The Vanta Success Story: How a Former VC Who Taught Herself to Code Built a $4 Billion Compliance Business by Betting on a Market That Didn’t Exist Yet

The first version of Vanta’s product was a color-coded spreadsheet.

Christina Cacioppo and her co-founder had set up desks at Segment’s office in San Francisco, spending weeks eating chocolate-covered pretzels while reading dozens of SOC 2 audit reports and watching how the compliance process actually worked from the inside. When they had enough understanding to build something, they built a spreadsheet. It listed everything Segment needed to do to achieve SOC 2 certification, with red, yellow, and green status indicators. Not software. Not a dashboard. A spreadsheet.

They handed it to Segment and asked three questions: What did I give you? Would you use it? Would you pay for it?

The answers to all three were yes. That was sufficient to build on.

The product that eventually emerged from that spreadsheet serves 12,000 companies in 58 countries and generated approximately $220 million in annual recurring revenue by mid-2025. The July 2025 Series D round led by Wellington Management valued Vanta at $4.15 billion, a 69% jump from its $2.45 billion valuation just twelve months earlier. Total funding reached $504 million.

What Christina Cacioppo had done before she built it was unusual enough to deserve explanation. She graduated from Stanford with a degree in economics and a master’s in management science, not computer science. She joined Union Square Ventures as an analyst. Then she quit a prestigious VC job to teach herself to code. Then she built a voice app for biologists that nobody wanted. Then she spent several months exploring what was actually worth building. Then she got to the spreadsheet in Segment’s office.


A VC Who Quit to Learn to Code

The path to Vanta starts with a tension that Christina Cacioppo lived with for years: she wanted to found a company but didn’t believe she was the kind of person who founded companies.

The belief was not about confidence in her general ability. She had gotten into Stanford, graduated, gotten a job at one of the most prestigious early-stage venture firms in the world, and been effective there. The belief was narrower: founders coded. She couldn’t code. Therefore she wasn’t a founder.

At USV, she spent her days meeting with innovative founders and evaluating companies. The exposure to how real companies got built clarified what she wanted to do. She left USV after a few years, not because it wasn’t good but because she wanted to build something herself. She then taught herself to code. The decision was both practical and philosophical: she didn’t want to wait for a technical co-founder to validate every idea she had, and she wanted to be able to speak with engineering credibility when building a product.

She built a meeting transcription tool. An Alexa skill for biologists. A few other things she later described with fond self-deprecation. None of them worked. Each one taught her something specific about what the market wanted and what she was capable of building.

Eventually she joined Dropbox as a product manager and led Dropbox Paper from a product team of fewer than ten to one of approximately eighty. The Dropbox experience was explicitly educational for her: she wanted to understand what a real company looked like from the inside, what marketing did, how engineering teams were organized, how product priorities were set and defended. She was in it to learn as much as to deliver.

It was during the Dropbox period that the specific insight behind Vanta arrived, not as a sudden flash but as a gradually accumulating frustration.


The Insight: Security as a Business Problem, Not a Technical Problem

When Cacioppo was leading Dropbox Paper, she wanted to distribute the product to enterprise customers who were already using or considering Dropbox. She reached out to customer success managers and started working toward that goal. Then Dropbox’s legal team explained something she hadn’t encountered before: Dropbox had undergone various security validations, but Dropbox Paper had not. Paper hadn’t been through penetration testing. It wasn’t SOC 2 compliant. Until it was, enterprise customers couldn’t use it in environments that required those certifications.

That was the first time she encountered the term SOC 2. She went and read about it. Then she talked to founders and CTOs about it. Then she kept reading.

What she found was a market with a specific structure. The existing tools for managing security compliance, the GRC (governance, risk, and compliance) category, were essentially spreadsheets in a browser. They let companies organize and track compliance requirements but did nothing to actually verify or enforce them. If you needed to confirm that every employee had two-factor authentication enabled, you had to go do that yourself using separate tools and then manually record the evidence. The GRC tool just held the record. It didn’t do the work.

The audit process was more painful still. Getting a SOC 2 report (strictly an attestation issued by a CPA firm rather than a certification, though the industry calls it one) typically took six months to a year, cost $50,000 to $100,000, and involved teams of accountants manually reviewing screenshots of security controls, evidence gathered into folders, and documentation assembled by hand over weeks. The output was historical: a Type I report described the controls as of a single date, a Type II covered an observation window of several months, and either way it said only that the company had been compliant when the auditors looked. Whether it remained compliant a month after the report was issued was not the auditor’s concern.

The incumbent players had told early explorers of this market that you couldn’t standardize SOC 2 because every report was unique and specific. Christina read the reports. They were different, but they were also not as different as claimed. The controls varied in detail but followed consistent structural patterns. The evidence types that auditors needed were largely predictable. The technology integrations required to gather that evidence continuously, rather than manually and episodically, were achievable.
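As an added example (not Vanta’s code, and not a description of how Vanta’s integrations are built), here is the shape of a control check that gathers its own evidence instead of holding a record a human typed in. The identity-provider user export and the AWS account password policy it reads are constructed sample data in the shape such APIs return; the written-policy thresholds and the control IDs are hypothetical. The second check is the kind of cross-system question the later section raises, whether the written password policy matches what is actually configured in AWS, and the staleness check is what separates continuous monitoring from the point-in-time evidence an auditor collects once.

```python
"""Control checks that gather their own evidence (added example, not Vanta code).

The IdP user export and the AWS account password policy below are constructed
sample data in the shape such APIs return; the written-policy thresholds and
the control IDs are hypothetical.  In production the constants become API
calls and run_all() runs on a schedule, so every piece of evidence carries
the time it was observed and can go stale.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: an identity-provider user export.
IDP_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE", "mfa_factors": ["totp"]},
    {"email": "bob@example.com", "status": "ACTIVE", "mfa_factors": []},
    {"email": "carol@example.com", "status": "DEPROVISIONED", "mfa_factors": []},
    {"email": "svc-ci@example.com", "status": "ACTIVE", "mfa_factors": ["webauthn", "totp"]},
]

# Constructed sample shaped like the IAM GetAccountPasswordPolicy response.
# MaxPasswordAge is absent when password expiry is disabled, so every
# comparison below must tolerate a missing key.
AWS_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Hypothetical written policy: the thresholds the deployed policy must meet.
WRITTEN_POLICY = {
    "MinimumPasswordLength": 14,
    "PasswordReusePrevention": 24,
    "MaxPasswordAge": 90,
}


@dataclass(frozen=True)
class Evidence:
    control_id: str
    passed: bool
    observed_at: str      # ISO-8601 UTC timestamp of the observation
    findings: tuple       # what failed, so a reviewer can act on it


def _as_dt(now):
    """Accept None (use the current UTC time), a datetime, or an ISO string."""
    if now is None:
        return datetime.now(timezone.utc)
    return now if isinstance(now, datetime) else datetime.fromisoformat(now)


def check_mfa_enforced(users, now=None):
    """Every active user must have at least one enrolled MFA factor.
    Deprovisioned accounts are out of scope: the check is over the live set."""
    missing = tuple(sorted(
        u["email"] for u in users
        if u["status"] == "ACTIVE" and not u["mfa_factors"]
    ))
    return Evidence("CTRL-MFA-001", not missing, _as_dt(now).isoformat(), missing)


def check_password_policy(aws_policy, written_policy, now=None):
    """The deployed account password policy must be at least as strict as the
    written one.  A missing key counts as a failure, never as 'unknown'."""
    drift = []
    for key, required in written_policy.items():
        actual = aws_policy.get(key)
        if key == "MaxPasswordAge":          # lower is stricter
            ok = actual is not None and actual <= required
        else:                                # higher is stricter
            ok = actual is not None and actual >= required
        if not ok:
            drift.append(f"{key}: written={required} deployed={actual}")
    return Evidence("CTRL-PWD-001", not drift, _as_dt(now).isoformat(), tuple(drift))


def is_current(evidence, max_age_hours, now=None):
    """Evidence older than the monitoring window is not proof of anything now;
    the fix is to re-run the check, not to keep citing the old result."""
    age = _as_dt(now) - datetime.fromisoformat(evidence.observed_at)
    return age <= timedelta(hours=max_age_hours)


def run_all(users=IDP_USERS, aws_policy=AWS_PASSWORD_POLICY,
            written=WRITTEN_POLICY, now=None):
    return [check_mfa_enforced(users, now),
            check_password_policy(aws_policy, written, now)]


if __name__ == "__main__":
    for ev in run_all():
        state = "PASS" if ev.passed else "FAIL"
        print(f"{ev.observed_at} {ev.control_id} {state} {'; '.join(ev.findings)}")
```

Run as-is, the MFA control fails on the one active user with no factor enrolled, and the password-policy control fails because the deployed minimum length (8) is weaker than the written one (14); both findings name exactly what to fix. The point of the design is that a failure is computed from the live system, a missing setting is a failure rather than an unknown, and each result is dated so that an old pass cannot be mistaken for a current one.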

The investors who heard the early Vanta pitch raised a different objection: this was a small market. Startups didn’t get SOC 2 certifications. The empirical observation was accurate at the time. The vision Cacioppo was pitching was that startups would increasingly need SOC 2 to sell into enterprise customers, that the certification would become a standard expectation rather than an exceptional differentiator, and that if you made getting SOC 2 dramatically cheaper and faster, more startups would get it, which would raise the expectation that all startups would get it, which would drive more demand. The bet was on market creation, not market capture.

That thesis paid out faster than she expected.


The V0 Spreadsheet and the Decision to Move In

The validation approach that Cacioppo used before writing any real code for Vanta is specific enough to be worth describing precisely.

She and her co-founder did not conduct customer development interviews or send surveys. They went to Segment’s office and stayed there for weeks. They read the actual SOC 2 reports. They watched how the compliance process worked in real time. They built their color-coded spreadsheet from what they saw. They handed it to the Segment team and watched how the team used it.

The three questions they asked, “What did I give you? Would you use it? Would you pay for it?” are deceptively simple. They were designed to surface the most important thing a pre-product startup needed to know: not whether the customer liked the concept, but whether the customer understood what it was, valued it enough to use it, and valued it enough to pay for it. All three had to be yes for the idea to be worth pursuing.

When the answers came back yes, Cacioppo set her alarm for 5:45am every morning and started sending “automated” daily email updates to early customers about their account activity. The emails weren’t automated. She was writing them by hand before dawn. One customer received an email with the wrong company name in it and reached out to report the bug. Cacioppo apologized and said she would fix it. The customer never realized the automated system they were trusting was a human being sending them an email every morning.

This is the version of “do things that don’t scale” that most startup founders describe in retrospect but few implement as rigorously as Vanta did. The manual email was not a cute origin story moment. It was a validation that the customers valued the daily update enough to notice when it was wrong, which confirmed that the information was genuinely useful and that an automated version of the same thing would also be valued. The research justified the engineering investment. The engineering was built on top of demonstrated demand rather than hypothetical demand.


The YC Distribution Network and the First 600 Customers

Vanta launched with an unusual acquisition strategy: they signed their first 600 customers without a proper website and without a marketing team. The marketing hire didn’t come until late 2020.

The distribution channel was the YC network.

Vanta launched as a product specifically targeting YC-backed startups. The YC ecosystem was the concentrated pool of exactly the right customers: technical teams at early-stage companies that needed to close enterprise deals but couldn’t get those deals done without SOC 2 certifications that were too expensive and slow to obtain through traditional channels. Every YC startup that hit the point of trying to sell to a corporate customer with a security review requirement hit the same wall. Vanta was the way through the wall.

The referral dynamics within YC were powerful. Founders talk constantly to each other. When one YC company used Vanta to get SOC 2 certification and close the enterprise deal they had been stuck on, they told other YC founders. The word spread through a network of people with precisely the problem Vanta solved, whose trust in peer recommendations was high.

Within the YC ecosystem, Vanta became the de facto standard. By the time the company became more public about its existence, three-quarters of YC companies were using it. The YC network had done the distribution work that a marketing team would normally do, without the marketing team existing.

The product embedded itself in a self-reinforcing dynamic: Vanta helped startups get SOC 2, SOC 2 became more common as a result of Vanta making it accessible, enterprise customers began expecting SOC 2 from all vendors they evaluated, which created demand for Vanta from every startup trying to sell to enterprise customers, including startups outside the YC ecosystem. Cacioppo described the cycle directly: what happened after Vanta launched and dropped the cost was that more startups started doing SOC 2. The expectation became that more startups would do it. Startups started saying, “My competitor did it. So I had to do it.”

The market Vanta had bet on creating was being created by Vanta’s own existence in it.


$10M ARR Before the Series A, Three Years on Seed

The fundraising story at Vanta is the clearest illustration of what Cacioppo meant when she described her approach as unconventional.

After graduating from the YC W18 batch with seed funding, Vanta made a mistake that nearly derailed the company. They stopped selling to focus on hiring engineers. The reasoning was logical: they had hit revenue milestones, raised a seed round, and wanted to build the team to match the product ambition. What they didn’t account for was what their YC batch peers were doing: selling and hiring simultaneously.

A YC partner pulled Cacioppo into an office several months later with sobering news. Most of the batch had kept selling, kept building, hit a million dollars in ARR, and were pitching investors up and down Sand Hill Road. Vanta hadn’t.

Cacioppo described leaving that meeting appropriately frightened and not wanting to pitch Vanta yet because she didn’t have the confidence in it that it deserved. The response was to restart selling aggressively, hire more carefully than she had been planning to, and get the business to a state that justified the conviction she wanted to have when talking to investors.

When Vanta raised its Series A from Sequoia in May 2021, the company had already passed $10 million in ARR. That was roughly three years after founding and three years after the YC seed round. The standard Series A timing in SaaS is after demonstrating $1 million in ARR. Vanta waited until ten times that.

Cacioppo’s explanation was direct: the company was operating at roughly cash flow breakeven on its seed funding, didn’t need to raise, and felt clear-eyed about the opportunity in front of it. The Series A was an acceleration choice, not a survival choice.

Andrew Reed at Sequoia led the Series A and later described the investment as one of the clearest he had ever seen: a company at genuine scale, in a market that was growing structurally, with a founder who understood the product deeply and the customers even more deeply.


From SOC 2 to Trust Management Platform

The product arc from 2018 to 2025 is a story of deliberate expansion from a narrow initial wedge to a comprehensive platform.

SOC 2 was the wedge. It was the most urgent compliance need for startups trying to sell to enterprise customers, the most well-understood certification requirement, and the most manually painful process to complete without software. It was also the compliance framework where the controls were consistent enough to be automated, even if the conventional wisdom said they weren’t.

From SOC 2, Vanta expanded to support over 35 frameworks: ISO 27001, HIPAA, GDPR, FedRAMP, CMMC, the NIST AI Risk Management Framework, SOC 1. Each additional framework extended the addressable market: HIPAA opened the healthcare vertical, GDPR opened European markets, FedRAMP opened US government contracts. The compliance library that Vanta built, the mapping between security controls and framework requirements, became increasingly valuable as a data asset because it had been refined by thousands of real audits.

The Trust Center feature was a strategic shift that moved Vanta from compliance automation into something closer to a public-facing trust marketing tool. A Trust Center was a live, public-facing web page showing an organization’s security posture in real time: which frameworks it was certified under, which controls were passing continuously, when the last audit was completed, what the current status of key security configurations was.

Instead of emailing a static PDF to prospects who asked about your security, you sent them a link to your Trust Center. The information was live rather than a snapshot, and it was backed by the platform’s own monitoring rather than by whoever last updated the PDF. The prospect could see not just that you had passed a SOC 2 audit at some point in the past but that your controls were continuously monitored and currently passing.

This transformed compliance from a cost center into something closer to a marketing asset. A company with a well-maintained Trust Center could use it in sales conversations to reduce the friction of security reviews, accelerate enterprise deals, and differentiate from competitors who were still sending PDFs.


The Questionnaire Problem That AI Finally Solved

One of the persistent costs of selling to enterprise customers was the security questionnaire: a spreadsheet of 200 to 500 questions that enterprise procurement and security teams sent to every vendor they were evaluating. The questions covered every aspect of the vendor’s security posture, and answering them accurately required pulling information from policies, certifications, technical documentation, and audit reports. A thorough response took days. Many companies employed full-time staff just to respond to questionnaires.

The questionnaire problem was adjacent to SOC 2 compliance but not exactly the same. A company could have an excellent SOC 2 and still spend enormous time answering questionnaires because enterprise buyers wanted specific evidence rather than just a certification reference.

Vanta built questionnaire automation. The initial versions were useful but incomplete. The AI-powered questionnaire automation that Vanta launched in 2024 and refined through 2025 crossed a quality threshold that made the product genuinely transformative for the people using it. By Vanta’s own figures, Vanta AI could automatically draft over 80% of questionnaire responses, those AI-generated answers were accepted by human reviewers 95% of the time, and security review completion times fell by 81%.

The 95% acceptance rate is the number that matters. An AI tool that drafts responses that humans then edit significantly is helpful but still labor-intensive. A tool that drafts responses that are accepted as-is 95% of the time means the human reviewer’s job is primarily to spot-check rather than to rewrite. That changes the workload from “use AI to help me write responses” to “use AI to respond and verify exceptions.”

Vanta’s questionnaire automation integrated with the underlying compliance data the platform was already maintaining. The AI’s responses were grounded in actual documentation, actual audit results, actual current system configurations. When Vanta AI said yes to a question about two-factor authentication enforcement, it was saying yes because it could verify in real time that the enforcement was active, not because a human had typed a yes answer into a form at some point in the past.


The Market Creation Thesis Paid Out Faster Than Expected

The most important strategic bet in Vanta’s founding story was a market creation bet, not a market capture bet.

When Christina Cacioppo raised her seed round and built the first version of Vanta, the prevailing view among investors was that the market was small because startups didn’t get SOC 2. The counter-thesis she was pitching was that startups would get SOC 2 if it became affordable and fast, and that Vanta’s existence would itself create the market by making the certification accessible.

This thesis has a specific dynamic: if you lower the cost and friction of a thing, more people do the thing, which normalizes the thing, which makes people who don’t do the thing feel competitively disadvantaged, which drives them to do the thing too. Vanta cut a SOC 2 from $50,000 to $100,000 and six to twelve months down to a few thousand dollars and a few weeks. Adoption followed immediately.

By the time the competitive landscape emerged in 2020 and 2021, Vanta had a two-year head start in a market that had gone from “startups don’t do this” to “startups are expected to do this” in large part because of Vanta. The emergence of competitors like Drata, Secureframe, and others was a validation rather than a threat: it confirmed that the market Cacioppo had bet on creating had been created, and it was worth fighting over.

The market creation dynamic compounded in a specific way. Enterprise buyers saw more and more of their startup vendors with SOC 2 certifications. This raised the standard: companies without SOC 2 looked less mature and trustworthy by comparison. The certification that had been optional became expected. The expectation created a large, durable market for whatever made achieving and maintaining the certification less painful.

Vanta’s revenue grew from $0 in 2018 to $10 million ARR by early 2021 on seed funding alone, then to $50 million, $80 million by mid-2023, $152 million by the end of 2024, and $220 million by mid-2025. The growth rate is that of a company growing into a market it helped create.


12,000 Customers, 35 Frameworks, and What Comes Next

By July 2025, Vanta served 12,000 organizations in 58 countries. The customer base included companies ranging from seed-stage startups, which Vanta acquired through the YC network and word-of-mouth among founders, to Fortune 50 enterprises, which Vanta reached through the enterprise expansion effort it began in earnest in 2022 and 2023.

Notable customers included Atlassian, Snowflake, Duolingo, Intercom, and Ramp. The enterprise value proposition was distinct from the startup value proposition in specific ways. For a startup, Vanta was about getting compliant fast enough to close enterprise deals. For an enterprise, Vanta was about managing compliance at scale across dozens of frameworks, automating vendor risk reviews, and maintaining continuous compliance posture rather than episodic audit readiness.

According to the case studies Vanta publishes, Duolingo saved 12 hours weekly and hundreds of thousands of dollars using Vanta’s AI-powered vendor risk management. Snowflake built a Compliance Center on top of Vanta’s infrastructure to accelerate customer due diligence. Atlassian used Vanta to enable over 400 partners to achieve compliance milestones and demonstrate trust through Trust Centers. Ramp eliminated manual spreadsheets by mapping custom controls into Vanta’s continuous monitoring framework.

The Series D announced in July 2025, $150 million from Wellington Management with participation from Goldman Sachs, Sequoia, J.P. Morgan, Craft Ventures, Y Combinator, Atlassian Ventures, and CrowdStrike Ventures, will fund expansion into third-party risk management, government compliance frameworks, and AI governance. The EU AI Act imposes new legal obligations on companies building on AI, and NIST’s AI Risk Management Framework, though voluntary, is becoming the reference point buyers use when they ask vendors about AI governance. Vanta’s infrastructure is positioned to become the default platform for managing AI compliance the same way it became the default platform for managing security compliance, because the underlying problem is the same: organizations need to demonstrate that they are doing the right things with sensitive systems, and demonstrating it manually is expensive and slow.

The Vanta AI Agent, launched in 2024 and updated to a 2.0 version in late 2025, functions as what Vanta calls a 24/7 GRC engineer with complete program awareness. It can answer nuanced questions that cross multiple systems, like whether a company’s password policy actually aligns with active system configurations in AWS, provide proactive guidance, collect and validate audit evidence automatically, and surface vendor risk issues before they slow reviews.

Christina Cacioppo’s stated goal is to make zero-touch security reviews a reality through the combined power of questionnaire automation, Trust Centers, and vendor risk management, so buyers get the answers they need, backed with real-time data, before they even ask.


What the Vanta Story Is Really About

The Vanta success story is unusual among the companies in this series because it is a story about a founder who bet explicitly on creating a market rather than entering an existing one, waited three years on seed funding before raising a Series A, and built her initial distribution not through marketing but through embedding herself in the community whose problem she was solving.

The decision to build Vanta’s first product as a spreadsheet that a human ran manually for weeks before writing any software is the most specific illustration of the founding philosophy. The point was not to build something quickly and then learn from user feedback. The point was to understand the problem so thoroughly that what was eventually built was based on genuine insight rather than hypothesis.

The manual 5:45am emails are the same philosophy applied to distribution. Cacioppo didn’t build an automated email system and then validate that users found it valuable. She sent the emails by hand and watched how users responded to them before building the system.

The Series A timing reflects the same pattern at a larger scale. She waited until $10 million ARR, not because she didn’t have investor interest before then but because she wanted to be standing on solid ground before taking in capital that would create expectations she hadn’t yet earned the right to accept.

The investors who said “this is a small market, startups don’t get SOC 2” were making a factual observation at the time. What they were missing was that the market was small partly because the friction was so high, and that removing the friction would structurally change the size of the market. That is the specific insight that makes Vanta interesting: not that it found a market and served it, but that it created a market by making a previously inaccessible thing accessible, and then built a durable business in the market it had created.

Christina Cacioppo graduated from Stanford with an economics degree. She quit a VC job to teach herself to code. She built a voice app for biologists. She set her alarm for 5:45am to send emails that customers thought were automated. She waited three years before raising a Series A. She is now the CEO of a $4.15 billion company that has changed what enterprise B2B software buyers expect from the companies they do business with.

The spreadsheet in Segment’s office was Vanta’s v0. The $220 million in ARR and 12,000 customers across 58 countries is what v0 eventually became.

Discover more from The Courier
