Should I upgrade to Drata Foundation 50-Employee Cap and Framework Limits now?
Determine whether Drata Foundation is sufficient for early compliance work based on its current employee cap, framework restrictions, and upgrade triggers versus starting on a higher tier.
Blockers
- Lock-in via capability/50-fte-cap
- Lock-in via capability/one-pre-mapped-framework
- Lock-in via framework/soc-2
- Lock-in via framework/iso-27001
- Lock-in via framework/cyber-essentials
- Lock-in via framework/hipaa
- Lock-in via framework/gdpr
- Lock-in via capability/api-access
- Lock-in via capability/core-automation
- Lock-in via capability/any-available-framework
- breaking_change_in: package/drata-foundation → package/drata-advanced
Who this is for
- cost-sensitive
- small-team
- compliance
Candidates
Start on Drata Foundation
As of 2026-03-18, Drata's official plans page lists "Drata Foundation" as the entry GRC tier, with no public dollar price. Foundation covers up to 50 FTE and includes one pre-mapped framework, chosen from SOC 2, ISO 27001, Cyber Essentials, HIPAA, or GDPR. Expecting to exceed 50 FTE, or needing a framework outside that shortlist, is the main trigger to move up a tier.
When to choose
Use this when your company is at or under 50 FTE and your near-term compliance target is exactly one of the included framework options. It is the lower-scope starting point when you want to get audit-ready without paying for broader framework flexibility up front.
Tradeoffs
Lowest apparent scope and likely the lowest contract cost, but the hard 50-FTE cap and the single included framework create a clear expansion boundary. You keep core automation and API access; what you give up is the higher-tier framework flexibility and configurability.
Cautions
Do not start here if you already know you need a framework outside the included list, or if headcount will cross 50 FTE during the initial compliance program. Confirm with Drata how FTE is counted (for example, whether contractors count) before relying on the cap. Drata's plans page does not publish list pricing, so budgeting still requires a sales conversation.
Start on Drata Advanced or above
As of 2026-03-18, Drata's official plans page shows "Drata Advanced" and "Drata Enterprise" as the higher GRC tiers, again with no public list pricing. Advanced includes everything in Foundation and lets you use any available framework instead of Foundation's shortlist. The main reason to start higher is to avoid a likely mid-program tier migration if your compliance scope already extends beyond Foundation's framework limits.
When to choose
Use this when you expect multi-framework expansion, need a non-Foundation framework from the start, or want to avoid a likely mid-program tier migration. It is the safer starting point when compliance scope is already broader than one mainstream startup framework.
Tradeoffs
A higher tier likely means a higher contract cost, but it removes the risk of having to re-scope around Foundation's framework restriction and adds the higher-tier configurability. It is better aligned to a GRC program that is expected to grow than to a one-framework starter implementation.
Cautions
If your only near-term goal is one of the Foundation frameworks and you are comfortably under 50 FTE, Advanced may be premature. Public pricing is not posted, so confirm the contract delta and add-on structure directly with Drata before committing to a higher tier.