It's a Tuesday morning at a Series B SaaS startup. The head of security is drinking cold brew at her standing desk. A buyer's procurement team has just emailed a 312-question security questionnaire with a Friday deadline. She does not panic. She opens a browser tab.
The tab is Vanta. Inside it, evidence is already being collected from her AWS account, her Okta tenant, her GitHub org, her Jamf-managed laptops. Policies are versioned. Controls are tested. Auditors are waiting in a shared workspace. The questionnaire she just received is being answered, mostly, by a model trained on her own documentation. By lunch she sends it back. By Friday the contract is signed.
A decade ago this scene was science fiction. Compliance was a slow, paper-shuffling priesthood. Vanta is the company that decided the priesthood had to go.
01 / Who they are now
The quiet utility
Vanta is not loud. It does not put its name on a stadium. Its homepage is mostly black text on cream paper, which is roughly how serious people prefer their security vendors to look. And yet, by April 2026, more than 16,000 companies pay Vanta to handle the part of their business that nobody enjoys and everybody needs.
If you have ever signed up for a SaaS product and noticed a small grey badge that says "SOC 2 Type II," there is a reasonable chance Vanta got it there. The platform now manages compliance against SOC 2, ISO 27001, HIPAA, PCI, GDPR, HITRUST, USDP, NIST AI RMF and a long tail of custom frameworks. It is, by any honest accounting, the operating system for trust at thousands of modern software companies.
CrowdStrike is an investor. So is Sequoia. So is Wellington. The $150M Series D it closed in July 2025 set the valuation at $4.15B, up from the $2.45B set by its Series C a year earlier. The line on the chart is doing the thing investors like the line on the chart to do.
02 / The problem they saw
Trust is the new tax
Here is the part Vanta noticed before anyone else: trust had become a tax on every transaction. Every enterprise buyer wanted proof. Every regulator wanted documentation. Every breach in the news added another paragraph to the next vendor questionnaire. Sellers were spending months proving things about themselves instead of building things for their customers.
The standard response was to hire a compliance manager, retain a Big Four auditor, and bury the engineering team in screenshots of access logs. The standard response cost between $50,000 and $250,000 per framework. It worked, in the same way that copying a textbook by hand works.
Christina Cacioppo, the company's CEO, had lived this from the inside. As a product manager on Dropbox Paper, she had watched her team get pulled off shipping to produce evidence for SOC 2. The audit eventually passed. She quit anyway. Then she spent the better part of a year interviewing security leads about what they actually did all day. The honest answer was: paperwork.
03 / The founders' bet
Software eats the auditor
In the winter of 2018 Cacioppo joined Y Combinator's batch with co-founder Erik Goldman and a thesis that sounded, at the time, slightly unhinged: connect to a company's systems, watch them continuously, and produce the evidence an auditor needs in real time. No screenshots. No spreadsheets. No nine-month preparation runway.
Most software is sold on the promise of doing something new. Vanta was sold on the promise of doing something old in a way that finally did not insult anybody's intelligence. That turned out to be a much better promise.
The seed round was a modest $3M. The pitch was specific: SOC 2 for startups, automated, in weeks instead of months. The market was specific too. YC alone produced hundreds of new companies a year, nearly all of which would eventually need a SOC 2 to close a first enterprise deal. Vanta sold to that batch first, then to the next one, then to the rest of the industry.
[Timeline chart: Vanta, in years]
04 / The product
A platform that watches
Vanta works less like a piece of software and more like a slightly nosy roommate. It plugs into the dozens of systems a company already uses - AWS, GitHub, Okta, Jamf, Google Workspace, Snowflake, on and on - and quietly inspects them for the controls a framework requires. If something drifts out of compliance, it tells you. If an auditor needs proof a control was in place last March, it has the receipts.
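What that pattern looks like in code, stripped of any real integration, is an added illustration written for this page rather than Vanta's own software: a small monitor that runs control checks over inventories pulled from each system, records timestamped evidence for every run, flags controls that drift from pass to fail, and answers the auditor's "was this in place last March?" question by looking up the most recent record at or before a date. The control names, the AWS and GitHub inventories, and the March and June snapshots are all constructed; a real collector would fetch them from the provider APIs.

```python
"""Toy continuous-control monitor, written for this article as an illustration
of the pattern described above. It is not Vanta's code; the control names,
inventories and snapshots are constructed. Timestamps are ISO-8601 UTC strings,
which sort lexicographically, so no date library is needed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Evidence:
    control_id: str
    observed_at: str   # ISO-8601 UTC timestamp of the snapshot that was inspected
    passed: bool
    detail: str


# Each control inspects one inventory and returns (passed, detail).
def iam_console_users_have_mfa(snap: dict) -> tuple[bool, str]:
    missing = sorted(u["name"] for u in snap["aws_iam_users"]
                     if u["console_access"] and not u["mfa_enabled"])
    return (not missing,
            "all console users have MFA" if not missing
            else "console users without MFA: " + ", ".join(missing))


def s3_public_access_blocked(snap: dict) -> tuple[bool, str]:
    exposed = sorted(b["name"] for b in snap["s3_buckets"] if not b["block_public_access"])
    return (not exposed,
            "public access blocked on every bucket" if not exposed
            else "buckets without public-access block: " + ", ".join(exposed))


def default_branch_requires_review(snap: dict) -> tuple[bool, str]:
    weak = sorted(r["name"] for r in snap["github_repos"]
                  if not r["branch_protection"] or r["required_reviewers"] < 1)
    return (not weak,
            "every repo requires a reviewed PR to merge" if not weak
            else "repos mergeable without review: " + ", ".join(weak))


# Hypothetical control identifiers; a real framework mapping would tie each to SOC 2 criteria.
CONTROLS: dict[str, Callable[[dict], tuple[bool, str]]] = {
    "aws-iam-mfa": iam_console_users_have_mfa,
    "aws-s3-no-public": s3_public_access_blocked,
    "github-branch-review": default_branch_requires_review,
}


def evaluate(snap: dict, observed_at: str) -> list[Evidence]:
    """Run every control against one snapshot and emit one Evidence row per control."""
    return [Evidence(cid, observed_at, *check(snap)) for cid, check in CONTROLS.items()]


def drifted(previous: list[Evidence], current: list[Evidence]) -> list[str]:
    """Controls that passed in the earlier run and fail in the later one."""
    before = {e.control_id: e.passed for e in previous}
    return sorted(e.control_id for e in current
                  if not e.passed and before.get(e.control_id, False))


def evidence_at(history: list[Evidence], control_id: str, when: str) -> Optional[Evidence]:
    """Most recent record for a control at or before `when`; None if never observed by then."""
    rows = [e for e in history if e.control_id == control_id and e.observed_at <= when]
    return max(rows, key=lambda e: e.observed_at) if rows else None


# Constructed snapshots. March is clean; by June a service account has been given
# console access without MFA, the kind of drift a screenshot-once audit never sees.
MARCH_SNAPSHOT = {
    "aws_iam_users": [{"name": "alice", "console_access": True, "mfa_enabled": True},
                      {"name": "deploy-bot", "console_access": False, "mfa_enabled": False}],
    "s3_buckets": [{"name": "prod-data", "block_public_access": True}],
    "github_repos": [{"name": "api", "branch_protection": True, "required_reviewers": 1}],
}
JUNE_SNAPSHOT = {
    **MARCH_SNAPSHOT,
    "aws_iam_users": [{"name": "alice", "console_access": True, "mfa_enabled": True},
                      {"name": "deploy-bot", "console_access": True, "mfa_enabled": False}],
}

MARCH_RESULTS = evaluate(MARCH_SNAPSHOT, "2025-03-15T09:00:00Z")
JUNE_RESULTS = evaluate(JUNE_SNAPSHOT, "2025-06-01T09:00:00Z")
HISTORY = MARCH_RESULTS + JUNE_RESULTS

if __name__ == "__main__":
    for e in HISTORY:
        print(f"{e.observed_at} {e.control_id:22} {'PASS' if e.passed else 'FAIL'}  {e.detail}")
    print("drifted since March:", drifted(MARCH_RESULTS, JUNE_RESULTS))
    print("evidence for aws-iam-mfa as of 2025-04-01:",
          evidence_at(HISTORY, "aws-iam-mfa", "2025-04-01T00:00:00Z"))
```

The design choice worth noticing is that evidence is append-only and keyed by observation time, never overwritten: the June failure does not erase the March pass, so the March answer stays truthful and the June answer stays embarrassing, which is exactly what makes the record useful to an auditor.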
There are now five product surfaces. Compliance Automation is the original. Trust Center is the public-facing page that lets a buyer self-serve security information without anyone exchanging a single PDF. Vendor Risk Management lets you assess everyone you depend on with the same machinery. Questionnaire Automation drafts your answers. Vanta AI ties it all together with agents that read policies, summarize controls and flag risk before an auditor does.
05 / The proof
The line that keeps going up
The numbers, when you line them up, are unsubtle.
[Chart: Vanta ARR, in millions of dollars]
Customer count has tracked similarly: 7,000 at the start of FY24, 12,000+ by mid-2025, 14,000+ by year end, 16,000 by April 2026. The customer list has graduated too. What started as a YC alumni network now includes Atlassian, Quora, Ramp, Modern Treasury, Autodesk and CrowdStrike itself, which both buys from Vanta and holds a stake in it.
06 / The mission
Securing the boring
The company's stated mission is to "secure the internet and protect consumer data." That is the polite version. The honest version is closer to: make the work of trust so cheap and so continuous that no company has an excuse to skip it. Compliance, in the Vanta worldview, is not a project. It is a setting on the application, turned to "on" by default.
There is a deeper bet underneath the product roadmap. Cacioppo and her team believe that as software becomes more autonomous - agents writing code, models touching customer data, AI making decisions a human used to make - the demand for evidence will only grow. The NIST AI RMF framework Vanta now supports did not exist when the company was founded. Whatever framework comes after it does not exist as this paragraph is written. The platform is built to absorb them.
07 / Why it matters tomorrow
The trust layer
The internet has lost something. Anyone who has clicked "I agree" on a cookie banner in the last five years knows this. Trust used to be assumed. Now it has to be proven, constantly, in machine-readable form. The question is not whether the trust layer of the internet gets built. The question is who builds it.
Vanta is making the case that the trust layer should look less like a regulator and more like a utility - always on, mostly invisible, occasionally embarrassing if you forget to pay the bill. That is a calmer kind of ambition than most $4 billion software companies will admit to. It is also probably the right one.
Back to the head of security at her standing desk. The questionnaire is answered. The cold brew is gone. She closes the tab and goes back to whatever she was working on before the procurement team interrupted her. Somewhere in the background, Vanta is still watching. Somewhere a new framework is being drafted. Somewhere a buyer is about to ask for proof. The tab will be waiting.
The audit, it turns out, can be a quiet thing.