Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I haven’t had a sale recently, and the number of subscribers has increased a lot since the last one. It’s time to have one, especially before Black Friday since Black Friday is overrated. If you’re on a monthly subscription, this is your chance to upgrade to a yearly subscription at 50% off!
This week, I’m continuing my series on failure modes for certain companies. In the past, I’ve discussed companies like Crowdstrike, Snyk, Wiz, and Cloudflare. Since joining Headway, I’ve been more involved in our compliance work. As a result, I’ve been learning a lot about SOC2, HITRUST, and the various compliance tools that have recently come to market and how they are used. Specifically, I’ve spent time with Vanta and looked at other tools. To be honest, I was initially dismissive of Vanta and its true value when it first came out. However, after using it, I can see the value: Vanta brings automation to a part of security (compliance) that’s traditionally heavy on operations. It’s interesting to see how Vanta has managed to expand its platform.
As a disclaimer, I do use Vanta, and I’m a fan of the product. However, as always, all products and companies have risks.
What is Vanta?
Vanta started as a product that helped companies achieve SOC2 compliance more easily. The main advantages, in my opinion, are the automated evidence collection as well as the project management abilities, which I will describe more below. Since then, they have expanded to new frameworks, such as ISO, HIPAA, GDPR, etc. They also have expanded the platform to include other features that benefit from their evidence collection and/or are necessary for compliance. For example, they now have access requests, trust pages, and third-party risk management tools.
Why is Vanta useful?
For compliance frameworks, it has integrations with various common tools that make evidence collection much less time-consuming. It also displays the various controls and pieces of evidence you need to collect so that you can upload them whenever you want (rather than scrambling to get them before/during the audit), and you can assign the evidence-gathering tasks more easily to others (project management). Finally, Vanta’s control management is “continuous,” which means that it automatically updates and gathers information from the integrations, and it will also prompt the individuals responsible for each document when something is needed.
Another benefit is that it has partnerships with auditors who can log in and view the evidence. From the customer's perspective, this is great for two reasons. First, they don’t have to upload evidence to an auditor’s proprietary portal each time. Second, the operational cost to switch auditors is lower because the security/compliance team doesn’t feel like they have to re-upload evidence into another portal, which takes time. Of course, this isn’t great for the auditors, but Vanta is now so widespread that auditors have been forced to partner to stay competitive.
Finally, they have started to reduce compliance operational costs as they have now placed more compliance-focused tooling on their platform, such as access requests, trust pages, etc. As a result, teams have purchased more on the platform. In my opinion, most companies want to minimize what they spend on compliance, so having all the tools on one platform is a major benefit. It reduces both cost and operational effort, which is benefitting Vanta.
Democratization of compliance and the continued rise
Most of their initial customers were SaaS startups that didn’t have the resources to hire a dedicated security or compliance person. This allowed their engineers or even other employees to have a path to obtaining SOC2 compliance with little to no security knowledge. As many know, without SOC2 compliance, selling to enterprises is difficult. They have now spread and become commonplace on most compliance teams, which are looking to improve their operations.
As Vanta grows, it will likely add more compliance-related tooling to its platform and undercut competitors that sell point solutions. For example, they will likely add tooling that helps with privacy and consent management. They have started to add tooling around security questionnaire management, and they might add the ability to do RFPs and sales enablement. Vanta can do this for a lower cost than its competitors because it will require less acquisition cost, and they can bundle discounts. I can see it also becoming more self-serve, especially for startups that want to move fast.
They will continue to grab market share from point-based compliance solutions, and it will allow them to efficiently grow their revenue.
High costs to stay competitive and expand revenue
Unfortunately, while it’s easy for them to develop these products, as with all SaaS products, it’s also easy for competitors to enter this space. We are already seeing several, with the likes of Drata being a close competitor. This will lead to a product feature and price war. Although this is great for consumers, it’ll be a constant and expensive battle for them to stay ahead, both in GTM cost and in product development cost. They can continue to compete here, but fast growth will be difficult. We’ve seen something similar happen to OneTrust.
Another avenue they might consider taking to expand their market share and revenue is to go into services. Right now, they just partner with auditors, but offering services themselves would allow them to become a one-stop shop for compliance. Other auditors have tried this but failed because they lack the technical leadership. However, services are a low-margin business and might affect both their perception as a technology company and their standing as a partner with auditors. If they go this route, they will likely lose their partnerships, making their product less valuable.
Also, as cybersecurity talent becomes higher in demand, many cybersecurity executives want to increase their scope, so they might start reducing their reliance on products that improve their efficiency so that they can increase headcount under their organization.
The combination of these effects could leave Vanta in a holding pattern, stuck at 100-200M ARR, where the board and leadership will have to make a tough choice of whether to invest in more growth or try to achieve profitability. Either way, they would go through several leadership changes and remain a low-growth SaaS company. Other startups might start chipping away at their platform as new regulations come out or existing regulations change, using these regulatory changes as a wedge to take market share from Vanta’s platform.
Slowly, Vanta fades away. They either merge with another compliance platform similar to what’s happening in the third-party risk management space or split the company into products and services.
Takeaway
Vanta has built a great platform that helps security teams tackle compliance more efficiently. However, the products don’t have a lot of technological differentiation, so it’ll be easier for competitors to enter the market, which will increase the costs of obtaining more revenue. Vanta is a great company and product that I believe every company should use. However, they face the same competitive pressures as most SaaS companies, especially since they are in a space where cost reduction is key.
Interesting view! I’m a Drata user and it’s been interesting to see the different features all the platforms come out with and where they choose to focus. I just found out about Sprinto this week too, which I think is coming after both Drata and Vanta. Just found your Substack today and look forward to checking out past posts!