Drata Release Notes

Continuous Compliance

Compliance programs break down when evidence collection, monitoring, and remediation live across disconnected tools. This quarter, Drata introduced platform updates that strengthen continuous compliance—giving teams better visibility into control health, faster remediation, and expanded automation across cloud infrastructure and vulnerability monitoring.

CCPA 2026 Framework Updates

Drata now supports updated CCPA 2026 requirements directly within the platform, aligning to new CPPA rules for privacy risk assessments, cybersecurity audits, ADMT governance, and Sensitive Personal Information. Teams can operationalize these requirements alongside existing frameworks by mapping them to controls, policies, and evidence—reducing duplication and maintaining a unified view of compliance as regulations evolve.

ISO 27701:2025 Framework Support

Drata now supports ISO 27701:2025 as the latest standard for Privacy Information Management Systems, extending ISO 27001 to clarify controller and processor responsibilities and strengthen privacy governance. Programs can enable the updated framework and map their privacy controls and evidence to stay aligned with evolving expectations.

Drata Test Library

The new Drata Test Library introduces a centralized catalog of 1,000+ infrastructure tests across AWS, Azure, and GCP. Teams can:

• Browse and discover prebuilt tests
• Bulk provision automated checks directly within Drata
• Continuously monitor infrastructure configurations and surface failures in real time

This helps programs expand automation coverage quickly—without custom rules or scripts.

Test Library – Multi-Provider Support for Imported Tests

Imported infrastructure tests can now run across multiple providers (AWS, Azure, and their organizational structures) from a single configuration. Instead of duplicating tests per environment, teams run one test across multiple providers and accounts, simplifying setup, improving consistency in control monitoring, and increasing coverage across complex cloud footprints.

Insights with MTTR

The Insights dashboard now includes Mean Time to Resolution (MTTR) tracking for failed monitoring tests. This gives teams clearer visibility into remediation performance so they can identify bottlenecks, assign ownership faster, and reduce time spent resolving control failures.

Internal Audits in Drata

Drata now supports end-to-end internal audits directly within the platform. Teams can create internal audit programs, assign auditors and owners, collect and review evidence with a built-in viewer, and track remediation work without spreadsheets or external tools. Workflows and evidence stay centralized and traceable, improving collaboration between internal audit teams and control owners.

Custom Pre-Audit Packages (Audit Hub)

Within Audit Hub, teams can now configure pre-audit evidence packages with fine-grained control. Teams can:

• Decide whether to include a pre-audit package (or not)
• Select specific evidence categories (control mapping, connections, vendors, assets, personnel, infrastructure access, and more)
• Update or regenerate packages as audit scope or requirements change

Drata automatically regenerates packages when attributes or categories change and removes outdated versions so auditors always see the latest, least-privilege view of your environment.

Cloud Connection Scoping Across AWS, Azure, and GCP

Cloud monitoring is easier to scale when Drata mirrors how your environments are actually organized via:

• AWS & AWS Organizational Units: Automatically synchronize accounts under your AWS Organization into Drata for centralized compliance monitoring, including data from Security Hub, GuardDuty, Config, Inspector, and Macie.
• Azure Management Groups: Connect multiple Azure subscriptions via Management Groups for read-only infrastructure visibility and continuous evidence collection, with support for tagging-based inclusion/exclusion.
• GCP Integration (Script Setup): Connect at the organization or project level using an automated script or Terraform, so IAM users and infrastructure resources feed into access reviews and monitoring with one setup.

This improves performance, clarifies environment boundaries, and keeps monitoring aligned with the right accounts, subscriptions, and projects.

Custom Fields for Framework Requirements

Drata’s Custom Fields now extend to framework requirements, in addition to risks, controls, vendors, and personnel. Teams can store implementation notes, owners, scores, and other structured metadata directly on requirement records for both out-of-the-box and custom frameworks, all searchable in the requirements index and exportable through standard reporting.

Vendor & Internal Risk Management

Risk management is only effective when teams can coordinate reviews, documentation, and remediation in one place. This quarter’s updates introduce stronger workflows for third-party risk, vulnerability monitoring, and vendor review visibility.

Agentic TPRM Assessment

Agentic TPRM Assessment brings an AI-powered, criteria-driven, evidence-first model to third-party security reviews. The TPRM Agent:

1. Ingests vendor documentation (SOC 2 reports, policies, questionnaires, Trust Center artifacts, and more)
2. Maps that evidence to your predefined security and risk criteria
3. Produces standardized outcomes (Met, Partially Met, Not Met, Inconclusive) with cited sources and residual risk scoring

Your team reviews findings, validates analysis, adds observations, and makes the final decision. The agent does the assessment work; humans remain the decision-makers.

Key benefits include higher quality, criteria-based assessments across all vendors, faster reviews and onboarding by eliminating manual document review, scalable coverage without additional headcount, and audit-ready, evidence-linked outputs for every assessment.

Embedded Trust Centers for Vendor Profiles

Drata now supports embedded Trust Centers within third-party profiles, giving reviewers immediate awareness of a vendor’s available assurance resources. Teams can see whether a vendor maintains a Trust Center and what types of security documentation and artifacts are available—speeding up evidence discovery and reducing back-and-forth during assessments.

TPRM Workflow Enhancements

To support scaling Agentic TPRM Assessment, Drata released several workflow improvements around communication and documentation, including custom questionnaire subject lines, expanded email character limits, enhanced AI SOC 2 field support/summaries, and improved vendor filtering. Together, these updates make it easier to manage vendor communication, track progress, and keep large vendor ecosystems organized.

Vulnerability Scanning Integrations: Upwind and Orca Security

Drata now integrates with Upwind Security and has released Orca Security Vulnerability Scanning integration as generally available. These integrations automatically import vulnerability findings into Drata, tie issues to compliance controls and risk workflows, and provide a unified view of vulnerability risk and evidence across tools.

Rename Vendor Security Reviews

You can now rename Security Reviews, SOC report reviews, and uploaded reviews to match real-world projects, systems, or engagements. Custom titles appear consistently across the review page header and vendor Security Reviews table, making it easier to scan vendor portfolios, align reviews with business context, and keep reporting clear for stakeholders and auditors.

Automated Governance

As compliance programs grow, governance becomes harder to coordinate across policies, controls, risks, and people. This quarter’s updates introduce new capabilities that simplify operational governance and reduce manual work.

Self-Serve Bulk Import

Teams can now perform bulk creation and updates for Risks, Controls, Trainings, and Background Checks directly in Drata using CSV imports. AI-powered column mapping and data transformation make it easier to migrate large datasets without SQL scripts or support tickets, significantly reducing onboarding friction for large programs.

Control Page Action Panel

A new Control Action Panel surfaces control readiness blockers in one centralized workspace. From this panel, teams can quickly see failed monitoring tests, overdue evidence, missing approvals, and policy dependencies. Instead of jumping across multiple pages, users get a focused view of what needs attention to restore control readiness.

Enhanced Tables, Search, and Custom Fields

Drata introduced high-performance search powered by OpenSearch and fuzzy matching, plus the ability to search across custom fields on vendors, risks, and controls. Combined with customizable table columns and saved preferences, these improvements make it easier to operate large GRC datasets and quickly find the information teams need.

Bulk CSV Import for Custom Tasks

Bulk Import for Custom Tasks brings the same scale and structure to task creation. Teams can now:

• Upload a CSV, paste from existing spreadsheets, or type rows directly into a guided, spreadsheet-style sheet
• Mix one-time and recurring tasks in the same import
• Link tasks to controls or risks
• Validate titles, task types, owners, due dates, and schedules in real time before creation

This makes it significantly easier to stand up recurring reviews, operational checklists, and cross-functional workflows without one-by-one task creation.

Security Assurance

Security assurance isn’t just about audits—it’s about demonstrating trust across your ecosystem. This quarter’s updates focus on reducing friction in security reviews and scaling assurance workflows through automation.

AI Trust Center Item Generation

AI can now generate Trust Center item descriptions automatically using existing documentation and knowledge base entries. Instead of manually writing each item, teams can generate descriptions with one click, review them, and publish—dramatically reducing the time required to launch or expand a Trust Center.

Portal-Agnostic Questionnaire Parsing (Chrome Extension)

Throughout Q1, Drata expanded portal-agnostic questionnaire capabilities via the Chrome Extension, enabling teams to import and answer security questionnaires from virtually any portal. Now they can pull questions from proprietary or unsupported vendor portals, generate responses using centralized Trust Center and AIQA content, and paste answers back into the original portal. This eliminates manual copy-paste workflows and enables faster, more consistent responses across customer environments.

Content Collections for AI-Generated Responses

With Content Collections, GRC teams can precisely control what data powers AI-generated questionnaire responses. You can filter your Trust Library by product, framework, tags, or content type, and AI Questionnaire Assistance will reference only content from that collection—ensuring every answer is relevant, consistent, and audit-ready. The result: faster questionnaire completion, higher accuracy, and full confidence in what your AI is using behind the scenes.

Evidence Library Sync to Trust Center

Evidence Library Sync automatically pushes selected evidence from Drata’s Evidence Library into the SafeBase Trust Library over a secure, one-way connection. Any updates you make in Drata are reflected in the Trust Library, while SafeBase controls what’s actually published to your external Trust Center. This keeps external stakeholders aligned with the latest, reviewed artifacts—without double-managing documents across tools.

Multi-Select Answers in AI Questionnaire Assistance

“Select all that apply” questions are now fully supported in AI Questionnaire Assistance (AIQA). Reviewers can choose multiple valid answers for a single prompt, so multi-select questions are handled correctly without manual editing. The feature is live for all AIQA customers with no configuration required, improving answer quality and reducing friction on more complex questionnaires.

What’s Coming Next

Drata continues expanding automation, AI capabilities, and platform scalability to support modern GRC programs. Upcoming work will focus on deeper automation across risk management and third-party workflows and expanded integrations across the security ecosystem. From continuous compliance to automated governance and scalable security assurance, every release is designed to help teams turn trust into a business accelerator. Book a demo to learn more about the continuous evolution of the new Drata experience.

Original source

See how customers are discovering the New Drata Experience—faster workflows, clearer insights, and a more intuitive way to manage compliance at scale.

A new interface only matters if it improves how teams actually work.

That’s exactly what our customers are understanding as they explore the New Drata Experience.

Released in February, it represents a fundamental shift in how GRC teams navigate, act, and scale their programs. Early feedback signals how it’s something bigger than a redesign, offering smoother navigation, clearer workflows, and far less time spent digging through information. And that’s only the beginning.

Here’s how customers are experiencing it.

The Challenge — Remove GRC Speed Bumps

GRC teams don’t struggle because of a lack of tools—they struggle because of friction between them.

Navigation that requires too many clicks. Workflows that break context. Data that lives across tables, reports, and spreadsheets. Teams are forced to hunt for answers instead of acting on them.

As programs grow, so does the problem:

• Reviews take longer because context is scattered
• Manual updates and imports slow down progress
• Teams rely on spreadsheets to fill workflow gaps
• Time-to-action stretches when it should shrink

The result? Compliance becomes reactive instead of continuous.

The Solution — A More Intuitive, Action-Driven Experience

The New Drata Experience changes how teams move through compliance work—bringing navigation, context, and action together into a single, unified flow.

For many teams, the biggest shift is immediate.

“ The UI feels a lot smoother, and the cleanup of the left-side navigation makes the experience easier to work through.”
Micah Colwell
Systems Engineer, HealthLink Dimensions, LLC

“ The interface looks a lot more friendly than the previous version. It feels easier to navigate and work in.”
Dan Abraham
Security Analyst, Calgary Flames

“ The new user experience feels like a whole new generation of the product.”
Saeed Elahi
Head of Cyber Risk & Assurance, Tenable

Behind these positive reactions is a system designed for how teams actually work:

• Smarter navigation reduces friction and eliminates feature hunting
• Persistent panels and detail pages keep context visible while you act
• Configurable tables with saved preferences adapt to each team’s workflow
• Powerful search and filtering surface the right data instantly
• Bulk import capabilities eliminate days of manual work and support tickets

These capabilities make it easier to find what you need and allow teams to move through tasks without unnecessary friction.

Persona Use Cases — Connect Work to Real Outcomes

Director of Compliance

• Instantly sees what’s changed across controls and tests
• Avoids manual follow-ups with clearer visibility into readiness

Unlocks: faster oversight and stronger audit confidence.

GRC Manager / Security Engineer

• Bulk imports risks, controls, or training evidence in minutes instead of days
• Customizes tables and workflows without relying on spreadsheets
• Quickly identifies and resolves failed tests

Unlocks: faster resolution and dramatically reduced manual effort.

VP of Security / Head of GRC

• Gains consistency across workflows and teams
• Scales programs with configurable, enterprise-grade infrastructure
• Monitors trends like remediation time and control readiness

Unlocks: a system that scales with complexity and supports continuous compliance.

The Impact — Early Feedback, Real Results

While the rollout is still in progress, early reactions point to a consistent theme: the experience is simply easier to work in. It helps our customers get more done, faster.

“ I like the new look of the platform and I’m looking forward to using it more once everything is fully rolled out.”
Chad Peterson
Strategic Advisor, Doxy.me

The impact is readily apparent across customer feedback. Users report faster navigation and less time searching, quicker movement from insight to action, and reduced reliance on spreadsheets. And most importantly, greater confidence in day-to-day workflows.

And in many cases, tasks that once took days—like bulk updates or evidence imports—can now be completed in minutes.

Why It Matters — A Foundation for Modern GRC

This isn’t just a better interface—it’s a better way to operate.

The New Drata Experience makes it even easier to enjoy continuous compliance instead of point-in-time audits and scalable workflows that grow with your program. It enables faster, more confident decision-making powered by future-ready automation and AI-driven insights.

It’s a shift from managing compliance to actually operating it.

Explore how the New Drata Experience helps GRC teams automate with clarity, accountability, and control. Book a demo now.

Original source