While most companies settle for security certificates that look good on paper, Oneleet just raised $33 million to make those companies actually secure. The Y Combinator-backed startup tackles what founder Bryan Onel calls 'compliance theatre' - where businesses pass audits but remain vulnerable to real attacks. With cyberthreats escalating and AI changing the attack landscape, Oneleet's integrated approach is drawing serious investor attention.
Bryan Onel spent a decade breaking into companies that had just passed their security audits. As an ethical hacker performing penetration tests for over 150 businesses, he kept finding the same problem: organizations were getting certified on paper while remaining completely vulnerable to real attacks.
'The result is compliance theatre,' Onel told TechCrunch. 'You're certified on paper, but still vulnerable.' His clients kept asking if he could solve this disconnect, so in 2022, he teamed up with his wife Ora and college friend Erik Vogelzang to launch Oneleet.
The timing couldn't be better. On Thursday, Oneleet announced a $33 million Series A round led by Dawn Capital, with participation from Y Combinator, Dropbox co-founder Arash Ferdowsi, and former Snowflake and ServiceNow CEO Frank Slootman. The round validates a growing frustration in the enterprise market: traditional compliance platforms are basically evidence-collection tools that spit out certificates without actually securing anything.
Most existing platforms work like this: companies import data from various security products, pay a fee, and get a shiny certificate saying they're compliant. But Onel discovered these businesses were still getting breached because their security was fragmented, incomplete, and often just for show. 'Security often fell within two brackets: Painful but effective, or painless but ineffective,' he explained to TechCrunch.
Oneleet's approach is fundamentally different. Instead of just collecting evidence, the platform includes integrated penetration testing, code scanning, cloud data security, attack surface management, and security training. 'Because it's integrated from the ground up, we can deploy comprehensive security with the click of a button,' Onel said. 'That saves clients hundreds of hours and eliminates the blind spots that come from managing fragmented tools.'