The Aikido integration enables security and compliance teams to sync both vulnerability and cloud posture data from Aikido into Drata as mapped evidence for SOC 2 and ISO 27001 controls. It connects Drata to Aikido either through an API Key (for CSPM) or Client Credentials (for Vulnerability Scanning), depending on your intended use case.
Note: This integration is created and managed by Drata's partner, Aikido. For any questions regarding this connection, please contact Aikido. Learn more about partner connections.
Prerequisites
Must have Admin, Information Security Lead, DevOps Engineer, or Workspace Manager roles in Drata.
Must have an active Aikido account.
For CSPM
Must have the ability to create an API key in Drata with specific permissions and scopes.
For Vulnerability Scanning
Must have the ability to create Client Credentials in Aikido’s settings.
Aikido provides a public REST API integration for credential generation.
Permissions & Data Table for CSPM
Permission/Scope | Why It’s Needed | Data Accessed (Read/Write) |
Controls | Allows Aikido to read and manage Drata controls, map external evidence, and update linked compliance data. | Control and evidence data (Read/Write) |
Workspaces | Identifies available Drata workspaces for integration and mapping. | Workspace IDs (Read) |
Frameworks | Enables linking of evidence to SOC 2 and ISO 27001 frameworks and requirements. | Framework and requirement metadata (Read) |
Permissions & Data Table for Vulnerability Scanning
Permission/Scope | Why It’s Needed | Data Accessed (Read/Write) |
Issues | Allows Drata to import vulnerability issue data. | Vulnerability records (Read) |
Clouds | Grants access to Aikido’s cloud metadata to map vulnerabilities to cloud assets. | Cloud posture context (Read) |
Repositories | Enables retrieval of repository and dependency data tied to vulnerabilities. | Repository and dependency metadata (Read) |
Containers | Allows scanning of container-based workloads for vulnerabilities. | Container metadata (Read) |
Basics | Required for Aikido to verify account and connection status. | Account and configuration metadata (Read) |
Step-by-Step Setup for CSPM
Step 1: Create a Drata API Key
Log in to Drata with an Admin account.
Navigate to Settings → API Keys.
Select Create New Key and configure it as follows:
Name: Aikido Security
Expiration: Never Expires
Allowed IP Address: Leave blank
Under Scopes, set Access to Custom. Expand each section and enable:
Controls
Controls list: Read
Add control: Write
Map external evidence: Read, Write
Delete mapped external evidence: Write
Workspaces
List workspaces: Read
Frameworks
List frameworks: Read
List framework requirements: Read
Save and copy the API Key.
Expected outcome: You now have a valid Drata API Key configured with all necessary permissions for the Aikido integration.
Step 2: Complete the Connection in Aikido
Log in to your Aikido account at https://app.aikido.dev/login.
Navigate to Settings → Integrations → Drata.
Select Add Drata Integration.
Paste the API Key you generated in Drata.
Choose your Drata Workspace from the dropdown menu.
Click Save.
Expected outcome: Aikido is now connected to Drata, ready to sync daily evidence reports.
Step 3: Verify
Once the connection is complete:
Aikido automatically generates a daily PDF report of vulnerabilities.
The report is synced to Drata as Miscellaneous Evidence.
A control with the code AIKIDO is created and automatically linked to relevant SOC 2 and ISO 27001 requirements.
You can find these controls on the Controls page.
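A least-privilege check for the API key created in Step 1, written as an added example (not Drata's or Aikido's code): it compares the scopes actually granted on a key against the minimal set listed above and reports both missing scopes (the sync would fail) and surplus scopes (over-privilege). The `{section: {action: set_of_permissions}}` input shape is an assumption; Drata does not expose scopes in this form.

```python
# Added example (not Drata's or Aikido's code): audit the scopes configured on a
# Drata API key against the minimal set this integration needs, as listed in
# Step 1 above. Input shape {section: {action: set_of_perms}} is an assumption.

# Required scopes, transcribed from the setup steps on this page.
REQUIRED_SCOPES = {
    "Controls": {
        "Controls list": {"Read"},
        "Add control": {"Write"},
        "Map external evidence": {"Read", "Write"},
        "Delete mapped external evidence": {"Write"},
    },
    "Workspaces": {"List workspaces": {"Read"}},
    "Frameworks": {
        "List frameworks": {"Read"},
        "List framework requirements": {"Read"},
    },
}

def audit_scopes(granted, required=REQUIRED_SCOPES):
    """Return (missing, excess): scopes the integration needs but the key lacks,
    and scopes granted beyond that minimum (least-privilege violations)."""
    missing, excess = [], []
    for section, actions in required.items():
        for action, perms in actions.items():
            have = granted.get(section, {}).get(action, set())
            for p in sorted(perms - have):
                missing.append(f"{section}/{action}:{p}")
    for section, actions in granted.items():
        for action, perms in actions.items():
            need = required.get(section, {}).get(action, set())
            for p in sorted(perms - need):
                excess.append(f"{section}/{action}:{p}")
    return missing, excess

# Constructed sample: a key that was given Write on "Controls list" (not needed)
# and is missing the Write scope on "Delete mapped external evidence".
SAMPLE_GRANTED = {
    "Controls": {
        "Controls list": {"Read", "Write"},
        "Add control": {"Write"},
        "Map external evidence": {"Read", "Write"},
    },
    "Workspaces": {"List workspaces": {"Read"}},
    "Frameworks": {"List frameworks": {"Read"}, "List framework requirements": {"Read"}},
}

if __name__ == "__main__":
    missing, excess = audit_scopes(SAMPLE_GRANTED)
    print("missing:", missing)   # -> ['Controls/Delete mapped external evidence:Write']
    print("excess:", excess)     # -> ['Controls/Controls list:Write']
```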
Step-by-Step Setup for Vulnerability Scanning
Step 1: Create Client Credentials in Aikido
Log in to your Aikido account.
Navigate to Settings → Aikido Public REST API Integration.
Review the list of existing API integrations:
If you already have a private app with the required permissions, you can reuse it.
Otherwise, click Add Client to create a new one.
Give the client a name, select Private App Type, and enable the following permissions:
issues:read, clouds:read, repositories:read, containers:read, basics:read
Generate the credentials and copy your Client ID and Client Secret.
Expected outcome: You now have a valid Client ID and Client Secret for connecting Aikido to Drata.
Step 2: Configure Vulnerability Filters (Optional)
Before connecting, you can filter which vulnerabilities Drata imports:
Severity of vulnerabilities: Select from Critical, High, Medium, Low.
Drata recommends selecting at least Critical and High for compliance relevance.
First Seen On: Select a start date to import only vulnerabilities discovered on or after that date.
Drata imports up to 1,000 vulnerabilities per connection per day, ordered from Critical → Low severity.
Expected outcome: Your import filters are configured for compliance-focused vulnerability data.
Step 3: Complete the Connection in Drata
In Drata, go to Connections → Available Connections.
Search for Aikido (Vulnerability Scanning) and select Connect.
The Aikido authentication widget will appear. Follow the prompts to authenticate your account.
Enter your Aikido Client ID.
Enter your Aikido Client Secret.
Upon successful authentication, Drata will automatically finalize and confirm the connection.
Expected outcome: Aikido is now connected to Drata, and daily vulnerability data will begin syncing automatically.
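The import filters from Step 2, together with the documented cap of 1,000 findings per connection per day ordered Critical to Low, simulated as an added example (not Drata's or Aikido's code) so you can see which findings the cap would leave out on a day with more open findings than the cap. The finding record fields (`severity`, `first_seen`) and the sample volumes are constructed assumptions.

```python
# Added example (not Drata's or Aikido's code): simulate the import filters from
# Step 2 (severity set, "First Seen On") plus the cap of 1,000 findings per
# connection per day, ordered Critical -> Low, to show which findings the cap
# would silently leave out. The finding record fields are an assumption.
from datetime import date

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
DAILY_CAP = 1000                 # stated on the page
START = date(2024, 1, 1)         # constructed: earliest first_seen in the sample
CUTOFF = date(2024, 1, 16)       # constructed: a "First Seen On" filter value

def select_for_import(findings, severities, first_seen_on, cap=DAILY_CAP):
    """Apply the filters, order Critical first, truncate to cap.
    Returns (imported, dropped) where dropped counts cap-excluded findings
    per severity, so over-cap days are visible instead of silent."""
    kept = [f for f in findings
            if f["severity"] in severities and f["first_seen"] >= first_seen_on]
    kept.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["first_seen"]))
    imported, overflow = kept[:cap], kept[cap:]
    dropped = {}
    for f in overflow:
        dropped[f["severity"]] = dropped.get(f["severity"], 0) + 1
    return imported, dropped

def make_sample(n_crit, n_high, n_med, n_low, start=START):
    """Constructed findings: n per severity, first_seen spread over 30 days."""
    out = []
    for sev, n in (("Critical", n_crit), ("High", n_high),
                   ("Medium", n_med), ("Low", n_low)):
        for i in range(n):
            out.append({"id": f"{sev[0]}-{i}", "severity": sev,
                        "first_seen": date.fromordinal(start.toordinal() + i % 30)})
    return out

if __name__ == "__main__":
    sample = make_sample(300, 500, 400, 600)          # 1,800 open findings
    imported, dropped = select_for_import(sample, set(SEVERITY_ORDER), START)
    print(f"imported {len(imported)}, excluded by cap: {dropped}")
    # -> imported 1000, excluded by cap: {'Medium': 200, 'Low': 600}
    imported, dropped = select_for_import(sample, {"Critical", "High"}, START)
    print(f"Critical+High only: imported {len(imported)}, excluded: {dropped}")
    # -> Critical+High only: imported 800, excluded: {}
```

Because the cap is filled from Critical downward, Low (and on busy days Medium) findings can be excluded from the evidence without any visible error, which is why the function reports the dropped counts rather than discarding them silently.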
Important Notes
Partner Integration: Managed by Aikido, not Drata.
Security: Drata API Key must be securely generated and stored; no credentials are shared from Drata to Aikido.
Learn more about Drata Integration at Aikido.
Partner Offers & Discounts
Drata has a direct partnership with Aikido for first-time and new customers. Get 25% off your first year of Aikido by visiting https://app.aikido.dev/partner/drata.
Check out more partner offers and discounts.