Controls

Find controls by search terms and filters

List Controls given the provided search terms and filters

🔒 Requires Controls: List Controls permission.

Security: bearer
Request
query Parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

q
string

Filter data by searching for control names, codes, or descriptions

Example: q=Least-Privileged Policy for Customer Data Access
frameworkTags
Array of strings

Filter data by controls associated with these framework tags

Items Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "CUSTOM"
Example: frameworkTags=SOC_2&frameworkTags=ISO27001
frameworkSlug
string

Filter data by controls associated with this custom framework slug

Example: frameworkSlug=soc2
trustServiceCriterion
string

Filter controls on their Trust Service Criteria

Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY"
Example: trustServiceCriterion=AVAILABILITY
trustServiceCriteria
Array of strings

Filter controls on their Trust Service Criteria

Items Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY"
Example: trustServiceCriteria=AVAILABILITY&trustServiceCriteria=CONFIDENTIALITY
ismsCategory
Array of strings

Filter controls on their ISMS requirements

Items Enum: "CONTEXT_OF_THE_ORGANIZATION" "LEADERSHIP" "PLANNING" "SUPPORT" "OPERATION" "PERFORMANCE_EVALUATION" "IMPROVEMENT"
Example: ismsCategory=CONTEXT_OF_THE_ORGANIZATION&ismsCategory=LEADERSHIP
isms2022Category
Array of strings

Filter controls on their ISMS requirements

Items Enum: "CONTEXT_OF_THE_ORGANIZATION" "LEADERSHIP" "PLANNING" "SUPPORT" "OPERATION" "PERFORMANCE_EVALUATION" "IMPROVEMENT"
Example: isms2022Category=CONTEXT_OF_THE_ORGANIZATION&isms2022Category=LEADERSHIP
isAnnexA2022
boolean

Filter controls on if they are an Annex A requirement

Example: isAnnexA2022=true
rules
Array of strings

Filter controls on their HIPAA rules

Items Enum: "SECURITY" "BREACH_NOTIFICATION" "PRIVACY"
Example: rules=BREACH_NOTIFICATION&rules=PRIVACY
subRules
Array of strings

Filter controls on their HIPAA sub-rules

Items Enum: "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES"
Example: subRules=GENERAL_RULES&subRules=ADMINISTRATIVE_SAFEGUARDS
pciRequirements
Array of strings

Filter controls on their PCI requirements

Items Enum: "FIREWALL" "PASSWORDS" "DATA_AT_REST_PROTECTION" "DATA_IN_TRANSIT_ENCRYPTION" "MALWARE_PROTECTION" "SECURE_SYSTEM_MANAGEMENT" "ACCESS_RESTRICTION" "SYSTEM_ACCESS_CONTROL" "PHYSICAL_ACCESS_CONTROL" "NETWORK_ACCESS_MONITORING" "VULNERABILITY_TESTING" "INFORMATION_SECURITY_POLICY"
Example: pciRequirements=FIREWALL&pciRequirements=ACCESS_RESTRICTION
chapters
Array of strings

Filter controls on their GDPR chapters

Items Enum: "PRINCIPLES" "RIGHTS_OF_THE_DATA_SUBJECT" "CONTROLLER_AND_PROCESSOR" "TRANSFERS_OF_PERSONNEL_DATA_TO_THIRD_COUNTRIES_OR_INTERNATIONAL_ORGANIZATIONS"
Example: chapters=CONTROLLER_AND_PROCESSOR&chapters=PRINCIPLES
statutes
Array of strings

Filter controls on their CCPA statutes

Items Enum: "INDIVIDUAL_RIGHTS" "SERVICE_PROVIDER" "SECURITY"
Example: statutes=INDIVIDUAL_RIGHTS&statutes=SERVICE_PROVIDER
regulations
Array of strings

Filter controls on their CCPA regulations

Items Enum: "NOTICES_TO_CONSUMERS" "BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS" "VERIFICATION_OF_REQUESTS" "SPECIAL_RULES_REGARDING_CONSUMERS_UNDER_16_YEARS_OF_AGE" "NON_DISCRIMINATION" "GENERAL_PROVISIONS" "REQUIRED_DISCLOSURES_TO_CONSUMERS" "SERVICE_PROVIDERS_CONTRACTORS_AND_THIRD_PARTIES" "TRAINING_AND_RECORD_KEEPING"
Example: regulations=BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS&regulations=NON_DISCRIMINATION
functions
Array of strings

Filter controls on their NIST CSF Functions

Items Enum: "IDENTIFY" "PROTECT" "DETECT" "RESPOND" "RECOVER"
Example: functions=RECOVER&functions=RESPOND
functions2
Array of strings

Filter controls on their NIST CSF 2.0 Functions

Items Enum: "GOVERN_GV" "IDENTIFY_ID" "PROTECT_PR" "DETECT_DE" "RESPOND_RS" "RECOVER_RC"
Example: functions2=GOVERN_GV&functions2=IDENTIFY_ID
sections
Array of strings

Filter controls on their MSSSPA Section

Items Enum: "MANAGEMENT" "NOTICE" "CHOICE_AND_CONSENT" "COLLECTION" "RETENTION" "DATA_SUBJECTS" "DISCLOSURE_TO_THIRD_PARTIES" "QUALITY" "MONITORING_AND_ENFORCEMENT" "SECURITY"
Example: sections=DATA_SUBJECTS&sections=CHOICE_AND_CONSENT
controlFamilies
Array of strings

Filter controls on their NIST SP 800-171 Control Family

Items Enum: "AUDIT_AND_ACCOUNTABILITY" "CONFIGURATION_MANAGEMENT" "IDENTIFICATION_AND_AUTHENTICATION" "INCIDENT_RESPONSE" "MEDIA_PROTECTION" "PERSONNEL_SECURITY" "PHYSICAL_PROTECTION" "SECURITY_ASSESSMENT" "SYSTEM_AND_COMMUNICATIONS_PROTECTION" "SYSTEM_AND_INFORMATION_INTEGRITY" "ACCESS_CONTROL" "AWARENESS_AND_TRAINING" "MAINTENANCE" "RISK_ASSESSMENT"
Example: controlFamilies=ACCESS_CONTROL&controlFamilies=PERSONNEL_SECURITY
controlClasses
Array of strings

Filter controls on their NIST SP 800-171 Control Class

Items Enum: "TECHNICAL" "OPERATIONAL" "MANAGEMENT"
Example: controlClasses=TECHNICAL
iso27701
Array of strings

Filter controls on their ISO27701 requirements

Items Enum: "PIMS_SPECIFIC_REQUIREMENTS" "PIMS_SPECIFIC_GUIDANCE" "ANNEX_B_CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "ANNEX_B_OBLIGATIONS_TO_PII_PRINCIPLES" "ANNEX_B_PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "ANNEX_B_PII_SHARING_TRANSFER_AND_DISCLOSURE" "ANNEX_A_CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "ANNEX_A_OBLIGATIONS_TO_PII_PRINCIPALS" "ANNEX_A_PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "ANNEX_A_PII_SHARING_TRANSFER_AND_DISCLOSURE"
Example: iso27701=ANNEX_A_CONDITIONS_FOR_COLLECTION_AND_PROCESSING
cobit
Array of strings

Filter controls on their COBIT requirements

Items Enum: "EVALUATE_DIRECT_AND_MONITOR" "ALIGN_PLAN_AND_ORGANIZE" "BUILD_ACQUIRE_AND_IMPLEMENT" "DELIVER_SERVICE_AND_SUPPORT" "MONITOR_EVALUATE_AND_ASSESS"
Example: cobit=ALIGN_PLAN_AND_ORGANIZE
soxitgc
Array of strings

Filter controls on their SOX requirements

Items Enum: "PROGRAM_DEVELOPMENT" "CHANGE_MANAGEMENT" "SYSTEM_OPERATIONS" "ACCESS_MANAGEMENT"
Example: soxitgc=PROGRAM_DEVELOPMENT
controlBaselines
Array of strings

Filter controls on their NIST SP 800-53 Control Baseline

Items Enum: "TECHNICAL" "OPERATIONAL" "MANAGEMENT"
Example: controlBaselines=OPERATIONAL
cmmcClasses
Array of strings

Filter controls on their NIST SP 800-53 Control Baseline

Items Enum: "TECHNICAL" "OPERATIONAL" "MANAGEMENT"
Example: cmmcClasses=MANAGEMENT
domains
Array of strings

Filter controls on their FFIEC Domains

Items Enum: "CYBER_RISK_MANAGEMENT_AND_OVERSIGHT" "THREAT_INTELLIGENCE_AND_COLLABORATION" "CYBERSECURITY_CONTROLS" "EXTERNAL_DEPENDENCY_MANAGEMENT" "CYBER_INCIDENT_MANAGEMENT_AND_RESILIENCE"
Example: domains=CYBERSECURITY_CONTROLS
assessmentFactors
Array of strings

Filter controls on their FFIEC Assessment Factors

Items Enum: "GOVERNANCE" "RISK_MANAGEMENT" "RESOURCES" "TRAINING_AND_CULTURE" "THREAT_INTELLIGENCE" "MONITORING_AND_ANALYZING" "INFORMATION_SHARING" "PREVENTATIVE_CONTROLS" "DETECTIVE_CONTROLS" "CORRECTIVE_CONTROLS" "CONNECTIONS" "RELATIONSHIP_MANAGEMENT" "INCIDENT_RESILIENCE_PLANNING_AND_STRATEGY" "DETECTION_RESPONSE_AND_MITIGATION" "ESCALATION_AND_REPORTING"
Example: assessmentFactors=GOVERNANCE
articles
Array of strings

Filters controls by their NIS 2 Articles

Items Enum: "GOVERNANCE" "RISK_MANAGEMENT" "REPORTING"
Example: articles=GOVERNANCE
doraChapters
Array of strings

Filters controls by their DORA Standards

Items Enum: "REGULATION" "ICT_RMF_RTS"
Example: doraChapters=ICT_RMF_RTS
drataFunctions
Array of strings

Filters controls by their Drata Essentials Function

Items Enum: "PROTECT" "RECOVER" "RESPOND" "IDENTIFY" "DETECT" "GOVERN"
Example: drataFunctions=DETECT
iso420012023
Array of strings

Filters controls by their ISO42001 Sections

Items Enum: "RESOURCES_FOR_AI_SYSTEMS" "INTERNAL_ORGANIZATION" "AI_SYSTEM_LIFE_CYCLE" "ASSESSING_IMPACTS_OF_AI_SYSTEMS" "DATA_FOR_AI_SYSTEMS" "INFORMATION_FOR_INTERESTED_PARTIES_OF_AI_SYSTEMS" "USE_OF_AI_SYSTEMS" "THIRD_PARTY_AND_CUSTOMER_RELATIONSHIPS" "POLICIES_RELATED_TO_AI" "SUPPORT" "OPERATION" "CONTEXT_OF_THE_ORGANIZATION" "PERFORMANCE_EVALUATION" "PLANNING" "LEADERSHIP" "IMPROVEMENT"
Example: iso420012023=AI_SYSTEM_LIFE_CYCLE
nist800171r3ControlFamilies
Array of strings

Filter controls on their NIST SP 800-171 R3 Control Family

Items Enum: "INCIDENT_RESPONSE" "SUPPLY_CHAIN_RISK_MANAGEMENT" "MEDIA_PROTECTION" "AUDIT_AND_ACCOUNTABILITY" "ACCESS_CONTROL" "PHYSICAL_PROTECTION" "CONFIGURATION_MANAGEMENT" "SYSTEM_AND_COMMUNICATIONS_PROTECTION" "IDENTIFICATION_AND_AUTHENTICATION" "PLANNING" "MAINTENANCE" "RISK_ASSESSMENT" "SYSTEM_AND_INFORMATION_INTEGRITY" "SECURITY_ASSESSMENT_AND_MONITORING" "SYSTEM_AND_SERVICES_ACQUISITION" "AWARENESS_AND_TRAINING" "PERSONNEL_SECURITY"
Example: nist800171r3ControlFamilies=ACCESS_CONTROL&nist800171r3ControlFamilies=PERSONNEL_SECURITY
nist800171r3ControlClasses
Array of strings

Filter controls on their NIST SP 800-171 R3 Control Class

Items Enum: "OPERATIONAL" "MANAGEMENT" "TECHNICAL"
Example: nist800171r3ControlClasses=TECHNICAL
cisSafeguards
Array of strings

Filter controls on their NIST SP 800-171 R3 Control Class

Items Enum: "SERVICE_PROVIDER_MANAGEMENT" "DATA_PROTECTION" "DATA_RECOVERY" "CONTINUOUS_VULNERABILITY_MANAGEMENT" "APPLICATION_SOFTWARE_SECURITY" "ACCESS_CONTROL_MANAGEMENT" "INVENTORY_AND_CONTROL_OF_SOFTWARE_ASSETS" "NETWORK_INFRASTRUCTURE_MANAGEMENT" "EMAIL_AND_WEB_BROWSER_PROTECTIONS" "NETWORK_MONITORING_AND_DEFENSE" "AUDIT_LOG_MANAGEMENT" "SECURE_CONFIGURATION_OF_ENTERPRISE_ASSETS_AND_SOFTWARE" "INVENTORY_AND_CONTROL_OF_ENTERPRISE_ASSETS" "MALWARE_DEFENSES" "SECURITY_AWARENESS_AND_SKILLS_TRAINING" "PENETRATION_TESTING" "ACCOUNT_MANAGEMENT" "INCIDENT_RESPONSE_MANAGEMENT"
Example: cisSafeguards=ACCESS_CONTROL_MANAGEMENT
cyberEssentialsRequirements
Array of strings

Filter controls on their Cyber Essentials v3.2 Requirements

Items Enum: "MALWARE_PROTECTION" "DEVICE_UNLOCKING_METHOD" "FIREWALLS" "PASSWORD_BASED_AUTHENTICATION" "SECURITY_UPDATE_MANAGEMENT" "SCOPE" "ADMINISTRATIVE_ACCOUNTS" "SECURE_CONFIGURATION" "USER_ACCESS_CONTROL"
Example: cyberEssentialsRequirements=FIREWALLS
fr20xKSIs
Array of strings

Filter controls on their FedRAMP 20x Requirements

Items Enum: "POLICY_AND_INVENTORY" "SERVICE_CONFIGURATION" "MONITORING_LOGGING_AND_AUDITING" "CHANGE_MANAGEMENT" "CLOUD_NATIVE_ARCHITECTURE" "THIRD_PARTY_INFORMATION_RESOURCES" "IDENTITY_AND_ACCESS_MANAGEMENT" "INCIDENT_REPORTING" "CYBERSECURITY_EDUCATION" "RECOVERY_PLANNING"
Example: fr20xKSIs=CHANGE_MANAGEMENT
hitrustDomains
Array of strings

Filter controls on their HITRUST Requirements

Items Enum: "EDUCATION_TRAINING_AND_AWARENESS" "DATA_PROTECTION_AND_PRIVACY" "PHYSICAL_AND_ENVIRONMENTAL_SECURITY" "AUDIT_LOGGING_AND_MONITORING" "INFORMATION_PROTECTION_PROGRAM" "TRANSMISSION_PROTECTION" "THIRD_PARTY_ASSURANCE" "RISK_MANAGEMENT" "ACCESS_CONTROL" "PASSWORD_MANAGEMENT" "VULNERABILITY_MANAGEMENT" "BUSINESS_CONTINUITY_AND_DISASTER_RECOVERY" "MOBILE_DEVICE_SECURITY" "INCIDENT_MANAGEMENT" "ENDPOINT_PROTECTION" "CONFIGURATION_MANAGEMENT" "NETWORK_PROTECTION" "PORTABLE_MEDIA_SECURITY" "WIRELESS_SECURITY"
Example: hitrustDomains=ACCESS_CONTROL
userIds
Array of numbers

User Ids of Control Owners

Example: userIds=1
isOwned
boolean

Filter controls on if they have a control owner

Example: isOwned=true
isReady
boolean

Filter controls on if they are ready

Example: isReady=true
isAnnexA
boolean

Filter controls on if they are an Annex A requirement

Example: isAnnexA=true
isArchived
boolean

Filter to controls that are or are not archived

Example: isArchived=false
isMonitored
boolean

Filter to controls that are or are not monitored

Example: isMonitored=false
hasEvidence
boolean

Filter to controls with or without evidence

Example: hasEvidence=true
hasPolicy
boolean

Filter to controls with or without policy

Example: hasPolicy=true
hasPassingTest
boolean

Filter to controls with at least one passing test

Example: hasPassingTest=true
excludeIds
Array of numbers

Exclude controls by array of id

excludeRequirementId
number

Exclude controls if they are mapped to this requirement id

requirementId
number

Only include controls if they are mapped to this requirement id

excludeTestId
number

Exclude controls if they are mapped to this test id

testId
number

Only include controls if they are mapped to this test id

hasTicket
string

Only include controls if they are associated with a task management ticket

Enum: "IN_PROGRESS" "ARCHIVED"
Example: hasTicket=0
connectionId
number

This is filled in automatically when using a taskManagementStatus.

reviewersIds
Array of numbers

User Ids of Control Reviewers

Example: reviewersIds=1
taskOwnersIds
Array of numbers

User Ids of TaskOwners

Example: taskOwnersIds=1
workspaceId
number

ID of the workspace associated with the controls

Example: workspaceId=1
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /controls
Response samples
application/json
{
  "data": [
    {
      "id": "123",
      "name": "Databases Monitored and Alarmed",
      "code": "DCF-1002",
      "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
      "slug": "databases-monitored-and-alarmed",
      "workspaceId": 2,
      "archivedAt": "2025-07-01T16:45:55.246Z",
      "frameworkTags": [
        "SOC_2",
        "CCPA"
      ],
      "hasEvidence": false,
      "hasOwner": false,
      "isMonitored": false,
      "topics": [
        1,
        2
      ],
      "isReady": "true",
      "hasTicket": "true"
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}
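Added example, not Drata's own client code: it shows how the page and limit bounds, the repeated-key array parameters (frameworkTags=SOC_2&frameworkTags=ISO27001) and the page/limit/total pagination documented above fit together in a client for GET /controls. The host name, the injected fetch callable and the sample control rows are assumptions; parameter names, bounds and enum values are taken from this page.

```python
"""Build GET /controls query strings and page through the results."""
from typing import Callable, Dict, Iterable, Iterator, Optional
from urllib.parse import parse_qs, urlencode

# Placeholder host: the page does not state the API base URL.
BASE_URL = "https://api.example.invalid"

# Allowed values for frameworkTags, copied from the "Items Enum" above.
FRAMEWORK_TAGS = frozenset({
    "NONE", "SOC_2", "ISO27001", "CCPA", "GDPR", "HIPAA", "PCI", "SCF",
    "NIST80053", "NISTCSF", "CMMC", "NIST800171", "MSSSPA", "FFIEC", "ISO27701",
    "COBIT", "SOX_ITGC", "ISO270012022", "CCM", "CYBER_ESSENTIALS",
    "ISO270172015", "ISO270182019", "FEDRAMP", "NISTAI", "PCI4", "NISTCSF2",
    "NIS2", "DORA", "ISO420012023", "DRATA_ESSENTIALS", "NIST800171R3", "CIS8",
    "CYBER_ESSENTIALS_32", "FEDRAMP20X", "HITRUST", "CUSTOM",
})


def build_controls_query(page: int = 1, limit: int = 20, q: Optional[str] = None,
                         framework_tags: Iterable[str] = (),
                         **flags: Optional[bool]) -> str:
    """Return the query string for GET /controls.

    Enforces the documented bounds (page >= 1, 1 <= limit <= 50) and the
    frameworkTags enum client-side, so a typo fails locally with ValueError
    instead of as a 400 from the API. Extra keyword arguments are the boolean
    filters (isArchived, hasEvidence, ...) sent as "true"/"false"; None means
    "do not send".
    """
    if page < 1:
        raise ValueError("page must be >= 1")
    if not 1 <= limit <= 50:
        raise ValueError("limit must be in [1, 50]")
    tags = list(framework_tags)
    bad = [t for t in tags if t not in FRAMEWORK_TAGS]
    if bad:
        raise ValueError(f"unknown frameworkTags value(s): {bad}")
    pairs = [("page", str(page)), ("limit", str(limit))]
    if q:
        pairs.append(("q", q))
    # Array parameters repeat the key: frameworkTags=SOC_2&frameworkTags=ISO27001
    pairs.extend(("frameworkTags", t) for t in tags)
    for name, value in flags.items():
        if value is not None:
            pairs.append((name, "true" if value else "false"))
    return urlencode(pairs)


def iter_controls(fetch: Callable[[str], Dict], limit: int = 50,
                  **filters) -> Iterator[Dict]:
    """Yield every control matching `filters`, walking page=1..N.

    `fetch(url)` is assumed to perform the bearer-authenticated GET and return
    the decoded JSON body, documented above as
    {"data": [...], "page": n, "limit": n, "total": n}. Iteration stops once
    the pages seen cover `total`, or on an empty page, so it cannot loop forever.
    """
    page = 1
    while True:
        body = fetch(f"{BASE_URL}/controls?"
                     + build_controls_query(page=page, limit=limit, **filters))
        yield from body["data"]
        if not body["data"] or body["page"] * body["limit"] >= body["total"]:
            return
        page += 1


# Constructed stand-in for the real API so the module runs offline.
_SAMPLE_CONTROLS = [  # constructed rows shaped like the response sample above
    {"id": "1", "code": "DCF-1002", "frameworkTags": ["SOC_2", "CCPA"], "isArchived": False},
    {"id": "2", "code": "DCF-1003", "frameworkTags": ["ISO27001"], "isArchived": False},
    {"id": "3", "code": "DCF-1004", "frameworkTags": ["SOC_2"], "isArchived": True},
]


def fake_fetch(url: str) -> Dict:
    """Offline substitute for the HTTP GET: applies frameworkTags/isArchived and pages."""
    params = parse_qs(url.split("?", 1)[1])
    page, limit = int(params["page"][0]), int(params["limit"][0])
    wanted = set(params.get("frameworkTags", []))
    archived = params.get("isArchived", [None])[0]
    rows = [c for c in _SAMPLE_CONTROLS
            if (not wanted or wanted & set(c["frameworkTags"]))
            and (archived is None or c["isArchived"] == (archived == "true"))]
    start = (page - 1) * limit
    return {"data": rows[start:start + limit], "page": page,
            "limit": limit, "total": len(rows)}


if __name__ == "__main__":
    for control in iter_controls(fake_fetch, limit=1, framework_tags=["SOC_2"],
                                 isArchived=False):
        print(control["id"], control["code"])
```

To run against the real service, replace `fake_fetch` with a function that sends the request with an `Authorization: Bearer <token>` header and returns the parsed JSON body.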

Find control external evidence by control id

Get all mapped external evidence to a control

🔒 Requires Controls: Map External Evidence permission.

Security: bearer
Request
path Parameters
id
required
number
query Parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

excludeIds
Array of numbers

Exclude external evidence by array of id

Responses
200

Public Api

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /controls/{id}/external-evidence
Response samples
application/json
{
  "data": [
    {
      "id": "123",
      "name": "Compelling ExternalEvidence",
      "description": "This is very good evidence",
      "file": "/path/to/file.pdf",
      "url": "https://url.com",
      "createdAt": "2021-06-02",
      "renewalDate": "2020-07-06",
      "renewalScheduleType": "ONE_YEAR",
      "isExpired": false
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Get external evidence document download url by document id

Get signed download link for external evidence

🔒 Requires Controls: Map External Evidence permission.

Security: bearer
Request
path Parameters
id
required
number
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /external-evidence/{id}/download
Response samples
application/json
{}

Upload external evidence document by control id

Upload external evidence to map to a control

🔒 Requires Controls: Map External Evidence permission.

Security: bearer
Request
path Parameters
id
required
number
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema:
required
file
string <binary>

Accepted file extensions: .pdf, .docx, .odt, .doc, .xlsx, .ods, .pptx, .odp, .gif, .jpg, .jpeg, .png, .json, .csv, .md, .markdown, .txt, .zip

url
string <uri> <= 768 characters

The url to the evidence

filename
string <= 191 characters

The name of the evidence

base64File
string

JSON string with external evidence in Base64 format.

description
string <= 30000 characters

The description of the evidence

creationDate
required
string <date-time>

Creation date

renewalDate
required
string

Report renewal date

renewalScheduleType
required
string

The renewal date schedule type of report

Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR" "CUSTOM" "NONE"
Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

413

The file was too large to upload

500

Internal server error

503

Third party system was unavailable

POST /workspaces/{workspaceId}/controls/{id}/external-evidence
Request samples
No sample
Response samples
application/json
{
  "id": "123",
  "slug": "databases-monitored-and-alarmed",
  "externalEvidence": "ExternalEvidenceResponseDto[]"
}

Find control by control id

List all the information for a specific control

🔒 Requires Controls: Get Control permission.

Security: bearer
Request
path Parameters
controlId
required
number
workspaceId
required
number

The Workspace ID associated with the Account

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /workspaces/{workspaceId}/controls/{controlId}
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined criteria?",
  "activity": "1. Ensure tools are implemented to monitor databases",
  "slug": "databases-monitored-and-alarmed",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "lastUpdatedBy": "User",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "fk_control_template_id": "123",
  "hasEvidence": true,
  "hasPolicy": true,
  "isReady": "true",
  "hasTicket": "true"
}

Edit control of the account

Edit control

🔒 Requires Controls: Update Control permission.

Security: bearer
Request
path Parameters
controlId
required
number
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema: application/json
required
name
required
string <= 191 characters

The name of the control

description
required
string <= 30000 characters

The description of the control

question
string <= 768 characters

The question of the control

code
string <= 20 characters

The control code

activity
string <= 768 characters

The activity of the control

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

PUT /workspaces/{workspaceId}/controls/{controlId}
Request samples
application/json
{
  "name": "Good Control Name",
  "description": "A very good description",
  "question": "A very good question",
  "code": "DRA-69",
  "activity": "A very good activity"
}
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined criteria?",
  "activity": "1. Ensure tools are implemented to monitor databases",
  "slug": "databases-monitored-and-alarmed",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "lastUpdatedBy": "User",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "fk_control_template_id": "123",
  "hasEvidence": true,
  "hasPolicy": true,
  "isReady": "true",
  "hasTicket": "true"
}

Get control evidence download url by control id

Download zip with all control evidence

🔒 Requires Controls: Download All Control evidence permission.

Security: bearer
Request
path Parameters
controlId
required
number
workspaceId
required
number

The Workspace ID associated with the Account

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /workspaces/{workspaceId}/controls/{controlId}/evidence/download
Response samples
application/json
{}

Find control mapped requirements by control id

Get all mapped requirements from a control id

🔒 Requires Controls: Get Control permission.

Security: bearer
Request
path Parameters
id
required
number
query Parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

frameworkTag
string

Filter data by controls associated with these framework tags

Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "CUSTOM"
Example: frameworkTag=SOC_2&frameworkTag=ISO27001
excludeIds
Array of numbers

Exclude notes by array of id

frameworkSlug
string

Filter data by controls associated with these framework slugs. This parameter is intended to be used only for custom frameworks.

Example: frameworkSlug=slug
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /controls/{id}/requirements
Response samples
application/json
{
  "data": [
    {
      "id": "1213123",
      "name": "CC1.1",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "additionalInfo": "The entity demonstrates a commitment to integrity and ethical values.",
      "additionalInfo2": "The entity demonstrates a commitment to integrity and ethical values 2.",
      "additionalInfo3": "The entity demonstrates a commitment to integrity and ethical values 3.",
      "isReady": "true",
      "rationale": "This requirement is not needed.",
      "archivedAt": "2020-07-06",
      "frameworkName": "SOC 2",
      "controls": "ControlReadyType[]",
      "totalInScopeControls": 6,
      "frameworkId": 1
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Find control owners by control id

Get control owners for a control

🔒 Requires Controls: Get Control permission.

Security: bearer
Request
path Parameters
id
required
number
query Parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

q
string

User first name, or last name, or email, or full name

Example: q=John Doe
frameworkSlug
string

Filter data by controls associated with this framework slug

Example: frameworkSlug=soc2
includeUserIds[]
Array of numbers or null (non-empty)

A set of users to return

Example: includeUserIds[]=1&includeUserIds[]=2&includeUserIds[]=3
excludeIds
Array of numbers

Exclude users by array of id

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /controls/{id}/owners
Response samples
application/json
{
  "data": [
    {
      "id": 1,
      "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "jobTitle": "CEO",
      "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Add control owners by control id

Add control owners

🔒 Requires Controls: Manage Control Owners permission.

Security: bearer
Request
path Parameters
id
required
number
Request Body schema: application/json
required
ownerIds
required
Array of numbers

Array of owner ids

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

PUT /controls/{id}/owners
Request samples
application/json
{
  "ownerIds": [
    1,
    2,
    3
  ]
}
Response samples
application/json
{
  "data": [
    {
      "id": 1,
      "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "jobTitle": "CEO",
      "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Add a new control to the account

Create a new custom control

🔒 Requires Controls: Create Control permission.

💎 Requires that your account has the Custom Controls feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema:
required
name
required
string <= 191 characters

The name of the control

description
required
string <= 30000 characters

The description of the control

code
required
string <= 20 characters

The control code

question
string <= 768 characters

The question of the control

activity
string <= 768 characters

The activity of the control

externalEvidenceMetadata
string

JSON string of metadata of uploaded evidence

reportIds
Array of numbers

Array of report IDs

policyIds
Array of numbers

Array of policy IDs

requirementIds
Array of numbers

Array of requirement IDs

owners
Array of numbers

Array of owner IDs

testIds
Array of numbers

Array of control test IDs

externalEvidence
Array of strings <binary>

External evidence files

base64Files
string

JSON string with array of external evidence in Base64 format.

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

413

The file was too large to upload

500

Internal server error

503

Third party system was unavailable

POST /workspaces/{workspaceId}/controls
Request samples
No sample
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined criteria?",
  "activity": "1. Ensure tools are implemented to monitor databases 2. Ensure notifications based on specific criteria are sent to the appropriate personnel 3. Escalate incidents appropriately",
  "slug": "databases-monitored-and-alarmed",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "frameworkTags": [
    "SOC_2"
  ],
  "hasEvidence": false,
  "isMonitored": false,
  "hasOwner": false,
  "policies": "PolicyResponsePublicDto[]",
  "reports": "ReportControlResponsePublicDto[]",
  "externalEvidence": "ExternalEvidenceResponsePublicDto[]",
  "controlTests": "ControlTestResponsePublicDto[]",
  "frameworkRequirements": "FrameworkRequirementsResponsePublicDto[]",
  "lastUpdatedBy": "User",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "fk_control_template_id": "123",
  "owners": "UserCardResponsePublicDto[]"
}

Remove external evidence by external evidence id

Delete external evidence

🔒 Requires Controls: Delete Mapped External Evidence permission.

Security: bearer
Request
path Parameters
id
required
number
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

DELETE /external-evidence/{id}
Response samples
application/json
{
  "id": "123",
  "slug": "databases-monitored-and-alarmed",
  "externalEvidence": "ExternalEvidenceResponseDto[]"
}

Bulk delete control owners by control ids and owner ids

Bulk delete control owners

🔒 Requires Controls: Manage Control Owners permission.

Security: bearer
Request
Request Body schema: application/json
required
ownerIds
required
Array of numbers

Array of owner ids

controlIds
required
Array of numbers

Array of control ids

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

delete/controls/owners
Request samples
application/json
{
  "ownerIds": [
    1,
    2,
    3
  ],
  "controlIds": [
    1,
    2,
    3
  ]
}
Response samples
application/json
{
  "data": [
    {
      "id": 1,
      "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "jobTitle": "CEO",
      "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Get notes by control ID

List all the notes associated with a given control

🔒 Requires Controls: Get Control Note permission.

Security: bearer
Request
path Parameters
controlId
required
number
workspaceId
required
number

The Workspace ID associated with the Account

query Parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

excludeIds
Array of strings

Exclude Notes by IDs

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/workspaces/{workspaceId}/controls/{controlId}/notes
Response samples
application/json
{
  "data": [
    {
      "id": "72c9c910-ef35-4a1c-bfdf-9898063ba77b",
      "comment": "Another note about our Acceptable Use Policy.",
      "createdAt": "2024-11-18T22:53:51.064Z",
      "updatedAt": "2024-11-18T22:53:51.064Z",
      "owner": {}
    },
    {
      "id": "7bb294c8-0087-4b8a-ab50-2c003e18cbcb",
      "comment": "Our <b>Acceptable Use Policy</b> needs to be flushed out.",
      "createdAt": "2024-11-18T22:52:54.157Z",
      "updatedAt": "2024-11-18T22:52:54.157Z",
      "owner": {}
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}

Create a control note

Create a note for a given control

🔒 Requires Controls: Create Control Note permission.

Security: bearer
Request
path Parameters
controlId
required
number
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema: application/json
required
comment
required
string <= 191 characters

The text of the note

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

post/workspaces/{workspaceId}/controls/{controlId}/notes
Request samples
application/json
{
  "comment": "Note comment"
}
Response samples
application/json
{
  "id": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
  "comment": "This is a good comment",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "owner": {
    "id": 1,
    "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "jobTitle": "CEO",
    "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  }
}

Get control notes by note ID

Gets a note associated with a given control, by note ID

🔒 Requires Controls: Get Control Note permission.

Security: bearer
Request
path Parameters
controlId
required
number
noteId
required
string
workspaceId
required
number

The Workspace ID associated with the Account

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/workspaces/{workspaceId}/controls/{controlId}/notes/{noteId}
Response samples
application/json
{
  "id": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
  "comment": "This is a good comment",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "owner": {
    "id": 1,
    "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "jobTitle": "CEO",
    "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  }
}

Update a control note

Update a note for a given control

🔒 Requires Controls: Update Control Note permission.

Security: bearer
Request
path Parameters
controlId
required
number
noteId
required
string
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema: application/json
required
comment
required
string <= 191 characters

The text of the note

Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

put/workspaces/{workspaceId}/controls/{controlId}/notes/{noteId}
Request samples
application/json
{
  "comment": "Note comment"
}
Response samples
application/json
{
  "id": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
  "comment": "This is a good comment",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "owner": {
    "id": 1,
    "entryId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "jobTitle": "CEO",
    "drataTermsAgreedAt": "2025-07-01T16:45:55.246Z",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  }
}

Delete a control note

Delete a note for a given control

🔒 Requires Controls: Delete Control Note permission.

Security: bearer
Request
path Parameters
controlId
required
number
noteId
required
string
workspaceId
required
number

The Workspace ID associated with the Account

Responses
200

Successful

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

delete/workspaces/{workspaceId}/controls/{controlId}/notes/{noteId}
Response samples
application/json
{
  "statusCode": 0,
  "message": "string",
  "code": 0,
  "debugInfo": {
    "name": "string",
    "message": "string",
    "stack": "string"
  }
}
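The control-notes endpoints above (list, create, get, update, delete) share one path prefix, one bearer-token scheme, one documented `comment` limit of 191 characters, and one set of error codes. The following client is an added example written for this page; it is not Drata's own SDK or server code. It puts the documented constraints (page >= 1, limit 1..50, comment <= 191 characters) in front of the request so a bad value fails locally rather than as a 400, walks the `page`/`limit`/`total` envelope from the list response sample, maps each documented status code to its meaning and marks only 500 as retryable, and HTML-escapes note text for display, since the page's own sample shows `<b>` markup stored in a comment. The base URL is a placeholder, the exact `Authorization: Bearer <token>` header form is assumed, and the HTTP layer is an injectable `transport` callable; `fake_transport` is a constructed in-memory stand-in so the block runs offline.

```python
import html
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

BASE_URL = "https://api.example.invalid"  # placeholder, not Drata's real base URL
MAX_COMMENT_LENGTH = 191                  # documented limit on `comment`
MAX_PAGE_LIMIT = 50                       # documented `limit` range is 1..50

# Response codes documented for the notes endpoints (taken from the page).
STATUS_MEANINGS = {
    400: "Malformed data and/or validation errors",
    401: "Invalid Authorization",
    402: "You must upgrade your plan to use this feature",
    403: "You are not allowed to perform this action",
    404: "Not Found",
    412: "You must accept the Drata terms and conditions to use the API",
    500: "Internal server error",
}

# transport(method, url, headers, body) -> (status, response body bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class DrataApiError(Exception):
    def __init__(self, status: int, body: bytes):
        self.status = status
        self.meaning = STATUS_MEANINGS.get(status, "Undocumented status")
        # Only a 500 is worth retrying; 401/402/403/412 need a person to fix
        # the token, plan, permission grant or terms acceptance first.
        self.retryable = status >= 500
        super().__init__(f"{status}: {self.meaning}")


def notes_url(workspace_id: int, control_id: int, page: int = 1,
              limit: int = 20, exclude_ids: Tuple[str, ...] = ()) -> str:
    """Build the GET .../notes URL, checking the documented ranges client-side."""
    if page < 1 or not 1 <= limit <= MAX_PAGE_LIMIT:
        raise ValueError("page must be >= 1 and limit must be in 1..50")
    query = [("page", page), ("limit", limit)]
    query += [("excludeIds", i) for i in exclude_ids]
    return f"{BASE_URL}/workspaces/{workspace_id}/controls/{control_id}/notes?{urlencode(query)}"


def validate_comment(comment: str) -> str:
    """Enforce the documented `comment` constraint (string <= 191 characters)."""
    if not comment or len(comment) > MAX_COMMENT_LENGTH:
        raise ValueError(f"comment must be 1..{MAX_COMMENT_LENGTH} characters")
    return comment


def _call(transport: Transport, token: str, method: str, url: str,
          payload: Optional[dict] = None) -> dict:
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    body = json.dumps(payload).encode() if payload is not None else None
    if body is not None:
        headers["Content-Type"] = "application/json"
    status, raw = transport(method, url, headers, body)
    if status not in (200, 201):
        raise DrataApiError(status, raw)
    return json.loads(raw)


def iter_notes(transport: Transport, token: str, workspace_id: int,
               control_id: int, limit: int = 20) -> Iterator[dict]:
    """Walk every page using the page/limit/total envelope shown in the sample."""
    page = 1
    while True:
        env = _call(transport, token, "GET", notes_url(workspace_id, control_id, page, limit))
        data = env.get("data", [])
        yield from data
        if not data or page * limit >= env.get("total", 0):
            return
        page += 1


def create_note(transport: Transport, token: str, workspace_id: int,
                control_id: int, comment: str) -> dict:
    """POST .../notes; the page documents 201 Created on success."""
    url = f"{BASE_URL}/workspaces/{workspace_id}/controls/{control_id}/notes"
    return _call(transport, token, "POST", url, {"comment": validate_comment(comment)})


def display_text(note: dict) -> str:
    """Note bodies are free text and the page's sample holds `<b>` markup, so
    escape them before they go into any HTML view built on top of the API."""
    return html.escape(note.get("comment", ""))


def fake_transport(valid_token: str = "t0k3n") -> Transport:
    """Constructed in-memory stand-in for the API (not Drata's behaviour):
    three sample notes, paging honoured, 401 on a wrong token, 201 on POST."""
    notes: List[dict] = [{"id": f"note-{n}", "comment": f"Note {n} <b>bold</b>"} for n in range(3)]

    def transport(method, url, headers, body):
        if headers.get("Authorization") != f"Bearer {valid_token}":
            return 401, json.dumps({"statusCode": 401, "message": "Invalid Authorization"}).encode()
        if method == "POST":
            note = {"id": f"note-{len(notes)}", **json.loads(body)}
            notes.append(note)
            return 201, json.dumps(note).encode()
        q = parse_qs(urlparse(url).query)
        page, limit = int(q["page"][0]), int(q["limit"][0])
        chunk = notes[(page - 1) * limit:page * limit]
        return 200, json.dumps({"data": chunk, "page": page, "limit": limit, "total": len(notes)}).encode()

    return transport
```

To use it against the real service, replace `fake_transport()` with a callable that issues the request through your HTTP library and returns `(status_code, body_bytes)`; the client logic is unchanged. The `retryable` flag is the practical point of the status mapping: a 401, 403 or 412 will not clear on retry, so an automation job should stop and surface the documented meaning instead of looping.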