Compliance · Beta
Drata
API integration
Ship Compliance features without building the integration. Full Drata API access via Proxy, normalized data through Unified APIs, and 160+ MCP-ready tools for AI agents — all extensible to your exact use case.
Built for specific customer use cases. Issues are resolved quickly.
Use Cases
Why integrate with Drata
Common scenarios for SaaS companies building Drata integrations for their customers.
Automate User Access Reviews for SOC 2 Compliance
Identity governance and IAM platforms can pull Drata's user directory — including roles, identities, and compliance status — to orchestrate quarterly access reviews without manual CSV exports or screenshot gathering.
Sync Employee Compliance Status into Your Platform
HR, onboarding, or security awareness training tools can read user-level compliance data from Drata to surface which employees have completed background checks, signed policies, or finished required training — directly inside your product.
Surface Company-Wide Audit Readiness in Your Dashboard
GRC, risk management, or MSP platforms can pull company-level compliance posture from Drata so their users see a real-time snapshot of audit health alongside data from other tools, without switching contexts.
Flag Non-Compliant Users Across Connected Systems
Security platforms can fetch Drata's user list and cross-reference roles and identity data against actual infrastructure permissions, automatically identifying ghost accounts, over-permissioned users, or employees missing required compliance steps.
Enrich Incident Response with Personnel Context
SIEM and incident response tools can look up individual Drata users by ID to pull compliance context — role assignments, background check status, agreed terms — when investigating security events tied to specific employees.
What You Can Build
Ship these features with Truto + Drata
Concrete product features your team can ship faster by leveraging Truto’s Drata integration instead of building from scratch.
Compliance-Aware User Directory Sync
Continuously import Drata users with their roles, identities, and compliance metadata into your platform using the Unified User Directory API so your customers always have a current personnel view.
Automated Quarterly Access Review Reports
Pull all Drata users and their role assignments on a schedule, then generate access review reports that auditors can sign off on without manual data gathering.
Employee Compliance Status Widget
Embed a per-user compliance summary — background checks, document signatures, Drata terms agreement — directly in your product's employee profile pages by fetching individual users by ID.
Audit Readiness Dashboard Card
Display a company-level compliance health indicator sourced from Drata's company info endpoint, giving your users instant visibility into their organization's overall posture.
Non-Compliant Employee Alert Pipeline
Compare Drata's user list against your system's records to automatically flag and notify admins about employees who are missing required compliance steps like background checks or policy acknowledgments.
SuperAI
Drata AI agent tools
Comprehensive AI agent toolset with fine-grained control. Integrates with MCP clients like Cursor and Claude, or frameworks like LangChain.
list_all_drata_users
List Drata users matching optional filters. Returns: id, email, firstName, lastName, jobTitle, roles, avatarUrl, drataTermsAgreedAt, createdAt, backgroundChecks, documents, and identities per user record.
get_single_drata_user_by_id
Get the full detail of a single Drata user by id. Returns: id, email, firstName, lastName, jobTitle, roles, avatarUrl, drataTermsAgreedAt, createdAt, backgroundChecks, documents, and identities. Required: id.
list_all_drata_assets
List Drata assets by search terms and filters. Returns: id, name, assetType, assetProvider, owner, device, createdAt, updatedAt, externalId, customFields.
create_a_drata_asset
Manually add a new asset to the Drata account. Returns: id, name, description, assetType, assetProvider, owner, createdAt, customFields. Required: name, description, assetClassTypes, assetType, ownerId.
get_single_drata_asset_by_id
Get a single Drata asset by id. Returns: id, name, description, assetType, assetProvider, owner, device, createdAt, updatedAt, externalId, customFields. Required: id.
update_a_drata_asset_by_id
Update an existing Drata asset by id. Returns: id, name, description, assetType, assetProvider, owner, device, createdAt, updatedAt, customFields. Required: id.
delete_a_drata_asset_by_id
Remove a virtual or manually-added Drata asset by id. This is an unrecoverable operation. Returns an empty 204 response on success. Required: id.
list_all_drata_audits
List audits in a Drata workspace. Returns: id, frameworkType, auditType, isInternalAudit, status, startDate, endDate, completedAt, createdAt, updatedAt, auditors, and internalAuditors for each audit record. Required: workspace_id.
get_single_drata_audit_by_id
Get a single Drata audit by id. Returns: id, frameworkType, auditType, isInternalAudit, status, startDate, endDate, completedAt, createdAt, updatedAt, auditors, internalAuditors, and controls. Required: workspace_id, id.
list_all_drata_audit_requests
List audit requests in Drata for a given workspace and audit. Returns: id, code, title, description, status, auditId, createdAt, updatedAt, owners, and messages. Required: workspace_id, audit_id.
get_single_drata_audit_request_by_id
Get a single audit request in Drata by id. Returns: id, code, title, description, status, auditId, createdAt, updatedAt, owners, messages, and controls. Required: workspace_id, audit_id, id.
create_a_drata_background_check
Create a manual Background Check record in Drata and mark the user as compliant for Background Check requirements. Returns: id, employmentStatus, userId, email, createdAt, updatedAt. Required: userId, url, filedAt.
get_single_drata_company_by_id
Get the Drata company profile, including organization details, security configuration, training settings, and feature entitlements. Returns: accountId, domain, name, legalName, year, securityTraining, hipaaTraining, backgroundCheck, securityReport, agentEnabled, manualUploadEnabled, drataSupportAccess, entitlements, createdAt, and updatedAt.
list_all_drata_workspaces
List Drata workspaces representing different products or business lines with distinct compliance requirements. Returns: id, name, primary, description, createdAt, updatedAt, url, logo, howItWorks, and an optional frameworks array when expanded.
list_all_drata_control_library
List Drata Control Library templates with optional field and relational filters. Returns: id, code, controlNumber, name, description, question, activity, domain, category, inUse.
get_single_drata_control_library_by_id
Get a single Drata Control Library template by id, with optional expansion of related subcollections. Returns: id, code, controlNumber, name, description, question, activity, domain, category, inUse, testTemplates, policyTemplates, evidenceTemplates, requirementTemplates, controlsUsingTemplate. Required: id.
drata_control_library_import
Provision one or more Drata tenant Controls from Control Library templates with all-or-nothing semantics — any invalid input rejects the entire request with no writes. Returns: data (array of per-input provisioning results, each containing inputIndex, controlId, code, status, associations, and customFields). Required: data. Max 100 inputs per request spanning no more than 10 distinct workspaceIds.
list_all_drata_control_notes
List control notes in Drata for a given control, with optional filtering and sorting. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object when expanded. Required: workspace_id, control_id.
create_a_drata_control_note
Create a new control note in Drata for a given control. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object. Required: workspace_id, control_id, comment.
get_single_drata_control_note_by_id
Get a single Drata control note by id. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object when expanded. Required: workspace_id, control_id, id.
update_a_drata_control_note_by_id
Update the comment text of a Drata control note. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object. Required: workspace_id, control_id, id, comment.
delete_a_drata_control_note_by_id
Delete a Drata control note by id. Returns an empty 200 response on success. Required: workspace_id, control_id, id.
list_all_drata_control_owners
List control owners for a Drata control. Returns: id, email, firstName, lastName, createdAt, updatedAt. Required: workspace_id, control_id.
create_a_drata_control_owner
Add a control owner to a Drata control. Returns: id, email, firstName, lastName, createdAt, updatedAt. Required: workspace_id, control_id, ownerId.
drata_control_owners_modify
Modify all owners for a Drata control, replacing the entire owner set with the provided user IDs. Returns: ownerIds. Required: workspace_id, control_id, ownerUserIds.
delete_a_drata_control_owner_by_id
Delete a control owner from a Drata control by id. Returns: data (remaining owner records), pagination. Required: workspace_id, control_id, id.
list_all_drata_controls
List Drata controls in a workspace matching the provided filters. Returns: id, name, code, slug, description, activity, frameworkTags, flags, owners, requirements, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id.
create_a_drata_control
Create a new custom Drata control in a workspace. Returns: id, name, code, slug, description, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, name, description, code.
get_single_drata_control_by_id
Get all information for a specific Drata control by id. Returns: id, name, code, slug, description, question, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, id.
update_a_drata_control_by_id
Update an existing Drata control by id. Returns: id, name, code, slug, description, question, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, id.
drata_controls_list_requirements
List compliance requirements mapped to a specific Drata control. Returns: id, name, description, frameworkName, frameworkTag, frameworkSlug, createdAt, updatedAt, longDescription, rationale, additionalInfo, archivedAt. Required: workspace_id, control_id.
drata_controls_reset_requirement_mappings
Reset multiple Drata controls to their original requirement mappings from control templates. Returns: results array with controlId, success, and error for each control reset attempt. Custom controls cannot be reset. Required: workspace_id, controlIds. Max 100 control IDs per request.
drata_controls_perform_action
Perform an action on a Drata control — markOutOfScope archives it and markInScope restores it. Returns the updated control object including id, name, code, slug, archivedAt, rationale, flags, owners, requirements, and evidenceIds. Returns 204 with no body when the control is already in the requested state. Required: workspace_id, control_id, action.
drata_controls_compare_requirements
Compare requirements for multiple Drata controls between tenant mappings and global template mappings. Returns: controlId, alignedRequirements, userMappedRequirements, and templateMappedRequirements per control. Required: workspace_id, controlIds[]. Max 300 control IDs per request.
list_all_drata_custom_connections
List Drata custom connections matching optional filters. Returns: id, clientAlias, providerTypes, createdAt, updatedAt, createdById per connection. Use expand[] to include createdByUser and customResources sub-objects.
create_a_drata_custom_connection
Create a new Drata custom connection. Returns: id, clientAlias, providerTypes, createdAt, updatedAt, createdById, customResources, createdByUser. Required: name, providerTypes. CUSTOM connections also require schema or sampleData, and displayNameKey.
get_single_drata_custom_connection_by_id
Get a single Drata custom connection by id. Returns: id, clientAlias, description, providerTypes, createdAt, updatedAt, createdById. Use expand[] to include createdByUser and customResources sub-objects. Required: id.
update_a_drata_custom_connection_by_id
Update the alias or description of an existing Drata custom connection. Returns: id, clientAlias, description, providerTypes, createdAt, updatedAt, createdById. Required: id.
delete_a_drata_custom_connection_by_id
Delete a Drata custom connection by id. Returns an empty 204 response on success. Required: id.
list_all_drata_custom_data_records
List Custom Data Records for a Drata Custom Connection resource matching the provided filters. Returns: id, attributes (resource-specific fields), sessionId, createdAt, updatedAt. Required: connection_id, resource_id.
drata_custom_data_records_upsert
Create or update Custom Data records for a Drata Custom Connection resource. Accepts a single object or an array of objects; records with matching IDs are updated and new records are created. Returns: id, statusCode, createdAt, updatedAt, and data. Required: connection_id, resource_id, data.
drata_custom_data_records_list_sessions
List Custom Data Sessions for a Drata Custom Connection resource with optional filtering by status. Returns: id, sessionId, status, createdAt, updatedAt, activatedAt, canceledAt. Required: connection_id, resource_id.
drata_custom_data_records_upsert_session
Insert or update Custom Data records in batches for a specific session in Drata. Records remain inactive until the session is completed via the session action endpoint. Returns: id, statusCode, createdAt, updatedAt, and data. Required: connection_id, resource_id, id, data.
drata_custom_data_records_perform_session_action
Perform an action on a Custom Data record session in Drata. Use `complete` to activate all session data and permanently delete records outside the session, or `cancel` to discard the session's data. Returns: sessionId, status, action, connectionId, resourceId. Required: connection_id, resource_id, session_id, action.
update_a_drata_custom_data_record_by_id
Update an existing Custom Data record in Drata by ID. Returns: id, attributes, sessionId, createdAt, updatedAt. Required: connection_id, resource_id, id, data.
delete_a_drata_custom_data_record_by_id
Delete a Custom Data record in Drata by ID. Returns an empty 204 response on success. Required: connection_id, resource_id, id.
list_all_drata_device_documents
List device compliance documents in Drata for a given device. Returns: id, type, name, fileUrl, createdAt, updatedAt for each document. Required: device_id.
drata_device_documents_upload
Upload a new device compliance document to Drata for a given device as multipart form data. Returns: id, type, name, fileUrl, createdAt, updatedAt. Required: device_id, type.
get_single_drata_device_document_by_id
Get a single device compliance document in Drata by id. Returns: id, type, name, fileUrl, createdAt, updatedAt. Required: device_id, id.
delete_a_drata_device_document_by_id
Delete a device compliance document in Drata by id. Returns an empty 200 response on success. Required: device_id, id.
list_all_drata_devices
List all Drata devices. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Optionally filter by externalId, macAddress, serialNumber, sourceType, or personnelId.
drata_devices_list_for_personnel
List Drata devices assigned to a specific personnel member. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Required: personnel_id.
get_single_drata_device_by_id
Get a single Drata device by id. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, antivirusEnabled, encryptionEnabled, firewallEnabled, screenLockTime, complianceChecks, asset, apps, personnelId, and externalId. Required: id.
drata_devices_list_for_connection
List Drata devices for a specific custom connection. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Required: connection_id.
drata_devices_list_apps
List apps installed on a specific Drata device. Returns: id, installedApp. Required: device_id.
drata_devices_upsert
Create or update a device for a Drata custom connection; matches an existing device by serialNumber, macAddress, or externalId and updates it if found, otherwise creates a new one. Returns: id, serialNumber, model, osVersion, isDeviceCompliant, antivirusEnabled, encryptionEnabled, firewallEnabled, createdAt, asset. Required: connection_id, personnelId, platformName, platformVersion.
delete_a_drata_device_by_id
Delete a device from a Drata custom connection by id. Returns an empty 204 response on success. Required: connection_id, id.
list_all_drata_events
List Drata events matching the provided filters. Returns: id, type, category, source, description, status, createdAt, userId, connectionId, requestDescription, testName, and testId per event. Optionally filter by type, category, source, workspaceId, userId, connectionId, createdAtStartDate, or createdAtEndDate.
get_single_drata_event_by_id
Get details for a single Drata event by id. Returns: id, type, category, source, description, status, createdAt, userId, connectionId, requestDescription, testName, testId, metadata, user, connection, and issues. Required: id.
drata_events_create_download_job
Create an asynchronous PDF download job for a Drata event. Returns: jobId, status, result, createdAt, completedAt, and errorMessage. Poll the get_download_job method with the returned jobId to check progress and retrieve the download URL. Required: event_id.
drata_events_get_download_job
Retrieve the status and result of a Drata event PDF download job. Returns: jobId, status, result, createdAt, completedAt, and errorMessage. Check result for the pre-signed download URL once status indicates completion. Required: event_id, id.
list_all_drata_evidence_library
List evidence library items in Drata, with optional filters by name and status. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id.
create_a_drata_evidence_library
Create a new evidence library item in Drata. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, versions, renewalSchema, controls. Required: workspace_id, name. When attaching an artifact source (file, base64File, url, or ticketUrl), filedAt, renewalScheduleType, and ownerId are also required.
get_single_drata_evidence_library_by_id
Get a specific evidence library item by ID in Drata. Returns: id, name, description, implementationGuidance, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id, id.
update_a_drata_evidence_library_by_id
Update an existing evidence library item in Drata. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id, id. When adding a new artifact source (file, base64File, url, or ticketUrl), filedAt and renewalScheduleType are also required.
delete_a_drata_evidence_library_by_id
Delete an evidence library item by ID in Drata. Returns an empty 204 response on success. Required: workspace_id, id.
drata_evidence_library_get_version
Get a specific version of a Drata Evidence Library item by version ID. Returns: id, name, version, current, filedAt, createdAt, updatedAt, and optionally downloadUrl when expanded. Required: workspace_id, evidence_library_id, id.
list_all_drata_frameworks
List Frameworks in a Drata workspace matching optional filters. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id.
create_a_drata_framework
Create a new custom compliance Framework in a Drata workspace. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id, name, shortName, description.
update_a_drata_framework_by_id
Update an existing custom compliance Framework in a Drata workspace. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id, id.
drata_framework_requirements_list_legacy
(Deprecated) List Drata framework requirements across all frameworks matching provided filters. Returns: id, name, description, frameworkName, frameworkTag, category, createdAt, updatedAt. Required: workspace_id. Prefer the list method instead.
drata_framework_requirements_update_legacy
(Deprecated) Update custom field values on a Drata framework requirement. Returns: id, name, description, frameworkName, frameworkTag, category, createdAt, updatedAt, customFields. Required: workspace_id, id. Prefer the update method which also supports structural-field changes.
list_all_drata_framework_requirements
List requirements scoped to a specific framework in Drata. Returns: id, code, name, description, category, createdAt, updatedAt. Required: workspace_id, framework_id.
create_a_drata_framework_requirement
Create or update one or more requirements on a custom Drata framework. Returns: data (array of created requirements each with id, code, name, description, category, createdAt, updatedAt). Required: workspace_id, framework_id, data. Duplicate codes or unknown control IDs fail the entire batch.
update_a_drata_framework_requirement_by_id
Update a custom Drata framework requirement including core fields, control mappings, and custom field values. Returns: id, code, name, description, category, controls, createdAt, updatedAt. Required: workspace_id, framework_id, id.
list_all_drata_hris_user_identities
List all active HRIS user identities for a Drata custom HRIS connection. Returns: id, identityId, email, firstName, lastName, jobTitle, managerId, managerName, startedAt, separatedAt, isContractor, createdAt, updatedAt. Required: connection_id.
drata_hris_user_identities_upsert
Create or update one or more HRIS user identities in a Drata custom HRIS connection. Each record is keyed by identityId — existing records are updated, new ones are created; partial updates are supported. Returns an array of per-item results including statusCode, data (id, identityId, email, firstName, isContractor, createdAt, updatedAt), and error. Required: connection_id, identityId (per item). Accepts 1–1000 items per batch.
get_single_drata_hris_user_identity_by_id
Get a single HRIS user identity from a Drata custom HRIS connection by id. Returns: id, identityId, email, firstName, lastName, jobTitle, managerId, managerName, startedAt, separatedAt, isContractor, createdAt, updatedAt. Required: connection_id, id.
delete_a_drata_hris_user_identity_by_id
Soft-delete a Drata HRIS user identity by id. Intended for records submitted in error (e.g. test data or duplicates), not for offboarding — use the upsert endpoint with separatedAt to reflect an employee departure. Returns an empty 204 response on success. Required: connection_id, id.
list_all_drata_monitoring_tests
List Drata monitoring tests within a workspace, optionally filtered by result status, system status, check type, or test source. Returns: id, name, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince. Required: workspace_id.
get_single_drata_monitoring_test_by_id
Get a specific Drata monitoring test by its workspace-scoped testId. Returns: id, name, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince, monitorInstances, controls. Required: workspace_id, id (pass the testId value from the list response, not the internal id field).
update_a_drata_monitoring_test_by_id
Update a Drata monitoring test's name, description, and/or enabled state. Returns: id, name, description, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince, monitorInstances, controls. Required: workspace_id, id (pass the testId value from the list response, not the internal id field).
drata_monitoring_tests_list_exclusions
List exclusions for a specific Drata monitoring test. Returns: id, targetId, targetName, exclusionReason, createdAt, updatedAt, connection, exclusionDesignator. Required: workspace_id, test_id.
drata_monitoring_tests_list_failures
List resources currently failing a specific Drata monitoring test; manually excluded failures are omitted by default unless includeExclusions is set to true. Returns: id, providerName, resourceName, accountName, clientId, resourceArn, organizationalUnitId, region, tags, cause. Required: workspace_id, test_id.
drata_monitoring_tests_list_passes
List resources currently passing a specific Monitoring Test in Drata. Returns an empty page for tests that do not emit passing-resource data. Returns: id, providerName, resourceName, accountName, clientId, resourceArn, organizationalUnitId, region, tags, cause. Required: workspace_id, test_id.
list_all_drata_personnel
List Drata personnel records with optional filtering by employmentStatus and complianceStatus. Returns: id, userId, employmentStatus, startedAt, separatedAt, createdAt, updatedAt, user, complianceChecks, and customFields per record.
get_single_drata_personnel_by_id
Get a single Drata personnel record by id. Returns: id, userId, employmentStatus, startedAt, separatedAt, statusUpdatedAt, createdAt, updatedAt, user, reasonProvider, complianceChecks, and customFields. Required: id.
update_a_drata_personnel_by_id
Update a single Drata personnel record by id. Returns the updated record including id, userId, employmentStatus, startedAt, separatedAt, statusUpdatedAt, createdAt, updatedAt, user, reasonProvider, complianceChecks, and customFields. Required: id. Manually updated fields no longer receive automatic IdP/HRIS sync.
drata_personnel_perform_action
Perform a sync-reset action on Drata personnel records. Use reset-sync for specific personnel IDs or reset-sync-all to reset all personnel. Returns: count of affected records. Required: action.
list_all_drata_policies
List published Drata policies matching the provided filters. Returns: id, name, status, createdAt, renewalDate, version, subVersion, owner, and groups.
create_a_drata_policy
Create a new Drata policy with an initial draft version using file upload (UPLOADED) or an existing external file reference (EXTERNAL). Returns: id, name, status, ownerId, renewalDate, createdAt, and latestVersion. Required: name, ownerId, sourceType, renewalDate, description.
get_single_drata_policy_by_id
Get a specific published Drata policy by id. Returns: id, name, status, description, createdAt, renewalDate, publishedAt, approvedAt, version, owner, groups, and controls. Required: id.
update_a_drata_policy_by_id
Modify an existing Drata policy by id. Returns: id, name, description, status, createdAt, renewalDate, publishedAt, approvedAt, owner, groups, and controls. Required: id.
drata_policies_assign_owner
Assign an owner to a Drata policy by policy_id. Returns an empty 204 response on success. Required: policy_id, userId.
drata_policies_get_approval_configuration
Get the approval configuration for a specific policy in Drata. Returns: reviewGroups, each containing name, tier, consensusRule, timeline, and approvers. Required: policy_id.
drata_policies_add_approval_configuration
Append a new review group tier to the end of a policy's approval sequence in Drata. Returns: name, tier, consensusRule, timeline, approvers. Required: policy_id, name, userIds, consensusRule, timeline. Maximum of 6 tiers per policy.
drata_policies_update_approval_configuration
Update a single review group tier by its 1-based tier position within a policy's approval sequence in Drata. Other tiers are not affected. Returns: name, tier, consensusRule, timeline, approvers. Required: policy_id, id, name, userIds, consensusRule, timeline.
drata_policies_remove_approval_configuration
Remove a single review group tier by its 1-based tier position from a policy's approval sequence in Drata. Remaining tiers are renumbered to stay contiguous. Returns an empty 204 response on success. Required: policy_id, id.
drata_policies_list_actions
List available actions the authenticated user can perform on a specific policy in Drata based on its current state. Returns: action, label, description, payloadSchema. Required: policy_id.
drata_policies_perform_action
Execute an action on a Drata policy such as submit for approval, approve, request changes, override approve, publish, discard, or reset to template. Returns: success, newStatus, message. Required: policy_id, action.
drata_policies_list_versions
List policy versions for a specific Drata policy with optional filters by status, version number, and current flag. Returns: id, policyVersionStatus, version, current, createdAt, renewalDate, subVersion, updatedAt, policy, requiresAcknowledgment. Required: policy_id.
drata_policies_get_version
Get a specific Drata policy version by its ID with optional expansion of owner, SLA configurations, and download URLs. Returns: id, policyVersionStatus, version, current, createdAt, updatedAt, renewalDate, subVersion, type, policy, requiresAcknowledgment. Required: policy_id, id.
list_all_drata_risk_documents
List all documents associated with a specific risk in Drata. Returns: id, name, downloadUrl, createdAt. Required: risk_register_id, risk_id.
drata_risk_documents_upload
Upload one or more documents for a specific risk in Drata. Returns a documents array where each entry includes id, name, downloadUrl, and createdAt. Required: risk_register_id, risk_id, files. Max 10 files, 25MB each.
get_single_drata_risk_document_by_id
Get a specific risk document in Drata by its ID. Returns: id, name, downloadUrl, createdAt. Required: risk_register_id, risk_id, id.
delete_a_drata_risk_document_by_id
Delete a specific risk document in Drata by its ID. Returns an empty 204 response on success. Required: risk_register_id, risk_id, id.
list_all_drata_risk_library
List risk library items within a Drata risk register, filterable by riskId, title, or description. Returns: id, riskId, title, description, controls, and categories per item. Required: risk_register_id.
get_single_drata_risk_library_by_id
Get a single Drata risk library item by id within a risk register. Returns: id, riskId, title, description, controls, and categories. Required: risk_register_id, id.
drata_risk_library_copy_to_register
Copy risk library items from the Drata risk library to a risk register by specific IDs or predefined groups. Returns data containing an array of copied risk items with id, riskId, title, description, and registerId per record. Required: bulkActionType, riskIds, riskGroups, registerId.
list_all_drata_risk_notes
List risk notes for a specific risk in Drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id.
create_a_drata_risk_note
Create a new note for a specific risk in Drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, comment.
get_single_drata_risk_note_by_id
Get a single risk note by id for a specific risk in drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, id.
update_a_drata_risk_note_by_id
Update a specific risk note by id in drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, id, comment.
delete_a_drata_risk_note_by_id
Delete a specific risk note by id in drata. Returns an empty 204 response on success. Required: risk_register_id, risk_id, id.
list_all_drata_risk_registers
List all Drata Risk Registers associated with the account. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Supports filtering by name, ownerIds, and workspaceIds, and expanding the workspaces sub-object.
create_a_drata_risk_register
Create a new Drata Risk Register. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: name.
get_single_drata_risk_register_by_id
Get a single Drata Risk Register by id. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: id.
update_a_drata_risk_register_by_id
Update a Drata Risk Register by id. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: id.
delete_a_drata_risk_register_by_id
Delete a Drata Risk Register by id. Returns an empty 204 response on success. Required: id.
list_all_drata_risks
List risks in a Drata Risk Register matching optional filters. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt; expanded sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, customFields) available via expand[]. Required: risk_register_id.
create_a_drata_risk
Create a new custom risk in a Drata Risk Register. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, riskRegister, and associated sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, customFields). Required: risk_register_id, title, description.
get_single_drata_risk_by_id
Get detail for a single Drata risk by id. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, controls, categories, owners, reviewers, documents, notes, tickets, tasks, riskRegister, and customFields. Required: risk_register_id, id.
update_a_drata_risk_by_id
Update an existing risk in a Drata Risk Register by id. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, and associated sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, riskRegister, customFields). Required: risk_register_id, id.
drata_risks_get_insights
Retrieve comprehensive analytics for a Drata Risk Register including posture distribution, treatment overview, heatmap, and historical trends. Returns: riskPosture, treatmentOverview, riskHeatmap, categoryBreakdown, scored, remaining, riskOverTime. Required: risk_register_id. Requires Risk Management Pro.
list_all_drata_tasks
List Drata tasks in a workspace matching the provided filters. Returns: id, title, status, taskType, dueDate, assigneeId, createdAt, updatedAt, controls, risks, policies. Required: workspace_id.
create_a_drata_task
Create a new Drata task in a workspace. Returns the created task including id, title, status, taskType, dueDate, assigneeId, createdById, createdAt, updatedAt, controls, risks, and policies. Required: workspace_id, title, dueDate.
get_single_drata_task_by_id
Get details for a specific Drata task by id. Returns: id, title, description, status, taskType, dueDate, completedAt, createdAt, updatedAt, assigneeId, createdById, assignee, createdBy, controls, risks, policies. Required: workspace_id, id.
update_a_drata_task_by_id
Update an existing Drata task by id. Returns the updated task including id, title, status, taskType, dueDate, assigneeId, createdById, createdAt, updatedAt, controls, risks, and policies. Required: workspace_id, id.
drata_tasks_perform_action
Perform a complete or uncomplete action on a Drata task. Returns the updated task including id, title, status, taskType, dueDate, completedAt, assigneeId, createdById, createdAt, and updatedAt. Required: workspace_id, task_id, action.
drata_tasks_list_upcoming
List upcoming tasks in a Drata workspace, sourced from policy renewals, vendor reviews, external evidence due dates, library document renewals, control approvals, and custom tasks. Returns: sourceId, name, taskType, dueDate, status, completedAt, assigneeIds. Required: workspace_id.
list_all_drata_user_documents
List user documents in Drata for a specific user, with optional filters by name and type. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id.
drata_user_documents_upload
Upload a user document to Drata as manual compliance evidence for a specific user. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id, type.
get_single_drata_user_document_by_id
Get the full detail of a Drata user document by id. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id, id.
delete_a_drata_user_document_by_id
Delete a Drata user document by id. Returns an empty 204 response on success. Required: user_id, id.
list_all_drata_user_assigned_policies
List assigned policies for a Drata user, tracking acknowledgement of policy versions. Returns: id, acceptedAt, sourceType, policyId, policyVersionId, policy, and policyVersion. Required: user_id.
drata_user_assigned_policies_acknowledge
Acknowledge a Drata user's assigned policy version, recording the date of acceptance. Returns: id, acceptedAt, createdAt, updatedAt, sourceType, policyId, policyVersionId, policy, and policyVersion. Required: user_id, policy_id, and acceptedAt. acceptedAt must be within the last year.
list_all_drata_roles
List Drata roles matching the provided filters. Returns: id, role, createdAt, updatedAt, and permissions (when expanded via expand[]).
get_single_drata_role_by_id
Get the full detail of a single Drata role by id. Returns: id, role, createdAt, updatedAt, permissions. Required: id.
drata_roles_list_users
List all Drata users assigned to a specific role. Returns: id, email, firstName, lastName, jobTitle, createdAt, updatedAt, roles, and optionally backgroundChecks, documents, identities when expanded. Required: role_id.
list_all_drata_vendor_documents
List compliance-related vendor documents for a given vendor in Drata. Returns: id, name, type, createdAt, updatedAt, and optionally downloadUrl. Required: vendor_id.
drata_vendor_documents_upload
Upload a compliance-related vendor document (such as a SOC report, bridge letter, or questionnaire) to a vendor in Drata. Returns the created document including id, name, type, createdAt, and updatedAt. Required: vendor_id, file.
get_single_drata_vendor_document_by_id
Get a single vendor document by id in Drata. Returns: id, name, type, createdAt, updatedAt, and downloadUrl. Required: vendor_id, id.
list_all_drata_vendor_types
List all vendor types configured in Drata. Returns: id, name. Supports optional sorting via sort and sortDir, and total-count inclusion via includeTotalCount.
create_a_drata_vendor_type
Create a new vendor type in Drata. Returns: id, name. Required: name.
update_a_drata_vendor_type_by_id
Update an existing vendor type in Drata by id. Returns: id, name. Required: id, name.
delete_a_drata_vendor_type_by_id
Soft delete a vendor type in Drata by id. Returns an empty 204 response on success. Required: id.
list_all_drata_vendor_security_reviews
List all security reviews for a given vendor in Drata, cursor-paginated. Returns: id, status, type, decision, title, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id.
create_a_drata_vendor_security_review
Create a new security review for a given vendor in Drata. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id, reviewDeadlineAt, securityReviewStatus, securityReviewType.
drata_vendor_security_reviews_create_with_file
Create a new vendor security review in Drata with an attached file in a single atomic operation. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, socReviewForm. Required: vendor_id, title, reviewDeadlineAt, securityReviewStatus, securityReviewType, file.
get_single_drata_vendor_security_review_by_id
Get a specific vendor security review by id in Drata. For SOC_REPORT reviews the response includes full socReviewForm data. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id, id.
update_a_drata_vendor_security_review_by_id
Update a vendor security review in Drata. The title field applies to all review types; socForm is only processed when the review type is SOC_REPORT. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, socReviewForm. Required: vendor_id, id.
drata_vendor_security_reviews_upload_questionnaire
Upload one or more security questionnaire files to a vendor in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Required: vendor_id, files.
drata_vendor_security_reviews_list_questionnaires
List security questionnaires belonging to a vendor security review in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Archived or soft-deleted questionnaires are excluded. Required: vendor_id, security_review_id.
drata_vendor_security_reviews_upload_questionnaire_for_review
Upload one or more security questionnaire files to a vendor for a specific security review in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Required: vendor_id, security_review_id, files.
drata_vendor_security_reviews_list_actions
List available actions for a vendor security review in Drata based on its current state (e.g. Finalize, Reopen). Returns: action. Required: vendor_id, security_review_id. Currently only SOC report type security reviews are supported.
drata_vendor_security_reviews_perform_action
Execute an action on a vendor security review in Drata. Finalize marks the review as complete; reopen returns a completed review to in-progress. Returns: success, newStatus, message. Required: vendor_id, security_review_id, action. Currently only SOC report type security reviews are supported.
list_all_drata_vendors
List Drata vendors matching provided filters. Returns vendor records including id, name, category, risk, status, type, location, hasPii, createdAt, and updatedAt. Supports filtering by category, status, risk, type, impactLevel, and renewalDate.
create_a_drata_vendor
Create a new vendor in Drata. Returns the created vendor object including id, name, category, risk, status, type, hasPii, createdAt, and updatedAt. Required: name.
drata_vendors_get_stats
Retrieve vendor statistics for specified scopes in Drata. Returns aggregated key-count breakdowns including reminder, hasPii, businessUnits, passwordPolicy, status, risk, and impactLevel. Required: expand.
get_single_drata_vendor_by_id
Get a single Drata vendor by id. Returns the full vendor record including id, name, category, risk, status, type, location, hasPii, passwordPolicy, createdAt, and updatedAt. Required: id.
update_a_drata_vendor_by_id
Update Drata vendor details by id. Returns the updated vendor object including id, name, category, risk, status, type, location, cost, createdAt, and updatedAt. Required: id.
delete_a_drata_vendor_by_id
Delete a Drata vendor by id. Returns an empty 204 response on success. Required: id.
drata_vendors_list_questionnaires
List questionnaires sent to a Drata vendor. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id.
drata_vendors_send_questionnaire
Send a questionnaire to a Drata vendor contact. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id.
drata_vendors_get_questionnaire
Get a specific questionnaire for a Drata vendor by id. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id, id.
Why Truto
Why use Truto’s MCP server for Drata
Other MCP servers give you a static tool list for one app. Truto gives you a managed, multi-tenant MCP infrastructure across 550+ integrations.
Auto-generated, always up to date
Tools are dynamically generated from curated documentation — not hand-coded. As integrations evolve, tools stay current without manual maintenance.
Fine-grained access control
Scope each MCP server to read-only, write-only, specific methods, or tagged tool groups. Expose only what your AI agent needs — nothing more.
Multi-tenant by design
Each MCP server is scoped to a single connected account with its own credentials. The URL itself is the auth token — no shared secrets, no credential leaking across tenants.
Works with every MCP client
Standard JSON-RPC 2.0 protocol. Paste the URL into Claude, ChatGPT, Cursor, or any MCP-compatible agent framework — tools are discovered automatically.
Built-in auth, rate limits, and error handling
Tool calls execute through Truto’s proxy layer with automatic OAuth refresh, rate-limit handling, and normalized error responses. No raw API plumbing in your agent.
Expiring and auditable servers
Create time-limited MCP servers for contractors or automated workflows. Optional dual-auth requires both the URL and a Truto API token for high-security environments.
Unified APIs
Unified APIs for Drata
Skip writing code for every integration. Use Truto’s category-specific Unified APIs out of the box or customize the mappings with AI.
How It Works
From zero to integrated
Go live with Drata in under an hour. No boilerplate, no maintenance burden.
Link your customer’s Drata account
Use Truto’s frontend SDK to connect your customer’s Drata account. We handle all OAuth and API key flows — you don’t need to create the OAuth app.
We handle authentication
Don’t spend time refreshing access tokens or figuring out secure storage. We handle it and inject credentials into every API request.
Call our API, we call Drata
Truto’s Proxy API is a 1-to-1 mapping of the Drata API. You call us, we call Drata, and pass the response back in the same cycle.
Unified response format
Every response follows a single format across all integrations. We translate Drata’s pagination into unified cursor-based pagination. Data is always in the result attribute.
FAQs
Common questions about Drata on Truto
Authentication, rate limits, data freshness, and everything else you need to know before you integrate.
What operations does the Drata integration support through Truto?
The integration currently supports three read operations: listing all company info, listing all users, and fetching a single user by ID. These map to Truto's Unified User Directory API resources (Users, Roles).
What user data can I pull from Drata via Truto?
Each Drata user record includes fields like email, jobTitle, roles, identities, backgroundChecks, documents, and drataTermsAgreedAt — giving you both identity and compliance-specific metadata per employee.
Does Truto handle authentication with Drata?
Yes. Truto manages the full auth flow for Drata. Your end users connect their Drata account through Truto's embedded linking experience, and Truto handles token management and secure credential storage.
Does Truto handle pagination when listing Drata users?
Yes. Truto abstracts away Drata's pagination logic. When you call list_all_drata_users, Truto manages page cursors and rate limits behind the scenes so you receive a complete dataset through a consistent interface.
Can I write data back to Drata through this integration?
The currently available tools are read-only — list company info, list users, and get a user by ID. Write operations are not included in the current tool set. Contact Truto if you need push capabilities.
How does Drata data map to Truto's Unified User Directory API?
Drata users and their role assignments are normalized into Truto's unified Users and Roles resources. This means you can query Drata user data using the same schema you use for other identity providers connected through Truto.