The Generalist - Vanta: Securing the Internet

Christina Cacioppo’s company is the established leader in automated compliance monitoring. Its ambitions span the web.

Hello friends,

What SaaS company scaled in near-silence before raising a $50 million Series A from Sequoia Capital?

The answer? Vanta.

In today’s piece, we unpack the story of a category-creating business that has achieved breakout traction with minimal funding. (Specifically, a $10MM run rate before that Series A.) In the process, we’ll explore the massive opportunity in compliance and security, how Vanta disrupted an industry, and what it means to secure the internet. We’ll also touch on Vanta’s absurd traction and tell the behind-the-scenes story of that Sequoia round.

This piece was written as part of The Generalist's partner program. You can read about the ethical guidelines I adhere to in the link above. I always note partnerships transparently, only share my genuine opinion, and commit to working with organizations I consider exceptional. Vanta is one of them.


VANTA: SECURING THE INTERNET

Actionable insights

If you only have a couple of minutes to spare, here's what investors, operators, and founders should know about Vanta.

  • Vanta is an architect of trust. At its core, the company makes it easier for businesses to trust one another. It does so by automatically monitoring a business’s performance relative to compliance standards like SOC 2.
  • Christina Cacioppo created the category. Before Vanta, getting SOC 2 certified required tens of thousands of dollars and months of work. Cacioppo recognized technology could automate much of the work and radically reduce cost and effort.
  • It scaled in near-silence (and continues to grow). Cacioppo built an impressive business with little funding or fanfare, not wanting to alert others to the opportunity. Vanta had reached a $10 million run rate when it raised a Series A from Sequoia Capital.
  • Automated compliance has become a hot space. Though Vanta managed to stay under the radar for several years, other businesses have awoken to the space’s potential. Competitors are raising bumper rounds to try and close the gap.
  • Vanta’s mission is to secure the internet. It doesn’t see itself as just an easy way to get SOC 2 certified. Already, the company provides support for HIPAA, GDPR, ISO 27001, and beyond. Its greater mission is to help make online business safer.

***

Our brains work hard to assess the trustworthiness of another person. We observe the sturdiness of their gaze, listen to their voice's timbre. We consider their age, gender, wealth, and weight. We heed what they say and what they seem to hide. Did they pick at their nails as they spoke? Did they scratch their nose? And what was that movement, that little dart: a flinch, a sneeze, a cough, a tell?

We do this difficult work, drawing in hundreds of real-time signals, because almost every worthwhile interaction comes after trust has been established. Friendships, relationships, and partnerships all rely on some measure of it.

Businesses have the same need for trust. But when it comes to securing it, they cannot rely on the same swirling broth of sensory and extra-sensory information humans do. So, what can they do? In the place of instinct, there is auditing. And rather than psychology, there are standards of compliance, the largest of which is called “SOC 2.”

Behind the aridity of the acronym, this is what SOC 2 really is: a document in which a business says, “This is who I am. These are all the things I do to stay safe. This is why you can trust me.”

Though that might sound simple, getting to the point of trust for a business used to be a complicated and costly endeavor. The experts I spoke with shared that a complex SOC 2 process might take eight months, costing north of $50,000. Since large enterprises typically require proof of data hygiene to work with another company, smaller businesses found themselves in a fiendish conundrum we might call a “SOC 22.” The steep price of an audit could put a business in financial trouble, but failing to pay for one meant no new customers, no revenue, and financial risk, all the same. For the lucky, compliance was a cumbersome cost-suck; for the ill-starred, it could be an existential strain.

This was the way of the world, and it served no one save the auditors themselves. They thrived on high fees, opaque processes, and unwavering demand. Then, something happened.

Every industry that has undergone technological upheaval has a before and after moment. Online payments can be divided into time before and after Stripe. Venture capital existed pre and post-AngelList. In compliance, there is a “BV” and “AV”: Before Vanta and After Vanta.

Founded in 2017 by Christina Cacioppo, Vanta is the quintessential disruptor. It has axially altered the way companies prepare for security audits, reducing the timeline from months to weeks. It has also created a brand new category and changed the cost structure of an entire industry, lowering prices by as much as 90%. In the process, Cacioppo and her team have constructed a remarkably winning business – hitting a $10 million revenue run rate before raising its Series A from Sequoia Capital. Even as fast-followers have entered the space, Vanta has gone from strength to strength, logging insane customer growth and establishing itself as the standard bearer for the industry.

Vanta’s success means there is a clear line of sight to significant financial success in the short-to-medium term. Yet the company has only just begun its climb towards Cacioppo’s true goal: to secure the internet. If Vanta is successful, businesses may be able to establish trust in just a fraction of the time it takes now, a profound change.

In today’s piece, we’ll tell Vanta’s story and chart its future. In doing so, we’ll cover:

  • Origins. Before starting Vanta, Christina Cacioppo learned how to study business at Union Square Ventures. She also built plenty of products of her own before discovering the opportunity in automated compliance.
  • Product. Vanta shifts the compliance process from a reactive one to a proactive one. By connecting with a company’s different tools, it seamlessly monitors security practices and suggests improvements. When auditing time arrives, most of the work is done.
  • Model. By turning to technology, Vanta has reduced the cost of SOC 2 certification. That hasn’t stopped it from growing. It grew its customer base by 220% last year after a sterling 2020.
  • Culture. Christina Cacioppo is a Midwestern assassin – incredibly nice but not to be underestimated. She has built a business in her image, replete with good-spirited operators who want to win.
  • Risks. Despite being the market leader, Vanta hasn’t always touted its positioning. As competitors flood behind them, Cacioppo and company will need to invest in messaging. That may require a new round of capital.
  • Future. Right now, audits are point-in-time assessments. Does that make sense given the dynamism of the tech sector? In the future, companies may demonstrate trustworthiness on a near-continuous basis.

Let's get going.

See you soon,

Mario
