Oneleet
Security and compliance tool for startups combining monitoring, testing, and audit preparation

Funding: $35.00M (2025)

Headquarters: Amsterdam, NH
CEO: Bryan Onel
Website
Founding year: 2022

Valuation

Oneleet closed a $33 million Series A in October 2025 led by Dawn Capital. The round included participation from Y Combinator, Dropbox co-founder Arash Ferdowsi, and former Snowflake and ServiceNow CEO Frank Slootman.

The company has raised approximately $35 million in total funding since its founding.

Product

Oneleet operates as a three-layer security-first compliance platform designed for tech startups needing SOC 2, ISO 27001, HIPAA, GDPR and other attestations.

The foundation layer is a compliance command center where customers connect their cloud accounts, code repositories, identity providers and productivity tools through pre-built integrations. Oneleet automatically pulls evidence like log files, configuration states and screenshots into a control library that maps to every selected compliance framework. A dashboard shows which controls are passing or failing, assigns remediation tasks to employees, and tracks audit readiness in real time with a countdown meter.

The second layer provides built-in cybersecurity tools including attack surface management that continuously discovers public assets and runs vulnerability scans, code security scanning that performs static analysis, and dark web monitoring for leaked credentials. All findings integrate directly with compliance controls, so fixing a vulnerability simultaneously closes compliance gaps.

The third layer delivers human expertise on demand through penetration testing executed by certified staff and scheduled within the platform, plus virtual CISO and audit management services where Oneleet's team interfaces with external auditors and handles evidence requests.

Additional modules include mobile device management, employee compliance portals, access review workflows, trust centers for sharing compliance status with prospects, and a marketplace for third-party audits.

Business Model

Oneleet operates on a recurring SaaS subscription model with pricing structured around company size and required compliance frameworks. The business model combines three revenue streams within each customer relationship: software subscriptions, security services, and compliance consulting.

The go-to-market approach is B2B, targeting tech startups and scale-ups that need compliance certifications to close enterprise deals. Oneleet leverages its strong position in the Y Combinator ecosystem as a beachhead, then expands into the broader startup market through word-of-mouth and direct sales.

The integrated model creates higher switching costs than pure software plays since customers rely on Oneleet for ongoing security monitoring, compliance evidence collection, and audit management. This bundled approach enables higher average contract values while reducing customer acquisition costs through land-and-expand dynamics.

Professional services like penetration testing and virtual CISO support provide higher-margin revenue that complements the software subscription base. The model scales efficiently because the core platform automates evidence collection and control monitoring, reducing the manual effort required for each additional customer while maintaining service quality through expert oversight.

Competition

Horizontal compliance automation leaders

Vanta leads the market with over 12,000 customers and a $4.15 billion valuation, focusing heavily on AI-powered questionnaire automation while relying on 60+ third-party integrations for security data rather than native scanning capabilities.

Drata has reached $100 million in ARR with 7,000 customers and recently acquired SafeBase to expand beyond pure compliance into trust center workflows. Like Vanta, Drata partners with external providers for penetration testing and security assessments rather than building in-house capabilities.

Secureframe emphasizes flexible control mapping and custom automated tests but lacks native security tooling, while Thoropass offers the most vertically integrated approach with its own CPA audit firm and CREST-accredited penetration testing team.

Cost-advantaged vendors

Sprinto and Scrut Automation have emerged as India-based competitors serving price-sensitive SMB customers, each with over 1,000 customers despite raising less than $32 million. Both companies invest heavily in generative AI for evidence collection while maintaining lower cost structures.

These vendors compete primarily on price in the lower end of the market, creating pressure on established players to defend their positioning through superior features and service quality rather than cost alone.

Vertically integrated players

Thoropass represents the closest competitive model to Oneleet, combining compliance automation with in-house audit and penetration testing capabilities. However, Thoropass operates its own CPA firm, which adds regulatory overhead that Oneleet avoids by partnering with external auditors.

The vertical integration trend reflects customer demand for single-vendor solutions that can satisfy auditors, procurement teams, and security organizations simultaneously, moving beyond the fragmented tool approach that dominated the early compliance automation market.

TAM Expansion

New products

Oneleet can expand its security suite into a comprehensive GRC platform by adding adjacent modules like third-party risk management, incident reporting workflows for SEC disclosure requirements, and AI-assisted policy generation. The company's existing architecture of integrated security and compliance tooling provides a natural foundation for these expansions.

Device and human layer controls represent another growth vector, with mobile device management and security training modules that would capture spend currently going to specialized vendors while generating high-frequency telemetry that doubles as audit evidence.

AI security copilots that explain control failures and provide remediation guidance can both upsell existing customers and attract engineering teams frustrated with legacy checklist-based tools.

Customer base expansion

Moving beyond Y Combinator startups into regulated mid-market companies in fintech, digital health, and enterprise SaaS creates opportunities for higher-value contracts. Penetration testing and virtual CISO services provide a human-led sales motion that can expand into recurring software revenue.

Europe's Digital Operational Resilience Act, which took effect in January 2025, forces banks, payment companies, and insurers to document and test ICT controls. This creates demand for compliance templates that map to those regulatory requirements, from buyers whose budget allocations are materially higher than those of venture-backed SaaS companies.

Channel partnerships

Independent audit firms and cyber insurance carriers need continuous evidence streams to support their own service delivery. Oneleet can develop partner programs that provide these channels with real-time compliance data while expanding its own market reach through established professional relationships.

Managed service providers serving mid-market companies represent another channel opportunity, where Oneleet's integrated platform can become part of broader IT and security service offerings.

Risks

Commoditization pressure: The compliance automation market has attracted dozens of competitors since 2021, creating downward pressure on pricing as buyers increasingly view basic compliance tooling as a commodity. If competition shifts primarily to price rather than features and service quality, Oneleet's integrated model may not command sufficient premium to justify its higher cost structure compared to software-only alternatives.

Regulatory complexity: Compliance frameworks continue to evolve rapidly, with new requirements like DORA in Europe and updated standards for existing certifications. Oneleet must continuously invest in keeping its control libraries current across multiple frameworks while ensuring its security tooling remains effective against emerging threats, creating ongoing R&D demands that could strain margins during rapid scaling.

Enterprise sales execution: Moving upmarket from Y Combinator startups to regulated mid-market companies requires different sales capabilities, longer deal cycles, and more complex implementation processes. Oneleet's current go-to-market model optimized for startup customers may not translate effectively to enterprise buyers who demand extensive customization, integration support, and vendor management processes.


DISCLAIMERS

This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.

This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.

Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.

Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.

All rights reserved. All material presented in this report, unless specifically indicated otherwise, is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.