Vanta: Securing the Internet
Christina Cacioppo’s company is the established leader in automated compliance monitoring. Its ambitions span the web.
Actionable insights
If you only have a couple of minutes to spare, here's what investors, operators, and founders should know about Vanta.
Vanta is an architect of trust. At its core, the company makes it easier for businesses to trust one another. It does so by automatically monitoring a business’s performance relative to compliance standards like SOC 2.
Christina Cacioppo created the category. Before Vanta, getting SOC 2 certified required tens of thousands of dollars and months of work. Cacioppo recognized technology could automate much of the work and radically reduce cost and effort.
It scaled in near-silence (and continues to grow). Cacioppo built an impressive business with little funding or fanfare, not wanting to alert others to the opportunity. Vanta had reached a $10 million run rate when it raised a Series A from Sequoia Capital.
Automated compliance has become a hot space. Though Vanta managed to stay under the radar for several years, other businesses have awoken to the space’s potential. Competitors are raising bumper rounds to try and close the gap.
Vanta’s mission is to secure the internet. It doesn’t see itself as just an easy way to get SOC 2 certified. Already, the company provides support for HIPAA, GDPR, ISO 27001, and beyond. Its greater mission is to help make online business safer.
This piece was written as part of The Generalist's partner program. You can read about the ethical guidelines I adhere to in the link above. I always note partnerships transparently, only share my genuine opinion, and commit to working with organizations I consider exceptional. Vanta is one of them.
Our brains work hard to assess the trustworthiness of another person. We observe the sturdiness of their gaze, listen to their voice's timbre. We consider their age, gender, wealth, and weight. We heed what they say and what they seem to hide. Did they pick at their nails as they spoke? Did they scratch their nose? And what was that movement, that little dart: a flinch, a sneeze, a cough, a tell?
We do this difficult work, drawing in hundreds of real-time signals because almost every worthwhile interaction comes after trust has been established. Friendships, relationships, and partnerships all rely on some measure of it.
Businesses have the same need for trust. But when it comes to securing it, they cannot rely on the same swirling broth of sensory and extra-sensory information humans do. So, what can they do? In the place of instinct, there is auditing. And rather than psychology, there are standards of compliance, the largest of which is called “SOC 2.”
Behind the aridity of the acronym, this is what SOC 2 really is: a document in which a business says, “This is who I am. These are all the things I do to stay safe. This is why you can trust me.”
Though that might sound simple, getting to the point of trust for a business used to be a complicated and costly endeavor. The experts I spoke with shared that a complex SOC 2 process might take eight months, costing north of $50,000. Since large enterprises typically require proof of data hygiene to work with another company, smaller businesses found themselves in a fiendish conundrum we might call a “SOC 22.” The steep price of an audit could put a business in financial trouble, but failing to pay for one meant no new customers, no revenue, and financial risk, all the same. For the lucky, compliance was a cumbersome cost-suck; for the ill-starred, it could be an existential strain.
This was the way of the world, and it served no one save the auditors themselves. They thrived on high fees, opaque processes, and unwavering demand. Then, something happened.
Every industry that has undergone technological upheaval has a before and after moment. Online payments can be divided into time before and after Stripe. Venture capital existed pre and post-AngelList. In compliance, there is a “BV” and “AV”: Before Vanta and After Vanta.
Founded in 2017 by Christina Cacioppo, Vanta is the quintessential disruptor. It has axially altered the way companies prepare for security audits, reducing the timeline from months to weeks. It has also created a brand new category and changed the cost structure of an entire industry, lowering prices by as much as 90%. In the process, Cacioppo and her team have constructed a remarkably winning business – hitting a $10 million revenue run rate before raising its Series A from Sequoia Capital. Even as fast-followers have entered the space, Vanta has gone from strength to strength, logging insane customer growth and establishing itself as the standard bearer for the industry.
Vanta’s success means there is a clear line of sight to significant financial success in the short-to-medium term. Yet the company has only just begun its climb towards Cacioppo’s true goal: to secure the internet. If Vanta is successful, businesses may be able to establish trust in just a fraction of the time it takes now, a profound change.
In today’s piece, we’ll tell Vanta’s story and chart its future. In doing so, we’ll cover:
Origins. Before starting Vanta, Christina Cacioppo learned to study businesses at Union Square Ventures. She also built plenty of products of her own before uncovering the opportunity in automated compliance.
Product. Vanta shifts the compliance process from a reactive one to a proactive one. By connecting with a company’s different tools, it seamlessly monitors security practices and suggests improvements. When auditing time arrives, most of the work is done.
Model. By turning to technology, Vanta has reduced the cost of SOC 2 certification. That hasn’t stopped it from growing. It grew its customer base by 220% last year after a sterling 2020.
Culture. Christina Cacioppo is a Midwestern assassin – incredibly nice but not to be underestimated. She has built a business in her image, replete with good-spirited operators who want to win.
Risks. Despite being the market leader, Vanta hasn’t always touted its positioning. As competitors flood behind them, Cacioppo and company will need to invest in messaging. That may require a new round of capital.
Future. Right now, audits are point-in-time assessments. Does that make sense given the dynamism of the tech sector? In the future, companies may demonstrate trustworthiness on a near-continuous basis.
Let’s get going.
Origins: The category creator
For some founders, their transformational business idea arrives like a bolt of lightning. They are illuminated, changed, and compelled in a single dramatic moment.
This is not one of those stories. Before founding Vanta, Christina Cacioppo tried to start several other businesses, tinkering with messaging and online education products, trialing different approaches to see what worked and why. Vanta itself was the product of a prolonged period of study that touched on many other markets and ideas. In her research-driven approach, Cacioppo represents a different kind of founder, someone who treats the entrepreneurial role with an anthropologist's humaneness and observational abilities.
Beginning
The daughter of two Ohio State professors, Christina Cacioppo’s initial ambition was to follow in their footsteps. “I wanted to be a professor until I was twenty or twenty-one,” she noted in our conversation. While majoring in economics at Stanford, Cacioppo began questioning that goal. Though researching the division of labor in Tanzanian households had been a stimulating, important topic worthy of her thesis, Cacioppo felt frustrated that it had ended with a paper. After all, nothing had been built.
Cacioppo stayed an extra year in Palo Alto, receiving a Master’s degree in Management Science and Engineering. She spent much of the time focused on design thinking at Stanford’s famed d.School. After graduating, she took a six-month design internship at Deutsche Telekom in Berlin. After it finished, she traded Germany for New York City, feeling it was the right place for whatever was to come next. As it happened, it wouldn’t take long for Cacioppo to land a job at one of the country’s most prestigious venture capital firms.
Learning
Cacioppo had subscribed to a blog called “AVC.” The website belonged to a general partner at Union Square Ventures, Fred Wilson. Each day, Wilson chronicled his work as a venture capitalist and shared his thoughts on the tech industry. It is almost a rite of passage to subscribe to Wilson’s blog at some point during one’s first forays into tech. It remains influential.
In late March of 2010, Wilson shared a short post, “Bidding Andrew Goodbye.” In it, he thanked USV’s outgoing analyst, Andrew Parker, and noted the firm planned to staff a replacement. To apply, candidates should send links to their web presence. Cacioppo remembered reading that and wondering: “What does that even mean?”
Still, she was intrigued. At what she describes as the “eleventh hour,” she sent three links to USV’s team, including a personal website she’d started to keep track of her travels and the books she’d read. It proved an impactful instinctive decision; USV hired Cacioppo as their newest analyst.
The succeeding two and a half years were influential for Cacioppo and the business she later founded. During that period, USV took an anthropological approach to venture capital, focusing on the changes new technologies and companies made to human behavior rather than obsessing over theoretical market size. Cacioppo learned that companies like Foursquare could not be easily rationalized a priori. What was the TAM for “checking in” to coffee shops, apartment buildings, and offices?
“I learned that market sizing in a spreadsheet is always going to be too rational,” Cacioppo said. “I think if you’re good at market sizing, you don’t end up building a business like Vanta.” To gauge the potential for a truly novel idea, Cacioppo discovered that keen observation was necessary.
Tinkering
In 2013, after studying hundreds of businesses at USV, Cacioppo decided it was time to try and build one of her own. With that in mind, she left the venture firm, using the bonus money she’d received to support herself.
Though she knew she wanted to start a business, Cacioppo wasn’t sure exactly what that business should be. “Few people can go into a dark room and then emerge with a great idea. That wasn’t me,” she said. Cacioppo decided she would learn by doing, tinkering toward a viable business. She started by teaching herself to code, then building tools that might help others. Along the way, she experimented with all manner of apps, widgets, and websites. Navigate to Cacioppo’s personal site – the updated version of the one that helped her land the job at USV – and you’ll find dozens of side projects attempted at some point, a testament to Cacioppo’s absurd generativeness.
Cacioppo looks back on the most significant project she worked on during this period with a chuckle. With her friend Matt Spitz, a former eBay engineer, Cacioppo created a social messaging business that she affectionately calls “our owl app.” Hoot was a simple way for users to send video messages to each other, not unlike Snapchat. (Its domain name? www.getitwhileitshoot.com; regrettably defunct today.)
Rather than starting with iOS, Cacioppo and Spitz sought to win over the underserved Android market. “That was a bad bet,” Cacioppo recalled. Though Hoot received tens of thousands of downloads, it never achieved a breakout trajectory. It also didn’t seem to be a particularly strong fit with the founding pair’s interests. Cacioppo remembered: “We worked on it for four or five months, and then we were just like, ‘What are we doing?’”
After nearly two years of experimenting, Cacioppo’s runway was reaching its end. It was time to find a job. While Spitz joined Dropbox, Cacioppo tried to navigate a sale for Hoot. “I called up corporate development at various startups to see if they wanted our ‘promising mobile app,’” she recalled with a smile. In the end, Hoot’s buyer came from outside traditional tech circles. “We sold our owl app to a teenage entrepreneur in Kentucky for $20,000.” After the acquisition had closed, Cacioppo joined her former co-founder, becoming a product manager at Dropbox.
For many would-be entrepreneurs, the result of years of dedicated work might have felt underwhelming. Had it been worth leaving a high-profile, well-compensated job in venture capital to tinker with owl-themed social media? An epigraph above the list of projects on Cacioppo’s website illustrates how she seems to have framed this period – and reminds us of the growth-mindset great entrepreneurs tend to have. It reads, “The function of the overwhelming majority of your artwork is simply to teach you how to make the small fraction of your artwork that soars.”
Cacioppo had made art. It would soon allow her to soar.
Managing
Though Cacioppo had built plenty of projects, she’d never managed a team. Dropbox would give her that chance. After the cloud storage business acquired Hackpad in 2014, it broke ground on a new project: Paper. A collaboration tool in the vein of Google Docs, albeit with a more artful interface, Paper represented Dropbox’s big bet of the mid-2010s, an attempt to break out of its storage silo.
After joining as a junior product manager, Cacioppo was soon given the reins over the internal organization, directly managing other PMs and broadly overseeing a group that grew from fewer than ten employees to eighty. “It was our team for a while,” Cacioppo said. “We got to make the decisions.” She also got to experience the challenges of running a growing team.
While trying to expand Paper’s userbase, Cacioppo first encountered the problem that would lead her to found Vanta. Paper was a popular tool within Dropbox, but it struggled to find a user base beyond the company’s walls. Cacioppo remembered just two external users who used it religiously: one was an engineer’s mother who didn’t know Google Docs existed, the other was a manager’s girlfriend. After a break-up, the girlfriend churned.
To try and drum up new business, Cacioppo approached the firm’s account managers about distributing Paper to companies already using or about to sign up for Dropbox accounts. By tying the two together, Paper would begin to build a user base composed of dynamic, trendy startups rather than the nuclear family of employees.
It didn’t work. Dropbox’s legal team explained to Cacioppo that while Dropbox had undergone various security validations, Paper hadn’t. They told her that it hadn’t been pen-tested and wasn’t SOC 2 compliant. “I remember thinking, ‘what do those words mean?’” Cacioppo said.
While it would take a little longer for her to dig into the muddy waters of compliance, the upshot was clear: Paper couldn’t pursue Dropbox customers without voiding existing contracts. The subsidiary would have to undergo its own compliance procedures – a process that might last 18 months, Cacioppo was told – or it would need to find customers of its own. That closed the matter. “I kind of forgot about it,” Cacioppo said.
After two years at Dropbox, Cacioppo felt it was time to try her hand again at founding a company.
Testing
Though Cacioppo didn’t have a business idea in mind, she brought more experience and knowledge to the table in late 2016 than she had almost four years earlier.
Teaming up with fellow Dropbox alumnus Erik Goldman, the pair set out to explore without the burden or benefit of venture funding. As Cacioppo said, “We were convinced we shouldn’t raise a bunch of money.”
It wasn’t an easy process. “There were a couple of months of utter confusion,” Cacioppo said as she and Goldman wrestled with collaboration tooling and voice programming ideas. Eventually, a more structured investigation process won out, with the pair agreeing to pick two areas to investigate deeply. Cacioppo chose to continue researching workspace collaboration – “I went down the wiki path,” she said – picking security as her second focus.
“It was a really naive interest,” Cacioppo recalled. “It seemed important and strange, and I couldn’t explain it. It was also a little cool.” As she noticed how many large security businesses there were, Cacioppo’s venture capital brain whirred into overdrive, sensing opportunity.
Conversations with industry experts helped her frame the security landscape. As she remembered, the space could be subdivided into two essential tasks: securing information and demonstrating that security to others. “A lot of the people that are good at the securing don’t like showing,” Cacioppo realized. She thought there was something to that.
In discussions with startups, she heard about the SOC 2 compliance process, remembering how “terrible” it had seemed while managing Paper. Though she sensed there was a way to improve how companies passed the necessary standards, Cacioppo was sure there must be a reason why no one had renovated the industry yet – “there are rarely $20 bills on the sidewalk.”
She landed on two rationales for the backwardness of the space. For one thing, it was a services industry. Large auditing firms dominated and had little incentive to innovate, given the lucrativeness of the work. Secondly, it appeared to be a variable process, with each SOC 2 certification requiring a slightly different skillset. Cacioppo and Goldman decided to test that second assumption; if SOC 2 could be standardized, it could also be automated with code.
Cacioppo had heard from friends at the company that Segment's team was struggling with SOC 2 compliance. As an experiment, she created a spreadsheet outlining the steps Segment should take. Rather than hearing that it was insufficiently tailored, Cacioppo discovered the team was grateful for the direction. To further stress the potential for standardization, she created a copy of the spreadsheet, changed the company’s name, and sent it to friends at the email collaboration startup, Front. To her surprise, it was equally effective.
Soon, other companies began reaching out. They’d heard about the spreadsheet and wanted it for their own SOC 2 process. What had seemed fiendishly irregular was demonstrably standardizable and in hot demand. It was time to step on the gas.
Building
In late 2017, Cacioppo accepted a spot in the next Y Combinator batch. The funding arrived not a moment too late — she and Goldman were down to their last $50,000.
They arrived at the accelerator with a name: Vanta. True to their roots, they’d landed on the moniker through structured experimentation, sending a list of short words to about seventy friends, asking them which appealed most. Vanta, easily pronounceable and spellable, won out, and Cacioppo secured the domain for “the price of a small car.”
A $3 million round soon followed Y Combinator’s funding, with seed funds and angels contributing. Despite attracting tenured investors, Vanta succeeded in slipping under the radar, a barebones website with Times New Roman font one of the few signs of its existence.
According to Cacioppo, that was a strategic decision. The firm’s low profile had done little to dampen demand, with Vanta receiving one to two emails a day from companies looking for help with SOC 2 compliance. That interest translated into real revenue: in the first five months of Vanta’s existence, the company surpassed $500,000 in sales, all of it managed by Cacioppo. From her time at USV, Cacioppo knew how unusual that immediate, scalding hot product-market fit was. “Someone will figure out this is a good business,” Vanta’s CEO remembers thinking, “So how big of a lead can we get?”
The answer to that question proved to be “a significant one.” Over the next three years, Vanta scaled in near-silence. By early 2021, the company had hit a $10 million run rate without raising a Series A. It might have continued to grow off its balance sheet, but as competitors eventually entered the fray, Cacioppo recognized the value in accelerating. Not only would fresh funding open up new marketing opportunities, it would be a further proof point for potential hires. Though she enjoyed the look of shock on recruits’ faces when she disclosed Vanta’s numbers, finding a prestigious venture partner would undoubtedly increase the top of the funnel.
It didn’t take long. On a bike ride in Palo Alto, Sequoia Capital’s Andrew Reed got an email. Dylan Field, the founder of Figma, had connected him to Christina Cacioppo, suggesting the two connect as soon as possible. Reed remembered thinking that if Field was confident enough to make an introduction without a double-opt-in, this was someone he should meet.
The following day, a Friday, Reed and Cacioppo went for a hike in Woodside. “Very quickly, it became clear that she was a Sequoia caliber founder,” Reed recalled, highlighting her charisma and uncommon fluency in every aspect of the business. Cacioppo pulled out her laptop and showed Reed the numbers at the end of their discussion. “It was clearly a breakout company,” he noted.
As Reed set about conducting rapid diligence, Cacioppo did the same. She asked Reed for references while he began asking portfolio founders that used Vanta for thoughts. Both emerged more confident in a union. Cacioppo was impressed by the speed at which Reed’s references returned her calls, especially over a weekend; Reed quickly heard that Vanta was not only used by businesses but beloved, boasting an impressive NPS score.
By that Tuesday, Sequoia had offered to lead Vanta’s Series A. In May, the details were announced: Cacioppo and her team had raised $50 million on a $450 million pre-money valuation. It represented a fitting achievement for an entrepreneur who started her founding journey nearly a decade earlier.
Product: Architects of trust
Vanta’s success can be expressed concisely: it addresses a fundamental business need – trust – simply, elegantly, and cost-efficiently. While this is an apt description of what Cacioppo and company have built, we must take a closer look at the product to grasp its power.
Explaining SOC 2
At the beginning of this piece, we briefly explained that SOC 2 is a standard of compliance used to help companies trust each other. We can add some detail to this description.
More specifically, SOC 2 was developed by the American Institute of CPAs (AICPA) to codify the treatment of customer data and score the security risk of a given vendor. As part of a SOC 2 process, a company must prove that it conducts background checks on employees, password protects company laptops, configures cloud services safely, and follows many more tedious but essential practices.
Sarah Scharf, Vanta’s Head of Product and Brand Marketing, explained that SOC 2 is not dissimilar to the American college system’s “Common Application,” but for companies. A single document is accepted and understood by organizations of different sizes, from startups to behemoths like Google and Facebook.
As we’ll see, Vanta’s product extends far beyond SOC 2, but this represents the company’s beachhead.
Automating compliance
Historically, companies have struggled to receive their certificate of SOC 2 compliance. Andrew Reed mentioned he had seen many a Sequoia business hit the same hurdle: “They realize, ‘Oh, shoot, before we can sell to this customer and get revenue, we need to handle this.’ Then everything gets pushed out by nine months.”
Vanta has upended this process. Rather than getting surprised by a months-long engagement with an auditor and a big bill, Cacioppo’s product automates the compliance process. This fundamentally changes a company’s security posture from reactive to proactive.
How does Vanta do this? It starts by connecting to a company’s services, including platforms like AWS, Heroku, Google Suite, Slack, Datadog, Linear, Asana, Gusto, and many others. Vanta’s solution monitors and runs checks on these tools, ensuring they are safely set up. It creates no friction for employees but builds a picture of a business’s internal data practices.
Using this information, Vanta can gauge audit readiness and identify security gaps that should be addressed. It can also sync existing processes like employee onboarding to ensure appropriate measures are taken. It’s worth noting there are many more useful features as part of a robust suite, reflecting Vanta’s headstart in the industry.
In and of itself, the information Vanta surfaces is beneficial for a business, highlighting best practices and identifying vulnerabilities. It is even more tangibly valuable in the context of an audit. Rather than starting from scratch, customers can share the information collected by Vanta with a recommended auditing firm like Insight Assurance, greatly simplifying the certification process and reducing the cost.
Beyond SOC 2
The risk of starting a business around a specific standard like SOC 2 is that it's easy to get stuck. Cacioppo said: “SOC 2 is a hair-on-fire problem today, but how do you expand?”
To build the value of the platform and grow Vanta’s TAM, Cacioppo has been aggressive in growing the firm beyond SOC 2. In July of last year, the company announced support for two significant new compliance processes: ISO 27001 and HIPAA. Three months later, it followed up with two further additions: GDPR and PCI DSS.
Though these standards are each significant in their own right, the details matter less than what it says about Vanta as a company. Cacioppo and the team have built a robust tech platform capable of flexing to meet different compliance processes. Rather than being just a SOC 2 servicer, Cacioppo explained that the message to customers is: “We’re the way you monitor.” By Vanta’s estimation, it has reduced the burden of ISO 27001 by 80% and HIPAA by 85%; it reportedly saves weeks on other certifications.
Playing fair
Vanta is capable of conducting SOC 2 audits itself. The firm could hire in-house auditors and manage the process from end to end. The fact that Vanta doesn’t do this indicates its commitment to play by the rules as it sees them. According to Ari Shahdadi, Vanta’s Head of People, Partnerships, and Legal, running the audit in-house would be a “clear violation.”
That hasn’t stopped competitors, however. Some of the bloated auditing firms Vanta disrupted responded by tacking technology onto their services. While that might seem like an attractive option for customers – a one-stop shop – it poses a real risk, according to Shahdadi. “There’s the potential that their audits will be invalidated,” he said.
Vanta's product is designed to reduce security risks, not add them. Nor does it seek to make enemies of auditors, with Cacioppo noting that Vanta sees them as “partners.” “Building trust with them is important,” she added.
Model: Better, faster, cheaper
Andrew Gulrajani remembers what SOC 2 certification used to involve. Over four years at Deloitte, he contributed to plenty of compliance processes, often feeling frustrated by their inefficiency. “We always said these projects could be a lot simpler,” he remembered.
After hearing an ad for Vanta on Guy Raz’s “How I Built This” podcast, Gulrajani reached out to Cacioppo on LinkedIn. Based on what he heard, Vanta was tackling the issues with the compliance process head-on. He found that initial assessment to be accurate, discovering that Vanta not only represented an improvement on the status quo but a radical disruption. As we’ll learn, that disruption is allied with a strong revenue model that empowers smaller businesses.
Leveling the playing field
Vanta charges an annual, recurring fee. Unlike traditional players, however, Vanta costs a fraction of the price. By shifting the workload from auditors to computers, Cacioppo succeeded in reducing the cost by as much as 90%. Processes that might have once run up a $50,000 tab can routinely cost just $5,000. Months-long engagements are compressed to mere weeks.
While this makes for a compelling product, it has also fundamentally changed the customer landscape for B2B startups. Andrew Reed explained that by simplifying and reducing the cost of compliance, Vanta “evens the playing field” for insurgents to compete for large clients. Suddenly vying to serve a large public company does not require a massive outlay.
Impressive traction
Given Vanta’s value proposition, it is perhaps unsurprising to learn that it’s growing quickly. While Cacioppo declined to share exact figures beyond the fact that Vanta had reached a $10 million run rate by its Series A, she shared a graph demonstrating how effectively momentum has increased.
Cacioppo added that Vanta’s customer count increased 220% over the past year. Given its already strong traction, this will likely translate into formidable revenue. That’s without factoring in growth with existing customers. Vanta’s newer offerings like GDPR and HIPAA also increase net dollar retention.
Culture: On a mission
Vanta’s initial success may have been down to discovering a product the market wanted. But over the years ahead, much of its success will depend on building a winning culture.
Midwestern assassins
A brief description of a movie I would like to see:
A classic Midwesterner finds themselves ensnared in a game of espionage. To extricate themselves, they agree to work as a contract killer. Thanks to their non-threatening wholesomeness, they turn out to be effective. After all, who would suspect a good-natured Ohioan?
This is how I think of Christina Cacioppo. Ask anyone for a description, and the word “Midwestern” crops up remarkably quickly, more a characterization of temperament than a statement of fact. However, beneath that genuine, soft-spoken demeanor is an operator with extraordinary horsepower and rare vision.
Not only did Cacioppo invent a category from scratch, she has shown incredible flexibility in leading her business. Reed stressed this skill as a core part of her strength. “She just picks up stuff so quickly,” he said, enumerating the roles she had filled at some point during Vanta’s life, including finance, sales, and partnerships.
Reed argued that while some founders hire to address their weaknesses, that is simply a “necessary but insufficient step to be a great CEO.” Cacioppo has assembled an impressive team with diverse talents, but she has also been willing to pinch hit. “She has a true growth mindset,” Reed remarked.
Vanta appears to be a company in Cacioppo’s image. When asked about Vanta’s culture, Sarah Scharf said, “It’s an incredibly nice company. Everyone who works here is generally a kind person and helpful.” Boris Logvinsky, Head of Product, noted the presence of a “no assholes rule,” while also pointing to a certain endearing bookishness that prevailed. To emphasize the latter point, he mentioned that Matt Spitz – Cacioppo’s co-founder at Hoot and Vanta’s current Head of Engineering – had written a limerick about the procurement process. Cacioppo later tweeted it.
“That was very Vanta,” Logvinsky said.
Divine discontent
Jeff Bezos famously referred to customers as “divinely discontented.” Their desire for more, better, faster constantly pushes Amazon to raise its game in his estimation.
Every great business I’ve studied also exhibits this characteristic, and Vanta is no different. Though its existing product is already robust and market-leading, the team relentlessly looks for ways to improve. Logvinsky pointed to this as a core characteristic. “I think we’ve built a culture that pushes harder on each other,” he said.
Interestingly, when I asked Cacioppo why she had gone with Sequoia for Vanta’s Series A, her answer rhymed. “They push,” she said, “and we always push ourselves.”
A true mission
Vanta’s existence is a testament to Cacioppo’s research and acuity. It is also her response to a significant societal problem: data breaches. In 2017, the year Vanta was founded, Equifax exposed the information of more than 163 million customers. The same year, Uber was hacked, revealing information for 57 million users. Since then, Reddit, Quora, Typeform, the United States Postal Service, Microsoft, and, of course, Facebook have all experienced significant breaches. Those incidents have emphasized the need to safeguard the digital world better.
For Vanta’s team, solving this problem provides real motivation. “The company is incredibly mission-driven in the purest sense of the word,” Sarah Scharf remarked. “People believe in securing the internet.”
Risks: Coming for the king
In the last couple of years, others have awoken to the opportunity in compliance monitoring. Incumbents have updated their offerings and reduced their prices, while insurgents have looked to follow in Vanta’s footsteps.
The result is that Vanta’s risks seem to be relative. There is strong product-market fit, plenty of room to grow, and obvious sectoral tailwinds around the expansion and codification of the internet economy. The question becomes: will Cacioppo’s company be the one to benefit? Or will it surrender its lead?
Innovation risk
“Anyone that says there are moats in SaaS is lying,” Ari Shahdadi said. “It’s an execution business.”
Though Vanta has the first-mover advantage and, as such, has had more time to develop a robust and mature product, others are capable of catching up. If the company wishes to remain the trusted default of SOC 2 and beyond, it will need to keep pushing and innovating on product.
So far, Cacioppo has acted savvily on this front. As mentioned, the company added support for HIPAA, GDPR, and other standards in 2021. While this is a good indication the company is willing and able to innovate, arguably, these extensions should have arrived sooner. Vanta has been in market since 2018, and though it wished to maintain a low profile, it might have benefitted from casting a broader shadow.
Sequoia’s investment is predicated on Vanta’s ability to stay ahead of the chasing pack. Reed mentioned that among the characteristics the firm looks for in an investment, “at the top of the list is an emerging market leader.” In his words, that’s because 50% of revenue, 75% of profits, and 80% of eventual market cap redound to the leader. He agreed that wasn’t always the case, adding a qualification: “There are plenty of markets where the first to market doesn’t win. There are not many markets where the first and most innovative company doesn’t win.”
Vanta will need to ensure it is both.
Capitalization risk
So far, Vanta has raised a total of $53 million. That represents a modest sum for a nearly five-year-old business with stellar numbers. Though achieving rapid growth with relatively little funding is a desirable trait, Vanta must ensure it does not give its competitors a capital advantage.
Several rivals have raised tens of millions more, despite arriving to market years later and with seemingly lesser traction. Their ability to do so is a testament to the opportunity Vanta showcased. Cacioppo will receive little succor from this fact if late arrivals succeed in closing the gap.
Though Vanta did not share its fundraising plans, I would expect the business to secure a large Series B in the near term. Cacioppo won’t want to surrender Vanta’s frugal, capital-efficient roots but is more than shrewd enough to recognize when to change tack. It may be a particularly opportune time: though many private market darlings are discovering that prior rounds overvalued them, Vanta’s conservatism, continued growth, and established backers mean it should have little trouble with a raise.
Messaging risk
Vanta will want to spend a portion of its next round on messaging. As Reed remarked, “[Vanta] hasn’t been a wildly marketed product. For a long time, they under-invested in distribution and over-invested in product development.”
The lingering effect of keeping its light under a bushel is that potential customers may not have heard of Vanta. When it comes time to find a compliance solution, they search on Google, visit a few forums, and compare offerings. Vanta’s market-leading position and longer track record may not always be clear in that process.
Again, the company seems to be aware of this – and is having fun finding its voice. In September of last year, Vanta unveiled a billboard at the SaaStr conference. The team had just one day to come up with the copy, and Head of Product and Brand Marketing Sarah Scharf coined the winner:
“Compliance that doesn’t SOC 2 much.”
Her creation went viral.
If Vanta can message its personality and humor at scale, it has a strong chance of standing out in the traditionally dull world of compliance.
Future: Securing the internet
Vanta’s mission is an audacious one: to secure the internet. Though the business has accomplished a great deal already, when viewed in relation to that ambition, it’s clear that Cacioppo expects much more. In ten years, we may think of Vanta less as a disruptor and category creator and more as a piece of fundamental digital infrastructure. It’s time to look at what Vanta may become and enable.
Continuous trust
Audits are a point-in-time analysis. They tabulate a company’s state of affairs, assess the information, and document the results. This cadence makes little sense in technology, where data changes from one moment to the next. As Boris Logvinsky, Vanta’s Head of Product, remarked, “You would never buy an API that gave you one data point a month.”
If Vanta continues to grow its influence on the compliance industry, it may amend or upend this practice. Continuous, real-time checks could replace point-in-time analyses. Cacioppo described this potential end-state as a “security status page,” not unlike the uptime and availability pages that some websites showcase. “You want it to be monitored,” she said, “Sometimes it’s red, sometimes it’s green. That’s what a company’s security posture should be. It shouldn’t be a screenshot.”
Does this spell the end of the auditor? Cacioppo doesn’t think so. “You need a bunch of judgment in a few places,” she noted. “There are some things robots can’t check.” For example, is a computer best positioned to assess whether a company hires qualified candidates? It might help, but ultimately, at least in the medium-term, a human auditor provides better judgment.
Andrew Reed agreed. Because there’s sensitive data at stake, “a little bit of friction is a good thing,” in his view. Though humans will remain in the loop on some tasks, Vanta can still deliver security insights near-continuously, fundamentally changing how businesses evaluate one another.
Minimizing damage
Vanta’s success could have a societal impact by reducing data breaches' frequency and severity. As Sarah Scharf noted, there was once a time when losing a credit card represented a terrifying ordeal. You would call your bank immediately, shut down the card in question, and wait for a replacement. Today, it’s mostly a non-event. Apart from a momentary inconvenience, there’s little jeopardy or risk of losing money. Cards are quickly shut down, and banks cover fraudulent charges.
Vanta wants to execute this same maneuver for user data. Making compliance available and affordable ensures that even smaller businesses can appropriately guard sensitive information. The product’s recommendations for companies of all sizes establish best practices and protections. “If we’re successful, getting hacked should be much less stressful,” Scharf said. There should also be fewer breaches, given that so many occur because of avoidable human error – detectable by Vanta’s system.
Unblocking economic opportunity
The final potential impact of Vanta’s success is also the most profound. “The level of the company’s mission is unblocking economic opportunity for startups,” Andrew Reed said. “It sounds like a totally over-the-top description of what Vanta does but it’s true.”
SOC 2 and other standards are valuable but can exert a meaningful burden on immature businesses. Vanta’s greatest legacy may be that it has helped thousands of companies take on new customers, earn fresh revenue, and grow. As it scales, that impact will only become more significant.
Among humans, trust is hard to gain and easy to lose. It may take months, or perhaps even years, for one person to trust another. Historically, that has been true for businesses, too. Demonstrating trustworthiness took time, effort, and no little money. With Vanta, Christina Cacioppo created a solution to this fundamental problem. It is a rare business, as a result, not only a category creator but an architect of trust.
The Generalist’s work is provided for informational purposes only and should not be construed as legal, business, investment, or tax advice. You should always do your own research and consult advisors on these subjects. Our work may feature entities in which Generalist Capital, LLC or the author has invested.