Drata Becoming Full-Stack GRC Platform

Company Report
Drata is aiming to become a full-stack governance, risk and compliance (GRC) platform—the IBM OpenPages or ServiceNow GRC for tech companies

This move pushes Drata from a tool that helps win one audit into the system a security team uses to run compliance every day. The core SOC 2 product already plugs into cloud apps, code repos, HR systems, and employee devices to collect evidence and monitor controls. Adding Harmonize brings employee access governance, and oak9 brings compliance checks into cloud development, so Drata can cover who has access, how systems are built, and whether controls stay in place after the audit ends.

  • The product and revenue logic is straightforward. A startup may begin with one framework at roughly $13.5K ACV, then add more frameworks, risk modules, a trust center, access governance, and developer security as it grows. That turns a one-time certification need into a broader subscription tied to more teams and more workflows.
  • The closest software comps are moving in the same direction. Vanta has used vendor risk, a trust center, questionnaire automation, and more frameworks to make compliance a higher-frequency product, helping lift revenue per customer to about $18K by mid-2025. Drata is following the same playbook, but through acquisitions that widen its control surface faster.
  • The OpenPages and ServiceNow comparison is about scope, not customer type. Those platforms are built to give large companies one place to map policies, controls, risks, and regulatory tasks across the business. Drata is building a lighter version for tech companies by starting with the systems startups already use, then layering governance and risk workflows on top.

The next step is a shift from compliance automation into an operating system for trust. As Drata adds more frameworks, more control owners, and more pre-audit and post-audit workflows, the product becomes harder to rip out and easier to sell upmarket, especially to tech companies that want enterprise-grade GRC coverage without an enterprise software implementation project.