Drata moves into compliance as code

Company Report
Through acquisitions like oak9, Drata is moving into "compliance as code" - embedding security and compliance checks directly into development workflows.

The oak9 deal matters because it turns Drata from a tool that documents controls after systems are live into one that can catch problems while engineers are still writing cloud infrastructure. Drata’s core product already watches SaaS apps, cloud accounts, and employee devices to collect audit evidence. oak9 extends that into infrastructure as code, so misconfigurations can be flagged in pull requests and mapped back to frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS before release.
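To make the mechanism above concrete, here is a small compliance-as-code check of the kind that runs in a pull request: it reads a Terraform configuration, evaluates a few policies against each resource, maps each violation to the frameworks it affects, and returns an exit code that a CI step can use to block the merge. This is an added illustration, not Drata or oak9 code; the sample configuration, the policy identifiers and the framework mappings are constructed for the example, and a real product would maintain a crosswalk to specific control clauses rather than the framework names used here.

```python
"""Compliance-as-code check over a Terraform config (added example,
not Drata or oak9 code). Sample config, policy IDs and framework
mappings are constructed placeholders for illustration."""
import json
from dataclasses import dataclass

# Constructed sample in Terraform JSON syntax (the shape of a *.tf.json file).
# Three of the four resources are deliberately misconfigured.
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_s3_bucket": {
      "audit_logs": {"bucket": "example-audit-logs", "acl": "public-read"},
      "app_data":   {"bucket": "example-app-data",   "acl": "private"}
    },
    "aws_security_group": {
      "bastion": {
        "name": "bastion-sg",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    },
    "aws_ebs_volume": {
      "scratch": {"availability_zone": "us-east-1a", "size": 20}
    }
  }
}
'''


@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource: str        # Terraform address, e.g. "aws_s3_bucket.audit_logs"
    message: str
    frameworks: tuple    # framework names the violated control maps to


# Assumed framework mappings; a real crosswalk cites specific control clauses.
ACCESS_CONTROL = ("SOC 2", "ISO 27001", "HIPAA", "PCI DSS")
ENCRYPTION_AT_REST = ("SOC 2", "ISO 27001", "HIPAA", "PCI DSS")


def _as_list(value):
    # In JSON syntax a repeated block may appear as one object or as a list.
    return value if isinstance(value, list) else [value]


def check_public_s3_acl(rtype, name, attrs):
    """Flag S3 buckets whose canned ACL grants anonymous read or write."""
    if rtype == "aws_s3_bucket" and attrs.get("acl") in ("public-read", "public-read-write"):
        return Finding("S3-PUBLIC-ACL", f"{rtype}.{name}",
                       f"bucket ACL {attrs['acl']!r} allows anonymous access",
                       ACCESS_CONTROL)
    return None


def check_open_ssh(rtype, name, attrs):
    """Flag security groups that admit tcp/22 (or all traffic) from 0.0.0.0/0."""
    if rtype != "aws_security_group":
        return None
    for rule in _as_list(attrs.get("ingress", [])):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        covers_ssh = rule.get("protocol") == "-1" or lo <= 22 <= hi
        if covers_ssh and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return Finding("SG-OPEN-SSH", f"{rtype}.{name}",
                           "ingress allows tcp/22 from 0.0.0.0/0", ACCESS_CONTROL)
    return None


def check_unencrypted_ebs(rtype, name, attrs):
    """Flag EBS volumes that do not set encrypted = true."""
    if rtype == "aws_ebs_volume" and attrs.get("encrypted") is not True:
        return Finding("EBS-UNENCRYPTED", f"{rtype}.{name}",
                       "volume is not encrypted at rest", ENCRYPTION_AT_REST)
    return None


POLICIES = (check_public_s3_acl, check_open_ssh, check_unencrypted_ebs)


def evaluate(tf_json):
    """Run every policy over every resource and return the findings."""
    config = json.loads(tf_json)
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            for policy in POLICIES:
                finding = policy(rtype, name, attrs)
                if finding is not None:
                    findings.append(finding)
    return findings


def findings_by_framework(findings):
    """Count findings per framework so reviewers see the audit impact per standard."""
    counts = {}
    for f in findings:
        for fw in f.frameworks:
            counts[fw] = counts.get(fw, 0) + 1
    return counts


def pr_gate(findings):
    """CI exit code: 0 lets the pull request merge, 1 blocks it."""
    for f in findings:
        print(f"[{f.policy_id}] {f.resource}: {f.message} "
              f"(affects {', '.join(f.frameworks)})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(pr_gate(evaluate(SAMPLE_TF_JSON)))
```

Run against the constructed sample, the script reports three findings (the public bucket, the open SSH rule and the unencrypted volume) and exits non-zero; a clean configuration exits zero. The useful design point is the last step: each finding carries its framework mapping, so the same check that blocks the merge also produces the evidence trail an auditor later asks for.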

  • This changes the buyer and the workflow. Traditional compliance automation is used mainly by GRC and IT teams preparing for audits. Compliance as code pulls engineering and DevOps into the product earlier, at the point where Terraform or cloud configs are created, which makes Drata useful in day-to-day software delivery instead of only during audit prep.
  • It also gives Drata a path to higher contract value through a broader stack. Harmonize added access governance, including onboarding, offboarding, and device management automation for distributed teams. Combined with SafeBase on trust centers and oak9 on developer security, Drata is assembling more pieces of a full GRC system rather than a single SOC 2 workflow.
  • The competitive implication is that compliance vendors are converging on security operations, but from different starting points. Vanta and Secureframe still center the product on automated evidence collection across 35+ and 20+ frameworks respectively, plus trust centers and questionnaires. Drata is pushing harder into pre-production controls, where the product has to fit engineering workflows, not just auditor workflows.

The next phase is a move from audit automation to continuous control enforcement across code, identity, vendors, and customer trust. If Drata keeps integrating these acquisitions into one workflow, it can become the operating layer where a company both proves compliance and prevents non-compliant changes from shipping in the first place.