Cheeky Pint - Compliance at scale and why TAM is a distraction with Christina Cacioppo of Vanta

Episode Date: March 31, 2026

Christina Cacioppo, founder and CEO of Vanta, joins the pub to discuss building the future of agentic trust. She explains why compliance has a "vitamin vs painkiller" dynamic, the drama behind their famous 101-billboard campaign, and why she believes "market sizing is bullshit." They cover the tension between vibe coding and rigorous security, how Vanta is using agents to generate UI, and why the best founders are relentless truth-seekers.

Timestamps
(00:00:17) Vanta
(00:12:30) How compliance works
(00:15:06) Breaches
(00:23:52) Stripe Tax
(00:24:43) AI and compliance
(00:44:50) Go-to-market
(00:47:22) Lessons from USV

Transcript
Starting point is 00:00:01 Christina Cacioppo founded Vanta in 2018 to solve a problem most founders didn't even know they had: compliance. Under her leadership, the company has defined the trust management category, growing to over 15,000 customers. Cheers. Cheers. Good to see you. Tell the Vanta story. We help companies start or build out their security programs and then get credit for all that work through an audit, through a security questionnaire, a trust center. But it's basically like, do all the work to improve your security and then go get credit for that with your customers.
Starting point is 00:00:35 All the Vanta billboards I see use the word compliance rather than security. Yes. What's going on there? It is one of those where you're like, well, vitamin and painkiller, I think, right? And I think compliance is, SOC 2 is a word that no one knows what the heck it means until they deeply know, and then they want it. Exactly. Yeah. And so it's kind of like, and one of the original founding
Starting point is 00:00:58 hypotheses of the company is, if you want to start a security company for startups, you should actually start a compliance company. Ah. Because your customers never ask you for security, but they do ask you for compliance. So compliance is like the buying moment for a startup. Exactly. Exactly. And then when you're going through that, you have to implement a bunch of,
Starting point is 00:01:13 like, do a bunch of best practices, maybe buy some tooling. Yes. But you don't, even if you want to, you don't do it before that moment. Yeah, yeah. Because you're doing the thing that the customer wants. And I guess at a later stage, the buyer would be split, where security would be the CISO versus compliance would be the CFO/GC, something like that?
Starting point is 00:01:30 So I actually think Stripe is like a little, I don't know, and what I see, which is biased, has been different. And that usually compliance is, there's this unified GRC, governance risk and compliance, function, and that lives in the CSO org. Okay. And that will centralize internal audit. It'll centralize, like, enterprise risk.
Starting point is 00:01:46 Okay, so you're mostly... You put those teams together. Yes. Third-party risk. Those teams are all together in CSO org. So you're mostly selling to CSOs? Yes. Okay.
Starting point is 00:01:55 How did you, you woke up in the morning and you decided you were passionate about starting a compliance company? When I was three years old, it was my first word. Yes, we joked in the early days. We'd never be able to pull that story off. I don't know. I heard training businesses are good. I've heard more absurd founding myths.
Starting point is 00:02:12 I think you could just go for it. Yeah, go. No, the real story's twofold. So one, prior to Vanta, I worked at Dropbox. I worked on what at the time was a new product, Dropbox Paper. We were trying to take it to market and didn't take it to market as well as we could have for several reasons. One of which was, turned out, at the time, all the Dropbox contracts had written into them,
Starting point is 00:02:33 like, we're secure, we're compliant, we're pen tested, we're XYZ. Our new thing had none of those. And so it was like, in order to talk to someone with a Dropbox account, which was, you know, 100 million people or whatever it was, we had to go through this process. This was Dropbox 2015, so like the height of its Silicon Valley power, you know, a year and a half, 10 engineers, you know, feature building, did it, all that. I like, that all happened. I was not smart enough to then be like, aha, startup idea.
Starting point is 00:03:04 And instead, like, this, like, Dropbox, what do you do? And this sounds bad. It was about a year and a half later, just talking to startups and founders about security, trying to figure out, like, is there a company to be built here? How do you get more startups to care about security? How do you be able to do it? And kind of came across basically companies that either sort of did nothing for security, but felt really badly about it sometimes.
Starting point is 00:03:30 It still did nothing. And then companies that had a lot of stuff in place. And a lot of stuff in place was because they'd gotten a questionnaire, they'd gotten to them up to because of an out-of-price customer. And that was kind of the like, oh, that thing. Yes. I remember that being crazy and onerous and sort of terrible. But also kind of if you do it, like, you know,
Starting point is 00:03:48 that is like pass Go, collect $200, like, huge benefit on the other side. And it was kind of the combo of those two things. What you're describing, I think, is just so commonly the experience of founders who start companies. I mean, it's our experience with Stripe as well, where we had just run into the problem before. But it's funny, I often run into people in university who are excited about starting a startup. And this generally, and, you know, obviously there's lots of sexy stories of people who dropped out of college to, you know, start something. It's generally a bad time because you talk to university students, and often their ideas for companies are pretty half-baked. Find My Friends. Yeah, it's for Find My Friends.
Starting point is 00:04:27 It's like a college textbook exchange app. You know, there's like the five apps, whatever. Whereas so frequently what happens is people go out and they build successful products in the world and they do Dropbox Paper or they get some experience. And it turns out there are huge markets available with problem spaces that most normal people have not heard of, with things like SOC 2. But you have to kind of spend a while seeing how the value flows in the real world work to discover those big opportunities. Okay, so how do you feel when you go to YC now? And you have these founders who've dropped out and been like, my passion is sales enablement.
Starting point is 00:05:02 But they actually kind of do know, surprisingly, much about it. Kind of. I mean, if you truly manage to learn enough about sales enablement to be, you know, to be able to feel a strong product there, then good on you. I just think you're more likely to discover those areas after, you know, five or ten years. What stage is the business at now?
Starting point is 00:05:19 We have 15,000 customers. Our growth rate actually quickened the last couple of years and quarters and months. And so it's been 60% annual plus for the last couple of years since that milestone. So both part number there. Yeah, yeah, yeah. Yeah, it's a proper business. Yeah.
Starting point is 00:05:36 And your go to market, it's all sold. All sales. Yeah. Yeah, it's one of the blessings and curses of them. With what company sizes? All, so we do the, like, we call them the two founders on the couch. But it's like the two founders on the couch who are building their thing. And someone asks them for SOC 2 and they're working on Friday night,
Starting point is 00:05:55 because, like, what else are you going to do, the thing, all the way up to at least one member of the Fortune 50. I would have thought that compliance is very different for founders who have never even heard of it versus companies who have a lot of existing teams here with opinions and stuff built out. Yeah, that is true. So down market, down market I kind of, we're not quite TurboTax, but I think that is the kind of experience a founder wants.
Starting point is 00:06:21 I see. It's like, this is high stakes and I don't want to get it wrong, and I don't really know, but just guide me through. And then, so that's more of the product experience. And then the output is like, here's a set of controls, like security rules you follow that are monitored on an ongoing basis. And because of that, you're kind of constantly audit ready. You always have everything in place.
Starting point is 00:06:41 Great. And so that's sort of the experience a founder wants, but the output is still a security program that's monitored all the time. Upmarket, I switch to, I'm talking to an engineer. It's like, it's more Datadog for your compliance controls, right? You're like, I have my program. I have my thing, but it lives in a spreadsheet. It lives in Jira, custom Jira. It lives in something like that. And I want real-time dashboards and visibility. I see. And like, you know, deviations, and have auto remediation. And like, I want that world.
Starting point is 00:07:09 Okay. So it's almost like two layers to Vanta. There is what your controls should be and then how the controls are monitored and implemented. And kind of early stage companies want both, later stage companies may want more of the latter. Exactly. Exactly. And then the tie to audit is like, great. Well, you know, in some ways it's like if controls are monitored, you just pass the logs to an auditor. It's more complicated than that, but that's the base model. Okay, you're getting to a question I had, which was, like, compliance at some level is not a thing you can just buy. It's a thing you have to do. And so, like, if you actually talk about all these rules, like, I don't know about SOC 2 in particular,
Starting point is 00:07:42 but for example, a lot of compliance regimes have this notion of, you know, doer and approver being separate for some thing. And so it's like the, you know, the nuclear submarine where, you know, you have to have the two keys turn simultaneously to launch the PR, I guess, in this analogy. And again, Vanta can't do that for you. You have to do this. And so what you do is one, for, say, a startup, you actually just let them know the complete list of things they actually need to do. And I pretend there's some, maybe you can talk about, there's some logic of only telling them the stuff that actually applies to them. Yep, exactly.
Starting point is 00:08:17 And then there's actually, how do you enforce, say, separate doers and approvers in something like code review? Yeah, so for something like, so this is where, it's the first thing we built, and we call it tests. So it's a fancy word, but like, modeled after unit tests. You're like, turn each of these controls into a unit test. Yes. And so pull from version, you know, GitHub, GitLab, whatever, look at every pull request and check, you know, these fields or this thing or run some logic over it. Yep. And that is our test for the control. Ah.
Starting point is 00:08:44 And so that was kind of the, again, the first thing we built were these tests. But tests are just ways to prove control. Ah, so you're just a test suite. You're the battery of unit tests for the compliance rules. Exactly. Ah, why don't you just say that? Why don't your billboards just say that? There was a niche audience of San Francisco.
Starting point is 00:09:00 It would be like, oh, now I understand. Yeah, but I think for the 101 billboards. Yeah, yeah. Oh, what's the controversy with your 101 billboard? Oh, my goodness. How much do we want to do this? We had a great 101. Great billboard.
Starting point is 00:09:12 You drive by it every day. Yeah, yeah. Compliance that doesn't suck too much. Arguably, you know, hundreds of millions of dollars in market cap attributed to that billboard. It's funny, that was just in the annual event on startups. The person who came up with that billboard, very pleased with herself, as she should have been. 100% right.
Starting point is 00:09:32 Her manager at the time was very skeptical of that billboard. Are we negging our users? Yeah, yeah. Is it, so, because are we too far over the line? Anyway, you can guess which one of those people is still at Vanta today. Not just because of that. Yeah, yeah, yeah. It's kind of a cultural test.
Starting point is 00:09:49 Exactly. Yeah, yeah. Anyway, so we had this billboard. It was great. For many years. For many years. I used to joke that we've had it locked up for years. Turns out we didn't, and I'm an idiot. Oh, you forgot to renew it. Not even. You should have had a little Vanta check for us. I know. It was like, it was like your domain, and you're just like, that you're not supposed to. Yeah. It was slightly better. Yeah. It was slightly better. Um, the agency we worked with, we should have caught this. Or our contract was just written in crayon. And we got locked to be able to ask about our billboard. We'd introduce them to lots of startups. You know, some of those startups were also buying with that agency. Wow. And so that agency. A startup you introduced to them went and took your billboards.
Starting point is 00:10:28 They didn't even do it on purpose. It was like, yeah, yeah. The agency went to them and it was like, oh, we have this great inventory. Would you like it? And then we found out. Okay. Hmm. That's rough.
Starting point is 00:10:37 But people will learn about Vanta in other ways. They do. Like, we do like to market. Yeah. Yeah. Okay. And then go back to the other part of the question. So how does the layer work for, you know, the rulebook might be a thousand pages long, compiling that rulebook into the steps that are
Starting point is 00:10:54 actually actionable for me because I am not a pharma. And so all the pharma parts of the rulebook don't apply to me. Yeah. Okay. So the initial version of it actually was, this is like back when we were founders on a couch, was getting, like, as many SOC 2s as we could. It's like Salesforce, Slack, AWS, right? Yeah. Whatever. And actually opening them all and just comparing them. Yes. And trying to extract what was common, and sort of doing it that way. So that was the first cut. What we do now is hopefully more advanced, but there's a bit of, now that we have probably 30,000 audits completed, we can just go back and be like, okay, for a company that looks like you, and for this auditor often, what sorts of controls are there?
Starting point is 00:11:39 So we have that input in. Then we can also layer in, both for a company in particular and in general, like, you get questionnaires. What are the themes and the questions you're being asked? We just launched a new commitments product that ingests contracts and scans those contracts for things that are contracted. So you can then even, like, pull them out and say, hey, this should be a control. Yes. And, you know, God forbid something happens. But you're like, what are my obligations to my customers? And you can just have, you know, basically have all that structured data.
Starting point is 00:12:09 But one of the most important things is I just want to see progression over time and increased maturity over time. And you've probably had this at Stripe where you wanted to use some cool new tool that, like, had no security posture. And a contingent, say, heck that, maybe. But like, you know, one part of it was like, oh, can you just, like, walk this up over time and show me you're making progress? Yes, yes. Is SOC 2 the main Bible, you know, the book from which you read?
Starting point is 00:12:37 It's funny, we don't, we don't, we don't break it out by framework anymore because it's all just, you're like, they're all just inputs into the system. Sure, but like, ultimately you need to comply with some specific thing. Yeah, yeah. But like, yes. Most customers will come to us for that first. Number two is ISO 27001, which is, if you're part of Europe, SOC 2 for European, European enterprises.
Starting point is 00:12:58 Okay. Yeah, yeah, yeah. And so if you're a European company selling to Europeans, you will start with that. If you're European and start selling to Americans, you'll start with SOC 2. Okay. How aligned are they? I think our official, like, mapping is like 65%, and the additional ISO stuff is often documentation. Okay.
Starting point is 00:13:15 So it's like a great place for software to help you. Sounds like Europe, yeah. Yeah, yeah, yeah. Exactly. Yeah. There's like less, you know, please and permit these six more rules. Okay, so is it SOC 2 and its international equivalents, is that basically what captures most of what you're doing? It is probably plurality, not majority.
Starting point is 00:13:31 Okay. And so we see a lot of growth. There's this, like, whole let a thousand flowers bloom of AI standards right now. It's like the whole thing there. There's healthcare specific things. Sure. There's the PCI piece, which you're very familiar with. There's, like, that.
Starting point is 00:13:45 On the healthcare, is this, which... There's HIPAA, which is U.S. law. You can just declare yourself compliant with HIPAA. Yeah, exactly. The downside of doing that is if you do that and are breached, the fines are enormous. And so that's the check there. There's a semi-market check there.
Starting point is 00:14:03 Can you describe the policy goals that something like SOC 2 seems to accomplish? And you might say, oh, it's simple. It's just security. But, yeah, like, as we know, there's many different facets to that. And so it could be preventing information leaks or it could be preventing fraud against the customer or it could be all these different things. And so if you're at a stack rank, what is SOC 2 actually trying to accomplish at a policy level? I would say it is trying to ensure customer data is protected. I think that is what it is trying to do. And you're just
Starting point is 00:14:40 ran out the point. Your Java, JavaScript comparison is that, you know, Java was a very popular language before the emergence of web browsers with JavaScript. And so when they invented JavaScript, they wanted to kind of ride off the Java halo as it needs to do the programming language, despite the fact Java and JavaScript share no exact commonality at all. But it was just good branding. And what you're saying, is that similar with SOC 2 here?
Starting point is 00:15:05 Okay, so you're saying the primary goal is to ensure that the data that you are giving this company, your software provider, whatever, is adequately protected. Many companies have had humongous data breaches. Equifax was a great one. Yeah, Equifax, AT&T, I believe. Kind of all of them.
Starting point is 00:15:26 Exactly. It's like every big company has their SOC 2. Yeah, yeah. But there's a difference between kind of some data was leaked in some context versus, like, in the Equifax case, sorry, we lost all of your data. Exactly. Yeah, we didn't fix the database.
Starting point is 00:15:39 Exactly. Which data did you lose? Like, all of it. Yeah. It's very hard to find that moment in the Equifax stock price chart. Yes. What's going on there?
Starting point is 00:15:48 As in, we think society cares. Society should care. It's valuable to not lose this data. And yet it does not seem to impair what investors deemed to be the terminal value of the company. Yes. What are investors betting on? They're betting on, like, will anyone churn off of Equifax because this happens? And I think the cynical but correct take is no.
Starting point is 00:16:10 Sometimes because you're like, you know, Equifax or Delta, you're, I'm not going to stop, you know, like I'm not going to stop flying Delta, especially 10 to 15 years into this where you're like, oh, another one, I'll add an eighth credit monitoring service, right? And I think there is a cynicism there that is probably correct. Yes. Yes. The other thing that feels like it's changing in this ecosystem is that the costs of having
Starting point is 00:16:37 data breaches are going up because Europe in particular is getting very strict about notifications and sometimes fines around these breaches. How is that changing your world? We see more, so we also cover some of the data privacy standards. So your GDPR, your CCPA, there's Brazil, there's, you know, whole, again, alphabet soup of acronyms here. It goes, honestly, we see demand for that that goes in waves. And it kind of tracks how we'd expect. It's higher in Europe.
Starting point is 00:17:13 Yeah. I mean, Vanta as a product in general does kind of even better in Europe, and better than you would guess for a California company that doesn't have European roots. And I do think there's some cultural affinity and just seriousness there. Yes, yes. Versus the easy critique of Americans and compliance is, like, I'm just checking. You tell me where the bar is and I'll meet your bar. Yes. Is it box ticking?
Starting point is 00:17:38 Exactly. Or it is just kind of culturally something that is, like, more important. You can tell me where the bar is and I'll meet it, but also I have my own internal bar, just more of the European way. But we see, like, demand for, say, CCPA, which is a California privacy, California version of GDPR, quote-unquote, go in waves. And right now it is definitely, I mean, all the American, you know,
Starting point is 00:17:56 regulation is kind of at a, I don't know, total mid-year, but it's down right now. Yeah. Well, it's down at a federal level. Is it also down at a state level, the kind of energy around the CCPA-type things? Yes, it is, even with, you know, California, and it's not clear what California is going to do,
Starting point is 00:18:11 and it could go multiple ways, but I still think the national politics casts a larger shadow, even over like a state like California. Oh, that's interesting. Yeah. Okay. And on the national side, you know, current administration is very into streamlining regulation through automation and AI.
Starting point is 00:18:30 Yeah, yeah. But like, that is the catchphrase that they deeply believe in and are driving. I would have thought that this kind of stuff is just too boring to be caught up in any reform initiative, or will this be streamlined? I think there's very hardworking folks in D.C., in particular, well, kind of across the board, but in GSA, in the area office, trying to do this. And the primary lever they're using is FedRAMP. Yes. Yeah, yeah. One of those. And which broadly I would think of as SOC 2 for the federal government, but basically a very onerous set of both controls and requirements and documentation in order to begin trying to think about selling to federal and often state, sometimes even local governments. It's a broad FedRAMP thing.
Starting point is 00:19:16 I hadn't realized state and local governments also use FedRAMP as kind of their state ramps. So there's, like, literally Texas Ramp. But they kind of conform to FedRAMP. Yeah, yeah. And there is a part of GSA and one team in particular led by a guy called Pete Wasserman who is trying to modernize FedRAMP. But I would say make, like, a 2020 version of FedRAMP, where the current version feels a bit more 90s.
Starting point is 00:19:41 And it is unclear if he will get the traction to succeed. But he's fighting the good fight and he gets it. But even if they do that, I find it hard to imagine the society of accountants just copying the new FedRAMP lock, stock, and barrel. I don't think they will. I think you're just going to have even more divergence between these things. Yeah.
Starting point is 00:20:02 You're just, like, less control over. Yeah, I feel like your life is the XKCD of, you know, we have 15 standards. And the answer is the 16th. Yes, yes. Yeah, yeah. That is also my answer when people are like, isn't Vanta going to make a standard? Couldn't you make a better one?
Starting point is 00:20:13 Yeah, yeah, yeah. We have that posted on the office wall. Yeah, yeah, yeah, because it is your life. Yes. But, okay, going back to the effects of the European strictness, does it show up in the form of, kind of, maybe American companies previously were looking to kind of check the SOC 2 box, versus now they're like, okay, it's really important I don't cross this actually quite strict European rule?
Starting point is 00:20:36 Right, right. Whereas I think now, and I think in the, what's funny, we are starting Vanta, Vanta as what it is now today, in spring of 2018, which was when GDPR was going into effect. And so I was kind of running around and being like, will you talk to me about compliance? And everyone said yes. I was having this great luck. And then I'd show up and I'd be like, so, SOC 2. And they'd be like, GDPR is a priority, like, next please. And that energy has, like, mostly dissipated, especially in the United States.
Starting point is 00:21:02 Yes. I think because it's like, the theory at the time was GDPR is written by lawyers at a very high level. It's like not a spec you can hand an engineer, like, comically kind of bad as an engineering spec. But like, it's fine. We will clarify that in court over the next 10 years. And now we're, whatever, seven, eight years in. Hasn't really happened. Yes, yes.
Starting point is 00:21:22 It still is kind of as hand-wavy for an engineer, at least, to go implement as it ever was. And how does this work with agentic coding, where the honest answer to the number of human reviewers of this code is zero? Yes. How should it work? Because right now it is like, well, somebody, I did be like, I did code well. Right now it's like agent, you know, writes code.
Starting point is 00:21:46 Human or agent puts up PR. Maybe human or agent reviews it. And I think to a, like, naive SOC 2 audit, you're like, those seem like two user IDs had that conversation. And so we can go forward. But it's more about having two throats to choke as opposed to, you know, we read the code of this, you know, ATM software and guaranteed this, you didn't introduce an infinite money glitch.
Starting point is 00:22:10 Yes. My interpretation from talking to folks is some of the impetus behind that, or the primary impetus, was insider threat. And like, that's what you're preventing against, which maybe that's my, like, macro answer is just go through the SOC 2 controls and be like, what are we trying to do here? Yes, yes. And be like, okay, great, let's design for that. Yeah, yeah, yeah.
Starting point is 00:22:28 And that may or may not be how it's written today. That's a good question because on all the insider threat stuff, having two reviewers is kind of one way to do it. Does SOC 2 mandate exactly a lot of other insider threat stuff? Because presumably you should be logging a lot of activity, auditing a lot of activity. You know, there should be process that you have in place. No, and I think this is where actually you get to the, like, technical standard made by folks who often aren't as in their depths in engineering, let's say. Right. And so the controls for, like, there are a bunch of logging and monitoring controls that are suggested.
Starting point is 00:23:02 One thing maybe also to mention, unlike PCI, SOC 2 doesn't have a prescribed control list. So PCI is kind of different, and it's like you must do, like, you must buy this tool whether or not it's useful to you. I'm sure you have your own stories with that. Yes. SOC 2 is like, you must log useful events and have a system to look at them. I see. But it is up to you to decide what the heck that means. Which sometimes it's helpful. Yeah, yeah. I think for a startup that's never done this, it is unhelpful because it sort of opens a maze in a way that's just not great. That's where being prescriptive, like, yes, is part of, I think, Vanta's initial product-market fit. I think it's actually largely
Starting point is 00:23:40 due to that. Yes, yes. In a way that that wasn't the plan. But I think it's like figuring out how to take that high-level guidance, bring it down in some places. Yes. In a way that actually makes sense. Christina and her team at Vanta are helping their users automate compliance, which for many
Starting point is 00:23:57 companies is the thing standing between them and being able to sell to enterprises. We're very familiar with this category of products at Stripe, where you have a complex web of rules that businesses need to be able to comply with so they can move on to actually improving their products. Just take tax compliance and our product, Stripe Tax. As you start selling in more states and more countries, you discover there's thousands of rules you need to follow. For example, did you know Chicago actually has a lease tax, which applies to SaaS companies, too, since you're leasing out software? Stripe Tax is built to automate all of this. With one integration, it knows what you're selling, when and where you have to collect transactional taxes,
Starting point is 00:24:32 and how to register and file on your behalf. So if you want to sell globally without becoming an expert in tax rules, check out Stripe Tax. You know, the kind of joking reference that everyone makes is they talk about kind of competition from Claude for software products is, yeah, you know, you're not just going to vibe code your X in a weekend. But obviously, something like SOC 2 is actually the kind of thing that LLMs or kind of coding agents are good at working with because there's just so much training data out there and it's a, you know, codified set of rules. And so how is AI helping with what you're doing and kind of what is your plan for? You're describing some of the
Starting point is 00:25:18 scale economies you have in having seen other customers. I'm curious just kind of what the defenses are against, a customer could in theory say, hey, Claude, give me the plan for our SOC 2 compliance, make no mistakes, you know? Like, that is a thing you can contemplate. Right. And I think, like, there's, you know, so you can do the sort of the very defensive thing, but actually the very defensive thing is like, right, but like, this is a place where you don't want to get stuff wrong. Spending much time on it does not make your beer taste better. Right. Like, is this really the place?
Starting point is 00:25:45 Like, even if you really want to vibe a bunch of stuff, is this really what you want to vibe? Facts. Whatever. There's all those arguments. Ignore them all. I think where the LLMs are excellent and a little dangerous in a build versus buy, but then we just need to build better experiences on top of this, is, like, hey, Claude, I'm going to give you a mess of data, you go make sense of it for me and, like, get me ready.
Starting point is 00:26:09 Right? I'm just going to, like, give you a bunch of AWS screenshots or API calls. I'm going to give you all my policy documentation. Like, go. I'm going to give you my existing Jira workflow. Go turn it into a thing. And so, you know, you can go do that today. We are building, this is our, like, onboarding flow or will be our onboarding flow,
Starting point is 00:26:28 which is, oh, you have an existing program that's already running. That's cool. Give us all the stuff. We will go map it into the Vanta world. Yes. And then in a, like, Claude or an LLM, it's like, okay, cool, now you get out of that, I don't know, files in a folder structure that you then, you know, box share, that you took over to EY and, like, call that your audit. Fine. You can do that.
Starting point is 00:26:49 In a Vanta world, the outcome is now, hopefully, we have your program mapped and it is observable and monitored, and so you have continuous control monitoring. You get your dashboards. You always know what is in place and what is not. And, yes, you can go, you know, send a share link to your auditor here too, and they can, like, log in and see everything. Yep. And so we sort of think about it as they have lowered the initial audit prep. Yeah.
Starting point is 00:27:15 In a way, inside/outside Vanta. Or, like, if they're not inside Vanta, what are we kind of doing? So building that. But the continuous monitoring piece. Yes, yes. That you're not going to get out of, at least, LLM chat. You've got to go vibe code that whole system. Okay, so you're saying this.
Starting point is 00:27:29 Everyone just wants, like, no one enjoys spending time in SOC2, everyone wants to have been SOC2 compliant as of yesterday. Yes. And so you're saying part of the advantage here in this new landscape is you can just take a whole bunch of unstructured stuff and just empty it into the Vanta hopper. Right.
Starting point is 00:27:46 And Vanta will make sense about... We'll get widgets out, you know. And I presume part of the defensibility comes from the fact that preference amongst practitioners, in this case the auditors that are reviewing your SOC2 materials, is a very strong effect. And both QuickBooks and Xero, to some extent, really grew off accountants becoming familiar with those pieces of software.
Starting point is 00:28:11 And companies could have opinions about what they were using, but those opinions were not that strong, and they were overridden by the opinions of the auditors. And so... We have a version of that. It's not, I don't think it's as strong as those effects yet, at least. But even again, we've seen 20,000 audits and thousands for particular firms. And so you're like, in control, you know,
Starting point is 00:28:34 And so you're like, we now do AI evidence. So it's like, oh, you're going to provide this piece of evidence. We can just tell you, is it going to work for this auditor? Did you upload a cat picture? Did you upload a screenshot without a timestamp on it? And you're going to get told to put the timestamp back up. You know, just, like, that feedback loop. We already have, and we've thought about doing things for auditors as well with that.
Starting point is 00:28:55 Yes. But yeah, it sort of moves in the direction of, like, an AI internal audit, at least. It feels like the data you have of anonymized prior audits is an incredibly powerful network effect that cannot be replicated because, again, it doesn't exist on the public internet. The AIs don't have it available to them, which is just private data. And just like, you know, Stripe's got an advantage because we have all the fraud data. We know what, like, a normal buying pattern looks like versus not. And so we can offer the best anti-fraud performance just because we're working with a larger data set than other people.
Starting point is 00:29:29 Similarly, people are going through an audit, you can tell them that this will work and this won't. This is our Radar. Yeah, exactly. In a way that's just, you cannot do it even if you, you decided to build it yourself. Yes. Yeah. Yeah. That's a big deal.
Starting point is 00:29:43 Yeah. That's kind of cool. Where else have you seen that be useful? In relationships between a software, um, uh, vendor and buyer. Mm-hmm. Right? And so we, so Vanta core, we think of ourselves as, you know, broadly and what we're best known for is serving software vendors, but people who make software and want to sell it into the
Starting point is 00:30:02 world, right? And you're like, do it securely? Is it secure? Grand. Okay. Then we have this third-party risk product, but it's basically, I think of, like, you're an organization, maybe it's tech, maybe it's not tech. You're buying software, and you're going to go put a bunch of your customers' data in it. You want that software to be secure, because if not, you have to turn around and tell your customers, like, I lost your data, but it's actually our email provider, but you don't care about our email provider. Like, you think it's me, and I've sent you it. Anyway, right? Like, no one wants to send that email. So there's a whole world of, like, third-party risk or vendor reviews. And we build a product for those folks. But is there kind of a compliance versus security tension here as you're doing this stuff?
Starting point is 00:30:42 We haven't seen as much. What we have seen is, so the person buying software, you know, they might work at a tech company and be quite savvy and up-to-date on those threats. They might work at one of our customers that is, you know, a hotel chain, right? And so not that, and they certainly don't get compliant themselves because they don't build software, right? But they buy it. Yeah. Fine. And so, we're not. And so, what we generally see is some companies will come in with their set of questions they want to ask. And maybe I will read your SOC2, maybe I will not, but, like, I really want to ask you questions one through ten.
Starting point is 00:31:14 Some companies don't have that. And again, there's some part of the value proposition that is like, we'll prescriptively guide you. And so we have a product principle just around reasonable defaults. And it's like, can we make the reasonable default questionnaire, in this case, something that leans in on security versus compliance, or versus, you know, do you have a policy docs? And can you just ask them if they ask, if you care? Yes. And so that's a place where we've tried to, on the margin, nudge the buyer questions toward more security,
Starting point is 00:31:41 knowing that will change the economic incentive of the vendor. One of the big debates people are having right now is how AI productivity gains show up. Yes. And I feel like you could have an opinion on this because we have filled out a lot of security questionnaires at Stripe. And I think we'd be very happy if the machine could take over from here. We really don't need to. We filled out enough.
Starting point is 00:32:04 We should talk about this. Exactly. Yeah. But so one case you could make is the machines are getting quite good. They can understand what Stripe, you know, is and does and can do and can't do. And so every time we get a security questionnaire, AI can fill it out. The counter argument you could say is maybe Jevons paradox will show up and we'll have even more exhaustive and elaborate and custom, you know, security questionnaires.
Starting point is 00:32:27 And so, you know, the total amount will increase. But so just how do you see AI productivity showing up here, on the effect? So the questionnaire actually is a great example, because the questionnaire, so we tried to build this product in 2018, which was before SOC2, because it just seemed easier, actually, but the language models were not good enough. And then we tried again in, like, early '21. And, like, BERT came out and you're like, oh, is there a remote?
Starting point is 00:32:48 It's like, was not good enough. And now it is good enough. So that actually, GitHub gets 92% of all of the questionnaires they receive answered through Vanta. And so you're like, not at 100, but you're like, it's GitHub. They have AI tools, like, they have Copilot. It's a lot. And so we're absolutely seeing this, like, the models are definitely good enough for, sorry, people ask GitHub to fill out security questionnaires before using GitHub, and now they can mostly turn around and return those security questionnaires
Starting point is 00:33:17 with 92% filled out, and we have a human, but just, it's review and approve, right? And then, like, the confidence scores on, like, prioritizing, even for the reviewer, it's like, you probably want, you can look at the section if you want, but you kind of don't have to, where it's like, we really look at these 10. Yeah, yeah, yeah. And, like, all of that work, like, our product does that. Yes. Yes.
Starting point is 00:33:38 That's cool. Okay, so where do you think it goes broadly? I think that so much of the work of a compliance team is, again, keeping things in sync, keeping, and, like, different sorts of text in sync, right? Adding on new compliance regimes, which is just adding controls. Yes. And then you, but really, you really want to, if you want to, map the, like, you know, new ones to the old ones and figure out what the duplicates are.
Starting point is 00:34:03 That's actually a huge part, classically, of the work of a compliance team. And so I think there's so many opportunities for LLMs and agentic workflows in Vanta's business. And we, you know, we probably have a couple dozen of them. And if I think about a roadmap, you know, knock on all the things, like, we have, like, hundreds by the end of the year. Yes, yes. But it's just, and it's kind of a, what we've been doing is breaking down what folks do, right? And so you're like, okay, there's a questionnaire piece.
Starting point is 00:34:32 If you send out a questionnaire, someone has to read it on the other side. And then you have to think about it and figure out, you know, where does it work? Where doesn't it? Oh, I have this new policy update. I need to put this thing in a policy. I need to, we're going to start doing, I don't know, ISO 42001, which is a new AI standard. And so how do I map that in? Yes.
Starting point is 00:34:51 I need to rerun a risk assessment. I'm going to change my, like, risk score. Anyway, all of these things, all of these tasks are all just, like, workflows that you can have an AI do, write an eval against with, like, subject matter experts, and then hill-climb until they're quite good. And so it feels like, you know, you can reason about the number of people in a profession, especially at a certain stage of company, changing. Like, if you think back to ancient times, I don't know, the year 2000,
Starting point is 00:35:20 if you had a 10-person company with, you know, 10 Gateway 2000 beige workstations, they probably would have had an IT person. That IT person would have had, like, servers in the closet. Yeah, exactly. It's servers in the closet. They had a Microsoft Access database. They had to do software updates, you know, for all the machines. Occasionally, like, lint and stuff would get stuck in the mouse ball.
Starting point is 00:35:41 Oh, yeah, yeah. You have to take it out and cleaners. I've thought for that in one time. And all those kind of stuff. So, IT was a real job. Yes. Now, I don't think a 10-person company really has an IT person. No.
Starting point is 00:35:51 Because the hardware is super reliable and you just buy a new version every now and then, and everything's in the cloud. There's no porting data over. You just use Google Workspace for everything. It works really nicely. And so IT still exists as a profession, there's lots of interesting things. But, you know, Stripe has a bunch of IT people. You don't need a bunch of IT people at 10. You've got to, like, mail laptops to, like, how many countries in the world, which is, like, actually kind of hard.
Starting point is 00:36:10 Yeah, we have some IT challenges. But again, we're 10,000 people. And again, it naively feels like you will have a similar effect with compliance as we had with IT. Where the profession very much stays around. It actually gets more skilled, rather than, like, I think the stuff we do in IT is harder than kind of the basic IT that a 10-person company would have done. Is that basically where compliance is going? I think this is basically true, yes.
Starting point is 00:36:33 So one model we've thought about with Vanta, even, like, pre-AI, is we will delay the point at which you have to bring on a full-time security compliance person or, like, a kind of consultant who's spending meaningful time. But, you know, in the past, if you were an enterprise company, maybe you did that at 50, 100. And it's like, can we actually push that further out? Yes, yes. Because what we see is then, like, an engineering leader or someone in the engineering
Starting point is 00:36:58 org can manage more of this. Because they kind of have the mental models and they're usually systems thinkers and they can, you know. And they're responsible for it, so they can kind of change this. Exactly. Yeah. And so you're like, have this persona, we call them Amelia engineers, but, like, you have the Amelia engineers just, like, going further here. And then you bring on, and then you can bring on a, like, unified
Starting point is 00:37:17 security and compliance person versus, like, oh, you're your security person, your IT person, your compliance person. But it's a little bit of, like, the, kind of what we're seeing in the, like, engineer/PM/designer collapse. So you have the, like, security, compliance, IT collapse into one role? You can keep them unified for longer. Exactly.
Starting point is 00:37:34 If you can give them good tools, right, they can do that. Okay, fine. And then again, pre-AI, but then over time, that team starts to grow, and then you get a GRC team and CISO and all this. What we're talking about now, and we haven't seen yet, but if I, like, had to forecast and guess, is we're going to see, actually, those GRC teams collapse a bit more into these single-threaded owners. Picking a GRC team today,
Starting point is 00:37:58 there's maybe one person answering questionnaires, one person just reviewing new software vendors, right? And you look at those and you're like, okay, I think you can mostly agent the work and then have someone oversee it with 20% of your time. But, like, okay, great, it's collapsed 2% to 40%. Right? And you're like, okay, you have some person
Starting point is 00:38:18 who's like the, who is responsible for bothering the engineers to get evidence for them, you know, for the audit, or like to get the control in place because they don't own the control, but they own the programs. They have to go to the engineer and be like, hello, I noticed you have a new database that is not encrypted and like, will you please encrypt it?
Starting point is 00:38:36 Right. And you're like, you can just have software go nag that person. Anyway, it collapses. And so I do think we will see smaller GRC teams managing agents, but actually in the future. Yeah. And then they are doing more. I'm not doing the security reviews.
Starting point is 00:38:53 I'm like thinking about the findings and overall managing this like risk portfolio, just like vendor risk portfolio versus being like, oh, this vendor doesn't have this thing and I need to go get it from. Yeah, I think what you're saying is there's a strategy component to how should we be doing things. Yes. And then there's an hourly labor component to compliance, which is like, oh, we did 10 times many sales.
Starting point is 00:39:15 We need, like, 10 times as many bodies on the security reviews. And you're saying that AI will eat up a lot of the hourly labor part of compliance and leave people doing the strategy work. Yes. Yeah. Yeah. I do think that. What changes are coming down the pike in the world of compliance? I think there's, to the XKCD, there's lots of folks both trying to make new compliance standards, but it's a little bit of, like, what's the difference with the 22nd one. From a Vanta perspective, we sort of take a view now, like, we will support them all because we have built a machine where it is easy to add a new one in. Yeah. But obviously, you only want to support ones, like, customers actually want to comply with. So you're not. Yeah. Well, yeah, but, like, kind of what we do
Starting point is 00:39:52 actually, we used to spend a bunch of time debating which ones that would be. And it was honestly so frustrating. Exactly. Now you're just like, build the machine that just lobs them in. And so the debate and the document you would write. Do you want to support this payment method? Sure. Sure. Whatever. Yeah, exactly. We did that with compliance standards and integrations. Because it was just like, the prioritization debates were just too intense. We can take all of that debate time. And anyway, so anyway, there's a bunch of those. I would, would I bet on any of them? If you really, like, pressed me, I would say ISO 42001, just because it's the European one. I don't know that ISO. You've got to catch me up on this new ISO. My recommendation is bedtime reading. So you know this, but, like, European standards body. And it is their version of what you, what one should care about with AI. It ends up being pretty data privacy focused and pretty high level.
Starting point is 00:40:45 Those are the cons. The pros are that European enterprises are the ones that care the most about AI, and this is where they turn. And so it's a thing that has the most market traction so far. But again, none of these are, like, breakout. None of them have product market fit. And none of them are regulatory. Like, they're all.
Starting point is 00:41:00 Correct. You opt in to. Exactly. It is like this market has like roughly agreed. You might need this thing. So there was that. I think the, uh, okay. Um, I'm kind of proud of this.
Starting point is 00:41:13 They're, like, trust, you're from the trust centers. They're the, um, security status pages. Oh, sure. Yeah. Like, trust dot blah, blah, blah. trust.vanta.com. Trust. I don't know why they're called trust centers. It's just like a status page. Yeah. But, like, they're for your security posture. So you get the, like, you know, green bars, sort of, or green traffic lights or yellow traffic lights. But it's for your controls. I see. And they always say the same thing. Like, a status page is, like, red, amber, green. Right. Hopefully the trust center always says we're all compliant, boss. Yeah, yeah, exactly. So there's, like, a version of that. And so if nothing else, what they actually are, they're ticket deflection for the GRC team.
Starting point is 00:41:49 I see. You know, because, like, one, your sales team sends them out, and you're like, doesn't it look good? And then if you have any questions, you know, here you go. Yeah, yeah, yeah. It's the pre-filled questionnaire. It's the pre-yes, exactly. It's like, here's the binder of information, please read it. And if you have questions for me thereafter, I am here.
Starting point is 00:42:05 Does that work? It does, actually. And I think part of it is the just show of strength. Yeah, yeah. And the show of, like, I'm on top of it. Yep, yeah. And then there is like, yeah, read things first. And then, if you want to ask me, go for it.
Starting point is 00:42:16 Has outbound selling gotten harder now that everyone is, has a million AI bots spamming everyone? I think it has. What I have heard is phone calls work. In a way that I kind of wouldn't have expected. For now, right? Until one year from now. But now, like, emails, like, yeah, yeah, yeah.
Starting point is 00:42:32 A million AI bots. And I mean, like, how many chat GPT written emails do you get, you know, in your inbox a day? But outbound phone calls are currently working. Got it. Yes. But again, it's only a matter of time. It's only a matter of time. And I think, you know, then we're just back to like, oh, events, right?
Starting point is 00:42:47 Yeah. And especially, like, small, curated events, and you pick up the phone. Events and, yeah. Yes. The topic we talk about sometimes here is on-demand software. Patrick's take is the thing that software should be like pizza, you know, delivered fresh, piping hot. But why are you using software that someone coded five years ago rather than just the computer deciding what to render to you at that moment?
Starting point is 00:43:09 Is that coming to Vanta? It is. It's something we're playing with internally, but like really excited about, is having an agent that maybe is guiding you through the process or doing something and then needs the user to render an opinion or make a connection or just do something. And you're like, can the agent just generate UI specific for that task? So the user completes it and then move on.
Starting point is 00:43:33 And you get this, like, bespoke, agent-generated, hand-generated UI just for that. But are you talking about, because, like, maybe people have a little bit of experience with agentic UI where, you know, an AI chat interface is, like, people's first experience. And, you know, maybe there's, like, three options you can choose, for example. That's, like, kind of an agentic UI. But you're talking about a full UI. Or, like, maybe you have that agentic chat bar on, you know, half of the page or a third of the page.
Starting point is 00:44:00 And then the other two thirds would be a SaaS app. You can imagine a data table with a view and columns. And, you know, rather than just like customizing it. You're like, no, no, no. I just want you to do this thing. And I will take over that right side canvas of the page. Generate the UI for the thing. Or generate the report.
Starting point is 00:44:14 I think reporting is another great use here. And what step of the process would this be? And would this be, like, you have 14 things you need to fix to get. Yeah. So we thought about it in two ways. So kind of in the, like, you're setting it up and you're going through. And actually reporting is another, I think, great case. It's like, no one wants more, you know, knobs and whistles on their reporting tool. And also no one really wants to learn SQL. Yeah. Yeah. Yeah. I want a report for this. Go. Yes. Generate it. Yeah. Yeah. Like, not quite right. Take this out. That's cool. So when will we be seeing generated UI in Vanta?
Starting point is 00:44:48 This summer. Wow. Okay. What has worked well from a go-to-market perspective for you guys? In a way that we don't, we have tried to, but brand, spend, honestly, the billboards. We do all the stuff people do of, like, you know, zip code tracking and all of that. Gong call mentions. So recorded sales, like, mentions of the word billboard on recorded sales calls. And then you can track the billboard. Exactly. Then you track those deals through to closed won and, like, that. And you're ultimately doing a geo split. You're looking at, like, the. Yeah. Yeah, yeah, locations where you had a billboard versus not. Exactly.
Starting point is 00:45:22 And then just, like, does the prospect say the word billboard? I see. In a call at some point. So, no, some of that, podcasts have, that podcast advertising has been exceedingly effective for us. It's funny because we started doing it in late 2020, and our first salesperson, Eric, who's still at the company, he really wanted to advertise, I think, on This Week in Startups. And I thought it was silly because my model is, like, the only, you know, companies that advertise on podcasts are, like, founders who want to hear about themselves.
Starting point is 00:45:52 Like, this is just nonsense. Or mattress companies. Exactly. Or mattress companies. But like, exactly. But like we are neither, right? Like doesn't everybody really need us talk to? Anyway.
Starting point is 00:46:01 And so Eric came to me and was like, I want to spend $60,000 on this ad. And my deal with him was like, fine, but you've got to sell four more Vantas because of the Vantas. And the next month he sold, like, 34 more Vantas because of the podcast ads. And that was one where you're like, well, I know nothing. You should keep going. I call this, by the way, I think there's a real, this, the founder negative value-add at a time, is where founders have these, like, incredibly strong views that are wrong. But it's, like, really hard to remember. It's good. You let them go and do it. Because sometimes, you know, I think some people would have said, no, we're not doing that. It's silly, and would have taken many more years to learn. The deal is you have to sell four extras. I feel like I've heard you on the Acquired podcast.
Starting point is 00:46:39 We do, yeah, because I'm going to Acquired. We do invest like the best. Yeah. Yeah. I like those. And I think in the early days, so this was helpful and then deeply unhelpful, but in the early days before we had competitors, we tried to basically make this call and response of, like, someone says SOC2,
Starting point is 00:46:54 someone says Vanta. And there's a really close association, which in the early, again, when we were just competing with consultants. Yeah, basically. Yeah. Which worked really well until we had competitors who were like, well, we do SOC2 too, but we're, you know, Vanta but cheaper, but worse, but better. And then you're like, oh, that got, you know, like, now we're all pointing at a thing we don't own.
Starting point is 00:47:13 Yep. And, like, that's bad. Yeah. And so there was a, yeah, that's like kind of a, then there was a great reframe on that one. Yeah, yeah. What did you learn working with Fred Wilson? USV is a very special place in lots of ways. And I think USV is fundamentally about ideas.
Starting point is 00:47:31 More so than other venture firms. Yes. I think most venture firms are a sort of great man, great person firms. They're about the person and this person will, like, do the thing. I've no idea what this is, but I like the cut of his jib. Exactly. Yes. And I think USV is, you know, in a, it's too black and white, but it's, like, basically the opposite. Whatever person can walk in, but, like, if it is an idea that is interesting and compelling and intellectually engaging and networked, that is, like, classic USV. And they have backed some great people. I don't mean that, but it's just first thing,
Starting point is 00:48:03 first, second and third thing is the idea. And so, like, really pressing on that, those, that piece, that I think is, like, very important. I think the second part is market sizing is bullshit. You know, you can, like, be as academic or whatever, strategery-ish as you want about it. And, like, the market size today is only a predictor of the market size today. And I think I deeply learned that because if you, like, you just, if you looked at the SOC2 market in 2018, my best estimate was there was $10 million spent globally, and you would never start a startup on that. But the theory of Vanta was, like, well, if we can make this thing easier to get and, like, take down the cost in dollars and, really, time, more people will get them. Yep.
Starting point is 00:48:54 And you're like, that ended up being deeply true. But it, that was not a market, especially for startups. So the market for startups getting SOC2 in 2018 was $0.00. Yes, yes. Truly zero. Yes. Okay, so Vanta is an example of the kind of company that, being too fine-grained, yeah, you would not come up with it.
Starting point is 00:49:14 And now it's like, oh, but of course everyone gets it. And you're like, right. But, like, 2017, again, when did Stripe get a SOC2? Probably reasonably early on because it's so core. Like, it's not a small part of your stack, but definitely before 2017. It's a very interesting framing on USV where I feel like you can see this a little bit in Fred's blog and stuff where it's clear. Yeah, exactly. Attraction to ideas.
Starting point is 00:49:42 And a prepared mind for, you know, when something like crypto comes along. You're like that thing. You're ready to strike. Yes. And is that across the firm or is that Fred in particular? Fred and Brad for sure. Brad is the undersung Fred partner. I mean, they start the firm together.
Starting point is 00:49:58 Oh, you're talking about the Fred and Brad relationship. Yeah, yeah. Brad Burnham is a venture capitalist. He's mostly retired now, but, like, also excellent, incredible track record. He and Fred started Union Square Ventures in, I think, 2002, first fund was '04, took them two years to raise that fund. If you go look up USV '04 vintage, like, oh, God, we all should have invested in that, you know. But it was the two of them, and then Albert came on as a venture partner, I think it was, like, '06.
Starting point is 00:50:25 I was on the '08 fund as a partner. Going real deep here, sorry, but it was, like, the two of them, and there is just, it's not yin-yang, it's not the right frame, but, like, there was, yeah, like, and so many of the ideas of the firm were back and forth by them, and, and then Fred was excellent at articulating those ideas in a way the rest of the world could understand, which he did on AVC. Yes. But I think one of the underappreciated things is, like, how much back and forth there, there, there kind of was there in the creation there. Yes. And, like, that, that pairing, I think, probably should be in the annals of, like, you know,
Starting point is 00:51:07 the Khosla/Doerr pairing. Yeah, maybe, like, Leone/Moritz, like, these venture pairings where you had two people who could play off one another. And they were just like that. Like, I think Brad and Fred had that for, like, a decade and a half. What's the difference in person? Because, like, say Doug and Mike Moritz at Sequoia are very different people. And again, I think that's part of how it works.
Starting point is 00:51:27 Yeah. I don't think Fred and Brad are as different. Is this to her? But, like, yeah, Brad is cerebral, philosophical, academic, like, so interesting to talk to, and you have this wonderful conversation, and you'll be like, are there any ties to the business world of that? You know, but, like, truly these, like, and then, like, one thing Fred could do was, like,
Starting point is 00:51:46 go back and forth and be like, oh, freemium, you know? And then, like, run with freemium, right? But it wasn't just, I'm going to market this turn. It was like, it was a back and forth and the communication out. Wait, did Fred coined the term freemium? He did. Yeah. Yeah, and like a blog post in like 2008, I don't know, eight, nine, something like that.
Starting point is 00:52:02 Yeah, yeah, yeah. Right, like, doesn't it feel like it was just, like, always a term? Yeah, exactly. That's what it's called. In 1952, didn't they talk about freemium? Yeah, it's like, did you know, saying the quiet part out loud? That term comes from The Simpsons. In what ways are you a different CEO coming from your experience as an investor?
Starting point is 00:52:19 I mean, I wouldn't have done it. It's a real answer. That's a good start. I mean, I was really lucky in, I learned nine million ways with them. One of the ways was, for two years, I just, like, met 15 founders a week for two years straight. And I think whatever model I had of, like, what a founder is or does was, like, yeah, that exists.
Starting point is 00:52:40 But like look at all the ways one can do it. And there's like some coming out, some more successful. But just like there's a lot of ways to do this thing. And I think that exposure was super helpful for me. because you got to see people who I felt more affinity or similarity to in whatever dimension, like also do it. And it was kind of the role model thing, but not like one person, just, you know, you meet a thousand of them.
Starting point is 00:53:08 Yes. And you can pick out the pieces. Having all that training data, what passions do you think you see in people who went on to be successful? Or maybe conversely, what anti-patterns do you see in the people who... Oh, I think there is a, like, someone said this better from me than me, but like there is a totally a truth-seeking piece of it or just sometimes you can bend reality to your will, but often like reality is reality and you've got to like embrace it and figure out how to work around it.
Starting point is 00:53:33 Like reality, sometimes it's an immovable object. And I think there was a delusion for the unsuccessful founders. Exactly. I've noticed that. Yeah, yeah. The like, oh no, but I can change this. And you're like, yeah, that one. Yeah, gravity's gravity.
Starting point is 00:53:45 Yeah. The version of this I talked about with Des Traynor is I feel like investor updates with a lot of words and no metrics. Oh, yeah, those are bad. Those are bad. And actually, like, no investor updates is fine. Like, you didn't have to send me. Either, either very good or very bad.
Starting point is 00:54:03 Metrics is fine, but, like, a lot of words and no metrics is almost a sure sign of failure. Bad, yes. Yep. Because, again, I think it gets out that delusion. Right. Failure to truth-seek tendency. Yes. What else?
Starting point is 00:54:19 Do you think famous Etsy and Kickstarter? There's a bunch of these companies of this era stories. where I think I developed, yeah, this is true, this huge appreciation for product market fit. That sounds so dumb. But kind of now it's the like, if you think you have it, you don't, framing. Or if you're asking whether you have it, you don't. Yes. And so Etsy, great example.
Starting point is 00:54:41 You're like, co-founder's CEO spent 80% of his time for kind of years, like making people desks. Because they have this lovely cultural thing. When you joined, you would get like homemade bespoke desks because they sold homemade bespoke things. So there's a thing. Yancey would make people a desk? Rob, hang with Rob,
Starting point is 00:54:57 Kalin at Etsy. He would make people a desk. Yeah, yeah. Sorry, I'm getting confused between Kickstarter and Etsy. This is the Etsy version. Yeah, yeah. And you're just like, now if you're like, 80% of a CEO's time is making desks.
Starting point is 00:55:08 And the business is on fire. See, Amazon had it figured out where you had to make your own desk. It's a much more scalable way. Rob made the desks. Yeah. But you know, you're just like, I mean, it's kind of a funny story, but you're like, the business was fine. Yeah, yeah, yeah.
Starting point is 00:55:19 You know, and so there are just these things that have like, their own physical, their own immovable objects. And you can be making desks for people all day long. It doesn't matter. And like, if you don't have that, you know, it's not that we should all, I mean, maybe we should all make desks. I don't know. Would you spend time making desks at this stage?
Starting point is 00:55:40 I think woodworking is very, I don't do it, but I did it as a kid. It's satisfying. So, yeah. Last question. Does Vanta expand from here beyond security? Do you start helping people fly with everything else? Just do you continue taking over the world
Starting point is 00:55:55 until all the world runs on Vanta? Yeah. That's fun. Definitely taking over the world, making desks along the way. No. I think right now we do think about, especially in this world where, in theory,
Starting point is 00:56:08 code has become much cheaper, actually two things. So one, it's like, can we add different pillars or verticals? And so there's a whole lot in security, especially for a small business or a mid-market business. I think it's a different ballgame there,
Starting point is 00:56:21 There's things there. And then when we think about it, we really think about, we think about parts of the CISO organization versus, for the most part, other parts of an organization. But we would think about enterprise risk for internal audit.
Starting point is 00:56:35 Financial audit is adjacent and interesting. What can you do an internal audit or financial audit? So internal audit is sort of easier for us, given what we've built in a way, is like we have all of this. And currently we're packaging material and sending it to the auditor but you can imagine packaging it and sending it to an internal.
Starting point is 00:56:54 And it's the same thing, it's a controls platform, right? It's like decide what it is that you should do and then validate that you're doing it. Prove that you're doing it. Exactly. Financial audit is the system is similar. It's a different set of integrations on data. And so it's thinking through, okay, at what is the right point to start building out those ERP integrations, appellation, all of that, to get that sort of data to parcel this in.
Starting point is 00:57:18 Exciting. Yeah. And Christina. Thank you. Thank you. Thank you.
