Skip to main content

Create and Publish Custom Tests

Create custom tests in Drata to monitor controls that are not covered by Drata's out-of-the-box tests, using your own logic and integrations.

⚠️ Select your experience

The steps depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Custom tests let you monitor your environment using your own logic, so compliance checks reflect how your organization actually operates. You can create, review, and publish custom tests from the Monitoring page, then map them to controls once they're ready.

Once published, custom tests run automatically and generate audit-visible evidence.

Prerequisites

  • At least one infrastructure or custom connection enabled (for example, AWS, GCP, or Azure)

  • One of the following roles:

    • Admin

    • Information Security Lead

    • Workspace Manager

    • Control Manager

    • DevOps Engineer

  • Your account has not reached the maximum number of custom tests. Draft and published versions count as a single test

  • A Drata Advanced plan or higher

Understand These Concepts Before Creating a Custom Test

Before creating a custom test, it's helpful to think through the decisions below. While you don't need to follow this order exactly when creating the test, making these decisions ahead of time can make building the test easier and more predictable.

  1. Define the intent: Decide what risk or requirement you want to validate and what outcome represents compliance.

  2. Select the provider and accounts: Choose the system and the connected accounts to determine what data is available for evaluation.

  3. Create a condition group: Define the type of resources being evaluated by selecting a service and resource type. Each condition group represents one logical data set.

  4. Narrow the scope (optional): Use filtering criteria to include or exclude specific resources before rules are applied, such as limiting the test to production resources or excluding tagged items.

  5. Define conditions (rules): Specify what must be true for each resource using attributes, operators, and values.

  6. Add additional condition groups (if needed): Add another condition group when you need to evaluate a different service, resource type, or independent logic.

  7. Select the evaluation threshold: Choose how strict the test should be by determining how results from all condition groups roll up into a single pass or fail outcome.

    • All results must pass: Every condition group must pass for the test to pass (recommended for most compliance use cases)

    • At least one result must pass: The test passes if any condition group passes

    • Only one result may fail: Allows limited failure without failing the entire test

Condition Groups, Conditions, and Filters (How They Work Together)

This is the most important concept to understand when building custom tests. A condition group defines:

  • One service

  • One resource type

  • A set of rules applied to that resource

  • (Optional) Filtering criteria

Displays the condition group

Use multiple condition groups when:

  • You need to evaluate different resource types

  • You want different logic applied to different resources

  • You want results to be evaluated independently, then rolled up by the logic threshold

Example: One condition group evaluates S3 buckets. Another condition group evaluates EBS volumes.

Available resources depend on:

  • Selected provider

  • Selected service

  • Data available in your environment

Once a resource is used for a service, that service will no longer appear when adding another condition group.

⚠️ If you change the selected service or resource after configuring conditions, the test may reset and require reconfiguration.

Each condition includes:

  • Attribute: The data field being checked

  • Operator: How the value is compared

  • Value: What the attribute is compared against

Use multiple conditions when:

  • Multiple requirements must be true for the same resource

  • You want to enforce stricter checks on the same resource type

Example:

  • Encryption equals true

  • Public access equals false

Filtering criteria narrow the scope of a condition group before conditions are evaluated. Use filtering criteria when:

  • Only certain resources should be evaluated

  • Some resources should be excluded by tag, label, name, or property

  • You want to reduce noise without excluding results after the fact

Example: Evaluate all S3 buckets except those tagged with DrataExclude.

Advanced Editor (Optional)

Use the Advanced editor to write complex queries instead of selecting attributes, operators, and values manually.

The Advanced editor supports:

  • Nested logic

  • Array-based evaluations

  • Complex filtering

This is recommended for users familiar with structured data and JSON-like logic.

Create a Custom Test

  1. Go to Monitoring

  2. Select Create test

  3. Enter a test name and description

    • The name must be unique

    • Both appear in audit evidence

  4. Continue to create the test

  5. Complete Logic details

    • Evaluation threshold

    • Category

    • Provider and accounts

  6. For each condition group:

    • Select a service and resource

    • Add conditions (attribute, operator, value). Optionally, you can use the advanced editor instead.

    • Add filtering criteria if needed

  7. Save your configuration

While building a custom test, select the info icon to open the Resource Guide and explore available services, resources, and their attributes.

Displays the resource guide

After saving, the test is created as a draft.

Save as Draft

  • Draft tests can run and return results

  • Draft tests do not affect control readiness

  • Draft tests are not auditor-facing

This allows you to validate logic safely. Draft test runs are logged as Autopilot Draft Test events.

Publish the Test

When ready:

  • Open the draft test and select Publish, or

  • Select one or more draft tests from the Monitoring table and publish in bulk

After publishing:

  • The draft label is removed

  • The test can be mapped to controls

  • Tickets can be created

  • Audit evidence is generated automatically

ℹ️ Test logic and exclusions carry over; draft history and notes do not.

What Happens Next

  • The test runs automatically

  • Results appear in Monitoring

  • You can map the test to controls

  • Evidence becomes available for audits

Instructions for the Classic Experience ⬇️

Learn how to create, publish, and edit custom tests. You can create your own tests on the Monitoring page to leverage the data Drata pulls from your systems to monitor your organization's needs. View the Role Administration & RBAC article to learn who has access to the Monitoring page.

Prerequisite

  • At least one Infrastructure connection or custom connections enabled (AWS, GCP, or Azure).

  • You are assigned one of the following Drata roles: Admin, Information Security Lead, Workspace Manager, Control Manager, or DevOps Engineer.

  • You have not reached the maximum number of custom tests allowed.

    • Note: A tooltip within the app indicates if you have reached the maximum number of custom tests. If a published custom test has a draft version, both published and draft versions are considered one test.

Create custom tests

Note: All custom published or draft tests are run by Autopilot daily.

To create custom tests, go to your Monitoring page and select Create test. Enter the test details and continue. The test name and description are included in the daily generated evidence that auditors have access to.

Test names must be unique within your account.

Monitoring page showing the Create test button

After continuing, a draft of your test is created, and you are redirected to the Test Builder page.

On the Test Builder page, you can configure the details of the test and access additional resources before publishing it. You can create your custom test on either the Builder tab or Advanced editor tab. In general, the main sections on the Test Builder page are Logic details and Condition Group.

  • Builder tab: Create simple custom tests that do not need access to properties (or data) within an array.

  • Advanced editor tab: Create more complex tests. With this tool, you can design tests to assess nested properties within arrays and other intricate data structures.

    • Before diving into the Advanced Editor, we recommend familiarizing yourself with the overall process of creating custom tests. Comprehensive documentation on the complete flow of custom tests is available on this page. However, if you're ready to explore the Advanced Editor in detail, go to Advanced editor in the Test Builder help article to learn more.

To understand the types of data each resource contains, you can utilize our Resource Guide. For more information about the Resource Guide, go to Resource Guide for custom tests.

Logic details

ℹ️ Note: The Logic details section must be configured in order for you to continue building out the rest of your test. After entering the required details within the Logic details, the rest of the test will be displayed.

For the logic details section, select the evaluation threshold.

  • All results must pass: (Recommended) This means every condition group you've configured in the Test Builder must pass for the overall test to pass.

  • At least one result must pass: This means only one of the condition groups you've configured in the test builder must pass for the overall test to pass.

  • Only one result may fail: This means only one condition group can fail (with the rest passing) for the overall test to pass.

Select a provider and accounts to move on to the next steps.

Condition Group

For each condition group, select a resource you want your test to evaluate.

The available resources depend on what provider was selected in the previous section, Logic details, and what service was selected under the Condition Group section.

Condition group configuration showing service and resource type selection

After selecting a resource, you can configure the conditions and add additional filtering criteria.

  • The condition fields are: attribute, operator, and value. The options in your attributes are pulled from your account. Select an attribute, then an operator, and then a value.

  • The filtering criteria is where you can configure what is included or excluded in the condition group.

You can add multiple condition groups, filtering criteria, and conditions.

Multiple condition groups and filtering criteria configuration

Resource availability note: Once all of the available resources for a given service have been utilized, that service will no longer appear as a service option for the next condition group you add.

For example, if the Redshift service available resource was RedshiftCluster and the RedshiftCluster was used in a condition group, the next condition group you create will not display Redshift as an option for services.

Resource automatically resetting note: After selecting all of the configurations for a test, if you then update the service to anything other than "All services" or the resource, the rest of the test will reset and you will have to enter the new configurations details based on the newly selected filters.

Tags or labels

For certain resources, Drata also pulls in the tags or labels. You can use these attributes in your conditions or as a filtering criteria. Select the attribute depending on the provider you selected.

  • AWS: !Tags

  • GCP: !Labels

  • Azure: !Tags

Now, you can select the operator. After selecting the operator, you can enter the key name that is associated with the tag or label. For example, in the following image, we configured a test for a Buckets resource in AWS to verify if Encryption exists on all buckets, but we want to exclude all the buckets that contain a tag with key "{your key name}".

Tags or labels filtering example with DrataExclude key configuration

Note: Custom tag properties only evaluate the information in the key, not the value.

Another example is when you have tagged certain resources with DrataExclude so that you can filter those resources out on your existing Drata tests, you can include DrataExclude in the value so that you exclude those resources out as well.

After you set your configurations, save the draft and continue. You will be redirected to that test drawer. The test is still a draft test.

Once a test is in draft mode, an initiation of an autopilot run so that you can view the results of your draft test. The test runs are logged on the Event Tracking page as Autopilot Draft Test types.

Event Tracking page showing Autopilot Draft Test log entry

Draft test overview

To view your draft tests:

  1. Go to Monitoring page.

  2. Select the Drafts tab on the table.

    Monitoring page Drafts tab showing draft tests

  3. These are all of your draft tests.

The test details drawer has the following sections:

  • Test info: Includes Test name, description, status, and test logic.

  • Last test result: The status of the last test result and when it was tested.

  • Ticket management: Once published, includes the ability to create tickets. You cannot create and map tickets in a draft test.

  • Test history: Includes the raw test evidence.

  • Control info: Once published, includes the ability to map controls. You cannot map controls in a draft test.

  • Internal notes: Includes the ability to add comments from others for better collaborative notes.

Troubleshoot failed test result

After the test runs, your test result might have failed. You can include or exclude resources that might have failed your test. Select the resources to exclude and then submit your reasons.

Excluding resources from a failed test result

An excluding tab will appear next to the included tab that shows all of the excluded resources.

Publish custom test

To publish the test, select publish test. When you publish your test, the test history and internal notes will not carry over. The test logic and exclusions will carry over.

Publish test button on the draft test details drawer

After publishing the test, the test name will not have the draft indicator. With the published test, you can create tickets under the Ticket management section and map controls under Control info.

PDF version of your custom test for auditors

  1. Select the See Raw Test Evidence button under Test history on your test details drawer to view the related log in the Event Tracking page.

    • Or, you can also go directly to the Event Tracking page and search for your event log.

  2. Select the related event and download the Raw Evidence and Event Details .pdf.

Event Tracking page showing Raw Evidence and Event Details PDF download

A PDF is downloaded and contains information about your custom test including exclusions of resources, the reason for exclusion, test logic in JSON format, and the raw JSON response for the test.

Edit your custom test

To edit your custom test, go to Edit a Custom Test.

Related Articles
Resource Guide for custom tests
Monitoring Overview
Filter and search tests in Monitoring (New Experience)
Manage Tests in Monitoring Page
View and Manage Test Details (New Experience)
Did this answer your question?