Drata - Viral Audits


Apr 23 | 2190 words, 13467 characters

As I drive down US 80 in SF, there’s a black billboard with the neon words, “Y’all make boring s*** easy!” Below, the source: “Actual Drata customer”.

Barely 3 years old, Drata isn’t even eligible for kindergarten yet.

Despite their tender age, Drata’s rise has been nothing short of meteoric. After exiting stealth at the start of 2021, Drata breezed through their seed, Series A, and Series B funding rounds in 10 months. Quite the speed run.

Today, Drata counts companies such as Notion, Lemonade, Hertz, and Vercel as customers. This is their story.

Funding

Round Date Amount Narrative Lead Investor
Seed Jan 2021 $3.2m Experienced founders Cowboy Ventures
Series A Jun 2021 $25m Rapid sales growth GGV Capital
Series B Nov 2021 $100m Culture, integrations & auditor relationships ICONIQ Growth
Series C Dec 2022 $20m Sales & product expansion GGV Capital, ICONIQ Growth

Founding Story

Drata’s co-founders come from incredibly diverse backgrounds.

Adam Markowitz, CEO, holds a masters in aerospace engineering from USC. Daniel Marashlian, CTO, founded four startups in the past and has been through four distinct acquisitions. Troy Markowitz (Adam Markowitz’s brother), COO/CRO, started his career at McKinsey before transitioning to sales.

Back in 2013, the three came together to start a company called Portfolium, “the LinkedIn for academia”. In 2019, they sold Portfolium to Instructure (NYSE:INST). By mid-2020, the trio were ready for another adventure.

While at Portfolium, the three co-founders were battered with requests for audits and formal documentation of their security controls from schools. So when they came back together, security compliance was at the top of their mind. In particular, the trio decided to start with automating the SOC2 compliance process.

To sell to Universities, we had to prove that their data was safe and secure and we took the time, resources and effort to build a system to automate the process. After the acquisition, myself and the same co-founders came back together in 2020 to start Drata and basically help companies stand up and maintain their security compliance posture, so they could earn the trust of those they want to do business with.

  • Adam Markowitz

Before we talk more about Drata, let’s take a quick detour on what SOC2 is. In the words of Thomas Ptacek, SOC2 is “a big spreadsheet an accounting firm gives you to fill out.”

In the past few years, SOC2 compliance has become one of the most requested infosec certifications. Most enterprise SaaS companies now proudly pin SOC2 compliance badges on their websites.

In a SOC2 audit, companies answer various questions about their security practices. A successful SOC2 audit means that a company has consistent access policies, basic employee authentication security, and low-level risk tracking.

A SOC2 certificate does not mean that a company is secure. SOC2 is about documentation rather than security.

SOC2 encompasses two different types of audits. The first, Type 1, is a long list of questions asking “does your company have Single Sign-On (SSO)”, or “does your company have centralized logging?” Type 1 audits focus on compliance at a specific point in time.

Once a company can say yes to all of these questions (usually in the form of a long series of screenshots), the company is officially SOC2 Type 1 certified.

The SOC2 Type 2 audit is based on the Type 1 report. If a company claims that they use Okta for SSO, the Type 2 audit simply makes sure that the company is still using Okta over the next few months. The way to track it? Screenshots.

So now back to Drata. An average SOC2 verification can take anywhere from months to years to complete. Drata helps automate evidence collection. Rather than manually taking screenshots, Drata can help pull data from various sources and set up checklists for pending tasks. This can be everything from ensuring that employees are using password managers to integrations with ADP and Auth0 to collect evidence and control access.

In focusing on SOC2, Drata was joining a crowded field.

Startups such as Vanta, Strike Graph, Secureframe, OneTrust, Standard Fusion, and ZenGRC were already in the business of helping companies automate the SOC2 audit process. In particular, Vanta had been working on SOC2 since 2017.

But the competition didn’t dissuade Drata. In May 2020, both Adam Markowitz (CEO) and Marashlian (CTO) quit their jobs at Instructure and started Drata the next month.

Ironically, the early days were a bit awkward - Drata itself didn’t have SOC 2 certification yet. Adam brought in his brother, Troy Markowitz, who had previously been the SVP of Sales at Portfolium to run sales at Drata. Troy joined the duo in November 2020 and quickly signed on customers including Spot by NetAppAccel RoboticsAbnormal SecurityChameleon, and Vareto.

By January 2021, Drata finally received its official SOC 2 certification and came out of stealth with a $3.2 million seed round led by Cowboy Ventures.

Product-Market Fit

Unlike most companies that had to fiddle with their product to find product-market fit (PMF), Drata had PMF from day one. In an interview with SV Angels:

We lived and breathed the customer pain points ourselves before we ever decided to go down the path of automating compliance. The business plan that we started with is exactly what we are working on today.

  • Adam Markowitz

Just six months after launching Drata out of stealth, Drata raised a $25 million Series A led by GGV Capital in June 2021. Part of what convinced GGV was Drata’s incredible 100% average month-over-month growth rate.

It wasn’t just Drata.

March 2021 saw Secureframe raise an $18 million Series A led by Kleiner Perkins. After graduating the YC S20 batch, Secureframe saw a 10x increase in revenue growth and more than 100 new customers.

May 2021 saw Vanta raise a $50 million Series A led by Sequoia Capital. At the time, Vanta had over $10 million in annual recurring revenue.

So, Drata’s explosive growth was less about building the right product and more about the market dynamics around SOC2.

This leads to the question - why was 2021 such a pivotal year for SOC2?

First, increased scrutiny of security. Over the past two decades, companies had steadily outsourced software complexity to third parties. From 2020 to 2022, companies increased their dependence on external software vendors by 38%. Today, an average company purchases around 110 different software services.

As part of this shift, larger companies with more comprehensive purchasing policies started requesting security documentation. A company could manually answer each line item and delay the sales process, or they could point at the SOC2 certificate. Choosing SOC2 was an easy choice.

Second, SOC2 had a viral component. It’s pretty hard to think of an auditing processing going viral but every SOC2 audit has a suggestion of “collect SOC2 reports from the company’s vendors”. That means if a company becomes SOC2 compliant, they effectively have heavily encouraged downstream vendors to also become SOC2 compliant. So, one company undergoing an SOC2 audit leads to another 110 companies that consider the SOC2 audit.

Further, as SOC2 gained popularity, it started becoming the default certificate for security. This was another step change - when everyone is familiar with SOC2, there’s an inherent inertia to keep using SOC2. In a survey by A-LIGN, “47% of respondents said [that] SOC 2 was the most important audit, attestation, or assessment for their business.”

Growth

Internally, Drata’s top priorities were, culture, sales, and integrations & relationships.

Culture

On the culture front, Adam Markowitz spent a significant amount of Drata’s seed round press release writing about Drata’s core cultural values. Most startups would use a fundraising announcement to talk about products, roadmap, or company mission. Dedicating space in a fundraising announcement specifically on culture signified a hefty commitment.

Adam’s focus on culture also came through in interviews:

“The speed at which we've been able to execute, I think, is 100% attributed to trust as the foundation of our core values. We’re in the business of trust and our product helps companies build trust with their customers. We breathe, live and sleep trust here.” - Adam at Forbes

“Today, company culture is one of the most understated competitive advantages you could have. Culture is a lasting differentiator.” - Adam at SaaStr

“The success of Drata can be directly attributed to its people – the culture and execution of this team is truly unprecedented. The culture is defined by the values and behaviour of the incredible people here and trust lies at the heart of it all.” - Adam at Technology Magazine

The leadership at Drata had spent 5 years together previously. This foundation paved the way for the rapid growth - younger founding teams might have been plagued with co-founder disagreements or interpersonal issues. The trio also hired on their previous coworkers from Portfolium as early employees at Drata. [0]

Sales

Many of these early employees were in sales. Together, they signed on 100 new customers for Drata in just 45 days after launch.

For Drata’s Series A, the team focused on finding strategic investors. One such investor was Silicon Valley CISO Investments (SVCI). SVCI is an angel syndicate composed of some of the world’s leading CISOs (Chief Information Security Officers).

“It became clear to me right away that Drata is an engineering powerhouse. The solution they’ve developed is well ahead of other market players, and their approach to deep, native integrations provides users with the most advanced automation available.”

  • Philip Martin - Chief Security Officer at Coinbase

With this new connection to security leadership, Data signed on heavy-duty customers such as Abnormal Security, Fullstory, Amplitude, and Netlify.

This emphasis on sales extended to hefty turf war on Reddit. Drata, Secureframe, and Vanta sales reps regularly visited the r/soc and r/cybersecurity subreddits. In “Has anyone used Vanta for SOC2 Compliance?”:

“…are you going to mention to people that you are an AE at Vanta? For a company who works in compliance, this is not very honest or transparent.”

“Weird how this Drata rep deleted his account after I offered a trial against them. Highly encourage everyone to trial the two tools against each other and make a decision after that.”

Integrations & Relationships

While Vanta, Secureframe, and Strike Graph started before Drata, Drata made significant headway by being the first to offer integrations with third parties like ADP, AWS, and Asana. Though the engineering costs were high, these efforts meant Drata could claim they had the most comprehensive suite of integrations. Compared to their more established competitors, Drata has anywhere from 2-10x more integrations. These integrations also help automate and speed up the SOC2 process for Drata customers.

Another key investment by Drata has been their relationship with auditors. On Drata’s menu bar is an “Auditors” button listing all of Drata’s auditor partners. And in Reddit threads, auditors have commented on the attention Drata pays their auditors.

“I’m answering this from an Auditor’s perspective: Vanta is awful, their tests for the controls are often not comprehensive for us to accept as evidence and actively discourage communication between the auditor and client, as they believe their platform fully “automates” the process of auditing frameworks (I mostly do SOC 2 audits).  Drata is much nicer, more comprehensive with their monitoring of controls, and are also releasing an auditor portal soon so additional evidence requests from the auditor can stay completely within the platform.”

In November 2021, just four months after their Series A round, Drata raised a $100 million Series B led by ICONIQ Growth. 16 months after founding, they were worth $1 billion.

Expansion

Drata’s series B was the finale of a string of Drata’s funding announcements in 2021.

For 2022, they focused on growing into their new $1 billion valuation. This meant doubling down on their sales efforts - and poaching customers from competitors.

A notable example is Notion. Vanta’s Series A announcement in May 2021 had a prominent quote from Notion’s COO, Akshay Kothari. Yet by the end of 2022, Notion had switched over to Drata.

Drata also invested heavily into customer case studies. Jonathan Jaffe, Lemonade CISO, personally gave a video testimonial on Drata. By the end of 2022, Drata had 35 customer case studies - ranging from saving Thnks 100 hours for their ISO 27001 Certification to handling SOC2 for HeadsUp.

Drata’s 2022 year in review video is full of glowing customer references.

On the product side, Drata expanded support to 14+ compliance frameworks including ISO 27001, GDPR, HIPAA, PCI DSS, and CCPA. They also expanded their international reach by adding French, Spanish, and German.

Leadership-wise, Drata promoted Troy Markowitz to COO in November 2022. In his place, they brought in Adam Aarons, previous CRO of Okta. [1] By hiring Aarons, Drata broadcasted that they would continue to invest heavily into sales and growth.

In December 2022, Drata raised a $200 million Series C, led by ICONIQ Growth and GGV Capital.

Conclusion

All in all, Drata’s story has been a case study in blitz-scaling in the midst of stiff competition.nIt’s now the highest valued security startup at $2 billion - even higher than Vanta’s $1.6 billion valuation.

[0] A small list of early employees at Drata from Portfolium -

[1] We previously talked about Okta within our Auth0 and On Authentication piece.