Vanta Automates SOC 2 Evidence

Christina Cacioppo, CEO of Vanta, on the value of SOC 2 compliance for startups

Interview
This is a long research project—longer than I think it needed to be.

The key insight is that Vanta did not invent a new security standard; it turned a manual evidence-gathering job into software. Before automation, founders and auditors were proving basic controls with screenshots, live demonstrations, and employee spot checks, which made SOC 2 feel like a long research project. Vanta shortened the work by connecting directly to systems like Google Workspace, AWS, and GitHub, then continuously checking controls and packaging the same evidence for both the company and the auditor.

  • The wasted time sat mostly in evidence collection, not in defining the rules. The controls were usually familiar things like MFA, encryption, and TLS. The slow part was proving them one by one, then repeating the exercise each year for renewal.
  • This pattern showed up across the category. Laika described the old workflow as engineers writing policies, uploading files into SharePoint, and emailing auditors back and forth. Its product, like Vanta's, connected company systems to automate evidence collection and give auditors access to the same underlying data.
  • That workflow compression is what created the market. Vanta's later growth came from selling a SaaS product that could get companies through one framework for roughly $10K to $15K, then expand into more standards and adjacent security products. By July 2025, Vanta was estimated at $220M ARR versus Drata at about $98M in January 2025.

The next phase is turning compliance from a once-a-year audit scramble into an always-on security workflow. As more of the evidence collection becomes automatic, the winning vendors will be the ones that use the compliance foothold to sell adjacent products, increase daily usage, and become the system a company relies on to prove trust to customers year-round.