categorize accounts appropriately — and we recommend doing this cleanup immediately rather than letting it linger.
  • Contractor status: Mark contractors appropriately in Drata so they follow the correct compliance requirements. We advise establishing a clear contractor classification policy before onboarding begins.

Step 4: Deploy the Drata Agent

The Drata agent runs on employee endpoints (laptops and desktops) to verify device compliance — disk encryption, screen lock, firewall, OS updates, and antivirus status. In our experience, agent deployment is the step most likely to stall if not managed proactively.

Deployment Strategy

Approach | Best For | Effort
--- | --- | ---
MDM-managed deployment | Organizations with Jamf, Kandji, Intune, or similar MDM | Low — push via MDM silently
Self-service installation | Small teams without MDM | Moderate — employees install individually
Hybrid | MDM for managed devices, self-service for BYOD | Moderate — covers both scenarios

Deployment Steps

  1. Download the Drata agent package for macOS, Windows, and Linux from the Drata dashboard
  2. Distribute via your MDM tool or send installation instructions to employees
  3. Employees install the agent and authenticate with their company email
  4. The agent begins reporting device compliance status to Drata within minutes

Endpoint Compliance Requirements

The Drata agent checks for the following baseline requirements:

  • Disk encryption enabled (FileVault on macOS, BitLocker on Windows)
  • Screen lock configured (we recommend a five-minute timeout)
  • Firewall enabled
  • OS version current (within supported update window)
  • Antivirus/endpoint protection running (if applicable to your security policy)

Achieving 100% Coverage

Every employee device that accesses company systems must have the Drata agent installed. Track deployment progress on the Drata personnel dashboard, which shows which employees have installed the agent and which devices are compliant. We advise following up individually with employees who have not installed within one week — and escalating to their managers after two weeks if needed.

Step 5: Connect Remaining Integrations

After cloud, identity, and endpoint integrations are established, connect the remaining tools in your stack. We recommend tackling these in priority order based on control coverage.

Code Repository Integration

Connect GitHub, GitLab, or Bitbucket to provide evidence for change management controls:

  • Branch protection rules on production branches
  • Code review requirements (pull request approvals)
  • Deployment documentation and change records

Verify that your main production branches require at least one approving review before merge and that direct commits to production branches are blocked. We cannot stress this enough — this is one of the most common audit findings we see.
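The two properties above (at least one approving review, no direct commits) can be checked mechanically before the auditor does. The following is an added example, not Drata's code or the article's own, that evaluates branch-protection records shaped like a subset of GitHub's branch-protection API response; the sample records are constructed, and the review threshold and the extra checks for administrator bypass, force pushes and deletions are our own choices.

```python
# Constructed samples shaped like a subset of GitHub's branch-protection API
# response (GET /repos/{owner}/{repo}/branches/{branch}/protection). They are
# illustrative, not pulled from a real repository.
PROTECTED_MAIN = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

WEAK_MAIN = {
    # A rule exists, but it does not enforce what the auditor will look for.
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}

def assess_branch_protection(protection, min_reviews=1):
    """Return findings for one branch; an empty list means it meets the bar.

    `protection` is None when the branch has no rule at all (GitHub answers
    the protection endpoint with 404 for an unprotected branch).
    """
    if protection is None:
        return ["no branch protection rule: direct commits are allowed"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews not required: direct pushes are possible")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_reviews:
            findings.append(f"required approving reviews is {count}, need at least {min_reviews}")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("rule not enforced for administrators")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion allowed")
    return findings

def assess_repository(branches, min_reviews=1):
    """Map each production branch name to its findings, keeping only failures."""
    report = {}
    for name, protection in branches.items():
        findings = assess_branch_protection(protection, min_reviews)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    # Constructed repository: main is fine, release is weak, hotfix has no rule.
    repo = {"main": PROTECTED_MAIN, "release": WEAK_MAIN, "hotfix": None}
    for branch, findings in assess_repository(repo).items():
        print(f"{branch}:")
        for finding in findings:
            print(f"  - {finding}")
```

To run it against real data, assuming the GitHub CLI is installed, fetch the record with `gh api repos/OWNER/REPO/branches/main/protection` and pass the parsed JSON to `assess_branch_protection`.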

HR Platform Integration

Connect BambooHR, Gusto, Rippling, or your HR system to synchronize:

  • Employee roster with hire dates and termination dates
  • Department and role assignments
  • Onboarding and offboarding event tracking

Monitoring and Vulnerability Scanning

Connect your monitoring and security scanning tools:

  • Monitoring: Datadog, PagerDuty, or other alerting tools for system operations evidence
  • Vulnerability scanning: Snyk, Qualys, CrowdStrike, or other scanning tools for vulnerability management evidence

Integration Prioritization

If your team's bandwidth is limited, we recommend prioritizing integrations in this order:

  1. Cloud provider (highest control coverage)
  2. Identity provider (access management controls)
  3. Code repository (change management controls)
  4. HR platform (personnel security controls)
  5. Endpoint management/MDM (endpoint compliance evidence)
  6. Monitoring tools (system operations controls)
  7. Vulnerability scanning (vulnerability management controls)

Step 6: Configure Policies

Drata provides customizable policy templates that satisfy SOC 2 requirements. Configuring policies involves reviewing templates, customizing them for your organization, and distributing them for employee acknowledgment. What we tell clients is that policy configuration is where many teams either rush and create audit risk, or overthink and lose momentum — the right approach is thorough but efficient.

Required Policies

Policy | Purpose | Customization Level
--- | --- | ---
Information Security Policy | Overarching security governance | Moderate — update roles, responsibilities, and organizational structure
Access Control Policy | User provisioning and access management | Moderate — align with your identity provider and access review cadence
Change Management Policy | Infrastructure and application change control | High — must reflect your actual deployment process
Incident Response Plan | Security incident detection and response | Moderate — customize escalation contacts and communication channels
Risk Assessment Policy | Risk identification and management methodology | Low — template is generally sufficient
Data Classification Policy | Data handling categories and requirements | Moderate — define your specific data categories
Acceptable Use Policy | Employee guidelines for system usage | Low — template is generally sufficient
Vendor Management Policy | Third-party security assessment | Moderate — align with your vendor review cadence
Business Continuity and Disaster Recovery Plan | Recovery procedures and testing | High — must reflect your actual infrastructure and recovery capabilities
Human Resources Security Policy | Background checks, training, offboarding | Moderate — align with your HR processes

Policy Configuration Process

  1. Review each template in the Drata policy library
  2. Customize sections that reference your specific organizational structure, tools, and processes
  3. Route policies to management (CTO, CEO, or security lead) for formal approval
  4. Publish policies and trigger employee acknowledgment workflows
  5. Track acknowledgment completion in Drata's personnel dashboard

Common Mistakes

  • Not customizing templates: We see this constantly — teams use templates verbatim without adapting them to their organization, and it creates real audit risk. Your auditor will verify that policies reflect actual practices.
  • Skipping management approval: Policies must have documented approval from management before distribution. We recommend getting this sign-off in writing, not just verbally.
  • Delaying acknowledgment tracking: Start employee policy acknowledgment workflows as soon as policies are approved. In our experience, this is the step most likely to cause last-minute compliance gaps because employees procrastinate on reading and signing policies.

Step 7: Personnel Onboarding and Training

Inviting Employees

  1. Import your employee roster from the connected HR platform (or manually if no HR integration)
  2. Assign compliance roles — identify who is responsible for security, compliance, engineering, and HR functions
  3. Send Drata invitations to all employees who need to complete compliance tasks

Security Awareness Training

Drata integrates with security training providers and offers built-in training modules. We recommend setting aggressive but realistic deadlines:

  1. Assign security awareness training to all employees
  2. Set a completion deadline (we recommend two to three weeks from assignment)
  3. Track completion progress on the personnel dashboard
  4. Follow up with employees who miss the deadline — 100% completion is required, and we advise escalating to managers after the first missed deadline

Background Checks

Verify that background checks are on file for all employees:

  1. Connect your background check provider if Drata supports integration
  2. Upload background check documentation for employees screened through other providers
  3. Document any exceptions for existing employees who were not screened and establish a plan for future hires — we always recommend documenting a clear exception rationale and forward-looking policy rather than trying to retroactively screen your entire team

Step 8: Control Review and Gap Remediation

After all integrations are connected and policies are in place, conduct a comprehensive review of your Drata compliance dashboard. This is the stage where we spend the most hands-on time with clients, because gap remediation is where real security improvements happen.

Dashboard Review

Drata organizes controls by Trust Service Criteria category. We recommend reviewing each category and identifying:

  • Passing controls: Evidence is flowing automatically and meeting requirements
  • Failing controls: Configuration issues, missing evidence, or non-compliant settings
  • Needs attention: Manual evidence required or pending human action

Common Gaps and Remediation

Common Gap | Remediation Action | Typical Effort
--- | --- | ---
MFA not enforced for all users | Enable MFA requirement in identity provider | 1-2 hours
Cloud storage not encrypted | Enable default encryption on S3 buckets/Cloud Storage/Blob Storage | 1-2 hours
No audit logging configured | Enable CloudTrail/Cloud Audit Logs/Azure Activity Logs | 1-2 hours
Branch protection not enabled | Configure branch protection rules on production repositories | 30 minutes
Missing vulnerability scanning | Deploy and configure a vulnerability scanner | 2-4 hours
Incomplete employee training | Send reminders and escalate to managers | 1 week
No formal risk assessment | Conduct risk assessment using Drata's risk module | 4-8 hours

Audit Readiness Checklist

Before engaging your auditor, we recommend verifying the following in Drata:

  • All integrations are connected and evidence is flowing
  • Drata agent deployed to 100% of employee devices
  • All policies approved and acknowledged by all employees
  • Security awareness training completed by all employees
  • Risk assessment documented
  • Vendor inventory populated with security assessments for critical vendors
  • Access review completed and documented
  • All control categories showing passing status on dashboard

Key Takeaways

  • We consistently see Drata fully configured for SOC 2 in one to two weeks, making it one of the fastest GRC platform implementations we recommend
  • Prioritize integrations in order of control coverage: cloud provider, identity provider, code repository, HR platform, endpoint management, monitoring, vulnerability scanning
  • We strongly recommend deploying the Drata agent to all employee endpoints via MDM for the most efficient rollout — self-service deployments always take longer than expected
  • Customize policy templates to reflect your actual organizational processes — we cannot emphasize this enough, as verbatim templates are one of the most common audit findings we see
  • Start employee training and policy acknowledgment workflows as soon as policies are approved — do not wait until the last minute
  • Use the Drata compliance dashboard to identify and remediate gaps before engaging your auditor, not after
  • 100% completion on agent deployment, training, and policy acknowledgment is required for a clean audit — there are no shortcuts here

Frequently Asked Questions

How long does Drata implementation take compared to other platforms?

What we tell clients is that Drata's implementation typically takes one to two weeks for initial setup, which is among the fastest we have seen across GRC platforms. Vanta runs on a similar timeline of one to two weeks. Secureframe tends to take two to three weeks due to a more detailed initial configuration process. In our experience, the speed differences between platforms are marginal — all major platforms can be operational within a few weeks. The more significant time investment is the broader compliance program (policies, training, risk assessment, remediation) that runs in parallel with platform setup, and that is where advisory support makes the biggest difference.

Does Drata support frameworks beyond SOC 2?

Yes, and this is something we factor into our recommendations for clients with multi-framework roadmaps. Drata supports 35+ compliance frameworks including ISO 27001, HIPAA, PCI DSS, GDPR, SOC 1, NIST CSF, NIST 800-53, and others. If you enable multiple frameworks during initial setup, Drata cross-maps controls automatically — a single control implementation satisfies requirements across all enabled frameworks. We consistently advise clients to enable multi-framework mapping from day one if they anticipate adding ISO 27001 or HIPAA within the next twelve months.

What if Drata does not have a native integration for a tool in our stack?

Based on what we see across our client base, this comes up fairly often. Drata provides API-based custom integrations and manual evidence upload options for tools without native integrations. You can upload screenshots, export files, and documents as manual evidence for controls that cannot be automated. Over time, Drata adds new integrations based on customer demand. What we recommend is evaluating whether the manual evidence burden is acceptable for your team's capacity — if you find yourself uploading manual evidence for more than a handful of controls, it may be worth considering whether a platform with broader integration coverage would better serve your needs.

Can we use Drata for a SOC 2 Type II audit?

Absolutely, and this is how most of our clients ultimately use the platform. Drata fully supports both Type I and Type II audits. For Type II, Drata continuously collects evidence throughout your observation period (six to twelve months) and organizes it chronologically for your auditor. The platform monitors for evidence gaps and alerts you if any integrations disconnect or manual tasks are overdue. When fieldwork begins, your auditor accesses the Drata audit center to review all evidence organized by control category and observation period. In our experience, having continuous evidence collection in place from the start dramatically reduces the stress of Type II fieldwork.

How does Drata's pricing compare to other SOC 2 platforms?

Based on what we see in client engagements, Drata's pricing is comparable to Vanta and Secureframe at similar company sizes — typically $10,000-$12,000 per year for organizations under twenty-five employees, scaling to $20,000-$30,000 for organizations with one hundred to two hundred fifty employees. Pricing increases with headcount and additional frameworks. We always recommend requesting a quote from Drata with your specific requirements for an accurate comparison, and we are happy to help our clients evaluate proposals from multiple platforms side by side.
