
Revenue: $95.00M (2024)
Valuation: $2.00B (2024)
Growth Rate (y/y): 61% (2024)
Funding: $328.00M (2024)
Revenue

Growing to 7,000 customers (up 55% YoY) and expanding internationally (100% YoY growth in EMEA), Sacra estimates Drata's annual recurring revenue grew to $95M in 2024, up 61% YoY from $59M in 2023.
Compare to Vanta at $100M in ARR as of the end of 2023, valued at $2.45B in their July 2024 Series C ($353M total raised) for a 24.5x forward revenue multiple, and to broader GRC platforms like AuditBoard at $200M in ARR in early 2024, up 33% YoY, at the time of their acquisition by Hg for $3B (15x revenue multiple), and Workiva (NYSE: WK) at $734M in projected 2024 revenue, up 17% YoY, valued at $4.9B for a 7x multiple.
Drata generates revenue primarily through SaaS subscriptions ($13.5K ACV), with pricing based on company size and framework coverage. Enterprise customers utilizing multiple compliance frameworks and add-on modules like Risk Management and Trust Center represent higher-value contracts.
The company's revenue mix spans from high-growth startups to large enterprises, with notable customers including Notion, OpenAI, PagerDuty, and Lemonade. International expansion has been particularly strong, with customer growth outside the US outpacing domestic growth. Approximately 25-30% of Drata's customer base is now international.
Valuation
Drata has raised a total of $328M across multiple funding rounds since its founding in 2020. The company reached a $2B valuation in December 2022 with its $200M Series C round for a 66x forward revenue multiple on $30M in 2022 ARR.
The round was co-led by ICONIQ Growth and GGV Capital. Notable investors include Salesforce Ventures, Alkeon Capital, and Microsoft CEO Satya Nadella. The Series C doubled Drata's valuation from its previous round just one year earlier.
Product
As of the mid-2010s, startups getting SOC 2 certified to start selling into the enterprise had to go through 6-12 month in-person audits by accounting firms, with $50-100K in upfront fees—creating the opportunity for companies like Vanta (2016), Thoropass (2019), Secureframe (2020) and Drata (2020) to automate the manual work of collecting application logs and documenting permissions, charging on a SaaS basis with ~$13.5k ACV based on a company’s size and number of certifications.
Drata connects to 1) SaaS apps like GitHub, 2) cloud providers, and 3) employee devices to continually collect data security configurations and access permissions, centralizing it in one dashboard to track an organization’s progress towards different certifications with pre-built templates for quickly filling out forms.
The platform continuously monitors an organization's security controls and automatically collects evidence to prove compliance. When a company connects Drata to their tech stack (GitHub, AWS, Okta, etc.), it automatically verifies security configurations, user access, and endpoint settings. For example, Drata checks if all AWS S3 buckets are encrypted, if two-factor authentication is enabled for all users, and if employee laptops have screen locks and disk encryption enabled.
Drata has expanded beyond SOC 2 to support over 20 compliance frameworks including ISO 27001, HIPAA, and GDPR. The platform includes policy templates, automated evidence collection, and a dashboard showing real-time compliance status. Companies can manage multiple frameworks simultaneously, with Drata cross-mapping controls so a single implemented security measure can satisfy requirements across different standards.
Business Model
Drata is a SaaS compliance automation platform that helps companies achieve and maintain security certifications like SOC 2, ISO 27001, HIPAA, and GDPR. The company generates revenue through annual subscriptions, with pricing based on company size and number of compliance frameworks needed.
The platform connects to a customer's tech stack through 170+ integrations and an optional agent to continuously monitor security controls and automatically collect evidence. This automation reduces the manual work of preparing for audits by up to 80-90%.
The company targets both high-growth startups needing quick compliance for enterprise sales and larger organizations managing multiple frameworks. Drata differentiates itself through extensive automation capabilities, strong auditor relationships, and highly-rated customer support that guides companies through the compliance process.
Recent acquisitions of SafeBase, oak9, and Harmonize have expanded Drata's platform into trust centers, developer security, and access governance.
Competition
Drata operates in the rapidly growing compliance automation and trust management market, competing primarily with other automated compliance platforms while also facing competition from traditional GRC solutions and point products.
Automated compliance platforms
The direct competitor landscape is led by Vanta, which reached $100M ARR and 7,000+ customers in 2024. Vanta differentiates through its 300+ integrations and earlier market entry (founded 2017). Secureframe, launched around the same time as Drata in 2020, competes through competitive pricing and strong integration capabilities, though with fewer total integrations than Vanta. Newer entrants like Sprinto and TrustCloud target smaller companies with lower-cost offerings and freemium models.
Enterprise GRC platforms
Traditional GRC vendors like OneTrust (which acquired Tugboat Logic) offer broader solutions combining privacy, security, and compliance capabilities. These platforms typically target larger enterprises and can be more complex to implement but provide comprehensive coverage across multiple risk and compliance domains. AuditBoard, primarily known for SOX compliance, has also expanded into IT compliance through acquisition.
Point solutions and alternatives
Many organizations still rely on manual spreadsheet-based processes and consulting services for compliance. Cloud providers like AWS offer native compliance tools (AWS Audit Manager) for their ecosystems. An emerging category of specialized vendors focuses on specific aspects of compliance - companies like SafeBase (acquired by Drata) for trust centers, and various tools for vendor risk management, security questionnaires, and policy management.
TAM Expansion
By expanding into employee access management via their acquisition of Harmonize (April 2024) and developer security via their acquisition of oak9 (May 2024), Drata is aiming to become a full-stack governance, risk and compliance (GRC) platform—the IBM OpenPages or ServiceNow GRC for tech companies—with the upside of higher ACV and a stickier, less transactional product.
From a pure SOC 2 compliance provider (2021), Drata has expanded to 23 frameworks, adding support in 2024 for FedRAMP, for companies that sell into government agencies like DoD, and for ISO 42001, for companies building AI products to certify that customer data isn’t exposed or leaked.
Drata has tailwinds from the increasing regulatory complexity around data security and privacy, plus growing enterprise demands for vendor security assurance. The company has opportunities to expand beyond pure compliance automation into broader trust and security infrastructure.
Enterprise security and compliance automation
The core compliance automation market is growing as more companies face multiple regulatory frameworks. Beyond SOC 2, companies increasingly need to comply with HIPAA, GDPR, ISO standards and emerging AI regulations. Drata's platform approach positions them to capture this expanding compliance scope. The global GRC software market is projected to reach $15B by 2025.
Trust infrastructure and vendor risk
Drata's acquisition of SafeBase signals expansion into trust infrastructure - helping companies showcase their security posture to customers and partners. This creates network effects as more companies join Drata's trust ecosystem. The vendor risk management space represents a natural extension, as enterprises seek to automate security reviews of their vendors.
Developer-centric security
Through acquisitions like oak9, Drata is moving into "compliance as code" - embedding security and compliance checks directly into development workflows. This opens up the DevSecOps market as companies shift left on security. The acquisition of Harmonize.io adds capabilities in access governance and AI-powered anomaly detection, expanding Drata's footprint in identity security.
Geographic expansion
With 25-30% of customers already outside the US and 100% YoY growth in EMEA, international markets present significant growth potential. Regulatory frameworks vary by region, creating opportunities for Drata to become the global standard for automated compliance.
Risks
Compliance automation commoditization: As more players enter the compliance automation space and existing competitors like Vanta expand their feature sets, Drata's core value proposition risks becoming commoditized. The rapid pace at which competitors are matching features (often within months) suggests diminishing technological barriers to entry. This could lead to price pressure and reduced margins, particularly in the SMB segment where cost sensitivity is high.
Integration dependency risk: Drata's platform relies heavily on integrations with third-party tools (170+ integrations) to gather compliance evidence. Changes in APIs, deprecation of services, or strategic decisions by key integration partners could disrupt Drata's ability to maintain continuous monitoring. The recent acquisitions of companies like SafeBase and oak9 increase this complexity, potentially creating technical debt in maintaining a growing integration surface.
DISCLAIMERS
This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.
This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.
Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.
Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.
All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.