
A
Christina Cacioppo founded Vanta in 2018 to solve a problem most founders didn't even know they had: compliance. Under her leadership, the company has defined the trust management category, growing to over 15,000 customers. Cheers.
B
Cheers.
A
Good to see you. Good to see you. Tell the Vanta story.
B
We help companies start or build out their security programs and then get credit for all that work through an audit, through a security questionnaire, a trust center. But it's basically like, do all the work to improve your security and then go get credit for that with your customers.
A
All the Vanta billboards I see use the word compliance rather than security.
B
Yes.
A
What's going on there?
B
It is one of those where you're like, well, vitamin versus painkiller, I think. Right. And I think compliance, SOC 2, is a word that no one knows what the heck it means until they deeply know.
A
And then they want this quarter.
B
Exactly. Yeah. And so it's kind of like. And one of the original, like, founding hypotheses of the company is if you want to start a security company for startups, you should actually start a compliance company, because your customers never ask you for security, but they do ask you for compliance.
A
It's like the buying moment for startups. I see.
B
Exactly. And then when you're going through that, you have to implement a bunch of, like, do a bunch of best practices, maybe buy some tooling.
A
Yes.
B
But you don't. Even if you want to, you don't do it before that moment.
A
Yeah, yeah.
B
Because you're doing the thing the customer wants.
A
And I guess at a later stage, the buyer would be split, where security would be the CISO versus compliance would be the CFO, GC, something like that.
B
I actually think Stripe is like a little. I don't know. And what I see, which is biased but different, is that usually compliance is there's this unified GRC, governance risk and compliance, function and that lives in the CISO org. And that will centralize internal audit. It'll centralize enterprise risk.
A
Okay, so you're mostly.
B
You put those teams together.
A
Yes.
B
Third party risk. Those teams are all together in the CISO org.
A
So you're mostly selling to CISOs. Okay. How did you. You woke up one morning and you decided you were passionate about starting compliance.
B
When I was three years old, it was my first word.
A
Exactly.
B
Yes. We joked in the early days we'd like never be able to pull that story off. I don't know. I heard training businesses are good.
A
I've heard more absurd founding myths. So I think you could Just go for it.
B
Yeah, go. No, the real story is twofold. So one, prior to Vanta, I worked at Dropbox. I worked on what at the time was a new product, Dropbox Paper. We were trying to take it to market and didn't take it to market as well as we could have for several reasons, one of which was, turned out at the time, all the Dropbox contracts had written into them like, we're secure, we're compliant, we're pen tested, we're XYZ. Our new thing had none of those. And so it's like in order to talk to someone with a Dropbox account, which was 100 million people or whatever it was, we had to go through this process. This was Dropbox 2015. So the height of it, Silicon Valley power, year and a half, 10 engineers, no feature building, all that. That all happened. I was not smart enough to then be like, aha, startup idea. Instead, this Dropbox, what are you doing? This sounds bad. It was about a year and a half later, just talking to startups and founders about security, trying to figure out, is there a company to be built here? How do you get more startups to care about security? How do you do it? And came across basically companies that either sort of did nothing for security, but felt really badly about it sometimes, but still did nothing. And then companies that had a lot of stuff in place, and the lot of stuff in place was because they'd gotten a questionnaire, they'd gotten SOC 2 because of an enterprise customer. And that was kind of the like, oh, that thing. I remember that being crazy and onerous and sort of terrible, but also kind of, if you do it like that is like pass Go, collect $200, huge benefit on the other side. And it was kind of the combo of those two.
A
What you're describing, I think, is just so commonly the experience in founders who start companies. I mean, it was our experience with Stripe as well, where we had just run into the problem before. But it's funny, I often run into people in university who are excited about starting a startup. That's generally. And obviously there's lots of sexy stories of people who dropped out of college to start something. That's generally a bad time, because you talk to university students and often their ideas for companies are pretty half baked.
B
Find My Friends.
A
Yeah, it's Find My Friends. It's like a college textbook exchange app, you know, it's like the five apps, whatever. Whereas so frequently what happens is people go out and they build successful products in the world and they do Dropbox paper or they get some experience. And it turns out there are huge markets available with problem spaces that most normal people have not heard of with things like SOC 2. But you have to kind of spend a while seeing how the value flows in the real world, work to discover them, those big opportunities.
B
Okay, so how do you feel when you go to YC now and you have these founders who've like dropped out and been like, my passion is sales enablement. But they actually kind of do know surprisingly much about it. Kind of.
A
I mean, if you truly manage to learn enough about sales enablement to be, you know, to be able to field a strong product there, then good on you. I just think you're more likely to discover those areas after, you know, five or ten years. What stage is the business at now?
B
We have 15,000 customers. Our growth rate's actually quickened the last couple of years and quarters and months. And so it's been 60% annual plus for the last couple of years since that milestone. So we'll talk number there.
A
Yeah, yeah, yeah, yeah.
B
It's a proper business.
A
Yeah. And you go to market through it's all sold, all sales.
B
Yeah, yeah, yeah. Which is one of the blessings and
A
curses of them with what company sizes.
B
So we do the like we call them the two founders on the couch. But it's like the two founders on the couch are building their thing and someone asks them for and they're working on it on Friday night. Because when else are you going to do the thing? All the way up to at least one member of the Fortune 50.
A
I would have thought that compliance is very different for founders who have never even heard of it, versus companies who have a lot of existing teams here with opinions and stuff built out. So how does that work?
B
That is true. So downmarket, we're not quite TurboTax, but I think that is the kind of experience a founder wants. I see is like, this is high stakes and I don't want to get it wrong. And I don't really know, but just guide me through. That's more of the product experience. And then the output is like, here's a set of controls, but security rules you follow that are monitored on an ongoing basis. And because of that, you're kind of constantly audit ready, you always have everything in place. Great. And so that's sort of the experience a founder wants. But the output is still a security program that's monitored all the time. Upmarket, I switch to talking to engineers. It's more Datadog for your compliance controls. You're like, I have my program, I have my thing. But it lives in a spreadsheet, it lives in Jira, custom Jira, it lives in something like that. And I want real time dashboards and visibility, I see, and deviations and, if, auto remediation, and I want that world.
A
Okay, so there's almost like two layers to Vanta. There is what your controls should be and then how the controls are monitored and implemented. And kind of early stage companies want both. Later stage companies may want more of the latter.
B
Exactly, exactly. And then the tie to audit is like, great. Well, in some ways it's like if the controls can be monitored, you just pass the logs to an auditor. It's more complicated than that. But that's the base model.
A
Well, okay, you're getting to a question I had, which was like compliance at some level is not a thing you can just buy, it's a thing you have to do. And so if you actually talk about all these rules, like I don't know about SOC 2 in particular, but for example, a lot of compliance regimes have this notion of doer and approver being separate for something. And so it's like the, you know, the famous one. Right, exactly. The nuclear submarine, where, you know, you have to have the two keys turned simultaneously to launch the PR, I guess, in this analogy. And again, Vanta can't do that for you, you have to do this. And so what you do is one, for say a startup, you actually just let them know the complete list of things they actually need to do. And I presume there's some, maybe you can talk about, there's some logic of only telling them the stuff that actually applies to them.
B
Yep, exactly.
A
And then there's actually how do you enforce, say separate doers and approvers in something like code review?
B
Yeah, so for something like. So this is where it's the first thing we built, and we call them tests. So it is advanced, but like modeled after unit tests. You're like, turn each of these controls into a unit test.
A
Yes.
B
And so pull from version control, GitHub, GitLab, whatever, look at every pull request and check these fields are this thing, or run some logic over it. And that is our test for the control. And so that was kind of, again, the first thing we built were these tests. But tests are just ways to prove a control.
A
Ah, so you're just a test suite. You're the battery of unit tests for the compliance rules.
B
Exactly.
A
Ah, why don't you just say that? Why don't you just billboard say that?
B
there was a niche audience in San Francisco that would be like, oh, now I understand.
A
Yeah. But I think for the 101 billboards. Oh, what's the controversy with your 101 billboard?
B
Oh, my goodness. How much do we want to do this? We had a great 101 great billboard.
A
I used to drive by it every day.
B
Yeah, yeah. Compliance that doesn't SOC 2 much. Arguably, you know, hundreds of millions of dollars attributed to that billboard. It's funny, that was just in the, you know, annual Vanta and startups. The person who came up with that billboard, very pleased with herself. As she should. As she should be. 100%. Right.
A
Yeah, yeah.
B
Her manager at the time was very skeptical of that billboard. Yeah, yeah. Is this okay? Are we too far over the line? Anyway, you can guess which one of those people is still at Vanta today. Not just because of that, but it was a good.
A
It's kind of a cultural test. Exactly.
B
Anyway, so we had this billboard. It was great.
A
For many years.
B
For many years. I used to joke that we've had it locked up for years. Turns out we didn't. And I'm an idiot.
A
Oh, you forgot to renew it.
B
Not even.
A
You should have had a little Vanta check for this. I know, it was like.
B
It was like your domain and you're just like, you're not supposed to. Yeah, it was slightly better, but still bad. The agency, we worked with one. I really should have got this. Our contract was just written in crayon and we got lots of people asked about our billboard. We'd introduced them to lots of startups. Some of those startups were also buying with that agency.
A
Wow.
B
And so that startup you introduced to
A
them went and took care of members.
B
They didn't do it on purpose. The agency went to them and was like, oh, we have this great inventory. Would you like it? And then we found out.
A
Okay, that's rough. But people will learn about. People will learn about Vanta in other ways.
B
We do like to market.
A
Yeah, yeah. Okay. And then go back to the other part of the question. So how does the layer work for. You know, the rule book might be a thousand pages long. Compiling that rulebook into the steps that are actually actionable for me because I am not a farm. And so all the farm parts of the rulebook don't apply to me.
B
Yeah. Okay. So the initial send people. So the initial version of it actually was, this is like back when we were founders on a couch, was getting as many SOC 2s as we could. It's like Salesforce, Slack, AWS. Right, whatever. And actually opening them all and just comparing them and trying to extract what was common and sort of doing it that way. So that was the first cut. What we do now is hopefully more advanced, but there's a bit of. Now that we have probably 30,000 audits completed, we can just go back and be like, okay, for a company that looks like you and for this auditor, locked in, what sorts of controls are there? So we have that input in. Then we can also layer in, both for a company in particular and in general, it's like you get questionnaires, what are the themes and the questions you're being asked.
A
Yes.
B
We just launched a new commitments product that ingests contracts and scans the contracts for things that are contracted. So you can. Then you can both pull them out and say, hey, this should be a control.
A
Yes.
B
And God forbid something happens, but you're like, what are my obligations to my customers? And you can just have. You basically have all that structured data. But one of the most important things, they just want to see progression over time and increase maturity over time. And you've probably had this at Stripe where you wanted to use some cool new tool that had no security posture and a contingent say, heck that, maybe. But one part of it was like, oh, can you just walk this up over time and show me you're making progress?
A
Yes, yes, yes. Is SOC 2 the main Bible?
B
You know, basically, I mean, we don't. It's funny, we don't break it out by framework anymore because it's all just here. Like, they're all just inputs into the system.
A
Sure. But like, ultimately you need to comply with some specific things.
B
Right, but like, yes, most customers will come to us for that first. Number two is ISO 27001, which is if you part, like demand European enterprises.
A
Okay.
B
Yeah. And so if you're, if you're a European company selling to Europeans, you will start with that. If you're a European starting to sell to Americans, you'll start with SOC 2.
A
Okay.
B
Australia.
A
How aligned are they?
B
I think our official mapping is like 60ish, 65%.
A
Okay.
B
And the additional ISO stuff is often documentation, so it's like a great place for software to happen.
A
Sounds like Europe.
B
Yeah, yeah, yeah, yeah, exactly. Yeah. There's like less, you know, please implement these six more rules.
A
Okay. So is it SOC 2 and its international equivalents is basically that captures most of what you're doing.
B
It is probably plurality, not majority. And so we see a lot of growth. There's this whole let a thousand flowers bloom of AI standards right now. It's like the whole thing there, the healthcare specific things, there's the PCI piece which I know you're very familiar with.
A
There's that. On healthcare is this, which
B
there's HIPAA, which is US law. You can just declare yourself compliant with HIPAA.
A
Like you get to decide.
B
Yeah, exactly. The downside of doing that is if you and are breached, the fines are enormous. And so that's the check that there's semi market check there.
A
Can you describe the policy goals that something like SOC 2 seems to accomplish? And you might say, oh, it's simple, it's just, you know, security. But yeah, like as we know there's many different facets to that. And so it could be preventing information leaks or it could be preventing fraud against the customer or it could be all these different things. And so if you're to stack rank or what is SOC2 actually trying to accomplish at a policy level?
B
I would say it is trying to ensure customer data is protected. That is what it is trying to do.
A
And just to round out the point, your JavaScript comparison is that Java was a very popular language before the emergence of web browsers with JavaScript. And so when they invented JavaScript they wanted to kind of ride off the Java halo as an easy to do programming language, despite the fact Java and JavaScript share no commonality at all, but it was just good branding. And what you're saying is that it's similar with SOC 2 here. Okay, so you're saying the primary goal is to ensure that the data that you are giving this company, your software provider, whatever, is adequately protected. Many companies have had humongous data breaches. You know, Equifax was a great. Equifax, AT&T, I believe, kind of
B
altogether exactly as they talk to.
A
Yeah, yeah. But there's a difference between kind of some data was leaked in some context versus like in the Equifax case. Sorry, we lost all of your data. Exactly.
B
We didn't fix the data. Exactly.
A
Which data did you lose? Like all of us. Yeah. It's very hard to find that moment in the Equifax stock price chart.
B
Yes.
A
What's going on there? As in we think society cares. Society should care. It's valuable to not lose this data. And yet it does not seem to impair what investors deem to be the terminal value of the company.
B
Yes. What are investors betting on? They're betting on like, will anyone churn off of Equifax because this happens? And I think the cynical but correct take is no. Sometimes because you're like Equifax or Delta. You're not like, am I going to stop, I'm not going to stop flying Delta. Especially 10 to 15 years into this where you're like, oh, another one, I'll add an eighth credit monitoring service. Right. And I think there is a cynicism there that is probably correct.
A
Yes.
B
Yes.
A
The other thing that feels like it's changing in this ecosystem is that the costs of having data breaches are going up because Europe in particular is getting very strict about notifications and sometimes fines around these breaches. How is that changing your world?
B
We see more. So we also cover some of the data privacy standards. So your GDPR, your CCPA, there's again an alphabet soup of acronyms here. Honestly, we see demand for that that goes in waves and it kind of tracks what you expect. It's higher in Europe. I mean, Vanta as a product in general does kind of even better in Europe, and better than you would guess for an American, for a California company that doesn't have European roots. And I do think there's some cultural affinity and just seriousness there.
A
Yes, yes.
B
Versus the easy critique of Americans and compliance is like, I'm just checking. You tell me where the bar is and I'll meet your bar.
A
But like it's a box checking.
B
Exactly. Or it is just kind of culturally something that is like more important. You can tell me where the bar is, I'll meet it. But also I have my own internal bar. It's more the European take. But we see demand for, say, CCPA, which is a California version of GDPR, go in waves. And right now it is definite. I mean, all the American regulation is kind of at a total mid year. But it's down right now.
A
Yeah, well, it's down at a federal level. Is it also down at a state level, the kind of energy around the CCPA type things?
B
Yes, it is. Even with it's not clear what California is going to do and it could go multiple ways, I still think the national politics casts a larger shadow even over a state like California.
A
Oh, that's interesting.
B
Yeah.
A
Okay.
B
I think on the national side, current administration is very into streamlining regulation through automation and AI. But that is the catchphrase that they deeply believe in and are driving.
A
I would have thought that this kind of stuff is just too boring to be caught up in any reform initiative. Or will this be streamlined?
B
I think there's very hard working folks in D.C. in special. Well, kind of across the board. But in GSA in the office trying to do this. And the primary lever they're using is FedRamp. Yes.
A
Yeah, yeah.
B
Which broadly I would think of SOC 2 for the federal government, but basically a very onerous set of both controls and requirements that. And documentation in order to begin trying to think about selling to federal and often state, sometimes even local governments.
A
State and local governments also use FedRAMP as kind of their state ramps.
B
There's like literally TX-RAMP, but they
A
kind of conform to FedRamp.
B
Yeah, yeah. And there is a part of GSA and one team in particular, led by a guy called Pete Waterman, who is trying to modernize FedRAMP. But I would say make a like 2020 version of FedRAMP, where the current version feels a bit more 90s. And it is unclear if he will get the traction to succeed, but he's fighting the good fight and he gets it.
A
But even if they do that, I find it hard to imagine the society of accountants just copying the new FedRAMP lock, stock and barrel.
B
No, I don't think they will. I think you're just gonna have even more divergence between these things. Yeah. There's less control overlap.
A
Yeah. I feel like your life is the XKCD of, you know, we have 15
B
standards and the answer is the 16th. Yes.
A
Yes.
B
Yeah, that is also my answer when people are like, well, is Vanta going to make a standard? Couldn't you make a better one? We have that posted on the office wall.
A
Yeah, yeah. Because it is your life.
B
Yes.
A
But, okay, going back to the effects of the European strictness, it doesn't show up in the form of kind of. Maybe American companies previously were looking to kind of check the SOC 2 box versus now they're like, okay, it's really important I don't cross this actually quite strict European rule.
B
Right, right. Whereas I think now, and I think in the. It's funny, we were starting Vanta as what it is now today in spring of 2018, which was when GDPR was going into effect. And so I was kind of running around and being like, will you talk to me about compliance? And everyone said yes, I was having this great luck. And then I'd show up and I'd be like, so, SOC 2. They'd be like, GDPR is a priority, like, next, please. And that energy has like mostly dissipated, especially in the United States.
A
Yes.
B
Think of. It's like the theory at the time was GDPR is written by lawyers at a very high level. It's like not a spec you can hand an engineer, like comically kind of bad as an engineering spec. But like it's fine. We will clarify that in court over the next 10 years. And now we're whatever, seven, eight years in, hasn't really happened.
A
Yes, yes.
B
It still is kind of hand wavy for an engineer at least to go implement as it ever was.
A
And how does this work with agentic coding where the honest answer to the number of human reviewers of this code is zero. Yes.
B
How should it work? Because right now it is like, well, somebody did code. Well, I think right now it's like agent writes code, human or agent puts up PR, maybe human or agent reviews it. And I think to a naive SOC 2 audit, you're like, those seem like two user IDs had that conversation and so we can go forward, but it's
A
more about having two throats to choke as opposed to we read the code of this ATM software and guaranteed that you didn't introduce an infinite money glitch.
B
My interpretation from talking to folks is some of the impetus behind that, or the primary impetus, was insider threat and that's what you're preventing against, which maybe that's my macro answer is just go through the SOC 2 controls and be like, what are we trying to do here? And be like, okay, great, let's design for that.
A
Yeah, yeah, yeah.
B
And that may or may not be how it's written today.
A
That's a good question. Because on all the insider threat stuff, having two reviewers is kind of one way to do it.
B
Yes.
A
Does SOC 2 mandate exactly a lot of other insider threat stuff? Because presumably you should be logging a lot of activity, auditing a lot of activity. You know, there should be process that you have in place.
B
No. And I think this is where actually you get to the tactical standard made by folks who often aren't as in their depth in engineering, let's say. Right. And so the controls for like, there are a bunch of logging and monitoring controls that are suggested. One thing maybe I'll also mention, unlike PCI, SOC 2 doesn't have a prescribed control list. So PCI is kind of different. And it's like you must do, like you must buy this tool whether or not it's useful to you. I'm sure you have your own stories of that. Yes. SOC 2 is like, you must log useful events and have a system to look at them.
A
I see.
B
But it is up to you to decide what the heck that means. Which sometimes is helpful. I think for a startup that's never done this, it is unhelpful because it sort of opens up a maze in a way that's just not great. That's where being prescriptive is part of, I think, Vanta's initial product market fit. I think it's actually largely due to that in a way that wasn't the plan, but I think it's like figuring out how to take that high level guidance, bring it down in some places in a way that actually makes sense.
A
Christina and her team at Vanta are helping their users automate compliance, which for many companies is the thing standing between them and being able to sell to enterprises. We're very familiar with this category of products at Stripe, where you have a complex web of rules that businesses need to be able to comply with so they can move on to actually improving their products. Just take tax compliance and our product, Stripe Tax. As you start selling in more states and more countries, you discover there's thousands of rules you need to follow. For example, did you know Chicago actually has a lease tax which applies to SaaS companies too, since you're leasing out software. Stripe Tax is built to automate all of this with one integration. It knows what you're selling, when and where you have to collect transactional taxes, and how to register and file on your behalf. So if you want to sell globally without becoming an expert in tax rules, check out Stripe Tax. You know, the kind of joking reference that everyone makes as they talk about kind of competition from Claude Code for software products is, yeah, you know, you're not just going to vibe code your X in a weekend. But obviously something like SOC 2 is actually the kind of thing that LLMs or kind of coding agents are good at working with, because there's just so much training data out there and it's a codified set of rules. And so how is AI helping with what you're doing, and kind of what is your plan for? You're describing some of the scale economies you have in having seen other customers, but I'm curious just kind of what the defenses are against a customer could in theory say, hey Claude, give me the plan for our SOC 2 compliance. Make no mistakes. You know, like that is a thing you can contemplate, right?
B
And I think like there's, you know, so you can do the sort of, the very defensive thing. Actually the very defensive thing is like, right, but like this is a place where you don't want to get stuff wrong. Spending much time on it does not make your beer taste better. Right? Like, is this really the place? Even if you really want to vibe code a bunch of stuff, is this really what you want to vibe code? Whatever. There's all those. Ignore them all. I think where the LLMs are excellent, and a little dangerous in a build versus buy, but then we just need to build better experiences on top of this, it is like, hey, Claude, I'm going to give you a mess of data. You go make sense of it for me and get me ready. I'm just going to give you a bunch of AWS screenshots or API calls. I'm going to give you all my policy documentation, I'm going to give you my existing Jira workflow, go turn it into a thing. You can go do that today. This is our onboarding flow, or will be our onboarding flow, which is, oh, you have an existing program that's already running. Give us all the stuff. We will go map it into the Vanta world.
A
Yes.
B
And then in Claude or an LLM, it's like, okay, cool, now you get, I don't know, files in a folder structure that you then Box share over to EY and call that your audit. Fine, you can do that. In a Vanta world, the outcome is now, hopefully we have your program mapped and it is observable and monitored and alerted, and so you have continuous control monitoring. You get your dashboards, you always know what is in place and what is not. And yes, you can go send a share link to your auditor here too, and they can log in and see everything. And so we sort of think about it as they have lowered the initial audit prep in a way, inside, outside Vanta, or like if they're not inside Vanta, what are we kind of doing? So building that, but the continuous monitoring piece. Yes, yes, that you're not going to get out of at least LLM chat. You've got to go vibe code that whole system.
A
Okay, so you're saying this, everyone just wants, like, no one enjoys spending time in SOC 2. Everyone wants to have been SOC 2 compliant as of yesterday.
B
Yes.
A
And so you're saying part of the advantage here in this new landscape is you can just take a whole bunch of unstructured stuff and just empty it into the Vanta hopper and Vanta will
B
make sense to us and then we'll get widgets that you know.
A
And I presume part of the defensibility comes from the fact that preference amongst practitioners, in this case the auditors that are reviewing your SOC 2 materials, is a very strong effect. And both QuickBooks and Xero, to some extent, really grew off accountants becoming familiar with those pieces of software, and companies could have opinions about what they were using, but those are generally, those opinions were not that strong and they were overridden by the opinions of the auditors.
B
We have a version of that. I don't think it's as strong as those effects yet, at least. But even again, we've seen 20,000 audits and thousands for particular firms. And so you're like, to control, you know, so you're like, we now do AI evidence evals. So it's like, oh, you're going to provide this piece of evidence. We can just tell you, is it going to work for this auditor? Did you upload a cat picture? Did you upload a screenshot without a timestamp on it? And you're going to get told to put the timestamp back on, you know, just like that feedback loop we already have. And we've thought about doing things for auditors as well with that.
A
Yes.
B
But yeah, it sort of moves in the direction of like an AI internal audit at least.
A
It feels like the data you have of anonymized prior audits is an incredibly powerful network effect that cannot be replicated because it doesn't exist in the public Internet. Like the AIs don't have it available to them through just private data. And just like stripe's an advantage because we have all the fraud data, we know what a normal buying pattern looks like versus not. And so we can offer the best anti fraud performance just because we're working with a larger data set than other people. Similarly, people going through an audit, you can tell them that this will work and this won't.
B
Yes, this is our Radar.
A
Yeah, yeah, exactly. In a way that just you cannot do even if you decide to buy it yourself.
B
Yes. Yeah, it's a big deal. Yeah, it's kind of cool.
A
Where else have you seen that be
B
useful in relationships between software vendor and buyer. Right. And so Vanta Core, we think of ourselves as broadly, and what we're best known for, is serving software vendors, but people who make software and want to sell it into the world. Right. Do you have security work? Is it secure? Great. Okay. Then we have this third party risk product. But it's basically, I think of like, you're an organization, maybe it's tech, maybe it's not tech. You're buying software and you're going to go put a bunch of your customers' data in it. You want that software to be secure, because if not, you have to turn around and tell your customers, right, I lost your data. But it's actually our email provider. But you don't care who's our email provider. You think it's me and I've sent you email anyway. No one wants to send that email. So there's a whole world of third party risk or vendor reviews, and we build a product for those folks.
A
But is there kind of a compliance versus security tension here as you're doing this stuff?
B
We haven't seen as much. What we have seen is, so the person buying software, they might work at a tech company and be quite savvy and up to date on those threats. They might work, when one of our customers is literally a hotel chain. Right. And so not that. And they certainly don't get compliance themselves because they don't build software. Right. But they buy it.
A
Yep, fine.
B
And so what we generally see is some companies will come in with their set of questions they want to ask, and, you know, maybe I will read your SOC 2, maybe I will not. But, like, I really want to ask you questions 1 through 10. Some companies don't have that. And again, some part of the value proposition is, like, we'll prescriptively guide you. And so we have a product principle just around reasonable defaults. And it's like, can we make the reasonable default questionnaire in this case something that leans into security versus compliance, or versus, do you have a policy to X? And you're like, can you just ask them if they X, if you care? And so that's a place where we've tried to, on the margin, nudge the buyer questions toward more security, knowing that will change the economic incentive of the vendor.
A
One of the big debates people are having right now is how AI productivity gains show up.
B
Yes.
A
And I feel like you could have an opinion on this because we have filled out a lot of security questionnaires at Stripe and I think we'd be very happy if the machines could take over from here. We really don't. We filled out enough.
B
We should talk about this.
A
Exactly, yeah. So one case you could make is the machines are getting quite good. They can understand what Stripe is and isn't and can do and can't do. And so every time we get a security questionnaire, AI can fill it out. The counterargument, you could say, is maybe Jevons' paradox will show up and there'll be even more exhaustive and elaborate and custom security questionnaires. And so the total amount will increase. But so just, how do you see AI productivity showing up here? And the effect.
B
So the questionnaire is actually a great example, because the questionnaire too, we tried to build this product in 2018, actually, before SOC 2, because it seemed easier, actually, but the language models were not good enough. And then we tried again in early '21, BERT came out, and you're like, oh, is there a. It was not good enough. And now it is good enough. So to that, actually, GitHub gets 92% of all of the questionnaires they receive answered through Vanta. And so you're like, not at 100, but you're like, it's GitHub. They have AI tools, like they have Copilot. It's a lot. And so we are absolutely seeing this. Like, the models are definitely good enough. Sorry.
A
People ask GitHub to fill out the security questionnaires.
B
To fill it up. Exactly.
A
Using GitHub. And now they can mostly turn around and return those security questionnaires.
B
Exactly.
A
With 92% filled out.
B
Filled out. And we have a human. But it's just review and approve. Right. And then, like, the confidence scores on, like, prioritizing, even for the reviewer. It's like, you probably want. You can look at the section if you want, but you kind of don't have to. Whereas, like, we really look at these 10.
A
Yeah, yeah, yeah.
B
And so, like all of that work, like our product does that. Yes, yes.
A
That's cool. Okay, so where do you think it goes broadly?
B
I think that so much of the work of a compliance team is, again, keeping things in sync, keeping different sorts of text instances. Right. Adding on new compliance regimes, which is just adding controls. And then, do you want to map the new ones to the old ones and figure out what the duplicates are? That's actually a huge part, classically, of the work of a compliance team. And so I think there are so many opportunities for LLMs and agentic workflows in Vanta's business. And we probably have a couple dozen of them. And if I think about our roadmap, knock on all the things, we'll have hundreds by the end of the year. But what we've been doing is breaking down what folks do. Right. And so you're like, okay, there's the questionnaire piece. If you send out a questionnaire, someone has to read it on the other side, and then you have to think about it and figure out where it works, where it doesn't. Oh, I have this new policy update. I need to put this thing in a policy. I need to. We're going to start doing, I don't know, ISO 42001, which is a new AI standard. So how do I map that in? I need to rerun a risk assessment. I'm going to change my risk score anyway. All of these things, all of these tasks, are all just workflows that you can have an AI do, write an eval against with subject matter experts, and then hill climb until they're quite good.
A
And so it feels like you can reason about the number of people in a profession, especially at a certain stage of company, changing. If you think back to ancient times, I don't know, the year 2000, if you had a 10-person company with, you know, 10 Gateway 2000 beige workstations, they probably would have had an IT person. That IT person would have had.
B
They had like servers in the closet. Yeah, exactly.
A
They had servers in the closet. They had a Microsoft Access database. They had to do software updates for all the machines. Occasionally, like, lint and stuff would get stuck in the mouse ball and you'd have to take it out. So it was a real job. Now I don't think a 10-person company really has an IT person, because the hardware is super reliable. You just buy a new version every now and then. Everything's in the cloud, so there's no porting data over. You just use Google Workspace for everything. And it works really nicely. And so it still exists as a profession. There are lots of interesting things, but Stripe has a bunch of IT people. You don't need a bunch of IT people at the time.
B
You've got to mail laptops to how many countries in the world, which is actually kind of hard.
A
Yes, that's right. We have some IT challenges, but again, we're 10,000 people. And again, it naively feels like you will have a similar effect with compliance as we had with IT, where the profession very much stays around, and it actually gets more skilled rather than less. Like, I think the stuff we do in IT is harder than kind of the basic IT that a 10-person company would have done. Is that basically.
B
I think it's basically true, yes. So one model we've thought about with Vanta, even, like, pre-AI, is we will delay the point at which you have to bring on a full-time security compliance person, or a kind of consultant who's spending meaningful time. But in the past, if you're an enterprise company, maybe you did that at 50, 100, and it's like, can we actually push that further out? Because what we see is that an engineering leader or someone in the engineering org can manage more of this, because they kind of have the mental models and they're usually systems thinkers and they can.
A
And they're responsible for it. So they can kind of change this stuff.
B
Exactly. Yeah. And so you're like, have this persona, if we call them Amelia engineers, but you have the Amelia engineers just going further here. And then you bring on. And then you can bring on a unified security and compliance person, versus, like, oh, you have your security person, your IT person, your compliance person. But it's a little bit like what we're seeing in the, like, engineer, PM, designer collapse. You have the security, compliance, IT collapse into one role.
A
Keep them unified for longer.
B
Exactly. If you can give them good tools. Right. They can do that. Okay, fine. And then again, pre-AI, but then over time, that team starts to grow, and then you have a GRC team and you have a CISO and all this. And what we're talking about now, and we haven't seen yet, but if I had to future-cast and guess, is we're going to see actually those GRC teams collapse a bit more into these single-threaded owners. Taking a GRC team today, there's maybe one person answering questionnaires, one person just reviewing new software vendors. You look at those and you're like, okay, I think you can mostly agent the work and then have someone oversee it with 20% of their time. But, like, okay, great, you've collapsed two into 40%. Right. And you just kind of. And you're like, okay, you have some person who is responsible for bothering the engineers to get evidence for them, you know, for the audit, or to get the control in place, because they don't own the control, but they own the program. So they have to go to the engineer and be like, hello, I noticed you have a new database that is not encrypted. And, like, will you please encrypt it? Right. And you're like, you can just have software go nag that person. Anyway, it collapses. And so I do think we will see smaller GRC teams managing agents, but actually in the future. Yeah. And then they are doing more. I'm not doing the security reviews. I'm, like, thinking about the findings and overall managing this, like, risk portfolio. This, like, vendor risk portfolio, versus being like, oh, this vendor doesn't have this thing and I need to go get it from.
A
Yeah, I think what you're saying is there's a strategy component to how we should be doing things. And then there's an hourly labor component to compliance, which is like, oh, we did 10 times as many sales, we need, like, 10 times as many bodies on the security reviews. And you're saying that AI will eat up a lot of the hourly labor part of compliance and leave people doing the strategy work.
B
Yes. Yeah. I do think that.
A
What changes are coming down the pike in the world of compliance?
B
I think there's, to the xkcd, there are lots of folks trying to make new compliance standards, but it's a little bit like, what's the difference with the 22nd one? From a Vanta perspective, we've sort of taken a, like, we will support them all, because we have built a machine where it is easy to add a new one in.
A
But obviously you only want to support ones that customers actually want to comply with. So you're not.
B
Well, yeah, but kind of what we do, actually. We used to spend a bunch of time debating which ones those would be, and it was honestly so frustrating. Exactly. Now you're just like, build the machine that just lobs them in.
A
And so the debate, and the document you'd write: do you want to support this payment method?
B
Sure, sure, whatever. Yeah, exactly. We did that with compliance standards and integrations, because the prioritization debates were just too intense.
A
Yes, yes.
B
We can take all of that debate time anyway. So anyway, there are a bunch of those. Would I bet on any of them? If you really, like, pressed me, I would say ISO 42001. Just, like, the European one.
A
I don't know that. ISO 42001. You gotta catch me up on this new ISO.
B
Yeah, it's a good one. It's my recommended bedtime reading, so you know this. But, like, European standards body, and it is their version of what one should care about with AI. It ends up being pretty data-privacy focused and pretty high level. The counters, the pros, are that European enterprises are the ones that care the most about AI and this is where they would turn. And so it's the thing that has the most market traction so far.
A
But again none of them.
B
But none of these are like breakout. None of them have product market fit.
A
And none of them are regulatory. Like, they're all, correct, you opt in to report.
B
Exactly. It is like this market has roughly agreed you might need this thing. So there's that. I think the. Ah, okay. I'm kind of proud of this. They're, like, trust. Are you familiar with trust centers? They are the security status pages.
A
Oh sure, yeah.
B
Trust.blah blah blah. Trust.vanta.com, trust.
A
I didn't know they're called trust centers. It's just like a status page.
B
Yeah, but like for your security posture. So you get the green bars sort of. Or green traffic lights or yellow traffic lights. But it's for your controls.
A
I see, but do they always say the same thing? Like, a status page is red, amber, green. Whereas hopefully the trust center always says, we're a real compliant boss.
B
Yeah, yeah, exactly. So there's, like, a version of that. And so, if nothing else, what they actually are, they're ticket deflection for the GRC team.
A
I see.
B
Because one, your sales team sends them out and you're like, doesn't it look good? And then if you have any questions, you know, here you go.
A
It's the pre-filled questionnaire.
B
Yes, exactly. It's like, here's the binder of information. Please read it and if you have questions for me thereafter, I am here.
A
Does that work?
B
It does, actually. And I think part of it is just the show of strength, and the show of, like, I'm on top of it. And then there is the, like, yeah, yeah, read things first. And then if you want to ask me, go for it.
A
Has outbound selling gotten harder now that everyone has a million AI bots spamming everyone?
B
I think it has. What I have heard is phone calls work in a way that I kind of wouldn't expect for now.
A
Right.
B
But now with emails, a million AI bots, and I mean, like, how many ChatGPT-written emails do you get, you know, in your inbox a day? But outbound phone calls are currently working.
A
Got it.
B
Yes.
A
But again, it's only a matter of time.
B
It's only a matter of time. And I think, you know, then you're just back to, like, oh, events. Right. Especially, like, curated events. And yeah, yes.
A
A topic we talk about sometimes here is on-demand software. Patrick's taken to saying that software should be like pizza, you know, delivered fresh, piping hot. But why are you using software that someone coded five years ago rather than just the computer deciding what to render to you at that moment? Is that coming to Vanta?
B
It is. It's something we're playing with internally, but really excited about, is having an agent that maybe is guiding you through the process or doing something and then needs the user to render an opinion or make a connection or do something, and you're like, can the agent just generate UI specific for that task? So the user completes it and then moves on, and you get this bespoke, agent-generated UI just for that.
A
But are you talking about. Because maybe people have a little bit of experience with agentic UI, where an AI chat interface is, like, people's first experience. Maybe there are three options you can choose, for example. That's kind of an agentic UI, but you're talking about a full UI.
B
Full. Or, like, maybe you have that agentic chat bar on half of the page or a third of the page. And then the other two thirds would be a SaaS app. You can imagine a data table with a view and columns, and, you know, rather than just, like, customizing it, you're like, no, no, no, I just want you to do this thing, and I will take over that right-side canvas of the page, generate the UI for the thing, or generate the report. I think reporting is another great use here.
A
And what step of the process would this be? And would this be, like, you have 14 things you need to fix to get.
B
So we thought about it in two ways. So kind of in the, like, you're setting it up and you're going through. And actually reporting is another, I think, great case. It's like, no one wants more knobs and whistles on their reporting tool. And also no one really wants to learn SQL. They just want, like, I want a report for this, go generate it. Yeah, yeah. Like, not quite right, take this out.
A
That's cool. So when will we be seeing generated UI in Vanta?
B
This summer.
A
Wow. Okay. What has worked well from a go-to-market perspective for you guys, in a way that we don't?
B
We have tried to, but brand. Honestly, the billboards. We do all the stuff people do, like zip code tracking and all of that, Gong call mentions, so recorded sales call mentions of the word billboard. And then you can track.
A
Measure the billboard.
B
Exactly. Then you track those deals through to closed-won, and like that.
A
And you're ultimately doing a geo split. You're looking at, like, the locations where you had a billboard versus not.
B
Exactly. And then just, like, does the prospect say the word billboard, I see, in a call at some point. So anyway, some of that. Podcast advertising has been exceedingly effective for us. It's funny, because we started doing it in late 2020 and our first salesperson, Eric, who is still at the company, really wanted to advertise, I think, on This Week in Startups. And I thought it was silly, because my model is, like, the only companies that advertise on podcasts are founders who want to hear about themselves. This is just nonsense.
A
Or mattress companies.
B
Exactly. Or mattress companies. Exactly. But we are neither. Right. Doesn't everybody really need to talk to. Anyway, and so Polly came to me and was like, I want to spend $60,000 on this ad. And my deal with him was like, fine, but you gotta sell four more Vantas. 'Cause a Vanta basically cost $15,000. And the next month he sold, like, 34 more Vantas because of the podcast ads. And that was one where you're like, well, I know nothing. You should keep going.
A
I call this, by the way. I think there's a real. There are the founder negative-value-added times, where founders have these incredibly strong views that are wrong. But it's really hard to. It's good that you let them go. 'Cause sometimes, you know, I think some people would have said, no, we're not doing that, it's silly, and it would have taken many more years to.
B
The deal is you had to sell four extras.
A
I feel like I've heard you on the Acquired podcast.
B
We do advertising on Acquired. We do Invest Like the Best.
A
Yeah, yeah, I like those.
B
And I think in the early days. So this was helpful and then deeply unhelpful. But in the early days, before we had competitors, we tried to basically make this call and response of, like, someone says SOC 2, someone says Vanta, and this really close association, which in the early, again.
A
When we just owned the term.
B
SOC, basically. Which worked really well until we had competitors who were like, well, we do SOC 2, but we're, you know, Vanta but cheaper, but worse, but better. And then you're like, oh, that got, you know, like, now we're all pointing at a thing we don't own.
A
Yep.
B
And, like, that's bad. And so there was a. Yeah, that's, like, kind of a. Then there was a great reframe on that one.
A
What did you learn working with Fred Wilson?
B
USV is a very special place in lots of ways. And I think USV is fundamentally about ideas.
A
More so than other venture firms.
B
Yes. I think most venture firms are sort of great man, great person firms. They're about the person. And this person will, like, do the thing.
A
I have no idea what this is, but I like the cut of his jib.
B
Exactly. Yes. And I think USV is in a. It's too black and white, but it's, like, basically the opposite. Whatever person can walk in. But, like, if it is an idea that is interesting and compelling and intellectually engaging and networked, that is, like, classic USV, and it matches back some great people. I don't mean that, but it's just, first thing, first, second and third thing is the idea. And so really pressing on that is the piece that I think is very important. I think the second part is market sizing is bullshit. You know, you can be as academic or whatever or strategery-ish as you want about it. And the market size today is only a predictor of the market size today. And I think I deeply learned that. Because if you looked at the SOC 2 market in 2018, my best estimate was there was $10 million spent globally, and you would never start a startup on that. But the theory of Vanta was like, well, if we can make this thing easier to get and take down the cost, dollars, but really time, more people will get them. And you're like, that ended up being deeply true. But that was not a market, especially for startups. The market for startups getting SOC 2 in 2018 was $0.
A
Yes. Yes.
B
Truly zero.
A
Yes. Okay. So Vanta is an example of the kind of company that being too tan-brained.
B
Yeah. You would not come up with it. And now it's like, oh, but of course, everyone gets it. And you're like, right. But, like, 2017.
A
Yes.
B
Again, when did Stripe get SOC 2?
A
Probably reasonably early on, because it's so core. Like, it's not a small part of your stack, but definitely before 2017. It's a very interesting framing on USV, where I feel like you can see this a little bit in Fred's blog and stuff, where it's clear. Yeah, exactly. Attraction to ideas and a prepared mind for something like crypto. Exactly. It comes along, you're like, that, then you're ready to strike. Yeah. And is that across the firm or is that Fred in particular?
B
Fred and Brad for sure. Brad is the undersung Fred partner. I mean, they started the firm together.
A
Okay, tell me about the Fred and Brad relationship.
B
Yeah, yeah. Brad Burnham is a venture capitalist. Mostly retired now, but, like, also excellent. Incredible track record. He and Fred started Union Square Ventures in, I think, 2002. First fund was '04. Took them two years to raise that fund. If you go look up the USV '04 vintage, like, God, we all should have invested in that, you know, but it was the two of them. And then Albert came on as a venture partner, I think in, like, '06, and he was on the '08 fund as a partner. Going real deep here. Sorry. But it was, like, the two of them, and there is just. It's not yin and yang, it's not the right frame, but, like, yeah, so many of the ideas of the firm were back and forth by them. And then Fred was excellent at articulating those ideas in a way the rest of the world could understand, which he did on AVC.
A
Yes.
B
But I think one of the underappreciated things is, like, how much back and forth there kind of was there in the creation there. Like, that pairing, I think, probably should be in the annals of the Coast La d'or pairing. Maybe Leone and Moritz. These venture pairings where you had two people who could play off one another, and they were just like that. Like, I think Brad and Fred had that for, like, a decade and a half.
A
What's the difference in person? Because, like, say, Doug and Mike Moritz at Sequoia are very different people. And again, I think that's part of how it works.
B
Yeah. I don't think Fred and Brad are as different as those two are. But, like, yeah, Brad is cerebral, philosophical, academic. Like, so interesting to talk to. And you have this wonderful conversation, and you'll be like, are there any ties to the business world in that? You know, but, like, truly these, like. And then, like, one thing Fred could do was, like, go back and forth and be like, oh, freemium, you know, and then, like, run with freemium. Right. But it wasn't just, I'm gonna market this. It was, like, it was the back and forth and the communication out.
A
Wait, did Fred coin the term freemium?
B
He did, yeah. In, like, a blog post in, like, 2008, 2009, something like that? Yeah. Yeah, right. Like, doesn't that feel like it was just, like, always a term?
A
Yeah, yeah, exactly. That's just what it's called.
B
Age 52. Didn't they talk about freemium?
A
Yeah, it's like, when you learn those things, like, did you know "saying the quiet part out loud," that term comes from The Simpsons? In what ways are you a different CEO coming from your experience as an investor?
B
I mean, I wouldn't have done it. It's a real answer.
A
That's a good start.
B
I mean, I was really lucky in approximately 9 million ways with them. One of the ways was, for two years, I just met 15 founders a week, for two years straight. And I think whatever model I had of what a founder is or does was, like, yeah, that exists. But, like, look at all the ways one can do it. Yeah. And there are, like, some coming out, some more successful, but just, like, there are a lot of ways to do this thing. And I think that exposure was super helpful for me. 'Cause you got to see people who I felt more affinity or similarity to, in whatever dimension, like, also do it. And it was just, like, it was kind of the role model thing, but not, like, one person. Just, you know, you meet a thousand of them and you can pick out the pieces.
A
Having all that training data, what patterns do you think you see in people who went on to be successful? Or maybe, conversely, what anti-patterns do you see in the people who.
B
Oh, I think there is a, like, someone said this better than me, but, like, there is totally a truth-seeking piece of it. Or just, sometimes you can bend reality to your will. But often, like, reality is reality and you gotta, like, embrace it and figure out how to work around it. Like, reality, sometimes it's an immovable object. And I think there was a, there's a delusion.
A
The unsuccessful founders.
B
Exactly.
A
I'm not a surface.
B
Yeah, yeah, the, like, oh no, but I can change this. And you're like, that one, I don't, you know, gravity's gravity, kind of.
A
Yes, yes. Yeah. The version of this I talked about with Des Traynor is, I feel like, investor updates with a lot of words and no metrics.
B
Oh yeah, those are bad.
A
Those are bad. And actually, like, no investor updates is fine.
B
Like, you didn't have to send me either way.
A
Yeah, exactly.
B
No, it's either very good or very bad.
A
Metrics is fine. But, like, a lot of words and no metrics is almost a sure sign of failure, because again, I think it gets at that delusion, failure-to-truth-seek tendency.
B
What else? Theme is Etsy and Kickstarter. There are a bunch of these companies of this era, stories where I think I developed, yeah, that's true, this huge appreciation for product-market fit. That sounds so dumb, but kind of now it's the, like, if you think you have it, you don't, framing. But you're just.
A
Or if you're asking whether you have it.
B
Yeah, you don't. Yes. And so Etsy, great example. You're like, co-founder, CEO, spent 80% of his time for kind of years, like, making people desks, because they had this lovely cultural thing. When you joined, you were getting, like, homemade bespoke desks. 'Cause they sold homemade bespoke things.
A
So this is the thing. Yancey would make people a desk.
B
Rob. Rob Kalin at Etsy would make people a desk.
A
Yeah. Oh, sorry, I'm getting confused between Kickstarter and Etsy.
B
This is the Etsy version. And you're just like, now, if you're like, like, 80% of a CEO's time is making desks and the business is on the side.
A
Amazon had it figured out where you had to make your own desk.
B
Exactly.
A
Much more scalable way. Rob made the desks.
B
But, you know, you're just like, I mean, it's kind of a funny story, but you're like, the business was fine.
A
Yeah, yeah, yeah, exactly.
B
You know, and so there are just these things that have, like, their own physics, their own immovable objects, and you can be making desks for people, doing a podcast.
A
Yeah, yeah.
B
It doesn't matter. And, like, if you don't have that, you know, it's not that we should all, I mean, maybe we should all go make desks, but I don't know. How would you make, would you spend time making desks at this stage?
A
I think woodworking is very. I don't do it, but I did it as a kid. It was satisfying. So, yeah, last question. Does Vanta expand from here beyond security? Do you start helping people comply with everything else? Do you just continue taking over the world until all the world runs on Vanta?
B
Yeah.
A
What's the plan?
B
Definitely taking over the world. Making desks along the way? No, I think right now we do think about, especially in this world where, in theory, code has become much cheaper, actually. So two things. So one, it's like, can we add different pillars or verticals? And so there's a whole lot in security, especially for a small business or a mid-market business, I think. I never thought, it's a different ballgame there, but there are things there. And then when we think about it, we really think about parts of the CISO organization versus, for the most part, other parts of an organization. But we would think about enterprise risk or internal audit. Financial audit is adjacent.
A
How can you do an internal audit or financial audit?
B
So internal audit is sort of easier for us, given what we've built. In a way, it's like, we have all of this and currently we're packaging material and sending it to the auditor. But you can imagine packaging it and sending it to an internal auditor, and it's the same thing.
A
It's a controls platform. Right. It's like decide what it is that you should do and then validate that you're doing it.
B
Prove that you're doing it. Exactly, exactly. Financial audit is. The system is similar. It's a different set of integrations and data. And so it's thinking through, okay, what is the right point to start building out those ERP integrations, payments integrations, all of that, to get that sort of data to parse. Listen.
A
Exciting.
B
Yeah.
A
Christina. Thank you.
B
Thank you.
Guest: Christina Cacioppo (Founder & CEO, Vanta)
Host: John Collison (Stripe cofounder, under the moniker "Stripe")
Date: March 31, 2026
This episode dives into the evolving world of compliance, security, and trust management at scale, featuring Christina Cacioppo of Vanta. Christina shares her founder journey, the surprising pain and opportunities in the compliance space, and the practical nuts and bolts of building a company in a complicated, often overlooked domain. The discussion also explores how AI and automation are reshaping compliance and security workflows, shifts in regulatory environments, and the pitfalls of market size fixations for new founders and investors.
Vanta’s Mission: Vanta helps companies build security programs and turn that work into "credit" through audits and trust centers.
Market Insight: Founders rarely ask for “security,” but enterprise buyers demand "compliance." The buying moment is often when a company needs compliance certification like SOC 2 to land customers.
“If you want to start a security company for startups, you should actually start a compliance company because your customers never ask you for security, but they do ask you for compliance.” – Christina [00:53]
Aha Moment: Christina’s Dropbox experience highlighted that traction was hamstrung not by product, but by missing security/compliance credentials baked into enterprise expectations.
SOC 2 vs. ISO 27001: SOC 2 dominates US compliance needs; ISO 27001 covers European enterprises, with about 65% overlap between the two.
“If you’re a European company selling to Europeans you will start with [ISO27001]. If you’re a European startup selling to Americans, you’ll start with SOC 2.” – Christina [12:58]
Proliferation of Standards: Woolly new standards, especially around AI, healthcare, and privacy, are constantly emerging (HIPAA, GDPR, PCI, more).
Real World Impact: Despite frequent breaches (e.g., Equifax), societal and investor consequences are muted; the calculus is whether customers will actually churn. “I think the cynical but correct take is no. Sometimes because you’re like Equifax or Delta... you’re not going to stop using Delta.” – Christina [16:00]
Regulatory Shifts: European laws increase accountability, but in the US, compliance is often a box-checking exercise.
AI’s Role: Large Language Models (LLMs) are increasingly used for ingesting messy data, auto-filling security questionnaires, and mapping controls and documentation across frameworks for audit readiness. “The models are definitely good enough... GitHub gets 92% of all of the questionnaires they receive answered through Vanta.” – Christina [32:33]
Defensibility: Vanta’s proprietary data from thousands of audits provides network effects and unique defense against generic LLM solutions. “The data you have of anonymized prior audits is an incredibly powerful network effect that cannot be replicated.” – Stripe [29:00]
Collapse of GRC Teams: AI is poised to automate the repetitive, “hourly labor” portions of compliance (questionnaires, vendor reviews, evidence collection), shrinking team sizes and shifting the remaining people toward strategy and risk-portfolio management. “I do think we will see smaller GRC teams managing agents but actually in the future. And they are doing more...risk portfolio management…” – Christina [37:33]
US vs. EU Compliance Attitudes: Europeans see compliance as intrinsic; Americans are more transactional—"tell me the bar and I'll meet it." “You can tell me where the bar is, I’ll meet it. But also I have my own internal bar. It’s more the European take.” – Christina [17:36]
Outreach and Marketing Channels: Podcast ads, billboards, and outbound phone calls are top drivers. Podcast advertising delivered surprising ROI. “Polly came to me and was like, I want to spend $60,000 on this ad. And the next month he sold like 34 more Vantas because of the podcast ads. And that was one where you’re like, well, I know nothing.” – Christina [45:53]
This episode offers a rich, candid look at the mechanics of compliance at scale—demystifying how trust management gets built, sold, and automated. Christina shares hard-won lessons for founders, investors, and practitioners, all while keeping the topic accessible (and even cheeky). Destined to be useful listening for anyone navigating SaaS, enterprise go-to-market, or curious about the future of AI and compliance.
End of Summary