Oneleet has raised a $33 million Series A to rethink how companies achieve and maintain security compliance, betting that readiness for audits should come from actual, ongoing security rather than paperwork. The round was led by Dawn Capital, a B2B software investor that has backed the likes of Collibra and Mimecast.
Established in 2022 by Bryan Onel, Ora Onel and Erik Vogelzang, Oneleet blends compliance automation with a full-stack security program (penetration testing, code/dependency scanning, cloud security posture management, partner management and workplace training), then connects customers to independent auditors for formal certifications. The startup has $9 million in annual recurring revenue and has raised $35 million to date.
- Why compliance is broken and how risk persists today
- Inside Oneleet’s integrated stack for continuous compliance
- Funding details and traction from investors and customers
- A crowded field and the wedge Oneleet uses to compete
- AI’s double edge in compliance and the risks and benefits
- What to watch next as Oneleet scales security compliance
Why compliance is broken and how risk persists today
Security executives have long bemoaned “compliance theater”: passing audits without fundamentally reducing risk. Piecemeal tools, manual evidence collection and talent shortages create gaps that adversaries exploit. ISC2 pegs the global cybersecurity workforce gap at over 3 million people, leaving many teams stretched thin.
The stakes are rising. IBM’s 2024 Cost of a Data Breach Report places the global average breach at about $4.88 million, and regulators are cracking down. The SEC now requires prompt incident reporting for public companies, and the European Union’s NIS2 and DORA frameworks raise the stakes for operational resilience and third-party risk management.
Against this backdrop, attaining SOC 2 or ISO 27001 still typically consumes hundreds of engineering and governance, risk and compliance (GRC) hours and months of coordination. The friction is particularly painful for startups, which often need certifications to close enterprise deals but lack dedicated security teams.
Inside Oneleet’s integrated stack for continuous compliance
Oneleet’s pitch is that audit evidence should be the exhaust of good security operations. The platform connects to cloud providers, code repositories, identity systems and ticketing tools — think AWS, Azure or GCP; GitHub or GitLab; Okta or Jira — to check controls continuously and gather evidence without anyone taking manual screenshots.
In practice that might look like a misconfigured storage bucket caught by cloud posture checks, automatically tied to the SOC 2 control it maps to (expressed in the control’s own language), assigned as a Jira ticket, and verified by retest before the audit. Penetration testing and attack surface monitoring are built in, so auditors and buyers get a real-time view of exposure, while policy templates and security awareness training reduce the administrative overhead.
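To make the loop just described concrete (posture check, control mapping, ticket, retest), here is a small added example. It is not Oneleet’s code and uses none of its APIs: the control identifier, the ticket queue and the bucket inventory are constructed placeholders. Each evidence record carries a SHA-256 digest of its own content so a reviewer can distinguish a record emitted by a check from one edited or pasted in afterwards, which is the kind of property an auditor would want when AI-generated evidence is a concern.

```python
"""Illustrative continuous-control loop: check -> evidence -> ticket -> retest.
Added example, not Oneleet's implementation. Control id, ticket system and
sample buckets are all hypothetical/constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Placeholder control identifier (hypothetical; not a real SOC 2 criterion reference).
CONTROL_ID = "CTRL-PLACEHOLDER-NO-PUBLIC-STORAGE"


@dataclass(frozen=True)
class Bucket:
    """Minimal posture view of a storage bucket (constructed sample data)."""
    name: str
    provider: str
    public_read: bool
    encrypted_at_rest: bool


def check_bucket(bucket: Bucket) -> dict:
    """One posture check. Returns a finding (not just a bool) so the reasons
    can be carried into both the evidence record and the remediation ticket."""
    reasons = []
    if bucket.public_read:
        reasons.append("public read access enabled")
    if not bucket.encrypted_at_rest:
        reasons.append("encryption at rest disabled")
    return {"resource": f"{bucket.provider}:{bucket.name}",
            "control_id": CONTROL_ID, "passed": not reasons, "reasons": reasons}


@dataclass
class EvidenceRecord:
    control_id: str
    resource: str
    passed: bool
    reasons: List[str]
    observed_at: str   # ISO-8601 timestamp supplied by the caller
    digest: str = ""   # SHA-256 over the other fields, filled in by make_evidence


def _digest(payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def make_evidence(finding: dict, observed_at: str) -> EvidenceRecord:
    """Turn a check result into a tamper-evident evidence record."""
    record = EvidenceRecord(finding["control_id"], finding["resource"],
                            finding["passed"], list(finding["reasons"]), observed_at)
    body = asdict(record)
    body.pop("digest")
    record.digest = _digest(body)
    return record


def verify_evidence(record: EvidenceRecord) -> bool:
    """Recompute the digest; any edit to the record after collection fails this."""
    body = asdict(record)
    stored = body.pop("digest")
    return stored == _digest(body)


class TicketQueue:
    """Stand-in for an issue tracker (hypothetical; not a real Jira client)."""
    def __init__(self) -> None:
        self._next = 1
        self.tickets: Dict[str, dict] = {}

    def open(self, finding: dict) -> str:
        ticket_id = f"SEC-{self._next}"
        self._next += 1
        self.tickets[ticket_id] = {"finding": finding, "status": "open"}
        return ticket_id

    def close(self, ticket_id: str) -> None:
        self.tickets[ticket_id]["status"] = "closed"


def run_cycle(buckets: List[Bucket], tickets: TicketQueue,
              observed_at: str) -> Tuple[List[EvidenceRecord], Dict[str, str]]:
    """Check every bucket, emit evidence for each, open a ticket per failure.
    Returns (evidence records, {resource: ticket_id})."""
    evidence, opened = [], {}
    for bucket in buckets:
        finding = check_bucket(bucket)
        evidence.append(make_evidence(finding, observed_at))
        if not finding["passed"]:
            opened[finding["resource"]] = tickets.open(finding)
    return evidence, opened


def retest(bucket: Bucket, ticket_id: str, tickets: TicketQueue,
           observed_at: str) -> EvidenceRecord:
    """Re-run the check after remediation. A pass closes the ticket and yields a
    fresh evidence record; the original failing record is never edited."""
    finding = check_bucket(bucket)
    record = make_evidence(finding, observed_at)
    if finding["passed"]:
        tickets.close(ticket_id)
    return record


# Constructed sample inventory: one public bucket, one clean, one unencrypted.
SAMPLE_BUCKETS = [
    Bucket("customer-exports", "aws", public_read=True, encrypted_at_rest=True),
    Bucket("build-artifacts", "gcp", public_read=False, encrypted_at_rest=True),
    Bucket("legacy-backups", "azure", public_read=False, encrypted_at_rest=False),
]

if __name__ == "__main__":
    queue = TicketQueue()
    records, opened = run_cycle(SAMPLE_BUCKETS, queue, "2024-01-01T00:00:00Z")
    for r in records:
        print(r.resource, "PASS" if r.passed else "FAIL", r.reasons, r.digest[:12])
    fixed = Bucket("customer-exports", "aws", public_read=False, encrypted_at_rest=True)
    rt = retest(fixed, opened["aws:customer-exports"], queue, "2024-01-02T00:00:00Z")
    print("retest passed:", rt.passed, "ticket:", queue.tickets[opened["aws:customer-exports"]]["status"])
```

The design point is that the failing record stays in the evidence trail alongside the passing retest record, so an auditor sees the control failing, the ticket, and the verified fix, rather than a single green checkbox.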
Independence is a constraint here: the party preparing evidence cannot also be the auditor. Oneleet therefore works with accredited third-party assessors for SOC 2, ISO 27001, HIPAA and PCI DSS, handling readiness while leaving the certification itself as arm’s-length validation.
Funding details and traction from investors and customers
The round was led by Dawn Capital with participation from Y Combinator, Dropbox alum Arash Ferdowsi, and former Snowflake and ServiceNow CEO Frank Slootman. Two-thirds of YC’s portfolio companies now use its platform, according to Oneleet, a sign that venture-backed startups are beginning to prioritize verifiable controls earlier in their scaling journey.
The capital will be used to scale engineering, accelerate AI capabilities and expand go-to-market efforts in North America and Europe. Oneleet’s near-term objectives: compress time to audit, lower the cost of continuous monitoring, and turn more “check-the-box” programs into living defenses that track real risk.
A crowded field and the wedge Oneleet uses to compete
It’s a competitive space in compliance automation with players such as Vanta, Drata, Secureframe, and Sprinto defining the category. Oneleet’s wedge is to package operational security — pentesting, vulnerability and code scanning, attack surface discovery — so that customers aren’t cobbling together five tools and crossing their fingers that the evidence matches up at audit time.
If Oneleet can consistently demonstrate shorter time-to-certification and fewer audit findings, and make the resulting risk reduction visible, it stands to gain ground as enterprises keep pushing for the controls they run inside their own four walls to be applied across their supply chain.
AI’s double edge in compliance and the risks and benefits
AI is changing both offensive and defensive strategies. Threat landscape reports from ENISA and other security agencies have outlined how much more effective generative tools can make phishing, malware development and reconnaissance, effectively putting nation-state techniques within reach of lower-skilled actors. There is also a newer risk: fake, AI-generated evidence submitted during audits.
We use AI to threat model, map controls and write policy with human review to reduce hallucinations. That human-in-the-loop model matches NIST’s guidance through its AI Risk Management Framework, which recommends guardrails and accountability around automation of high-stakes decisions.
What to watch next as Oneleet scales security compliance
Buyers should look for hard metrics: time-to-SOC 2 or ISO 27001, auditor rework rates (which can be a strong indicator of reliability), mean time to remediate critical misconfigurations, and how evidence quality holds up under independent review. If Oneleet can keep those curves bending downward while ARR rises, it will have presented a compelling argument that good security might at last make compliance easier — and more honest.