YesPress Profile — Security & Compliance
The machine that makes auditors irrelevant - and security teams look like heroes.
Christina Cacioppo sold Beanie Babies on eBay at age 11. Then Girl Scout cookies. Then she built a $4 billion company to sell something nobody wanted to talk about: compliance. Turns out, everyone needed it.
There is a particular kind of problem that only founders and therapists fully understand: the problem that is so unglamorous, so obviously necessary, and so universally avoided that whoever solves it will be rich and right, in that order.
Christina Cacioppo found hers at Dropbox, buried in spreadsheets, policy documents, and an auditor's checklist that seemed designed by someone who hated the person filling it out. Getting a SOC 2 certification - the gold-standard security audit required by most enterprise software buyers - took months of manual work, scattered evidence collection, and a kind of institutional dread that made everyone in the building slightly worse at their actual jobs.
She left Dropbox. She taught herself to code. She co-founded Vanta in 2018 with a simple thesis: security compliance should not require a spreadsheet the size of a suburb.
The investors were not impressed. Cacioppo estimated the total addressable market for SOC 2 automation at around $100 million. Many passed. One suggested the category simply wasn't investable. Today, Vanta's valuation alone is $4.15 billion. The irony is not lost on anyone, except possibly the investors who passed.
The last thing she sold before founding Vanta was Girl Scout cookies. She had zero professional sales experience. She built a company with 15,000 customers.
On Christina Cacioppo's origin story

Here is how enterprise software sales worked before Vanta: a startup would pitch a Fortune 500 company, survive the pricing conversation, and then receive a security questionnaire. Hundreds of questions. Does your company have a written information security policy? When was it last reviewed? Do you perform background checks on contractors? Who has access to production systems?
For a 40-person startup, answering this questionnaire was like being asked to produce your tax returns, medical records, and a comprehensive memoir - simultaneously, in a specific format, reviewed by an external auditor who billed by the hour. The process could stretch six to twelve months. Deals were lost while compliance teams scrambled. Engineers were pulled off product work to gather screenshots. Lawyers charged more to review audit reports than some startups had in the bank.
SOC 2 was not the only framework. There was also ISO 27001 (favored in Europe), HIPAA (for anything touching health data), PCI DSS (for payment processing), FedRAMP (for selling to the US government), HITRUST, GDPR, and roughly three dozen more. Each one slightly different. Each one requiring its own paper trail.
"Security compliance was one of those problems that everyone knew was broken, but nobody thought was worth fixing."
Cacioppo had spent time at Union Square Ventures before Dropbox. She had seen hundreds of startups stumble not on product or market, but on the operational friction of becoming a company that large organizations would trust. She had also watched that friction cost deals, delay expansions, and demoralize teams. When she left Dropbox in 2017 to teach herself to code, compliance automation was already in the back of her mind - not as a passion, but as a problem too expensive to leave unsolved.
Economics and Management Science graduate from Stanford. Former VC at Union Square Ventures. Former product lead at Dropbox. At age 11, ran a Beanie Baby resale operation on eBay using grocery store money orders - a detail she considers a "not-good cocktail party trick." At age 30, co-founded Vanta. The through-line is a tolerance for unglamorous problems and a belief that most boring things are only boring because nobody has made them fast yet.
Vanta connects to a company's existing tools - AWS, Google Workspace, GitHub, Okta, Salesforce, Slack, and 400+ others - and continuously pulls evidence of security controls. When an auditor asks whether multi-factor authentication is enforced, Vanta already has the screenshot. When a questionnaire asks whether access reviews happen quarterly, Vanta has logged every one. When a customer wants to know if your data is encrypted at rest, Vanta's Trust Center shows it in real time.
The pitch is simple: what used to take six months of manual work can be compressed into weeks. And instead of a one-time audit that immediately starts going stale, Vanta turns compliance into a continuous posture - monitoring 1,400+ automated checks every hour.
The product has expanded well beyond SOC 2. Today, Vanta supports 37+ compliance frameworks across security, privacy, and government standards. It has added vendor risk management (which companies use to vet their own suppliers), questionnaire automation (so customers can answer the very questionnaires that once consumed their teams), and a public Trust Center that companies can share with enterprise buyers like a living audit report.
The latest evolution is what Vanta calls an Agentic Trust Platform - effectively, an AI that functions as a continuous GRC (Governance, Risk, and Compliance) engineer. The AI monitors the compliance program, flags gaps before auditors do, automates routine tasks, and drafts responses to security questions. It works around the clock in a way that human compliance teams cannot.
Continuous monitoring across 37+ frameworks. SOC 2, ISO 27001, HIPAA, FedRAMP, GDPR - automated evidence, continuous tests, audit-ready in weeks.
A 24/7 AI GRC engineer with full program awareness. Proactive gap detection, automated routine tasks, and questionnaire drafting that never sleeps.
AI-powered vendor onboarding and continuous monitoring. Know your suppliers' security posture before they become your problem.
Automates the security questionnaires customers send you. Your team answers 288 questionnaires a year on Growth tier - the AI does it instead.
A public-facing compliance status page. Send it to enterprise buyers before the questionnaire even arrives.
Turns fragmented risk data into a real-time, actionable map. Know what's exposed, ranked by impact, not alphabetical order.
Vanta's first 600 customers came without a marketing team. No demand generation, no brand campaigns, no SEO strategy. Word-of-mouth through startup networks - particularly Y Combinator's alumni community - did the work. One founder told another. The first customer referral program was essentially: this thing saved us six months, you should use it.
By the time Vanta raised its Series A in May 2021, it was already at $10 million in ARR. That made it an unusually mature company for an A round - most companies raise Series A to prove product-market fit. Vanta raised it to scale what it had already figured out.
The growth from there was steep. $80 million ARR by June 2023. $152 million by end of 2024. $220 million by July 2025. Every year, roughly doubling.
The customer count followed. Four thousand customers by 2022. Seven thousand by early 2024. Fifteen thousand by early 2026. The platform has now guided more than 10,000 companies through their first compliance audit cycle - an experience that, before Vanta existed, meant for many of them hiring a consultant for six figures and waiting a year.
Vanta has raised from some of the most recognized names in enterprise software - and notably, from the companies whose own platforms Vanta integrates with deeply.
The customer base spans from seed-stage startups trying to close their first enterprise deal to established companies managing dozens of frameworks across multiple geographies. Notable names include:
International growth has been notable - customers outside the US grew 90% year-over-year in FY2024, as compliance requirements expanded globally under GDPR, NIS2, DORA, and Australia's Essential Eight framework.
The compliance industry has a structural problem: it runs on point-in-time reviews. An auditor visits, examines evidence from a sample period, and issues a certification that is immediately out of date. The company changes its infrastructure. New employees join. A vendor is added. The certification, issued six weeks ago, no longer fully reflects reality.
Vanta's original contribution was continuous monitoring - checking the actual state of a company's controls every hour rather than once a year. The AI layer adds something more significant: continuous reasoning. Instead of monitoring whether controls exist, the AI asks whether they are working, whether they are sufficient for upcoming requirements, and whether they would survive the next audit unscathed.
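The difference between a point-in-time audit and continuous monitoring is easiest to see in code. The following is an added illustration, not Vanta's code or any description of its internals: three controls of the kind the page mentions (MFA enforced in the identity provider, quarterly access reviews, encryption at rest) are expressed as checks over evidence, each evidence record carries the time it was collected, and evidence older than a freshness window is reported as STALE rather than PASS. The integration names ("idp", "cloud"), the control ids, the one-hour freshness window and all user and bucket records are constructed for the example. Re-running the same checks six weeks after the audit shows why a certificate goes out of date: the audit-day evidence can no longer support a PASS, while fresh evidence reveals a new account without MFA and an access review that slipped past its 90-day window.

```python
"""Control-as-code sketch of continuous compliance monitoring (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_EVIDENCE_AGE = timedelta(hours=1)          # assumed freshness window
ACCESS_REVIEW_INTERVAL = timedelta(days=90)    # "quarterly" access reviews


@dataclass
class Evidence:
    source: str                 # hypothetical integration name
    collected_at: datetime
    data: dict


@dataclass
class ControlResult:
    control_id: str
    status: str                 # "PASS", "FAIL" or "STALE"
    detail: str
    failing_items: list = field(default_factory=list)


def _stale(control_id, ev, now):
    """Evidence older than the freshness window cannot support a PASS."""
    age = now - ev.collected_at
    if age > MAX_EVIDENCE_AGE:
        return ControlResult(control_id, "STALE", f"{ev.source} evidence is {age} old")
    return None


def check_mfa_enforced(ev, now):
    """Every active account in the identity provider must have MFA enabled."""
    if (r := _stale("IDP-MFA", ev, now)):
        return r
    missing = [u["email"] for u in ev.data["users"] if u["active"] and not u["mfa_enabled"]]
    return ControlResult("IDP-MFA", "FAIL" if missing else "PASS",
                         f"{len(missing)} active account(s) without MFA", missing)


def check_quarterly_access_review(ev, now):
    """An access review must have been completed within the last 90 days."""
    if (r := _stale("ACCESS-REVIEW", ev, now)):
        return r
    since = now - ev.data["last_review_completed"]
    return ControlResult("ACCESS-REVIEW", "FAIL" if since > ACCESS_REVIEW_INTERVAL else "PASS",
                         f"last review {since.days} day(s) ago")


def check_encryption_at_rest(ev, now):
    """All storage buckets must have server-side encryption enabled."""
    if (r := _stale("STORAGE-ENCRYPTION", ev, now)):
        return r
    plain = [b["name"] for b in ev.data["buckets"] if not b["encrypted"]]
    return ControlResult("STORAGE-ENCRYPTION", "FAIL" if plain else "PASS",
                         f"{len(plain)} unencrypted bucket(s)", plain)


# (evidence source, control) pairs; evaluated on every monitoring run
CONTROLS = [("idp", check_mfa_enforced), ("idp", check_quarterly_access_review),
            ("cloud", check_encryption_at_rest)]


def evaluate_controls(evidence, now):
    """Run every control against the supplied evidence; results keyed by control id."""
    results = {}
    for source, check in CONTROLS:
        result = check(evidence[source], now)
        results[result.control_id] = result
    return results


def drift(previous, current):
    """Control ids whose status changed between two evaluation runs."""
    return sorted(cid for cid, res in current.items()
                  if cid not in previous or previous[cid].status != res.status)


# --- constructed sample data ------------------------------------------------
AUDIT_TIME = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
LATER_TIME = AUDIT_TIME + timedelta(weeks=6)       # six weeks after the audit
LAST_REVIEW = AUDIT_TIME - timedelta(days=60)      # in window at audit, overdue later
AUDIT_USERS = [
    {"email": "alice@example.com", "active": True, "mfa_enabled": True},
    {"email": "bob@example.com", "active": True, "mfa_enabled": True},
    {"email": "carol@example.com", "active": False, "mfa_enabled": False},  # deactivated
]


def collect(now, users, last_review):
    """Stand-in for pulling evidence from integrations; collected 5 minutes before `now`."""
    taken = now - timedelta(minutes=5)
    return {
        "idp": Evidence("idp", taken, {"users": users, "last_review_completed": last_review}),
        "cloud": Evidence("cloud", taken, {"buckets": [{"name": "prod-data", "encrypted": True},
                                                      {"name": "backups", "encrypted": True}]}),
    }


def run_example():
    audit_evidence = collect(AUDIT_TIME, AUDIT_USERS, LAST_REVIEW)
    at_audit = evaluate_controls(audit_evidence, AUDIT_TIME)
    # Point-in-time view: the audit-day evidence re-read six weeks later is STALE, not PASS.
    snapshot_later = evaluate_controls(audit_evidence, LATER_TIME)
    # Continuous view: fresh evidence catches a new hire without MFA and an overdue review.
    later_users = AUDIT_USERS + [{"email": "dave@example.com", "active": True, "mfa_enabled": False}]
    now_results = evaluate_controls(collect(LATER_TIME, later_users, LAST_REVIEW), LATER_TIME)
    return at_audit, snapshot_later, now_results, drift(at_audit, now_results)


if __name__ == "__main__":
    _, _, now_results, changed = run_example()
    for cid, r in now_results.items():
        print(f"{cid}: {r.status} ({r.detail})")
    print("drifted since audit:", changed)
```

The STALE status is the design choice worth noting: a monitoring run that silently reused old evidence would reproduce the very problem the page describes, so the checks refuse to report PASS on anything outside the freshness window and a scheduler would re-collect before re-evaluating. The `drift` function is what turns hourly results into something actionable: it lists only the controls whose status changed since the last run, which is what a compliance team actually wants to be paged about.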
Vanta AI Agent 2.0, launched in late 2025, operates as what the company describes as a "24/7 GRC engineer." It has full awareness of a company's compliance program, can proactively flag gaps before auditors do, draft responses to security questionnaires, and execute routine compliance tasks without human instruction. For a compliance team stretched across too many frameworks and too many vendors, it is effectively a force multiplier - doing the work of several analysts in the background while the humans focus on judgment calls.
The agentic platform does not replace human judgment. It replaces the 40-hour week of evidence gathering that preceded it.
On Vanta's AI direction

The acquisitions underscore the strategic direction. Vanta bought Riskey in July 2025 to strengthen AI-powered vendor risk monitoring - continuously evaluating the security posture of a company's suppliers rather than asking them to fill out an annual questionnaire. Earlier, it acquired Trustpage to improve how companies communicate compliance to customers. The pattern: automate every touchpoint in the trust supply chain.
#1 Most Innovative Security Company - Fast Company, 2024
Forbes Cloud 100 - two consecutive years (2023 and 2024)
IDC MarketScape Leader in GRC Software, 2025
FedRAMP 20x Low Authorization - first cohort to achieve, 2025
Great Place to Work certified - 93% employee satisfaction (vs. 57% national average)
$10M to $220M ARR in four years
The company is remote-first, with hubs in San Francisco, New York, Sydney, Dublin, and London. Employees are called Vantans - a name that reads simultaneously as a team identifier and a small philosophical statement: you are not just an employee, you are someone who believes that trust should be easier to prove.
The six core values are worth examining, because they are less slogans than operating principles:
That last one is particularly telling for a compliance company. The entire product proposition is that Vanta does exactly what it promises - monitors what it says it monitors, reports what it finds, and prepares companies for audits that will check whether reality matches the documentation. In an industry built on the gap between what companies claim and what they practice, "do what it says on the tin" is not a soft value - it is the product.
Team size has grown to approximately 1,766 employees as of early 2026, with headcount roughly doubling between 2024 and 2025. The company has hosted VantaCon, its annual conference, since 2024 - an event focused on the intersection of security, compliance, and AI that has become a gathering point for the GRC community.
Vanta's Series B in 2022 was notable not just for its size, but for its roster of strategic investors: Atlassian, HubSpot, Workday, and CrowdStrike each invested not just money but platform credibility. These are companies whose software sits in the tech stacks of the same enterprises that Vanta helps make compliant. The investment creates a reinforcing loop - Vanta integrates deeply with each platform and becomes the compliance layer that makes enterprise adoption of all of them easier.
CrowdStrike's involvement is particularly significant. As one of the leading endpoint security platforms, CrowdStrike integration means Vanta can pull evidence of endpoint protection directly into compliance evidence without manual screenshots or exports. The two companies market to the same buyers. The partnership is not ceremonial.
In September 2025, Vanta added Carahsoft as a distribution partner, enabling sales through NASA SEWP V and The Quilt government contracts. Combined with FedRAMP authorization, this positions Vanta to serve federal agencies and public sector contractors for whom compliance is not optional - it is a contract requirement.
Christina Cacioppo ran a Beanie Baby resale business on eBay at age 11, purchasing money orders at the grocery store specifically so her parents would not notice she was operating a small enterprise.
She can still name all the original Beanie Babies. Legs the Frog. Splash the Whale. And many more. She describes this as "a not-good cocktail party trick."
The last thing Cacioppo sold before founding Vanta was Girl Scout cookies. Zero professional sales experience. Fifteen thousand customers later.
Vanta's first 600 customers arrived entirely through word-of-mouth. No marketing team. No proper website. Founders telling founders about a tool that made the most tedious part of their job disappear.
When Vanta was founded, Cacioppo estimated the total addressable market at $100M. Many investors passed. Vanta's current valuation is $4.15 billion. The market was approximately 41x larger than estimated.
Vanta's name is a play on "advantage" - specifically the trust and competitive advantage that comes from being demonstrably secure. The name carries the product pitch inside it.
The deeper argument behind Vanta is not about compliance. It is about what compliance represents: a proof mechanism for trust between organizations that cannot fully see inside each other. When a startup sells software to a bank, the bank cannot audit the startup's code. It cannot inspect the startup's servers. It cannot verify that the startup's employees follow security protocols. The audit - SOC 2, ISO 27001, HIPAA, whichever applies - is the substitute for that visibility. It is the trust infrastructure of the B2B software economy.
If that infrastructure is broken - if audits take a year, if evidence is collected manually, if certifications go stale immediately - then the cost of trust is high enough to distort the market. Enterprise buyers hesitate. Startups lose deals they should win. Security work gets done in bursts around audit dates rather than continuously. The audit becomes a performance rather than a proof.
Vanta's contention is that this does not have to be true. That continuous, automated compliance is possible - not just more convenient, but actually more accurate, because it reflects the real state of a company's security posture rather than a point-in-time snapshot assembled under deadline pressure.
That thesis has attracted 15,000 customers, $504 million in funding, and a $4.15 billion valuation. The investors who initially passed on a $100 million TAM have, presumably, adjusted their frameworks accordingly.
Christina Cacioppo left venture capital to teach herself to code. She built a company to solve a problem she found personally aggravating. The Beanie Baby business was more profitable per unit, but the market was smaller. In this one, the market was bigger than anyone - including her - thought. That is usually how it goes with problems everyone knows are broken but nobody thought were worth fixing.
The audit was always a proof of trust. Vanta made that proof automatic. That turns out to be a $4 billion idea.