While most companies settle for security certificates that look good on paper, Oneleet just raised $33 million to actually make them secure. The Y Combinator-backed startup tackles what founder Bryan Onel calls 'compliance theatre' - where businesses pass audits but remain vulnerable to real attacks. With cyber threats escalating and AI changing the attack landscape, Oneleet's integrated approach is drawing serious investor attention.
Bryan Onel spent a decade breaking into companies that had just passed their security audits. As an ethical hacker performing penetration tests for over 150 businesses, he kept finding the same problem: organizations were getting certified on paper while remaining completely vulnerable to real attacks.
'The result is compliance theatre,' Onel told TechCrunch. 'You're certified on paper, but still vulnerable.' His clients kept asking if he could solve this disconnect, so in 2022, he teamed up with his wife Ora and college friend Erik Vogelzang to launch Oneleet.
The timing couldn't be better. On Thursday, Oneleet announced a $33 million Series A round led by Dawn Capital, with participation from Y Combinator, Dropbox co-founder Arash Ferdowsi, and former Snowflake and ServiceNow CEO Frank Slootman. The round validates a growing frustration in the enterprise market: traditional compliance platforms are basically evidence-collection tools that spit out certificates without actually securing anything.
Most existing platforms work like this: companies import data from various security products, pay a fee, and get a shiny certificate saying they're compliant. But Onel discovered these businesses were still getting breached because their security was fragmented, incomplete, and often just for show. 'Security often fell within two brackets: Painful but effective, or painless but ineffective,' he explained to TechCrunch.
Oneleet's approach is fundamentally different. Instead of just collecting evidence, the platform includes integrated penetration testing, code scanning, cloud data security, attack surface management, and security training. 'Because it's integrated from the ground up, we can deploy comprehensive security with the click of a button,' Onel said. 'That saves clients hundreds of hours and eliminates the blind spots that come from managing fragmented tools.'
The strategy is working. Oneleet has hit $3 million in annual recurring revenue and counts two-thirds of Y Combinator's portfolio companies as clients. That is a remarkable level of market penetration, and it caught Dawn Capital's attention during a San Francisco meeting that Onel described as having 'immediate chemistry.'
'They already had deep knowledge of the security and compliance space and immediately understood what we were building,' Onel said about the lead investor. The funding process was notably smooth in a market where enterprise security deals often drag on for months.
The timing reflects broader anxiety about AI-powered attacks. Onel warns that advanced threat actors are automating cybercrimes while AI tools lower the barrier for novice hackers to launch sophisticated attacks. Meanwhile, companies are being reckless with AI integration - what he calls 'vibe coding' tools - giving AI systems access to business-critical information without proper guardrails.
In compliance specifically, some organizations are using AI to generate fake documentation that makes them appear more secure than they actually are. It's compliance theatre taken to a digital extreme. Oneleet uses AI too, but differently - for threat modeling and security assessments in the background, with human teams verifying everything to prevent hallucinations.
The competitive landscape includes Vanta, Secureframe, and Sprinto, but Oneleet's integrated approach sets it apart. While competitors focus on evidence collection, Oneleet actually implements security controls alongside compliance documentation.
The fresh capital will fuel engineering team expansion, enhanced AI capabilities, and customer acquisition. With $34 million raised to date, Oneleet is positioned to capitalize on a market where the cost of getting hacked far exceeds the investment in real security.
'Good security should be invisible,' Onel concluded. 'Companies should spend less time worrying about security and more time building great products.' As AI reshapes both attack vectors and defense capabilities, that philosophy might be exactly what enterprises need - security that actually works instead of just looking good in audit reports.
Oneleet's $33 million Series A signals a market shift away from checkbox compliance toward integrated security that actually protects businesses. As AI amplifies both cyber threats and defense capabilities, companies need platforms that do more than generate certificates - they need systems that prevent breaches. With strong traction among Y Combinator companies and backing from experienced enterprise investors, Oneleet is positioned to lead this transformation. The real test will be whether they can scale their integrated approach while maintaining the effectiveness that sets them apart from traditional compliance vendors.