Vanta lands $40M to automate cybersecurity compliance

Vanta, a security compliance automation startup, today announced that it raised $40 million in an extension of its Series B funding round that closed in June, which valued the company at $1.6 billion. Notably, CrowdStrike invested in the extension along with a number of individual investors.

CEO Christina Cacioppo tells TechCrunch that the new cash will be used to support Vanta’s customer acquisition, product R&D and go-to-market efforts. It brings the company’s total capital raised to $203 million.

Cacioppo founded Vanta in 2016 to — in her words — “help companies achieve and maintain a strong security posture.” Previously a professor at the School of Visual Arts in New York, Cacioppo co-founded Nebula Labs, a software development house, before joining Dropbox as a product manager on Dropbox Paper.

“With massive breaches on the rise — like Uber, Sony, Equifax — companies understand that proving their security is a must to doing business. Why? Because enterprises won’t buy a product that is not secure and regulators will crack down on any company with a weak security posture,” Cacioppo told TechCrunch via email. “The problem is emerging companies lack the resources and expertise in-house to properly secure their perimeter, leaving them open to incoming threats and penalties for non-compliance, and they have no way to prove to their customers that their critical business assets are safe from threats.”

Vanta offers services designed to enable businesses to meet regulations, compliance standards and laws, like HIPAA and GDPR. The company provides workflows and controls for various apps and services to ensure compliance, allowing auditors to complete audits within Vanta and delivering alerts and guidance via email and apps like Slack.


Vanta recently began offering what it calls “Trust Reports,” which aim to summarize a company’s compliance position. Image Credits: Vanta

Behind the scenes, a monitoring engine collects data from Vanta customers’ software-as-a-service app and cloud stack and runs analyses to surface potential security threats. Cacioppo explained: “A customer’s journey in Vanta is guided by data-driven insights from the thousands of companies that have used Vanta to build and demonstrate their security. Each new customer benefits from the experience of all previous Vanta customers.”

Certainly, compliance is a tricky field — one many companies struggle with. A 2021 survey from The Harris Poll found that nearly two-thirds (63%) of organizations see compliance issues as critical barriers to growth. In a separate study from Telos, an IT cybersecurity firm, organizations reporting having to comply with an average of 13 different IT security and privacy regulations and spend $3.5 million annually on compliance activities, with audits taking close to two months each fiscal quarter.

That’s been good for business. San Francisco-based Vanta, which employs more than 350 people, now has a customer base numbering north of 4,000 organizations that includes brands like Quora, Modern Treasury and Autodesk. When asked, Cacioppo didn’t reveal annual recurring revenue figures — save for that revenue has grown “significantly faster” than Vanta’s valuation.

“Vanta continues to drive innovation in the space by building beyond ‘check the box compliance’ to a scalable set of security tools that help address the risks inherent in running businesses in the cloud,” Cacioppo said, citing a report from Polaris Market Research that predicts the enterprise governance, risk and compliance software market will be worth $96.98 billion by 2028. “‘Growth at all costs’ has never been our MO. [I] bootstrapped the company until it hit $10 million annual recurring revenue to make sure there was strong product-market fit and the company could stand on its own … The metrics that investors are scrutinizing now — burn rate, capital efficiency, gross margins — are ones Vanta has always excelled at.”

The challenge for Vanta will be beating back competitors in the increasingly crowded risk and compliance space. Just in May, Kintent, a startup providing enterprise compliance and security solutions, raised $18 million in venture capital. Earlier this year, Secureframe landed $56 million for its platform that automates an enterprise’s compliance with standards like HIPAA and SOC 2. Other rivals include Ethyca, Ketch, Soveren and Anecdotes, the last of which secured $25 million in its Series A.

There’s cash to go around, fortunately. Investors poured $5.1 billion into governance, risk and compliance startups in Q2 2021, a 113% increase from Q2 2020, according to Crunchbase data cited by The Wall Street Journal. In the first 10 weeks of 2022 alone, funding reached nearly $1 billion — spurred by international sanctions and data privacy legislation like the California Consumer Privacy Act.

In an emailed statement, CrowdStrike CTO Michael Sentonas said: “Compliance is no longer a siloed function — it’s a boardroom priority and an essential component of the modern security stack. We invested in Vanta because they created a way for every company, large and small, to achieve and maintain compliance by automating the process end-to-end.”