Overview
RansomLeak's Drata integration pushes training-completion records into a Drata Custom Connection, where a Custom Test you build maps them to your controls. You connect once, and your security-awareness evidence stays current between audits instead of being assembled by hand.
What lands in Drata, on every completion and on the hourly sync:
- A record per person and training path
- Mapped to controls by your Custom Test
- Every framework tag, including NIS2
- Current within about a minute
The connection is one-directional. RansomLeak writes records into the Custom Connection you own and never reads your other Drata data. Employees take the training on the RansomLeak platform, and completion flows to Drata as evidence.
What it evidences
Each record carries the frameworks tagged on the training path, and your Custom Test turns those records into a pass or fail on the controls you choose. RansomLeak does not drop tags, so newer frameworks come through too.
| Framework | Awareness-training control |
|---|---|
| SOC 2 | CC1.4 (workforce competence and security awareness) |
| ISO 27001 | A.7.2.2 (information security awareness, education, and training) |
| NIS2 | Article 21(2)(g) (basic cyber hygiene and security training) |
| HIPAA | § 164.308(a)(5) (security awareness and training) |
| PCI DSS | Requirement 12.6 (security awareness program) |
Because the mapping lives in your Custom Test, you decide which records satisfy which controls. A single training path tagged for several frameworks can support all of them at once.
Connect Drata
You set up a Custom Connection in Drata, hand RansomLeak the keys to it, then map the records with a Custom Test. It takes a few minutes and no engineering.
- In Drata, create a Custom Connection with a resource for training records, and mint an API key with the Custom Connections Data scope. Note the Connection ID and Resource ID.
- In RansomLeak, go to Admin → Integrations → Drata and paste the API key, Connection ID, and Resource ID. Select Connect, and the first sync posts your current records.
- Back in Drata, build a Custom Test on the records (for example, a person passes when their training status is complete) and map it to your controls.
You need the Manage Integrations permission in RansomLeak and rights in Drata to create a Custom Connection and an API key. For help during setup, email support@ransomleak.com.
How the sync works
RansomLeak posts one record per person and training path. Each record upserts on a stable key, so a later sync updates the same record rather than duplicating it. People are matched by work email.
| In RansomLeak | In Drata |
|---|---|
| A person completes a training path | Their record updates to complete, with the completion date, on the next sync. |
| A new person is enrolled in a path | A record is created so the Custom Test can track them. |
| Training is reassigned on a new cycle | The record reflects the new due date and status. |
Syncs run:
- On every completion, within about a minute
- Hourly, as a safety net
- Manually, whenever you want
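The record shape, the upsert on a stable key, and a Custom Test of the kind described in the setup steps, modelled locally in Python as an added example (not RansomLeak's or Drata's code). The field names, the (work email, training path) key, the pass rule, and the control mapping copied from the table above are assumptions for illustration; no Drata API is called, and unmapped tags such as HITRUST stay on the record but produce no control decision.

```python
"""Local model of the training-record flow (added example, not RansomLeak's
or Drata's code). Record fields, the stable key and the pass rule are
assumptions; the framework-to-control mapping is taken from the page's table."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed mapping, one awareness-training control per framework (from the table).
FRAMEWORK_CONTROLS: Dict[str, str] = {
    "SOC 2": "CC1.4",
    "ISO 27001": "A.7.2.2",
    "NIS2": "Article 21(2)(g)",
    "HIPAA": "164.308(a)(5)",
    "PCI DSS": "12.6",
}


@dataclass(frozen=True)
class TrainingRecord:
    """One record per person and training path (assumed field names)."""
    email: str
    path_id: str
    status: str                      # "complete" or "incomplete"
    due: date
    completed: Optional[date]
    frameworks: Tuple[str, ...]      # tags pass through verbatim, nothing dropped

    @property
    def key(self) -> Tuple[str, str]:
        # Stable key: people are matched by work email (case-insensitive here),
        # so a re-push for the same person and path replaces, not duplicates.
        return (self.email.lower(), self.path_id)


class RecordStore:
    """Stand-in for the Custom Connection resource that receives the records."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], TrainingRecord] = {}

    def upsert(self, rec: TrainingRecord) -> Tuple[str, str]:
        self.records[rec.key] = rec      # later sync overwrites the same key
        return rec.key

    def __len__(self) -> int:
        return len(self.records)


def custom_test(store: RecordStore,
                mapping: Dict[str, str] = FRAMEWORK_CONTROLS,
                today: Optional[date] = None) -> Dict[str, dict]:
    """Evaluate a Custom Test: a control passes when every enrolled person whose
    path carries that control's framework tag has status complete with a
    completion date. Incomplete records past their due date are also listed
    as overdue when `today` is given."""
    results: Dict[str, dict] = {}
    for rec in store.records.values():
        for tag in rec.frameworks:
            control = mapping.get(tag)
            if control is None:
                continue  # unmapped tag (e.g. HITRUST): kept on record, no decision
            entry = results.setdefault(control, {"pass": True, "failing": [], "overdue": []})
            if rec.status != "complete" or rec.completed is None:
                entry["pass"] = False
                entry["failing"].append(rec.email)
                if today is not None and rec.due < today:
                    entry["overdue"].append(rec.email)
    return results


def demo() -> Dict[str, dict]:
    """Constructed sample: Alice is pushed twice (re-push replaces), Bob is
    enrolled but not finished, so SOC 2 and NIS2 controls fail on Bob only."""
    store = RecordStore()
    store.upsert(TrainingRecord("alice@example.com", "phish-101", "incomplete",
                                date(2025, 3, 1), None, ("SOC 2", "NIS2")))
    store.upsert(TrainingRecord("Alice@example.com", "phish-101", "complete",
                                date(2025, 3, 1), date(2025, 2, 10),
                                ("SOC 2", "NIS2", "HITRUST")))
    store.upsert(TrainingRecord("bob@example.com", "phish-101", "incomplete",
                                date(2025, 3, 1), None, ("SOC 2", "NIS2")))
    assert len(store) == 2   # Alice's second push replaced her first record
    return custom_test(store, today=date(2025, 3, 15))


if __name__ == "__main__":
    for control, outcome in demo().items():
        print(control, "PASS" if outcome["pass"] else "FAIL", outcome["failing"])
```

The evaluator is deliberately written per framework tag rather than per person, so a single path tagged for several frameworks feeds every mapped control at once, which is the behaviour the page describes.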
Permissions and data handling
The connection uses a Drata API key scoped to Custom Connections Data. It is one-directional and writes only the record fields the Custom Test needs.
- Directory fields only, never passwords or secrets
- The API key is encrypted at rest
- Disconnecting deletes the key on RansomLeak's side
The API key stays yours: disconnecting removes it from RansomLeak, and you can revoke it in Drata at any time. For how RansomLeak handles data, see the privacy policy and the security and compliance page.
Frequently asked questions
Does RansomLeak integrate with Drata?
Yes, and it is live. Completed training streams into a Drata Custom Connection as records, and a Custom Test maps them to your security-awareness controls. That keeps evidence for SOC 2, ISO 27001, HIPAA, PCI DSS, and NIS2 current between audits, with no manual export.
How does the Drata integration work?
RansomLeak posts one record per person and training path to a Custom Connection you create in Drata, authenticated with a Drata API key. You then build a Custom Test that asserts on those records, for example that a person is compliant when their training is complete, and map that test to the controls you care about. It is one-directional: RansomLeak writes records and never reads your Drata data back.
Which compliance frameworks does it cover?
RansomLeak sends every framework tag on a training path verbatim, including NIS2, HITRUST, and DORA, and your Custom Test decides which controls each record counts toward. Common mappings are SOC 2 CC1.4, ISO 27001 A.7.2.2, NIS2 Article 21(2)(g), HIPAA Security Awareness and Training, and PCI DSS Requirement 12.6.
What do I need to connect Drata?
Three things from Drata: an API key with the Custom Connections Data scope, and the Connection ID and Resource ID of a Custom Connection you create. You paste all three into RansomLeak, and the first sync runs on its own.
How current is the evidence?
It updates on every completion, usually within about a minute, and an hourly sync reconciles as a safety net. Records upsert on a stable key, so a re-push replaces the existing record rather than creating a duplicate.
How is this different from the Vanta integration?
With Vanta, RansomLeak connects over OAuth and posts to its own connector with a fixed set of frameworks. With Drata, RansomLeak uses an API key into a Custom Connection you own, you control the Custom Test and the control mapping, and every framework tag passes through, including NIS2.
Need a hand?
Email support@ransomleak.com and we will help you connect Drata to your tenant.