Oneleet: Pen Testing to Recurring Software
Oneleet
This model turns a painful, one-time compliance project into an account that can keep growing every year. A pen test or virtual CISO engagement gets Oneleet into active security work, where buyers are already spending real money and need expert help. Once embedded, the same customer can add recurring software for evidence collection, control monitoring, audit workflows, vendor reviews, and new frameworks like HIPAA, ISO 27001, or DORA.

- The wedge works because services solve an urgent problem faster than software alone. Earlier compliance tools won startup customers by replacing $50K to $100K audit projects that could drag on for 6 to 12 months, then converted that work into annual subscriptions tied to recertification and added frameworks.
- The closest comp is Thoropass, which bundles compliance automation with in-house audit and pen testing. Oneleet is differentiated by pairing native security tooling with expert services while avoiding the added overhead of operating its own CPA firm, making it a lighter version of the vertically integrated model.
- The broader category shows why this matters. Vanta grew average revenue per customer from $5K in 2021 to $18.3K in 2025 by moving beyond basic SOC 2 workflows into adjacent security products like vendor monitoring and on-demand pen testing. That is the same playbook of using human security work to raise software attach and usage.
The next step is a shift from startup compliance helper to system of record for regulated security teams. As fintech, healthcare, and European customers face more formal testing and documentation requirements, the winners will be the platforms that start with expert-led work, then pull customers onto always-on software with higher contract values and lower churn.