The Product Person - Drata: Viral Audits
As I drive down US 80 in SF, there’s a black billboard with the neon words, “Y’all make boring s*** easy!” Below, the source: “Actual Drata customer”. Barely 3 years old, Drata isn’t even eligible for kindergarten yet. Despite their tender age, Drata’s rise has been nothing short of meteoric. After exiting stealth at the start of 2021, Drata breezed through their seed, Series A, and Series B funding rounds in 10 months. Quite the speed run. Today, Drata counts companies such as Notion, Lemonade, Hertz, and Vercel as customers. This is their story.

Funding

Founding Story

Drata’s co-founders come from incredibly diverse backgrounds. Adam Markowitz, CEO, holds a master’s in aerospace engineering from USC. Daniel Marashlian, CTO, founded four startups in the past and has been through four distinct acquisitions. Troy Markowitz (Adam Markowitz’s brother), COO/CRO, started his career at McKinsey before transitioning to sales. Back in 2013, the three came together to start a company called Portfolium, “the LinkedIn for academia”. In 2019, they sold Portfolium to Instructure (NYSE:INST). By mid-2020, the trio were ready for another adventure. While at Portfolium, the three co-founders were battered with requests from schools for audits and formal documentation of their security controls. So when they came back together, security compliance was at the top of their minds. In particular, the trio decided to start with automating the SOC2 compliance process.
Before we talk more about Drata, let’s take a quick detour on what SOC2 is. In the words of Thomas Ptacek, SOC2 is “a big spreadsheet an accounting firm gives you to fill out.” In the past few years, SOC2 compliance has become one of the most requested infosec certifications. Most enterprise SaaS companies now proudly pin SOC2 compliance badges on their websites. In a SOC2 audit, companies answer various questions about their security practices. A successful SOC2 audit means that a company has consistent access policies, basic employee authentication security, and low-level risk tracking. A SOC2 certificate does not mean that a company is secure. SOC2 is about documentation rather than security. SOC2 encompasses two different types of audits. The first, Type 1, is a long list of questions asking “does your company have Single Sign-On (SSO)”, or “does your company have centralized logging?” Type 1 audits focus on compliance at a specific point in time. Once a company can say yes to all of these questions (usually in the form of a long series of screenshots), the company is officially SOC2 Type 1 certified. The SOC2 Type 2 audit is based on the Type 1 report. If a company claims that they use Okta for SSO, the Type 2 audit simply makes sure that the company is still using Okta over the next few months. The way to track it? Screenshots. So now back to Drata. An average SOC2 verification can take anywhere from months to years to complete. Drata helps automate evidence collection. Rather than manually taking screenshots, Drata can help pull data from various sources and set up checklists for pending tasks. This can be everything from ensuring that employees are using password managers to integrations with ADP and Auth0 to collect evidence and control access. In focusing on SOC2, Drata was joining a crowded field. 
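The Type 1 versus Type 2 distinction above, and the idea of replacing screenshots with machine-collected evidence, can be made concrete with a small model. The following is an added example written for this page, not Drata’s code: it evaluates a single control (“SSO is enforced”) as a point-in-time check and as a sustained check over a window, against a constructed set of weekly evidence pulls; the control name, the `Evidence` record and the seven-day collection gap threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    """One automatically collected observation of a control (stands in for a screenshot)."""
    control: str    # assumed control identifier, e.g. "sso_enforced"
    observed: date  # when the integration pulled the data
    passing: bool   # did the control hold at that moment?
    source: str     # which integration produced the observation


def type1_result(evidence, control, as_of):
    """Type 1: the control's state at one point in time.
    Uses the most recent observation on or before `as_of`; None if there is no evidence."""
    obs = [e for e in evidence if e.control == control and e.observed <= as_of]
    if not obs:
        return None  # nothing to attest to
    return max(obs, key=lambda e: e.observed).passing


def type2_result(evidence, control, start, end, max_gap_days=7):
    """Type 2: the control held throughout [start, end].
    Fails if any observation in the window fails, or if evidence collection lapsed
    for longer than `max_gap_days` (a gap in evidence is a finding, not a pass)."""
    obs = sorted(
        (e for e in evidence if e.control == control and start <= e.observed <= end),
        key=lambda e: e.observed,
    )
    if not obs or any(not e.passing for e in obs):
        return False
    checkpoints = [start] + [e.observed for e in obs] + [end]
    gaps = [(b - a).days for a, b in zip(checkpoints, checkpoints[1:])]
    return max(gaps) <= max_gap_days


# Constructed sample data (not real customer data): thirteen weekly pulls of the
# "SSO enforced" setting from an identity-provider integration, starting 2023-01-01.
# In week 6 (2023-02-12) SSO was temporarily switched off, so that pull fails.
SAMPLE = [
    Evidence("sso_enforced", date(2023, 1, 1) + timedelta(weeks=i),
             passing=(i != 6), source="idp_integration")
    for i in range(13)
]

if __name__ == "__main__":
    print("Type 1 as of 2023-01-15:", type1_result(SAMPLE, "sso_enforced", date(2023, 1, 15)))
    print("Type 2 Jan-Mar 2023:", type2_result(SAMPLE, "sso_enforced", date(2023, 1, 1), date(2023, 3, 31)))
```

The same evidence passes a Type 1 check in mid-January but fails the Type 2 window that contains the February outage, which is exactly why a Type 2 report depends on collection continuing for months.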
Startups such as Vanta, Strike Graph, Secureframe, OneTrust, Standard Fusion, and ZenGRC were already in the business of helping companies automate the SOC2 audit process. In particular, Vanta had been working on SOC2 since 2017. But the competition didn’t dissuade Drata. In May 2020, both Adam Markowitz (CEO) and Marashlian (CTO) quit their jobs at Instructure and started Drata the next month. Ironically, the early days were a bit awkward - Drata itself didn’t have SOC 2 certification yet. Adam brought in his brother, Troy Markowitz, who had previously been the SVP of Sales at Portfolium, to run sales at Drata. Troy joined the duo in November 2020 and quickly signed on customers including Spot by NetApp, Accel Robotics, Abnormal Security, Chameleon, and Vareto. By January 2021, Drata finally received its official SOC 2 certification and came out of stealth with a $3.2 million seed round led by Cowboy Ventures.

Product-Market Fit

Unlike most companies that had to fiddle with their product to find product-market fit (PMF), Drata had PMF from day one. In an interview with SV Angels:
Just six months after launching Drata out of stealth, Drata raised a $25 million Series A led by GGV Capital in June 2021. Part of what convinced GGV was Drata’s incredible 100% average month-over-month growth rate. It wasn’t just Drata. March 2021 saw Secureframe raise an $18 million Series A led by Kleiner Perkins. After graduating the YC S20 batch, Secureframe saw a 10x increase in revenue growth and more than 100 new customers. May 2021 saw Vanta raise a $50 million Series A led by Sequoia Capital. At the time, Vanta had over $10 million in annual recurring revenue. So, Drata’s explosive growth was less about building the right product and more about the market dynamics around SOC2. This leads to the question - why was 2021 such a pivotal year for SOC2? First, increased scrutiny of security. Over the past two decades, companies had steadily outsourced software complexity to third parties. From 2020 to 2022, companies increased their dependence on external software vendors by 38%. Today, an average company purchases around 110 different software services. As part of this shift, larger companies with more comprehensive purchasing policies started requesting security documentation. A company could manually answer each line item and delay the sales process, or they could point at the SOC2 certificate. SOC2 was the easy choice. Second, SOC2 had a viral component. It’s pretty hard to think of an auditing process going viral, but every SOC2 audit comes with a suggestion to “collect SOC2 reports from the company’s vendors”. That means that when a company becomes SOC2 compliant, it effectively pushes its downstream vendors to become SOC2 compliant too. So, one company undergoing a SOC2 audit leads to another 110 companies considering a SOC2 audit. Further, as SOC2 gained popularity, it started becoming the default certificate for security. This was another step change - when everyone is familiar with SOC2, there’s an inherent inertia to keep using SOC2.
In a survey by A-LIGN, “47% of respondents said [that] SOC 2 was the most important audit, attestation, or assessment for their business.”

Growth

Internally, Drata’s top priorities were culture, sales, and integrations & relationships.

Culture

On the culture front, Adam Markowitz spent a significant amount of Drata’s seed round press release writing about Drata’s core cultural values. Most startups would use a fundraising announcement to talk about products, roadmap, or company mission. Dedicating space in a fundraising announcement specifically to culture signified a hefty commitment. Adam’s focus on culture also came through in interviews:
The leadership at Drata had spent 5 years together previously. This foundation paved the way for the rapid growth - younger founding teams might have been plagued with co-founder disagreements or interpersonal issues. The trio also hired their previous coworkers from Portfolium as early employees at Drata. [0]

Sales

Many of these early employees were in sales. Together, they signed on 100 new customers for Drata in just 45 days after launch. For Drata’s Series A, the team focused on finding strategic investors. One such investor was Silicon Valley CISO Investments (SVCI). SVCI is an angel syndicate composed of some of the world’s leading CISOs (Chief Information Security Officers).
With this new connection to security leadership, Drata signed on heavy-duty customers such as Abnormal Security, Fullstory, Amplitude, and Netlify. This emphasis on sales extended to a hefty turf war on Reddit. Drata, Secureframe, and Vanta sales reps regularly visited the r/soc and r/cybersecurity subreddits. In “Has anyone used Vanta for SOC2 Compliance?”:
Integrations & Relationships

While Vanta, Secureframe, and Strike Graph started before Drata, Drata made significant headway by being the first to offer integrations with third parties like ADP, AWS, and Asana. Though the engineering costs were high, these efforts meant Drata could claim it had the most comprehensive suite of integrations. Compared to their more established competitors, Drata has anywhere from 2-10x more integrations. These integrations also help automate and speed up the SOC2 process for Drata customers. Another key investment by Drata has been their relationship with auditors. On Drata’s menu bar is an “Auditors” button listing all of Drata’s auditor partners. And in Reddit threads, auditors have commented on the attention Drata pays its auditor partners.
In November 2021, just four months after their Series A round, Drata raised a $100 million Series B led by ICONIQ Growth. 16 months after founding, they were worth $1 billion.

Expansion

Drata’s Series B was the finale of a string of Drata funding announcements in 2021. For 2022, they focused on growing into their new $1 billion valuation. This meant doubling down on their sales efforts - and poaching customers from competitors. A notable example is Notion. Vanta’s Series A announcement in May 2021 had a prominent quote from Notion’s COO, Akshay Kothari. Yet by the end of 2022, Notion had switched over to Drata. Drata also invested heavily in customer case studies. Jonathan Jaffe, Lemonade CISO, personally gave a video testimonial on Drata. By the end of 2022, Drata had 35 customer case studies - ranging from saving Thnks 100 hours on their ISO 27001 certification to handling SOC2 for HeadsUp. Drata’s 2022 year in review video is full of glowing customer references. On the product side, Drata expanded support to 14+ compliance frameworks including ISO 27001, GDPR, HIPAA, PCI DSS, and CCPA. They also expanded their international reach by adding French, Spanish, and German. Leadership-wise, Drata promoted Troy Markowitz to COO in November 2022. In his place, they brought in Adam Aarons, previously CRO of Okta. By hiring Aarons, Drata broadcast that it would continue to invest heavily in sales and growth. In December 2022, Drata raised a $200 million Series C, led by ICONIQ Growth and GGV Capital.

Conclusion

All in all, Drata’s story has been a case study in blitz-scaling in the midst of stiff competition. It’s now the highest valued security startup at $2 billion - even higher than Vanta’s $1.6 billion valuation.

[0] A small list of early employees at Drata from Portfolium -