Drata Release Notes
Last updated: Apr 13, 2026
- Apr 10, 2026
- Date parsed from source: Apr 10, 2026
- First seen by Releasebot: Apr 13, 2026
Knowledge Base Update: AI-Powered Potential Issues
Drata introduces automated KB maintenance with AI detection and remediation to improve Questionnaire Assistance and Trust Center search results.
We have introduced an automated detection and remediation system for Knowledge Base (KB) maintenance. This feature uses AI to identify outdated, duplicate, or conflicting entries that reduce the quality of AI Questionnaire Assistance and Trust Center search results.
- Apr 10, 2026
- Date parsed from source: Apr 10, 2026
- First seen by Releasebot: Apr 13, 2026
Unified Login Service Update
Drata centralizes login at auth.drata.com for a single secure entry point.
We are centralizing the Drata login experience at auth.drata.com to provide a single and secure entry point.
- Apr 10, 2026
- Date parsed from source: Apr 10, 2026
- First seen by Releasebot: Apr 13, 2026
Enhanced Dashboard: SafeBase Support for North American MSSPs
Drata now lets North American MSSPs manage SafeBase tenants directly from the Drata dashboard.
North American MSSPs can now manage SafeBase tenants directly from the Drata dashboard.
- Apr 9, 2026
- Date parsed from source: Apr 9, 2026
- First seen by Releasebot: Apr 13, 2026
Connecting Vulnerability Detection to Continuous Compliance with Orca Security x Drata
Drata adds a generally available Orca Security Vulnerability Scanning integration that syncs vulnerability findings into Continuous Compliance, helping teams automate evidence collection, support control monitoring, and stay audit-ready.
Connect Orca Security with Drata to sync vulnerability findings for continuous compliance, automate evidence collection, and stay audit-ready.
Security teams detect vulnerabilities quickly.
The harder part is proving that vulnerability monitoring controls operate consistently across the environment.
Security teams track and remediate findings inside their vulnerability scanners. At the same time, compliance teams must demonstrate that those monitoring controls are operating effectively across frameworks like SOC 2 and ISO 27001.
When detection and compliance live in separate systems, that proof becomes manual.
Exports. Screenshots. Spreadsheet reconciliation. Evidence collected right before an audit.
That process slows teams down and introduces risk as environments scale.
The Orca Security Vulnerability Scanning integration with Drata connects vulnerability findings directly into Drata’s Continuous Compliance workflows. Security teams continue managing detection and remediation in Orca, while vulnerability data automatically syncs into Drata to support control monitoring and audit evidence.
The Gap Between Detection and Continuous Compliance
Most organizations do not struggle to detect vulnerabilities.
They struggle to demonstrate that vulnerability monitoring controls operate consistently over time.
Security teams leverage vulnerability management capabilities in cloud security platforms like Orca Security to triage and remediate findings.
Without integration, teams often need to:
- Export vulnerability reports for audit evidence
- Manually map findings to compliance controls
- Track remediation timelines outside the compliance system
- Recreate documentation during every audit cycle
These disconnected workflows create operational overhead and fragmented visibility into risk.
Drata is an Agentic Trust Management Platform that unifies governance, risk, compliance, and assurance into one system of record. Integrating vulnerability data from Orca connects technical risk detection directly to continuous control monitoring.
Connecting Orca Security to Continuous Compliance
Orca Security finds and prioritizes your most critical cloud risks, including vulnerabilities, malware, misconfigurations, lateral movement risks, IAM risks, and sensitive data at risk.
With the Drata integration, vulnerability findings automatically sync into Drata to support monitoring tests and SLA tracking tied to vulnerability management controls.
Security teams continue managing remediation directly in Orca.
Compliance teams gain visibility into vulnerability data within Drata to support compliance monitoring, evidence collection, and audit preparation.
Control monitoring reflects the most recent vulnerability data synced from Orca rather than relying on point-in-time audit evidence.
Why This Matters as Programs Scale
As organizations grow, security and compliance programs grow with them.
- Cloud assets expand.
- Vulnerability findings increase.
- Audit scope grows.
- Customer security reviews become more detailed.
Managing these processes through exports and spreadsheets introduces delays and operational risk.
Drata continuously monitors controls across the environment through Continuous Compliance and Integrated Risk Management. Integrating Orca extends that monitoring layer by bringing vulnerability data directly into the control monitoring process.
That shift creates measurable operational improvements.
Continuous Control Monitoring
Vulnerability findings support monitoring tests and SLA tracking tied to vulnerability management controls.
Teams can demonstrate that vulnerabilities are being identified and addressed according to policy without manually compiling reports.
Reduced Manual Coordination
Teams eliminate repetitive tasks such as:
- Exporting vulnerability reports for audits
- Reconciling spreadsheets across security and compliance systems
- Collecting last-minute evidence before an audit
Instead of preparing for audits in bursts, teams maintain an always audit-ready posture.
Stronger Audit and Customer Assurance
When auditors request evidence of vulnerability monitoring controls, teams can show continuous control monitoring supported by vulnerability data synced from Orca.
When customers ask how cloud risk is managed, teams can demonstrate oversight supported by continuously updated vulnerability data.
Continuous Compliance helps organizations maintain Continuous Trust.
Now Generally Available
Organizations using Orca Security for vulnerability monitoring can now connect vulnerability findings directly into Drata.
- Security detection and remediation remain in Orca.
- Vulnerability data syncs into Drata.
- Compliance monitoring remains continuous.
The Orca Security Vulnerability Scanning integration is now generally available.
Visit our Help Center for setup instructions and configuration guidance, or connect with the Drata team to learn more.
- Apr 8, 2026
- Date parsed from source: Apr 8, 2026
- First seen by Releasebot: Apr 13, 2026
AI-Powered Knowledge Base Cleanup Gets Smarter
Drata updates its Potential Issues feature to flag invalid entries, surface deeper conflicts, and support automated resolution for knowledge base governance and continuous compliance.
Drata's updated Potential Issues feature flags invalid entries, surfaces deeper conflicts, and enables automated resolution to support continuous compliance.
The Challenge: Manual Cleanup Slows Down Compliance
Growing knowledge bases introduce risk: duplicate entries, conflicting responses, and unclear content delay reviews and reduce audit readiness. For GRC teams, outdated or inconsistent entries undermine trust and increase the manual burden, especially when AI-powered automation relies on this content to help you with mundane day-to-day work.
Without automation, teams are stuck reacting to errors instead of enforcing accuracy across their trust workflows.
The Solution: Automated Governance for Knowledge Base Integrity
Drata's enhanced Potential Issues feature brings automated oversight to your knowledge base. It supports audit-ready, scalable trust by reducing manual cleanup and increasing visibility.
Entry-Level Issue Detection
Automatically identify problems within single entries:
- Invalid Entry: No usable content
- Invalid Question: Question unclear or irrelevant
- Invalid Answer: Answer content is unclear or incorrect
- Conflicted Answer: Answer and comments are misaligned
These insights help teams maintain accurate, audit-aligned responses.
Enhanced Group Classification
The feature also groups related entries and applies labels to clarify risk:
- Duplicate Entries: Content duplication
- Conflicting Entries: Contradictory answers
This reduces ambiguity and supports faster, more confident remediation.
Configurable Resolution Options
Users can address issues through:
- Manual review in the UI
- Bulk resolution
AI-powered resolution follows organization-defined rules and maintains traceability. Unresolved issues remain visible for manual follow-up.
Role-Based Outcomes
GRC Manager or Security Engineer
Eliminate manual investigation of KB inconsistencies. Automate identification and cleanup for faster resolution.
Outcome: Increased efficiency and reduced evidence risks.
Head of GRC / VP of Security
Ensure content governance at scale. Maintain oversight without increasing headcount.
Outcome: Higher-quality data and more confidence deploying AI tooling on top of it.
The Impact: Scalable, Trust-Aligned Knowledge
With this enhancement, Trust Center enables:
- Real-time oversight of content inconsistencies and issues
- Automated governance of entries and groups
- AI-powered cleanup to ensure your data is accurate
Why It Matters: Continuous Compliance Requires Clean Data
With this updated feature, Trust Center ensures your knowledge base remains aligned, validated, and ready to supercharge your Security, GRC, and go-to-market teams. It's governance at the content layer—powered by AI.
Explore how Drata supports knowledge governance and continuous compliance.
Book a demo now.
- Apr 3, 2026
- Date parsed from source: Apr 3, 2026
- First seen by Releasebot: Apr 13, 2026
Custom Pre-Audit Packages (Audit Hub)
Drata adds more control over pre-audit packages, letting teams choose whether to use one and what information it includes.
We’ve updated how pre-audit packages work to give you more control.
For every audit, you can now decide whether you want a pre-audit package at all and exactly which information is included in it.
- Apr 3, 2026
- Date parsed from source: Apr 3, 2026
- First seen by Releasebot: Apr 13, 2026
Terminology Update: Standardized Risk Labels for VRM
Drata updates VRM labels to standard Inherent Risk and Residual Risk terminology for clearer risk visibility.
We’ve updated our Vendor Risk Management (VRM) labels to align with standard industry terminology. You’ll now see Inherent Risk and Residual Risk throughout the platform, providing instant clarity without the need for extra explanation.
- Mar 25, 2026
- Date parsed from source: Mar 25, 2026
- First seen by Releasebot: Apr 13, 2026
February Product Recap: The New Drata Experience
Drata releases a broad monthly roundup with the new Drata experience now available to all customers, plus internal audits, expanded AI automation, vulnerability integrations, bulk imports, enhanced search, and platform improvements that help GRC teams scale compliance and trust faster.
A roundup of Drata’s latest releases, from the new Drata experience and internal audits to expanded AI automation, vulnerability integrations, and platform improvements built to help GRC teams scale trust faster.
Continuous Compliance
This month marks the broad rollout of the new Drata experience, now available for all customers. Built from extensive feedback across real-world GRC programs, the updated interface focuses on reducing time-to-task and improving operational clarity.
Key capabilities unlocked with the new experience include:
- Modern Framework Architecture for multi-framework and multi-workspace environments
- Improved audit and evidence workflows with clearer object relationships
- Enhanced tables and navigation designed for large datasets
- More actionable insights and remediation visibility
For new tenants, the new experience is now the default—marking a major evolution of the Drata platform as programs scale.
Automate evidence, reduce audit prep, stay ready year-round.
Compliance programs break down when evidence collection, monitoring, and remediation live across disconnected tools. This month, Drata introduced platform updates that strengthen continuous compliance—giving teams better visibility into control health, faster remediation, and expanded automation across cloud infrastructure and vulnerability monitoring.
Drata Test Library
Drata introduced a centralized Test Library featuring 1,000+ new infrastructure tests across AWS, Azure, and GCP. Teams can now browse, discover, and bulk provision automated tests directly within the platform. Each test continuously monitors infrastructure configurations and surfaces failures in real time, helping teams expand automation coverage without writing custom checks.
Insights with MTTR
The Insights dashboard now includes Mean Time to Resolution (MTTR) tracking for failed monitoring tests. This provides teams with clearer visibility into remediation performance—helping identify bottlenecks, assign ownership faster, and reduce time spent resolving control failures.
Internal Audits in Drata
Drata now supports end-to-end internal audits directly within the platform. Teams can create internal audit programs, assign auditors, collect evidence, and track remediation without relying on spreadsheets or external tools. With a built-in evidence viewer and structured workflows, collaboration between internal audit teams and compliance owners stays centralized and traceable.
Vendor & Internal Risk Management
Streamline assessments, centralize reviews, and strengthen oversight.
Risk management is only effective when teams can coordinate reviews, documentation, and remediation in one place. This month’s updates introduce stronger workflows for vendor risk, internal audits, and data visibility.
Vulnerability Scanning Integrations: Upwind and Orca Security
Drata now integrates with Upwind Security and has released Orca Security Vulnerability Scanning integration as generally available. These integrations automatically import vulnerability findings into Drata, enabling continuous monitoring of security issues tied to compliance controls. Instead of manually tracking vulnerabilities across tools, teams gain a unified view of risk and automated evidence collection tied to vulnerability management requirements.
Embedded Trust Centers for Vendor Reviews
Drata now supports embedded Trust Centers within third-party profiles, giving security teams immediate awareness of a vendor’s available assurance resources. Teams can see whether a vendor maintains a Trust Center and identify the types of security documentation and artifacts available. This helps reviewers quickly understand what evidence may exist and streamline vendor communication during assessments.
TPRM Workflow Enhancements
Additional updates to third-party risk workflows include:
- Custom questionnaire subject lines
- Expanded email sending limits
- Enhanced SOC 2 field support
- Improved vendor filtering
Together, these improvements help teams manage vendor communication and documentation more efficiently as vendor ecosystems grow.
Automated Governance
Operationalize compliance workflows across teams.
As compliance programs grow, governance becomes harder to coordinate across policies, controls, risks, and people. This month’s updates introduce new capabilities that simplify operational governance and reduce manual work.
Self-Serve Bulk Import
Teams can now perform bulk creation and updates for Risks, Controls, Trainings, and Background Checks directly in Drata using CSV imports. AI-powered column mapping and data transformation make it easier to migrate large datasets without SQL scripts or support tickets, significantly reducing onboarding friction for large programs.
Control Page Action Panel
A new Control Action Panel surfaces control readiness blockers in one centralized workspace. From this panel, teams can quickly see:
- Failed monitoring tests
- Overdue evidence
- Missing approvals
- Policy dependencies
Instead of navigating across multiple pages, users get a focused view of what needs attention to restore control readiness.
Enhanced Tables, Search, and Custom Fields
Drata introduced high-performance search with OpenSearch and fuzzy matching, along with support for searching custom fields across Vendors, Risks, and Controls. Combined with customizable table columns and saved preferences, these improvements make it easier to operate large GRC datasets and find the information teams need quickly.
Security Assurance
Prove trust faster across customers, auditors, and stakeholders.
Security assurance isn’t just about audits—it’s about demonstrating trust across your ecosystem. This month’s updates focus on reducing friction in security reviews and scaling assurance workflows through automation.
AI Trust Center Item Generation
AI can now generate Trust Center item descriptions automatically using existing documentation and knowledge base entries. Instead of manually writing each item, teams can generate descriptions with one click and review them before publishing—dramatically reducing the time required to launch a Trust Center.
What’s Coming Next
Drata continues expanding automation, AI capabilities, and platform scalability to support modern GRC programs. Upcoming updates will focus on deeper automation across risk management, expanded integrations across the security ecosystem, and continued evolution of the new Drata experience.
From continuous compliance to automated governance and scalable security assurance, every release is designed to help teams turn trust into a business accelerator. Try it for yourself—schedule a demo today.
- Mar 24, 2026
- Date parsed from source: Mar 24, 2026
- First seen by Releasebot: Apr 13, 2026
Drata Launches Agentic TPRM Assessment at RSA
Drata launches Agentic TPRM Assessment, adding AI-assisted vendor risk analysis to its Trust Management Platform so security teams can review third-party evidence faster, apply consistent criteria, and generate defensible assessment reports with human oversight.
Drata unveils Agentic TPRM Assessment, empowering organizations to evaluate vendor risk faster while maintaining the rigor required for defensible security decisions.
Drata is expanding its Agentic Trust Management Platform with Agentic TPRM Assessment, a new capability designed to help security and GRC teams evaluate third-party risk with more speed, rigor, and consistency.
Organizations today depend on hundreds or even thousands of vendors to operate and innovate. Each of those vendors introduces potential risk, and evaluating that risk has become increasingly complex as supply chain threats grow and regulatory expectations expand.
Despite this growing complexity, most third-party risk management (TPRM) programs still rely on fragmented tools, manual processes, and point-in-time reviews. Security teams spend hours gathering documentation, reviewing questionnaires, and interpreting lengthy audit reports before determining whether a vendor meets internal standards.
As vendor ecosystems continue to grow, this approach creates bottlenecks and inconsistent decision-making across organizations.
Security teams often feel forced to choose between reviewing all vendors quickly or reviewing a subset of vendors thoroughly.
Agentic TPRM Assessment removes that tradeoff.
By combining structured governance with AI-assisted evidence analysis, Drata helps organizations evaluate vendor risk faster while maintaining the rigor required for defensible security decisions.
Why Third-Party Risk Management Needs a New Approach
For many organizations, third-party risk management has become one of the most resource-intensive workflows within the security program.
Security teams routinely spend weeks reviewing vendor materials. They must gather documentation across vendor portals and email threads, analyze audit reports and security policies, interpret questionnaire responses, and reconcile conflicting evidence.
Even when these processes are well defined, they remain difficult to scale. Vendor assessments often depend on individual reviewer interpretation, which means two analysts may evaluate the same vendor differently.
At the same time, third-party breaches continue to rise, making vendor oversight a critical component of enterprise security programs.
“Third-party risk is one of the most pressing challenges for every CISO. Agentic TPRM Assessment will fundamentally change how organizations operationalize third-party risk management — bringing rigor, consistency, and scale. Using Agentic AI, security teams can run assessments in minutes, achieve a more accurate risk posture across the supply chain, and operate at AI speed.”
Scott Roberts
Chief Information Security Officer, UiPath
Introducing Agentic TPRM Assessment
Agentic TPRM Assessment brings AI-assisted analysis directly into TPRM workflows while keeping security teams fully in control of the review process.
Instead of relying solely on questionnaires or vendor self-attestations, Drata analyzes real vendor security documentation and evaluates that evidence against structured assessment criteria defined by the organization.
The system analyzes all types of vendor evidence—including lengthy documents, Trust Center materials, and questionnaire responses—and evaluates that evidence against predefined criteria.
Security teams review the findings, validate the analysis, and make the final risk decision.
This approach helps organizations complete vendor assessments faster while maintaining oversight and accountability.
The result is faster vendor assessments, higher-quality analysis, and more defensible risk decisions.
How Agentic TPRM Assessment Works
Generate Structured Assessment Criteria with AI
Drata helps teams quickly establish structured vendor evaluation criteria aligned with vendor risk tiers.
AI can generate draft criteria based on common third-party risk considerations. Security teams review and customize these criteria before applying them across vendor assessments.
This makes it easier to scale consistent evaluation standards across their entire vendor ecosystem.
Automatically Collect Vendor Security Documentation
Drata can automatically collect vendor documentation from Drata Trust Centers, including audit reports, policies, certifications, and other security artifacts.
This reduces the time security teams spend locating and requesting documentation before a review even begins.
Evaluate Vendor Evidence Against Defined Criteria
Once documentation is collected, the system analyzes vendor evidence and evaluates that evidence against predefined assessment criteria.
Each criterion receives one of four structured outcomes:
- Met
- Partially Met
- Not Met
- Inconclusive
Security analysts review each proposed outcome, validate the findings, and document additional observations before confirming the final assessment.
This structured evaluation model helps reduce subjectivity in TPRM decisions while preserving analyst judgment.
Generate Targeted Follow-Up Questions
Vendor documentation does not always provide enough information to fully evaluate a security control.
When evidence gaps appear, Agentic TPRM Assessment can generate targeted follow-up questions for vendors.
Security teams review and approve each question before it is sent, ensuring the process remains efficient while maintaining full oversight.
Produce Executive-Ready Assessment Reports
At the end of an assessment, Drata generates a structured summary that includes:
- Criteria outcomes
- Supporting evidence citations
- Analyst observations
- Residual risk scoring
These reports provide stakeholders with a clear and defensible record of how third-party risk decisions were made and help organizations demonstrate consistent evaluation during internal reviews or audits.
AI as a Co-Pilot for TPRM Teams
Drata’s AI is designed to support security professionals—not replace them.
Agentic TPRM Assessment acts as an intelligence layer that helps teams analyze evidence faster, highlight potential gaps earlier in the review process, and make more informed decisions.
Every AI-generated finding remains fully reviewable.
Security teams can:
- Override outcomes
- Add analyst observations
- Track identified risks in the centralized risk register
- Approve final vendor decisions
This human-in-the-loop model ensures organizations maintain governance and accountability while benefiting from automation where it matters most.
The impact is direct: vendor assessments complete faster, evidence is analyzed more consistently, and risk decisions become easier to defend during audits.
Security teams can scale vendor oversight without increasing headcount, allowing analysts to spend less time on manual document review and more on addressing real security risks.
Built with Enterprise Design Partners
Agentic TPRM Assessment was shaped in collaboration with enterprise design partners who helped Drata validate real-world workflows and refine how agentic analysis supports security teams.
These early programs reinforced a common challenge across organizations: vendor risk reviews are difficult to scale while maintaining rigorous analysis.
By partnering closely with enterprise design partners, Drata was able to build the TPRM Agent with direct input from organizations managing complex, large-scale vendor risk programs—ensuring the solution addresses real-world pain points like scalability, workflow fragmentation, and audit readiness from day one. This collaboration accelerated product maturity, reduced iteration cycles, and resulted in a more robust, enterprise-grade solution that integrates seamlessly into existing security and compliance ecosystems while delivering faster, more actionable third-party risk insights.
“Agentic TPRM Assessment will transform how we run third-party reviews. By ingesting live Trust Center evidence and producing criteria based evaluations, Drata eliminates the tedious back-and-forth with vendors and lets our team focus only on real risk—ultimately accelerating reviews and giving our procurement team the confidence to move faster.”
Sheron Chakalakal
Head of GRC, UiPath
Part of the Drata Trust Management Platform
Agentic TPRM Assessment is a core capability within the Drata Trust Management Platform, which unifies governance, risk management, compliance, and assurance into a continuous system of trust.
Within the platform, organizations can:
- Monitor internal controls continuously
- Manage third-party risk programs
- Maintain centralized risk registers
- Share security posture through Trust Centers
- Produce audit-ready evidence on demand
Together, these capabilities help organizations move from fragmented oversight to continuous, evidence-driven trust management.
The Future of Third-Party Risk Management
Third-party ecosystems will only continue to grow—and with them, the complexity of managing risk.
The future of third-party risk management requires systems that can evaluate security evidence at scale, standardize risk decisions, and provide leaders with clear visibility into vendor security posture.
Agentic TPRM Assessment represents a massive step toward that future.
By combining AI-assisted evidence analysis with structured governance and human oversight, Drata enables organizations to transform third-party risk management from a slow, manual process into a scalable and defensible security capability.
Want to See Agentic TPRM Assessment in Action?
Watch the demo above or book a demo to see how Drata can help your team modernize third-party risk management.
- Mar 20, 2026
- Date parsed from source: Mar 20, 2026
- First seen by Releasebot: Apr 13, 2026
Test Library – Multi‑Provider Support for Imported Tests
Drata adds multi-provider Imported Test Library coverage for AWS and Azure configurations, with tests running automatically.
Imported Test Library tests now support multiple providers.
Expanded coverage includes AWS accounts and Organizational Units, as well as Azure, Azure GCC High, Management Groups, and Organizational Units, with tests automatically running across configurations without manual setup.