How Vanta’s founder bet big on startup security and found product-market fit — Christina Cacioppo

Todd: Welcome to the show, Christina.

Christina: Thank you so much for having me, Todd.

Todd: Since Vanta was founded back in 2018, the company has been quietly expanding its corner of the global security and compliance market. And so what's first started as Vanta specializing in helping companies meet standards like SOC two, HIPAA and GDPR has grown into the leading trust management platform.

And so now you're a series B company. You've raised over 200 million to date, uh, by some very big names. CrowdStrike, Sequoia Craft Ventures, and Vantis customer base. Now numbers north of 5,000 organizations, including Quora, modern Treasury, Autodesk, and companies like Lattice. Uh, as one of its very first customers, Van's.

Low profile has been, I think, in a way by design. In fact, I know you signed your first 600 customers or. Without even a real website and only hired your first marketing role in late 2020. So in today's conversation, I really want to peel back the layers of Vantis story. And so to kick things off, Christina, I'd love if you could take us back to before the company, uh, was even an idea in your notebook.

Could you tell us a bit about your background and some of the different pieces that pushed you towards the founder path?

Christina: For sure. Um, so I grew up in. The Midwest, uh, my parents were both academics. Um, two parts of that. One, they actually really liked their job. So growing up I thought, you know, a job was something you really liked to do and you found really interesting. Um, and second part is I thought I would be an academic.

Uh, I didn't wanna study what they studied, but it actually just seemed comfortable and familiar to me. So that's what I thought I would do until I was. 21 kind of graduating school. Um, and then somewhere around there, I think I was in the process actually writing an undergrad thesis at economics. I realized this was great, but there's other things to do.

Um, and so I kind of did a, a host of different things. Um, Ended up, uh, getting really lucky in my first job at a school was at an early stage venture firm in New York City, union Square Ventures. Um, so got to work with Fred and Brad and Albert, uh, as they thought about large networks of engaged users. And I think in that, um, you know, I think actually going into that, I, I maybe did wanna start a company, but I definitely didn't say that out loud and or even in my head, um, it kind of seemed like, I don't know, I wasn't, you know, prepared, ready, the sort of person who started a company, whatever that meant.

But at U S V, um, I basically just spent two years meeting with founders, like day in and day out, week in and week out. And it was really helpful because you just see all the different sorts of people who become founders, um, and how different they are. And like, yes, there's commonalities around, just getting up and putting one foot in front of the other.

But there's so many different ways to do. . And so that was just like really helpful, honestly, really transformative. Um, and I kind of got to the point where it's like, okay, I kind of do wanna go start a company, but I want it to be a software company and I can't code. And I know lots of people do that, but I don't feel like I can.

So I'm gonna go take my bonus, um, and go teach myself to code and teach myself to build product. and I spent the next two years or so doing that. Um, made a bunch of things, none of which anyone has ever heard of, um, most of which were bad because it just says you're learning something you like, have to make a lot of bad stuff before you start to make reasonable stuff.

It's kind of the like Ira glass quote, right, where you're like, taste outstrips your talent for a long time. , um, did that in some ways felt like I got to a better place of like, I learned how to make things. But, um, you know, I was also at this funny place where I'd, I'd done some of it with, you know, one or two other people, but I'd never really worked at a real company, before.

Um, and so ended up joining Dropbox, uh, which is where we cross paths, um, as a product manager, and again, got really lucky. Worked on a new product. At the time, Dropbox Paper, trying to bring that to market. Um, and that was just a whole different ballgame. Like the team with the engineering product and design team was about seven or eight people when I joined for, for a paper in particular.

Um, and it was probably about 70 or 80 when I left a couple years later. So, got to like, see what that is, see what a company is, you know, see what marketing does. Joking and not joking. Uh, I sort of didn't know.and so all of that was, you know, kinda ended up in vanta in a lot of ways, 

Todd: did you join Dropbox knowing that my next step after Dropbox will be to start my own company, and this is sort of like the training ground for that in a

Christina: yeah, that was very much the like, what I, what I wanted and I'd kind of at least gotten to like, saying that to myself. Um, so a little bit less to other people, but yes.

Todd: Cool. And so, um, talk about, you know, when you decided to leave Dropbox and, and how you started to think about the idea that would become.

Christina: Yeah. you know, I think all of these things, they make sense in retrospect, but they're kind of complicated and they feel like swirly at the time. it was kind of from a, a product perspective, I think for me, with Paper it became pretty clear to me that the best chance for paper success would be to go a lot closer to core Dropbox.

Whereas we'd sort of been operating as this like separate team and that was, you know, really fun in a lot of ways. But I think not actually serving the product or its users very well. Um, and so there was a piece there where it seemed like that should just change and like, am I the person for that?

Or like, ish, you know, I think it was less clear to me probably also to others. I think there was also a part where, you know, just kind of impatient was like, okay, I feel like I've learned a lot. Um, let me go see if I have or not right. Uh, but, but I wanna, I wanna go try this thing. Um, you know, in some ways there's no time like the present.

Let me see what, what happens.

Todd: And so was Vanta your first idea or did you have other ideas kind of in those early days?

Christina: No, there were a host of slew of terrible ideas. Um, so to take you back, this was late 2016. Uh, at the time there was actually also a like AI chat bot, voice assistant, right? Alexa, like wave. And so one of the initial ideas, uh, sort of the framework was. , what new technologies, you know, are opening up new opportunities and what are you good at?

So I was like, okay, well, voice, um, is new and maybe opening stuff up and you just got an Alexa. It seems kind of cool and like, I guess I know things about team collaboration after a couple years at Dropbox. So can you make right, like your voice assistant for work? Um, and spent some time on that. Made I think as, as many people have, The, you know, meeting recorder that records all your meetings and transcribes them across the company.

And, um, it sounds kind of neat. Uh, you know, some people really wanted, I think actually your median person doesn't want that product at all. Uh, there's a bunch of like very real reasons for that. Also, at the time, the technology just like, wasn't that good. Um, you know, we made a microphone. The joke was a microphone that dumps things into a Slack channel.

It mostly dumped nonsense into a Slack channel. Like this wasn't even us. . Um, and we're also like, look, we're not AI engineers. Like we're not gonna make this, you know, make these models really good. Um, you know, Google was like the type also, it's like Google at the time will, but then that's for every startup.

And so like, what's our differentiation again? You know, it just like didn't, the pieces didn't fit together. Um, the true low point. It's really funny now, but we were trying to like narrow in on a use. because the general like startup one just didn't, didn't seem like it made sense. Uh, and ended up making a voice assistant for biologists in a lab, right?

Like, you know, it kind of makes sense. You're like doing things with their hands. They have gloves, they have chemicals, they need to do conversions. It's kind of like cooking. Anyway, but that was kind of a moment where we were like, when did we found a lab? We like shipped them a microphone. We made them an iPad app.

In some ways they were really excited cuz like no one makes software for biologists in labs. Um, but also like, this was not a real, you know, like the market for this was like, you know, the size of my thumb. Uh, you know, we didn't actually know anything about biologists. You'd like go tell somebody that's what you're working on and they look at you like, what are you doing?

Um, I'm glad we didn't pursue that one.

Todd: Okay. And so then I think at some point you, you thought about, Hey, what about the security space? And so what was it that was drawing you to security?

Christina: This is, it's funny, it was in some ways just naive interest, right? Um, it was, this seems exceedingly important and increasingly so, um, security on the internet, you know, you're reading more and more about breaches. It's eroding trust in software. as somebody who sort of grew up in software, like I really like software.

I believe in the transformative power of new tools. But if no one trusts them, then it doesn't matter, right? and honestly, actually back to Dropbox. Dropbox had an incredible product security team and so just spending time with the people on Nat team, you know, really compelling, really Articul. talking through the problems, um, that they had in their workflows and, you know, the, the high points in their low points of their job.

There's also just a bit of like, I like spending time with those people, right? Um, and so if you're gonna go both think about product development and then ongoing customer relationships, I think it is just, you know, not necessary, but it's really nice if you, if you love, love spending time with your users.

Todd: Okay, awesome. Yeah, so it sounds like it was just really fun and you enjoyed talking to security folks. Did you find that when you were researching the security idea, you spent more time talking to potential customers than you did with the voice idea?

Christina: So, absolutely. And I think, uh, just like made all the classic, um, find an idea mistakes that I, you know, maybe could have enumerated to you in advance and then promptly made them. Um, but I think of the voice idea, it was like, it was a bit of, you know, excitement about a technology. Uh, Believing you have this kind of brilliant product idea that of course everyone will want.

Um, and like not really focusing on anything real people and like real problems, uh, when you're in the like ideation or the creation stage. So what with the voice thing, you know, honestly, what we did was we. You know, built, built this tool and then walked around to people and were like, do you want our tool?

Do you want our tool? What about you? Um, and it was a little bit like the, you know, kids' book, like, are you my Mother ? You know, and like, no, no one is like, no one, no one wanted the tool really. Um, and it, you know, we did that for a bit, didn't feel very good. And I think, you know, then kind of realized that, and so, Rather than having the initial rush of being like, I've got a great idea, I'm gonna build something.

Like you get, you know, like there's positive feeds and lock back loops. You feel like you're making progress when you're building and then you like hit this wall because no one wants it. Um, since somebody's tried to reverse it. And so it's like, okay, we're actually not allowed to build anything. at all.

We are just going to talk to people, um, and talk to them until we have a lot of confidence and like a mental model of people and their jobs and the problems they might have and, and how we might solve it. Um, and there were a couple heuristics we used there too. So one was you had to keep having conversations with people until.

You knew you could kind of predict about two thirds to three quarters of what they would tell you, right? So you had to like, again, keep having these conversations until like three quarters of it was stuff you already knew at least. Um, and yeah, just really focus in on like what was their day-to-day like?

Some of the best questions we asked were, you know, asking people to like pull out their calendar and say, okay, you know, look at all the meetings you had in the past couple weeks. Like what were the best parts of the last couple weeks? What were the worst parts? Um, and again, just try to underst. People and their problems.

Todd: How do asking those sorts of questions get you to the point where you understand kind of what they want.

Christina: Yeah. I mean, so slowly, I think, and iteratively, right? Um, I think in retrospect it, it sounds a lot cleaner, but if I think about. Um, literally doing that and actually with the, uh, product security lead at Dropbox, it's one of the first conversations I had because it was so easy to kind of get to that person.

Um, and what he told me when he, you know, we looked at his calendar, was like, look, the, the best parts of my weeks are when I get to work with product teams. on security issues, right. And sometimes I embed with them, you have to do this with us, a paper, right? But it's like, I can work with the PM and the engineering managers.

And the engineers and like get the right stuff prioritized and fixed. Like that's the best part. The worst part is when I have to like, you know, pull together reporting on the things I've done for my manager, for executives, or sometimes get on the phone with customers and explain what we do. And you know, some of that's nice, but then you do it for.

Fifth time that week. And that gets like pretty dull pretty quickly, right? And so you kind of get this, okay, like the person really likes doing the work. Like they, they fundamentally like their job. Um, but there's this like, work about work or, you know, demonstrating that you've secured things.

Part that was like kind of tedious and annoying. That's just as an example of something got out those conversations. Um, you kinda keep pushing on that and, you know, talked how we got to compliance, but just like this very early glimmer of, of something there.

Todd: Got it. And so what were the clues that you were hearing that eventually led you to sort of this, automating soc two idea that you became known for?

Christina: Yeah. So couple fold. So one was, You know, going around and talked to, so probably when I, when I went down and, you know, did all these interviews or a couple audiences when I was like, co-founders, Security folks if they had them, engineering leaders, uh, eventually sales leaders. And so what that happened is cause you'd kind of go to like technical co-founders and, you know, roughly would say, Hey, you know, what, what are you doing for security at your startup?

Um, and they would generally look at like, Quite guiltily back and say like, not that much and I wish it would better. And like, please don't write this down. Right. Um, you're totally cool. You know, why don't you do more? Sounds like you want to do more than you were doing, like, what's going on? And I think the answers were always like, I mean, often quite reasonable.

You know, there's a little bit of. I don't know what good looks like or I don't quite know what to do, but there's actually more like, it's just really hard to prioritize, right? I can go and spend a bunch of time securing things and do stuff, I think would be quite good. , it's like, I don't really how to measure, right?

I'm measuring it by the absence of a breach. But also, we're a small startup and our problem is no one knows us. Not that everyone's trying to hack us. Um, or I can go spend my time building a feature that a customer wants in order to give us our first revenue. I'm gonna do the latter, like kind of all the time.

Todd: Right.

Christina: right? So we heard that a bunch. And actually that was, you know, initially kind of, um, discouraging, right? Cause you're like, oh, this is why there aren't security companies for startups. Because even if it's a good idea, it's an easy to use product. You're still running up against this like, prioritization hurdle.

Um, and, and there's actually a phase of that. We kind of kept talking to people and there was actually a really transformative moment when I walked into Figma and Figma at the time was. Probably 30, 35 people

Todd: Mm-hmm.

Christina: and I was talking to one of their infrastructure engineers. Yeah. Yeah. Um, And, you know, kind of expecting to have the same conversation.

Right? Uh, you're like in the, so have you already heard, have you already had the conversation? You're about to have vain? Um, I was talking to him and I was like, okay, so what, what do you all do for security? And this person just listed like 12 tools and a bunch of best practices and like, just kept talking.

Uh, and that, that's one of like, why , right? Like who are you and why? Um, and the answer at the time was they had just signed Google. Which is like a huge deal. 30 person company, right? And as part of selling Google on Figma, Google it sent over this long questionnaire. Do you do this practice? Do you, you know, encrypt this?

Are you secure in this way? And. The answers were mostly nos, but they didn't wanna say no. So they just turned that into their roadmap and just did everything so they could like credibly say yes. Um, and that was this moment of like, oh wow. Like of course you did right? And you managed to like align.

Securing your company with growing your business Like what is this? Like this sounds quite promising.

Todd: That that's sort of what created the urgency for.

Christina: Yes. Yeah. And it let you know, I think like this engineer, certainly engineers, um, we talked to, right? It was like, They kind of, again, had an idea of what to do. It gave them a prescriptive list and more so just like the organizational mandate to go do it. Um, right. And so that's for this like, okay, so questionnaires like, what are these?

And you know, we did this like, go look at the questionnaires. Can you standardize them? Can you automatically answer them? Um, Kind of like there's some stuff there, but then we're like, uh, mostly you just don't wanna get these cuz they're so bespoke custom. So how do you not get a questionnaire and you're like, oh, compliance certifications SOC two, and then what are those anyway?

And so it, it all kind of built, um, in a way that again makes a lot of sense in retrospect, but just to like kind of level set that process. Was probably three or four months, um, of these like conversations, right? So it did not happen overnight. And you know, two months in, you're sort of like, I don't know if I, you know, I'm spending a lot of time on this, but I don't even know if it's gonna turn out into anything or not.

Todd: Right. But the, the aha moment it sounds like was if I can help these companies unlock business and sell to bigger customers, that's a real motivator, and that's sort of what gets them to think about security and, and doing all these things.

Christina: correct? Yes. Yes. There's just this moment of like, okay, now we're not sure we can build a product here, but like, just for a moment, suspend disbelief. Say you could make a, like, press a button and get soc two. Lots of people will pay to press that button 

Like if you can do it, this seems like a thing that people will want.

Todd: Okay. Got it. so you have this strong sense of validation that if I can make a button that says you get SOC two, there's demand for that. And so then how do you go trying to figure out if you can actually make that work?

Christina: Right? Right. So then you're like, okay, well what is a SOC two? Um, and so a couple folds. So Ben, it was just kind of this iterative prototyping where step one was like, go get every SOC two. You can get your hands on and read them all. . Um, and so got about a dozen of 'em and kind of compared them and tried to break down.

You know, you hear these are all different and everyone's unique and you need a consultant and like, are they actually different?

Todd: Well, for the folks who haven't seen one, Christina, what does the SOC two like even look like?

Christina: That's a good question. Uh, a SOC two is very practically, it is like an 80 page pdf. That lists out kind of what in compliance speak as a control, but is like the security practices of a company.

And it says, Hey, you know, as a company we have these practices and an auditor, in this case an accountant, uh, has come into the company, made sure we actually have that practice. Like we do what we say, um, and written some detail on how they do it and, you know, codified all this up in this long pdf. Um, but that's roughly what it is.

Todd: Okay. And so that's a, so you're attempting to now productize this, like, see if I, see if we can generate this, you know, somehow automat.

Christina: Yes. Um, and when we went and talked to, you know, consultants and auditors, uh, they were like, well, you can't do that because every report is unique. Right. Um, and you know, I think we were kind of software people and we're like, well, of course. But do they have to be unique?

Right. if we're talking about security practices here, Yeah, there's some nuance, but there's also best practices, right? Um, and say Dropbox has a very different business than Salesforce say, right? Two early SOC two as I read. Um, but should they actually, you know, protect customer data differently?

Uh, it's not evident, right? Um, so I think there's some bit of, of outside in thinking here of saying, Well, historically these have all been, you know, very bespoke. How bespoke should they be? Uh, especially at the earliest stages of a company building one of these out?

Todd: Okay. Got it. So what was like the first M V.

Christina: Yeah, so the first MVP was we went to, uh, a company segment, actually, um, where we knew some

Todd: some really good early customers.

Christina: We did well, segment was, I mean, you know, a lot of these, right? Like, I think they, uh, knew us and knew, uh, you know, we didn't really know SOC two that well yet, but we're gonna work really hard until we was much more of a bet on that.

Um, . And what we basically did was interviewed their whole, or interviewed their team, you know, figured out what their SOC two should look like and how far away is it. So we made them a gap assessment that was like very bespoke and customized to them that they could then plan a roadmap against if they wanted.

Um, and honestly the test there was one, can we deliver them something that's credible? And two, do they find it credible? We are learning here. Um, and that actually went well. Uh, and so then we moved to front second company and that test was can we basically give them segments gap assessment, but not tell them it is segments, right?

We use the same controls, the same rules and best practices go to the see where front is. You know, it's customized in that sense. Um, but this is kind of pushing on the, can you productize it, can you standard. the set of things, um, at that. And so that was like, well, can they tell it was actually for another company?

You know, it's not really like it's their gaps, but not, you know, the, the, the rubric of the same. Uh, they couldn't. Um, and then actually what happened was a former Dropbox coworker, uh, emailed pretty good email, which was basically a version of, Hey, I hear you've become soc two consultants. That's super strange.

Uh, two thoughts. One, we should get a drink cause like, what are you doing with your lives? Um, two, can you come do this for my company as well? Um, and so you're sort of like, oh, this is great. Like, no, now, now we can start coding. Right now we can start building some of this.

Todd: Oh, okay. So for these initial, you know, kind of test runs this, you were doing this all by hand and sort of thinking, okay, we'll be able to write code to do this eventually, but it's all by hand at this point.

Christina: Yeah. And I think there, I mean there's some, some, I dunno, some hubris and we were like, look, we can, we can build whatever we want, hubris and that, but it was like, but the hard part is building something people want. Uh, the easy part is writing code. Um, and so like focus on the thing people want and then you get to go write all the code you wanna.

If you know, hoping someone will actually use it.

Todd: Okay, so Christina, at this point, you know, you've, you've worked with Segment and Front did you have a hypothesis on kind of who your ideal customer profile would be and, and were you learning about what that profile looked like? You know, the more folks you talked to,

Christina: So we were, um, and I would say yes, I hypothesis, although kind of weekly held, I think it was so at the time, this is not true today, but back to, you know, 2017, uh, companies that were like under 500 people say, did not get soc twos at all. Right. Um, and. So we were looking at, we talked to people who had soc twos.

That seemed kind of hard. So it tended to be like couple hundred person companies, um, would have conversations with much smaller companies, uh, where there was a lot of education. They didn't really know what a SOC two was to the extent they knew they were like, that just sounds like a thing, you know.

Again, Dropbox does, but no one else does. Also talk to compliance teams at really big companies to kinda learn about the market. Um, so I guess weak hypotheses around it being a several hundred person company. Um, but actually just a lot of kind of take the intros you can get or get into the companies that you can get into and ask a lot of people and, and sort of flare out to try to cover a bunch of ground and figure out where it's really landing.

Todd: so you've done some of these kind of initial tests that, that we're promising. You're talking to a bunch of folks. You get the email from a friend saying, you know, can you do this for my company? When did you sort of have the internal confidence like, okay, it's time to start coding. Let's build a real product here.

Christina: Yeah, so it's kind of after that. And I think it was like, again, we had our gap assessment spreadsheet that we'd given to two companies, and actually this third one, it seemed useful to all of them, which was in some ways kind of shocking to us, but it seemed useful to them. Um, and you know, the joke was, this was something people were talking about over the weekend that people were hearing about we were doing this and you know, you can.

Make jokes about, uh, San Francisco startup people and the fun they have on the weekends, but like that, that also seemed kind of rare that people were hearing about it, and so felt like there was something in that too.

Todd: Okay. And then when did you, decide to apply to a Y Combinator?

Christina: Yeah, so that, so kind of after all that, um, when we'd started building, um, and probably overly thought about that decision, but, but what we were really thinking about was, um, you know, we're obviously a startup. We're gonna try to start selling to startups. . Um, the joke that's also very true is the last thing I sold prior to Vanta was Girl Scout cookies.

So like, no selling experience whatsoever. Um, and so YC would be helpful for, what I now know as prospecting, but just like getting early customers and users. Um, and so while you know, there's some trade-offs to doing the program, it would be worth it for that like early customer momentum.

Todd: Okay. Is that, I know that Lattice was one of your first customers too. Did that come sort of I.

Christina: Yeah, it did. Um, and honestly, what, was really helpful was, you know, got into yc, um, that's probably known. They have, you know, Bookface, that's Internal Hacker News that has a bunch of information on prior companies. And so just had our partners Go through those company lists with me and help me prioritize who might need a SOC to that I could reach out to.

Um, and then what I generally found was YC founders are just extraordinarily kind to one another and, you know, kind of would take meetings with early companies even when it wasn't totally clear. Uh, they had a business interest to do so. Um, so just tried to do that as much as possible.

Todd: And what did you learn during those early kind of founder led sales conversations where you said, you know, you hadn't sold anything but Girl Scout cookies. What, what's it like to learn how to do sales on, you know, on the job like that?

Christina: Oh yeah. You couldn't feel like you're terrible at everything until you like slightly get better. But, um, so a couple thoughts. One, uh, I very much sold like a pm. Uh, there's good and bad to that, right? But of a like, let me show you what I built and also I'll ask you a million questions, right? Uh, cause I'm kind of curious and I'm building a model of the user.

And like, oh, by the way, would you like to buy this? Um, you know, so the joke was I would kind of like, uh, do really deep discovery and then like sometimes forget to send the DocuSign. because I was like, so into the discovery. Um, uh, I think it helped to sell to other founders, , you know, cause they were like much more tolerant of that.

It helped to sell to like, you know, technical people, cuz they're much more like, oh, you know, yes, I'd like to talk about your product. I don't wanna be sold, um, on some like nebulous, solution. So that, that kind of inadvertently worked in my favor. . I also think honestly, founders were like very candid with their feedback.

And actually one in particular, um, the way I was doing it for a while, is I do a first call of discovery and asking them questions and then at the end kind of explain what Vanta did. Um, . And generally the reaction I'd get was, that sounds great. It sounds so great. You are lying to me.

There's no way you were doing that. Um, and so, no, no, no, let's do another call. I'll show it to you. And then I'd show them the product and they'd be like, oh man, it, it does what you, you said it would. Um, anyway. And I thought, I was like, great, I have this two call sequence. I'm, I'm set. I'm so good at this.

Uh, and then another founder, Uh, I did that too after the second call. And he is like, that should have just been one call , right? Like you talked all this. I didn't believe you, you showed it to me and believed you. Like you could have just done that in 30 minutes. Uh, and I remember rehearing that and being like, you are precisely correct.

I will do that going forward. Like thank you so much.

Todd: So was that kind of a formula that you learned, that you spend the first half kind of really building up the promise of what this product can do and everyone's like, okay, I'll believe it when I see it, and then you show it to him?

Christina: Yes. Uh, you know, and I think it was also like I read all the sales, books through, I read all the medium posts, and so I'm sure I like pulled stuff out of that. Um, but that was early sales. Uh, there was a moment probably how many months in, six months in or so where, um, the calls started.

Boring. Like you'd kind of done it so many times as a little routine. Um, and it would kind of work. Um, and now it's a point where I started going to salespeople outside of Vanta and just being like, Hey, this is the process I'm using.

These are the words I'm saying. Like, here's, you know, the conversion percentage is rough. Is this any good? You know, I like, truly don't know. Um, uh, and kind of got that like outside perspective cuz I was just living in this world where I just like kept doing these things and it, you know, was working as well as it worked.

And I, I didn't really have a baseline for what sales was.

Todd: . So what were some of the first big customer milestones you remember hitting and feeling good about or the, or the first big product milestones kind of in those early days?

Christina: Yeah, a couple. So on the customer side, there was a, everyone who was one new customer a week, right? And you're two new customers a week. So it was just like honing it well enough and being able to like source, I mean outbound, but like I didn't really know that it was outbounding at the time.

Um, but there was some sort of velocity there and being able to look back and be like, oh, remember what it was one a week and it's a big deal, and now it's three a week and like,

Todd: Wow. Did you get to three a week? Like in the, in those first six months?

Christina: Did I get to three a week? I have to do the math. Uh, probably two a week I think. Yeah. Um, on the product side, you know, there's this bit where we, uh, we're selling this product that got folks a soc too. Um, but right in the early days, the obvious question as well. Well, how many soc tooths have you gotten?

For people and they initially answer is zero. Um, right. Which doesn't feel great. Uh, and so, you know, certainly a milestone there. Actually for the very first audit, um, we were working with an auditor in Colorado. Uh, I flew to Colorado. I sat in that person's WeWork and like pulled information from the database for them just to make sure they had everything.

Um, and that was both the combo of. product development and research and being like, what do you actually need? And like, what does an audit actually look like? Um, and just the commitment of like, oh my gosh, we've told this customer it's gonna work, needs to work

Todd: Okay. And so you submitted that and it worked,

Christina: And it worked. Yes. And then afterward you tell that person they were, the first one. But, uh, yes,

Todd: fantastic. So how many customers had you already signed, you know, at the time where you were just

Christina: When that happened,

Todd: two? Yeah.

Christina: probably like 20 or just something

Todd: Wow.

Christina: Yeah.

Todd: Amazing. And I know kind of in those early days, you know, you didn't like sort of go the normal route of building like a, a fancy website to, to grab folks' attention.

Um, was that an intentional choice or was it just sort of a byproduct of you being fully heads down, you know, working on product?

Christina: Uh, mostly the latter. Um, I think in retrospect we were probably a little too clever for our own good, but at the time the thinking was one, we wanna make sure we can actually do this thing. And you know, you go into your first audit with 20 customers, like, that's frightening enough. Do you really want that number to be a hundred?

Um, and then a little bit too of once it started working, uh, realizing this was actually quite a, like deep and ripe area, whereas everyone still thought soc two was this tiny niche thing than only big company got. And so feeling like, oh no, this is actually much more. But it would be wonder. If everyone else thinks we're, you know, running down a dark alley for a while so we can kind of get ahead here.

Um, because we didn't want a bunch of copycats. And so there was honestly a little bit too of can we stay a little under the radar here? Um, and have, just have more time.

Todd: It's like we, we realize this secret and we're gonna just keep working on it before anyone else realizes. Okay. Um,

Christina: how long can we keep the secret? Yes.

Todd: you said that, you know, once it really started working, when, when did it feel like to you that it really was starting to work?

Christina: Probably like early 20, actually like late 2018 or early 2019. And some of it, I mean, to your point, you can see us in the way back machine. You know, we had this website that was basically like vanta.com, please go away, or here's an email. Um, and people would actually email us and they're at the point where we were starting to get, you know, two or three emails a week through that.

And you're just like, where? You know, what is this? But it was like all word of mouth. It

Todd: Word of mouth.

Christina: And this was an intro, so this was like somebody goes to vanta.com and you know, gets to the, like, email us at this, you know, contact address basically. Right. You're like, the hurdles here are are real. Um, and so there was this moment where we were like, oh, that should not be happening.

Todd: Got it. And so that's where you're like, wow, people are just finding us this, this is a good idea. Like this is a winning

Christina: yeah. Yeah.

Todd: so what did your team look like at that stage?

Christina: Yeah. So at that stage, um, I mean basically just like engineers and, and me and then it became a like, well what am I spending time on and how do you hire for it? Um, and so that was support actually first. Um, uh, and then cause that seemed easier to hire for them. Sales. Um, so there's like a support and a customer success, and then sales, um, and then, uh, some other roles.

But, but it sort of became a, like the very simple calendar analysis. Like what is taking up time and what feels like it's, it's kind of stable, ready enough for someone who actually knows how to, you know, do the function to.

Todd: And so to start hiring these folks, you know, I imagine that this is about, you know, when you raised money, or maybe slightly before this, um, talk about van's fundraising strategy. Like, was it, was it pretty easy for you to raise a seed round? And what, what proof points did you sort of need to have?

Christina: Yeah, the seed round was interesting. So we raised that coming out of Y Combinator in the spring of 2018. Um, it was, you know, probably quote unquote easy in that it was like you had the, the momentum of coming out of yc. Um, honestly, we had backgrounds like fancy undergrad, like PM at Dropbox.

Whatever you can have all those unfair advantages. Um, I think the thing that very much threw people for a loop was, again, our pitch was we're gonna go soc to all the startups. Uh, and at the time no startup got a sock too. And I remember one, you know, GP meeting in particular where, you know, just like, we're gonna sock to all the startups and here's my deck and I'm this compelling founder, and like, ha, pound the table and I'm done.

Um, and one of the partners literally turning to me and is like, sounds great, but this doesn't happen. Huh? You know, and you're like, oh, but it will, I promise. And like, you should make this bet. You know, smart investor who just surveyed your portfolio and found that none of them were getting a sock too. Um, right.

And so, you know, and very much got noses on people being like, you know, look, you seem strong. I'm still not sure why you're barking up this tree, but, you know, good luck. Um, and I think that is a, was a very reasonable read of the situation, given the information they had. Right. What we had, we felt. . Um, one, there was just gonna be more and more pressure on the software companies to prove their security felt like this One way ratchet more of that in the future, not less.

Um, and two, this insight of no startups would get us SOC two if it were easier, if it took them less time. Um, and so you're like, okay, the combo of more pressure from customers and taking down the time it takes to get one of these. It's gonna make more startups get soc twos. Um, so that was our thesis.

Some investors bought in, some didn't. Totally fair. Um, and then it just happened much faster than we thought it would, honestly.

Todd: When you get that kind of feedback from a VC where they're just like, this doesn't happen, this isn't going to work. Does that affect, you know, sort of your internal confidence level or were you already sold that? Like, no, this is gonna work.

Christina: No, a soul, but I think at that point I spent a year validating the idea, basically. Right? And so it's like, yeah, no, I've, I've critiqued that part. Like I'm good, like, you know, here, here's what I see and here's what I believe. And. You know, agree to disagree, kind of. Um, but I think because I'd spent so much time validating up front, it was like, oh, cool.

I look forward to proving you wrong.

Todd: Right, exactly. Okay. And then if I recall correctly, I think there was a pretty long span of time between when you raised your seed round and then later when you raised your series A. Um, is, is that because you were just sort of self, you know, you were making revenue and so you were just sort of self-funding the business?

Christina: Yes. Uh, we were basical. . So it was about two year that you No, three years. Um, it's basically three years. Uh, and basically zero to 10 billion in arr. Um, and uh, yeah, we were basically operating at cash flow break even. Um, and there were a couple parts of it. One was, but we were not very good at hiring, especially in retrospect.

but it was, it was sort of this initial realization of one, uh, I could spend time. Selling customers on Vanta and getting more revenue. I could spend time selling investors and the selling customers and getting more ARR was actually working quite well. And the more a r we had like the easier the investor conversations.

Um, so it's a bit of that, of realizing, you know, sure investors, you know, really like Series A that at a million dollars for revenue, they probably like Series A, they have $2 million for revenue, even more. Um, so some of that realization. Some of also being like, okay, well what is blocking our growth? And it never feeling like cash was what was blocking our growth.

It was like, oh, we, you know, aren't very good at hiring or, you know, not very good at setting up the great people we hired to do well or right. Like, definitely had our issues. Um, but they didn't really feel like the issues that money was gonna solve

Todd: and so when you made the decision to raise a series that you've got 10 million in ARR at that point, is that because you said, Hey, it is time to pour gas on the fire and if we had more capital, we could grow faster?

Christina: Kind of, so it's a little bit of that. It was a little bit of like the secret got out that this was in fact a very good business. Um, as part of it, you know, folks thought, you know, we were much smaller than we were. , um, which didn't feel like a great, you know, position in the market. To me, some of it was you can operate a cash flow break even.

But as you're growing your team and our team with about 50 people at this point, um, sort of the rough math the CFO gave me was, well, how many, you know, months of payroll do you have in the bank? And, uh, you know, the break even thing kind of works well until it doesn't. And so you're. If we, you know, missed sales targets for two months and went outta business, I'd feel really dumb.

Like we don't need to fly that close to the sun. Um, and then some of it too is, It was money, but it kind of, you know, again, we actually, when we were pitching candidates, you know, they'd be like, well, I'm not sure I wanna join a seed stage startup. And then we'd be like, no, no, no, we're actually, this is like series B stirred up.

Right? But it was just this whole back and forth that was like very confusing and annoying to everyone. Um, and so it just kind of felt like, okay, the, the principal stance here is, you know, outlived its usefulness.

Todd: That makes sense. And so when you raised that series, does this coincide uh, with the time where you sort of start to evolve the go to market and invest more in market and get a proper website, all those

Christina: Yes, exactly. Yes. Yeah. 

Todd: And so what did that look like? what were the changes that you wanted to make on the go-to-market side?

Christina: Yeah. So it was, marketing was the last kind of function and team. , that we started building pros and cons of doing that deeply. Um, but I think it was, you know, a website that really explained what, what we did, who we were, what we stood for, um, with a big piece of it, uh, you know, inbound and word of mouth is to this day, our, you know, best channel.

Your growth goals can surpass that, especially when you have the sales motion. And so, um, just starting to learn about who we should be selling to, who we should be targeting as an early moment where we thought revenue leaders would be an audience, right? Because they're the ones whose deals are getting blocked.

tri, it makes a lot of sense. In theory. Wasn't really something that worked in practice, but just being able to experiment like that, um, and not be like, oh, but you know, how much money have you spent, right? Uh, being like the learning here is, is just much more valuable.

Todd: So I wanna pivot Christina, we, we've heard now these amazing stories of kind of van's early days in, into more, you know, the things that you're thinking about now. Um, and so I know at, at your first user conference, Vanta Con in November, you described Vanta as a trust management platform, which I think is a new term for, for me, a new term for most people.

So what is trust management and how are you evolving as you take on creating a new.

Christina: Yeah, this is really fun. Cause I think it's honestly a, a. And I'm recentering on a lot of the, the kind of founding pieces of Vanta that we just talked through. Like, uh, you know, we're known for SOC two, but I think SOC two, again, it's, it's sort of this tool that is used to hopefully demonstrate the security you have and build your business.

Um, and SOC two is one tool to do that. Uh, the reason we kinda built the initial product around it is cause it seemed like the closest thing to an industry standard, or it seemed like the thing that a company would stir with. But it's not kind of special otherwise. Right. And so now that we, you know, feel very confident in our ability to get soc twos, we've gone from, you know, that first one to, to literally thousands.

Um, it's, it's really about, okay, what are the other ways a company is. It's kind of again, upleveling their security and then demonstrating that to grow their business. Um, I think there's a whole continuous piece here that's really interesting, right? We talked about SOC two as literally an 80 page pdf. Um, you know, that's one way to do it.

Uh, you asked an engineer, you know, how they think about security. It is probably not the PDF from nine months ago. Um, and so building things around like trust reports and security status pages. Actually I think it's a bunch. Really good incentives here, right? If you, if you have your like, security status page out in the wild.

Your internal security is probably gonna be a lot better. Um, and again, that just alignment of like business growth and actually securing your company is like really at the core of of Vanta.

Todd: And one thing that I think we're seeing is, given the current macroclimate security in a way seems to be recession proof, or at least like recession resistant with, you know, with security hiring and spending going up. Um, what do you attribute that to and, and how do you think it will evolve kind of over the coming months and years?

Christina: Yeah, we've seen this too amongst our, our customer within, and even some of the, the inbound demand. I think it's just a reflection of the, the most kind of world we live in today. Right? The joke of like, you know, software 10 years ago, it was like, oh, you built something new. Like, here's my credit card information, right?

Here's my address. Um, and now we're just much more default skeptical and sort of, um, again, I think to a fault almost. You're like, oh, well, you know, if I give you this information, you're gonna breach it all over the internet and this is gonna be awful. And, um, it just feels this kinda like one way ratchet where we're more and more concerned about the security of, of data for reasonable historical reasons.

And that's, you know, kind of independent of any economic cycle. 

Todd: And I know you started, you know, thinking about kind of Silicon Valley startups and we're gonna talk to all the startups. You know, these days you have now over 5,000 customer. I, I think a, a thing that founders often think about is like, if I start on one segment of customers, how do I expand to the next set?

How have you sort of thought about it over the years and, and who are all the customers that you're serving now?

Christina: Yeah, it is, uh, fascinating. So similarly, it's like you start with the startups cuz it's what, you know, they're, you know, the fix you can walk into their offices and, you know, prototype with them. Um, and I think in the early days, honestly sort of believe you're, you'll figure out how to get beyond them when the time has come.

Um, I think for us, some of it, you know, like everything, some of it's magic and a lot of it's hard work. and I guess also like figuring out, you know, what you can do from a product perspective and, and where to really rely on partners. So we've actually started building out a partner program and equipping like virtual CISOs and consultants with Vanta to go serve customers that we probably would not acquire or touch, you know, for a couple years.

Those tend to be brick and mortar businesses. That's starting to work now. It, it's kind of, you know, fascinating to watch cuz the conversation for the first couple years is, well, would we ever serve a law firm? Um, you know, and now we do, um, we do via these partners. So that's quite exciting. Um, I think it's also, you know, for, you know, breaking into enterprise, um, figuring out what the land and expand is, or like what are the ways in, um, you know, for us, acquisitions have been big.

So Vantage customer gets acquired into a bigger company and that ends up being this great way to, um, have this real depiction of, of, you know, here's what we do and here's why it's important and here's all these champions. And, you know, using that to break into much larger companies. And again, we would be able to by, you know, trying to go into the front.

Todd: you mentioned acquisitions. I, I think that Vanta actually just made its first acquisition of a company called Trust Page. Will you talk about that a little bit?

Christina: Yeah. Really we did. Um, it is a, Great, team, uh, and they were building, I mean, were they trust pages with these sort of real-time security status pages. So they would take questionnaire answers, policies, SOC two information, FAQs, and help companies, um, package that up and show that off.

Uh, you know, to get, to build trust and say, Hey, you know, here, here's all of our information. Uh, you can really dive into our security practice as a company and. You know, convince yourself we're, we're gonna do the right thing with your data. Um, really excited with the overlap. There's just like a ton of, honestly, vision and like mission overlap between the companies.

Um, and it's like an incredible team, uh, that, you know, is building in a great space. And so we're just like thrilled to have them at Vanta and, and, you know, integration, integrating that as a whole nother fun challenge for.

Todd: Amazing. So Christina, we'd love to wrap up just by asking you some, you know, personal questions. Out, uh, places where you learn people that you learn from. Um, so would love to know what, what people, or what mentors did you learn the most from in your career, and what did they teach you?

Christina: Um, yeah, there's a bunch of people come to mind here, but, but you know, for the sake, Of example. Um, I think I, well, I learned a ton from the folks at U S V, um, Brad Burnham in particular, uh, is a partner. There was, is an incredibly rigorous, uh, first principal's thinker. Um, and he was very good. Uh, making sure that, you know, investment hypotheses or company hypotheses just made sense truly and was very good at kind of cutting to the, to the root.

Um, a ton of focus on people and their incentives, uh, which I think very much filtered into Vanta, right? This idea of like, why are you prioritizing security because of the business incentive? And, you know, that's why, but I think a lot of that thinking came from Brad. more personally. He was also just very good at pushing me.

Um, and I remember him being, you know, uh, a bunch of kind of specific feedback and our advice around, um, you know, do you, do you want, Christina, do you often get feedback that your ideas are poor? Do you get feedback that, you know, you don't share your ideas enough, like worry less about if you're correct and, you know, just start saying things and see what happens.

Um, which was very pointed and, and very well, uh, very well placed as well.

Todd: And you, it sounds like you remember it very clearly, so that's, that means it was good advice. Um, any books or resources that you'd recommend for founders, you know, books, blogs, newsletters, places that you.

Christina: Yeah. Uh, so I'm trying to think. I read all the sales books. Uh, the one I actually do remember. Um, I think it's. The sales acceleration formula. I think actually what I, honestly, what I took out of that was sales is actually much more like industrial engineering. It's, it's more like engineering than actual software development.

I still think of software development as like a little bit of an art, right? Whereas, uh, go to market sales, particularly for like a high velocity SMB motion is just a process to be optimized and there's stages and there's conversion rates and like funnels and you kind of should think. That in spreadsheets and like, you know, write all those numbers down and then go optimize them all.

Um, and that frame took sales again from this like soft skill that I definitely didn't have to something that I felt like I could like, get my arms around and capture. Um, so very much remember that book. It's another user research book. I think it's literally called the User Research Manual, um, that just had a bunch of questions or, and like open-ended questions around talking to people about their problems in a way that, you know, doesn't feel constructed or unnatural or pokey, um, that I really enjoyed as well.

Todd: So do you think if like, uh, you know, an engineer who wants to be a founder or product manager who wants to be a founder, if they read these two books, it would make them much better at figuring out what customers want and how to sell it to 'em.

Christina: Oh gosh. I don't know. I mean they really work for me. They're also kind of like how, I think I probably just like them cuz it's how I think. Um, but, uh, maybe the, the broad bit is. Yeah, pick up, pick up a lot of these and then, and turn, like, also read a bunch of books I didn't particularly like and so, you know, if you can just like go through and find the ones that work for you.

Um, there are so many sales books out there, there probably is one for you. Uh, you just might need to, to try a bunch. Okay.

Todd: Fantastic. Well, Christina, thank you so much. This has been an amazing story of Van's history and everything that Vanta has to look forward to, so really appreciate having you on the podcast.

Christina: Thank you so much for the time. It's wonderful being here.