Spent twenty years being the person a company calls when its security posture is a question mark. Then he stopped answering the call and built the answer instead.
Stas Bojoukha runs Compyl out of an office on Irving Place in Manhattan, three blocks from Union Square, where fifty-seven employees build software meant to answer a question he spent two decades failing to answer cleanly: what, exactly, is our risk right now. Not a slide deck answer. Not a quarterly answer. An answer you can point to.
He came to this the slow way. Before Compyl, Bojoukha was a Chief Information Security Officer, three times over, at organizations spanning banking, real estate and energy trading - Rabobank, Cushman & Wakefield, SEFE Marketing & Trading. Each stop handed him the same job under a different letterhead: manage a security team, keep the auditors satisfied, and when a board member asked "are we exposed," give an answer that wasn't a shrug dressed up in jargon. He carries six certifications for the trouble - CISSP, CISA, CISM, GSEC, CEH, ISO 27001 Lead Auditor - the full alphabet of a profession built on proving you know what you're doing on paper, which is its own kind of irony for a man whose whole thesis is that paper compliance isn't enough.
The founding story has a specific hinge, and it isn't a garage or a whiteboard epiphany. At one point in his CISO career, Bojoukha built an internal compliance tool for a heavily regulated client. It worked. It ran for six years. Eventually it broke down, the way internal tools built by one overworked security team tend to. When that same client went looking for a replacement, nothing on the market did what the old homemade tool had done. That gap - between what enterprises actually need to track risk and what vendors were selling them - became Compyl, which Bojoukha founded in 2020, mid-pandemic, with co-founder Simon Shaddock.
Compyl bills itself as a unified governance, risk and compliance platform - the kind of category that sounds dry until you remember every company above a certain size is drowning in it. Bojoukha's argument, repeated in interviews and on conference stages from Boston to Tampa, is unglamorous and probably correct: most breaches are not the work of sophisticated adversaries. They're phishing emails somebody clicked, servers nobody patched, cloud storage buckets left open by accident. The tooling meant to catch these things is fragmented across a dozen dashboards that don't talk to each other. Compyl's pitch is one pane of glass - real-time, automated, tied to frameworks like SOC 2, HIPAA, ISO 27001 and NIST 800-53 - instead of a security team manually stitching spreadsheets together at 11pm before an audit.
The company doubled its customer base for two consecutive years running into 2025, with triple-digit annual recurring revenue growth, which is the kind of number that gets a Series A closed. In June 2025, Compyl raised $12 million led by Venture Guides, with existing backers Contour Venture Partners, Armory Square Ventures, NVP Capital, Alpine Meridian Ventures, Brooklyn Bridge Ventures and Zelkova Ventures all returning. Venture Guides partner Anton Simunovic took a board seat. Total funding to date sits at $13.7 million.
Bojoukha has been candid, in interviews like the one with The Pipeline Press, about how badly Compyl's early sales calls went. The team would "feature dump" - walk prospects through a list of capabilities without first figuring out what was actually broken in that buyer's world. It's a common enough startup mistake, but a particularly pointed one for a founder whose entire value proposition rests on understanding a customer's problem better than they do. The fix wasn't a script. It was repositioning Compyl as a customizable GRC solution shaped around a given company's actual regulatory footprint, rather than a fixed feature set - closer to how Bojoukha himself used to build tools, one enterprise at a time, when he was still the one holding the CISO title.
That practitioner's instinct shows up again in how he talks about running the company itself. Bojoukha has said he tries to be transparent with employees about where Compyl stands - including the hard parts - rather than sanding down the message for morale. It reads less like a management philosophy borrowed from a book and more like the habit of someone who spent years being the person in the room who had to tell executives the truth about their exposure, whether they wanted to hear it or not.
Bojoukha was born in Klaipeda, a port city in Lithuania, then part of the Soviet Union, and moved to Canada with his family at age six. He picked up networking work early - doing infrastructure jobs for the Toronto District School Board while he was still a student there, years before he'd formalize any of it with a security credential. He studied Applied Information System Security at Sheridan Institute of Technology and Advanced Learning in Oakville, Ontario, in a program that was, at the time, the first of its kind in Canada dedicated specifically to information security. His father was a serial entrepreneur across a handful of ventures, which is either a tidy explanation for why Bojoukha eventually started his own company or just a fact that happens to be true. He doesn't lean on it either way in interviews.
The near-term roadmap includes an AI-powered "Compliance Copilot," which Compyl targeted for a third-quarter 2025 release, aimed at automating more of the manual monitoring work that used to eat a CISO's week. Beyond that, Bojoukha has talked about expanding into the Asia-Pacific region and pushing further into regulated industries like healthcare and fintech by 2026 - sectors where the cost of a compliance blind spot is measured in more than embarrassment.
Off the clock, or as close to off the clock as a Series A founder gets, Bojoukha has mentioned the ferry to Red Hook, Brooklyn as a favorite spring outing - the skyline view from the water, and the barbecue once you're off it. It's a small detail, but it fits a person whose professional identity is built entirely around noticing what's easy to overlook.
Built a compliance tool as a CISO that ran for six years - and became the seed of Compyl when a former client came looking for something just as good and found nothing on the market.
Early Compyl sales calls were "feature dumps" that didn't land - the team had to relearn how to listen to a buyer's actual problem before pitching a fix.
Believes most breaches trace back to basics - phishing, unpatched servers, cloud misconfigurations - not sophisticated attacks.
Prefers being upfront with employees about company challenges over softening the message.
Father was a serial entrepreneur across multiple ventures.
Favorite spring outing in New York: the ferry to Red Hook, Brooklyn, for the skyline and the barbecue.
Traces how two decades running security programs convinced Bojoukha the tooling itself was the problem.
How Compyl plans to spend its new funding, from the Compliance Copilot to APAC expansion.
Bojoukha's argument that phishing and misconfigurations, not sophisticated hacks, drive most incidents.
Bojoukha's early life and how it shaped a practical, no-frills approach to building a company.
The compliance tool Bojoukha built as a CISO, and how its eventual failure sparked Compyl's founding customer relationship.
How Compyl's early sales approach evolved from listing features to solving buyer problems.
Why Bojoukha believes unsexy enterprise problems make for durable startups.
Details on the AI feature Compyl is building to automate compliance monitoring.
Examines Compyl's growth trajectory ahead of its Series A.
How deep technical credentialing shaped Bojoukha's product instincts as a founder.