Compliance at scale and why TAM is a distraction, with Christina Cacioppo of Vanta
1. Key Themes
Compliance as the Trojan Horse for Security
Vanta's foundational insight was that startups never proactively buy security, but they do buy compliance when a customer demands it. Christina built a security company by calling it a compliance company — using the buying moment as the wedge.
"One of the original founding hypotheses of the company is if you want to start a security company for startups, you should actually start a compliance company. Because your customers never ask you for security, but they do ask you for compliance." 00:00:40
This is a powerful GTM lesson: find the painkiller version of your vitamin product.
Proprietary Audit Data as an Unassailable Moat
With 30,000+ completed audits, Vanta has built a dataset that no competitor or AI can replicate from public internet data. This enables them to tell customers — with specificity — whether their evidence will pass with a particular auditor. It's the compliance equivalent of Stripe's fraud detection advantage.
"It feels like the data you have of anonymized prior audits is an incredibly powerful network effect that cannot be replicated because it doesn't exist in the public internet... Similarly, people going through an audit, you can tell them that this will work and this won't." 00:29:29
"We now do AI evidence evals. So it's like, oh, you're going to provide this piece of evidence. We can just tell you, is it going to work for this auditor?" 00:28:21
AI Will Collapse GRC Teams, Not Eliminate Them
The compliance profession is undergoing the same transformation IT did — from dedicated teams to consolidated, tool-augmented single-threaded owners. AI is eating the hourly labor (questionnaire responses, vendor reviews, control mapping) and leaving the strategic risk oversight work.
"We're going to see actually those GRC teams collapse a bit more into these single threaded owners... I think you can mostly agent the work and then have someone oversee it with 20% of your time." 00:37:56
"GitHub gets 92% of all of the questionnaires they receive answered through Vanta." 00:33:03
2. Contrarian Perspectives
TAM Analysis Is Largely Useless for Category-Creating Companies
Christina explicitly states that the SOC 2 market for startups in 2018 was literally $0. A TAM-driven investor would have passed. This is a direct rebuke of standard venture analysis frameworks.
"If you looked at the SOC 2 market in 2018, my best estimate was there was $10 million spent globally and you would never start a startup on that... The market for startups getting SOC 2 in 2018 was $0. Truly zero." 00:48:58
"Market size today is only a predictor of the market size today." 00:48:28
Data Breaches Don't Actually Hurt Large Companies' Terminal Value — And That's Correctly Priced
Most people believe breaches should devastate companies. Christina argues the cynical but correct take is that customers don't churn, and investors are right to price it that way. This has significant implications for how compliance is motivated in practice.
"What are investors betting on? They're betting on like will anyone churn off of Equifax because this happens? And I think the cynical but correct take is no." 00:16:00
Podcast Advertising Was Dismissed as Vanity — It Was Actually the Growth Engine
Christina almost blocked the first $60K podcast ad spend as CEO. Her instinct was wrong by an order of magnitude. This challenges the conventional wisdom that B2B SaaS should focus narrowly on performance marketing.
"The next month he sold like 34 more Vantas because of the podcast ads. And I was wondering, you're like, well, I know nothing. You should keep going." 00:46:18
Outbound Phone Calls Are Working Better Than Email Right Now
Counterintuitive in a world of SDR automation: because everyone has AI-ified email, phone calls have become the new high-signal channel. The window is brief, but real.
"What I have heard is phone calls work in a way that I kind of wouldn't accept. For now, right? Until one year from now. But now with emails, like, yeah, yeah, a million AI bots." 00:42:22
3. Companies Identified
Vanta: Trust management and compliance automation platform. 15,000 customers, 60%+ annual growth rate, 30,000+ audits completed. Mentioned as the subject company, notable for its audit data moat, AI-driven questionnaire automation, and expansion into internal/financial audit.
"We have 15,000 customers. Our growth rate's actually quickened the last couple of years and quarters and months. And so it's been 60% annual plus for the last couple of years." 00:05:20
GitHub (Microsoft): Used as a proof-of-concept customer for AI-driven security questionnaire automation.
"GitHub gets 92% of all of the questionnaires they receive answered through Vanta." 00:33:03
Union Square Ventures: Venture firm co-founded by Fred Wilson and Brad Burnham. Described as uniquely ideas-first rather than founder-personality-first. Notable for outsized returns (USV 2004 vintage specifically called out as exceptional).
"If you go look up USV 04 vintage, like, God, we all should have invested in that." 00:50:00
4. People Identified
Fred Wilson: Co-founder, Union Square Ventures. Credited with coining the term "freemium" in a blog post around 2008-2009. Described as exceptional at articulating complex investment ideas to the broader world.
"Fred was excellent at articulating those ideas in a way the rest of the world could understand." 00:50:53
Brad Burnham: Co-founder, Union Square Ventures (mostly retired). Described as the underappreciated intellectual engine behind USV: cerebral, philosophical, deeply complementary to Fred Wilson. Called the "undersung" partner.
"Brad is the undersung Fred partner... Brad is cerebral, philosophical, academic, like so interesting to talk to... Fred and Brad had that for like a decade and a half." 00:49:52
Pete Wasserman: GSA official working to modernize FedRAMP. Identified as a rare competent actor in federal compliance reform, trying to bring the standard from a 1990s framework into the modern era.
"There is a part of GSA and one team in particular led by a guy called Pete Wasserman who is trying to modernize FedRAMP... He's fighting the good fight and he gets it." 00:19:41
5. Operating Insights
Eliminate Internal Prioritization Debates by Building a Universal Intake Machine
Vanta wasted significant time debating which compliance standards to support. The solution was to stop debating and build a system that could ingest any standard cheaply — turning a recurring strategic debate into an engineering problem solved once.
"We used to spend a bunch of time debating which ones those would be. And it was honestly so frustrating... Now you're just like, build the machine that just logs them in. And so the debate and the document you would write... We did that with compliance standards and integrations because it was just like the prioritization debates were just too intense." 00:39:46
Let Employees Run Experiments with Skin-in-the-Game Constraints Rather Than Vetoing Them
Christina almost killed the podcast advertising channel. Instead of blocking it, she set a measurable bar: sell 4 more Vantas to cover cost. This preserved optionality, avoided a costly mistake in the other direction, and gave the employee accountability.
"My deal with him was like, fine, but you got to sell four more Vantas because the Vanta basically costs $15,000." 00:46:18
Use Gong Call Mentions + Deal Tracking to Measure Brand/OOH Attribution
A practical, replicable method for measuring billboard and brand spend ROI without relying on surveys or last-click attribution: track keyword mentions on recorded sales calls, then follow those deals through to close.
"We do all the stuff people do of like, you know, zip code tracking and all of that. Gong call mentions. So recorded sale, like mentions of the word billboard on recorded sales calls. And then you can track those deals through to closed one." 00:44:52
6. Overlooked Insights
ISO 42001 Is the Sleeper AI Compliance Standard Worth Watching
Mentioned briefly and almost in passing, ISO 42001 is the European standards body's AI governance framework. It currently has no breakout adoption, but Christina bets on it specifically because European enterprises — the buyers most serious about AI risk — are the ones returning to it. As AI regulation matures globally, this standard could become the SOC 2 of AI systems.
"I bet on any of them. If you really like pressed me, I would say ISO 42001 just because it's the European one... European enterprises are the ones that care the most about AI and this is where they return. And so it's something that has the most market traction so far." 00:40:25
This is a category-creation moment hiding in plain sight — the same dynamic that made SOC 2 Vanta's wedge could repeat with ISO 42001 for AI-focused vendors selling into Europe.
Vanta Is Quietly Building Toward Financial Audit — A Radically Larger Market
In the final minutes of the conversation, Christina casually mentions that financial audit is "adjacent and interesting" and that the technical architecture (controls platform + integrations) largely translates. This is a throwaway comment that points toward a potential 10x expansion in addressable market, from compliance software into the core of the Big Four accounting services market.
"Financial audit is, the system is similar. It's a different set of integrations on data. And so it's thinking through, okay, at what is the right point to start building out those ERP integrations, appointments integrations, all of that." 00:57:00
The implication: Vanta could become the automation layer underneath financial auditing — a market orders of magnitude larger than security compliance.