How Vanta, Secureframe and Laika are arming the rebels of B2B SaaS

TL;DR: We did interviews with the CEOs of Secureframe, Vanta, and Laika—three compliance companies helping SaaS startups sell into the bigger ACVs and TAMs of the enterprise market.

Key points from our interviews:

Vanta, Secureframe, and Laika do for compliance what Auth0 (Okta) did for single sign-on before them—they “arm the rebels” of B2B SaaS to sell into the enterprise by making their apps "compatible" with the enterprise stack. At Sacra, we call these "enterprise interoperability" startups, which are powerful in enabling small startups to sell into the big ACVs and massive TAMs of the enterprise market, both benefiting from and enabling the accelerating digital transformation of the enterprise. [link]
Companies like Vanta, Laika and Secureframe found product-market fit removing a key enterprise sales prerequisite with their TurboTax-like workflow for completing SOC 2 audits. Today, companies with just 10 employees are getting SOC 2 certified in order to expand upmarket rather than waiting until they hit the 100 employee mark. [link]
The pre-software experience for getting a SOC 2 audit cost $50-100K and could take more than a year. Auditors would physically show up at your office to collect information about your data retention, security, and personnel/HR practices. [link]
Secureframe/Vanta/Laika integrate with a company’s SaaS tools and cloud providers to shorten the process to a few weeks or less. They then offer their software to auditors, reselling and making their audits more efficient. [link]
Auditors who partner with Vanta/Laika/Secureframe can complete more audits faster, driving more revenue even if their ACV is lower. On the flip side, that need for human auditors means they won’t have the margins of a pure SaaS business. [link]
The pre-software SOC 2 audit is a one-off transaction, while Secureframe/Vanta/Laika charge on a yearly subscription based on the size of the company and their number of certifications. The SaaS model provides coverage for a company’s yearly re-certifications and gives them real-time visibility into their organization’s security practices. [link]
Customer acquisition is currently driven by hand-to-hand combat and the overall market is in land-grab mode. Similar compliance-focused platforms have raised a total of $441M over the last several years, fueling a race to acquire customers and win mindshare via paid advertising. [link]
Vanta/Laika/Secureframe partner and integrate with external vendors like Checkr/Vetty (background checks) and Jamf (device management). Compliance-focused enterprise interoperability tools rise in tandem with other security-related services programmatically accessible via API. [link]
A key expansion opportunity for Secureframe/Vanta/Laika is repurposing the data they collect to help startups collect other certifications. Since launching with SOC 2, the platforms have expanded to ISO 27001, HIPAA, PCI DSS, GDPR, CCPA, and other frameworks. [link]
Long-term, they can use their integrations across a company’s SaaS apps and cloud providers to expand cybersecurity and data management use cases. These kinds of adjacent use cases like surfacing potential vulnerabilities in real time give Secureframe/Vanta/Laika a hook into an enterprise customer base and a bigger TAM. [link]

For more, check out our new interviews here:

How Vanta, Secureframe and Laika are arming the rebels of B2B SaaS

Read more from

Secureframe

Shrav Mehta, CEO of Secureframe, on building a TurboTax for security compliance

Read more from

Laika

Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model

Read more from

Vanta

Christina Cacioppo, CEO of Vanta, on the value of SOC 2 compliance for startups

Read more from
#b2b

DocSend's self-serve strategy

How Clearbit sold to HubSpot

Instabase: the $70M/year Palantir of banking

Read more from Secureframe