Oneleet raised $33M by breaking into companies that had just passed their SOC 2
The $33M Bet Against Compliance Theater
Oneleet raised $33 million in a Series A on October 2, 2025, led by Dawn Capital with participation from Frank Slootman, former CEO of Snowflake and ServiceNow, Arash Ferdowsi, co-founder of Dropbox, Y Combinator, and several CISOs and startup founders. The round closed after the Amsterdam-based startup reached roughly $7 million in annual recurring revenue and profitability, according to reporting from TechCrunch and Startups Magazine. The company has raised $35 million in total funding to date.
The explicit pitch: replace what founder Bryan Onel calls "compliance theater" with genuine security. Onel, a penetration tester by background who spent a decade breaching Fortune 500 systems, said he kept encountering the same pattern. Companies would hold current SOC 2 and ISO 27001 certifications and still be trivially exploitable. "I kept breaking into companies that had just passed their SOC 2," he told TechCrunch. "That's when I realised the entire compliance industry was broken."
Oneleet's founding premise is that most compliance platforms function as evidence-collection tools. Users import data from disparate security products, pay a fee, and receive a certificate. The audit passes. The company remains vulnerable. Oneleet instead built an integrated platform that includes penetration testing, code scanning, cloud security posture management, attack surface monitoring, device management, and security training, all on a unified data model. The company claims its AI-plus-penetration-tester verification model detects 30% more assets than incumbent platforms and guarantees successful audits.
The YC connection matters for distribution. Oneleet participated in Y Combinator's Summer 2022 batch, and the company says two-thirds of new additions to the YC portfolio are now its customers. It reached that $7 million ARR before the Series A, largely through word-of-mouth and customer pull from competitors.
Dawn Capital partner Henry Mason said the firm's conviction rested on a specific technical shift. "Only recently has AI matured enough to automate the messy, human-heavy work of compliance and security," Mason said. "That shift delivers more than speed. It unlocks software-level gross margins and scalability in a market long dominated by services."
The $33 million will fund engineering hires, AI capability expansion, and go-to-market scaling. Oneleet's job board lists 15 open roles added in the past week, including fullstack engineers, endpoint security engineers, application security engineers, and security program managers, with base compensation ranging from $110,000 to $180,000. The company serves more than 750 customers.
Mexico's Digital-ID Mandate Creates a Compliance Tsunami
On July 18, 2025, Mexico signed into law a mandatory biometric digital-ID system that transforms the country's existing CURP identifier into a compulsory credential embedding fingerprints, iris scans, and facial photographs in a scannable QR code. Full rollout is expected by February 2026. Every Mexican citizen must enroll. Every private business (banks, hotels, hospitals, telecom carriers, employers) must accept the biometric CURP as valid identification and, in many cases, connect to the government's Unified Identity Platform (PUI) for real-time verification. Hogan Lovells' analysis of the reforms lists nine distinct obligations for companies, ranging from mandatory MX Llave authentication acceptance to delivering source code for public-sector contracts.
The compliance surface this creates is enormous. Mexico's updated Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), effective March 21, 2025, simultaneously expanded the definition of personal data, imposed stricter consent requirements, and formally recognized a right to object to automated AI decision-making. Companies processing data for hiring, credit scoring, or profiling must now document algorithmic logic and offer human intervention. The overlap means any firm operating in Mexico faces two converging mandates: integrate with the government's biometric infrastructure while independently demonstrating that every data-processing activity meets the tightened privacy framework.
Then there is the threat vector. Mexico recorded 31 million cyberattack attempts in 2024, a 78% increase year over year, according to figures cited in the compliancehub.wiki analysis. Kaspersky research linked the cybercriminal group RevengeHotels to AI-powered phishing attacks specifically targeting Mexico's hotel industry to steal guest financial data. And between December 2025 and January 2026, an unidentified solo operator used large language models to infiltrate multiple Mexican government agencies in what Cloud Security Alliance researchers called one of the most consequential AI-assisted public-sector breaches documented to date, by scope of data affected. The centralized biometric database that underpins the new CURP system concentrates that risk: fingerprints and iris patterns, unlike passwords, cannot be rotated after a breach.
This is the demand signal Oneleet is built to address. The company's platform automates the compliance workflows (evidence collection, control mapping, continuous monitoring) that Mexico's twin regulatory overhauls now require at scale. When a single legal change forces every bank, hospital, and telecom in a 130-million-person market to restructure how it handles identity data, the case for compliance automation stops being theoretical. It becomes a build-now-or-fail-later calculation.
The Talent War for AI-Compliance Engineers
The role sits at a crossroads that most recruiting pipelines aren't built to map: security engineering, regulatory frameworks, and the machine-learning systems that increasingly automate both. Zero G Talent's board lists 15 Oneleet roles added in the past week alone, spanning those same three areas. That hiring velocity is the labor-market signal of a category being born in real time.
The Global Skills Development Council tracks this emerging career ladder in three tiers. Entry-level roles (compliance analyst, risk analyst, AI auditor) require basic AI literacy, governance fundamentals, and regulatory-framework knowledge. Mid-level positions like AI compliance officer or audit manager demand deeper risk-evaluation skills, AI-model understanding, and legal fluency. Senior roles (head of AI governance, chief AI risk and compliance officer) call for multi-jurisdiction regulatory knowledge and board-level communication. The GSDC's breakdown makes clear this isn't a single job description; it's a career path that didn't exist three years ago.
The salary data confirms the scarcity. AI-related jobs pay roughly 28% more than comparable non-AI roles, according to analysis cited by the GSDC. Leadership roles overseeing compliance risk and governance command 30 to 40% over standard tech promotions. In the U.S. market specifically, mid-level AI security engineers command six-figure salaries, while lead and staff roles clear $298,000. These numbers are driven by a supply-demand gap where, by some estimates, roughly one qualified engineer exists for every ten generative-AI roles in certain markets.
Magnit's 2025 workforce data adds the macro layer. AI and automation role fills doubled year over year in the first quarter of 2025, even as total IT and tech fills contracted 2%. Automation roles specifically grew from 32% to 44% of all AI-automation fills, while data-engineering shares dropped. The message: organizations are hiring for execution and streamlining, not more research headcount. The U.S. and India both doubled their AI-automation workforces; Mexico, Canada, Belgium, Ireland, Australia, and the Philippines stayed flat or shrank.
Oneleet's own postings mirror this shift. The company is hiring application-security engineers and endpoint-security engineers, positions that require understanding both the compliance framework and the automated tooling that enforces it. The "security compliance automation engineer" archetype is what this convergence produces: someone who can write the control, build the system that checks the control, and explain the output to an auditor. That combination is rare, and the premium attached to it is only moving one direction.
For engineers evaluating the move, the crossover is the play. Security professionals who add AI-literacy and automation skills move into the upper salary bands. Software engineers who pick up regulatory knowledge (SOC 2, ISO 27001, the NIST AI Risk Management Framework) become the candidates companies like Oneleet are hiring 15 roles a week to find.
Why Dawn Capital Wrote the Check
Dawn Capital's portfolio reads like a blueprint for how enterprise infrastructure actually gets sold. The London firm led Flatpay's $47 million Series B and followed on when the Danish payments company hit a €1.5 billion valuation. It led Runware's $50 million Series A in December 2025, betting on AI inference infrastructure. Both investments share a DNA: companies that consolidate fragmented, manual workflows into automated platforms, then price them so the old way becomes irrational. Oneleet fits the same pattern, but in a sector where the manual workflow is a $33 billion audit-industrial complex.
The thesis is structural, not thematic. Dawn targets B2B software where a painful, repetitive process still runs on human labor and incremental tools, which the firm's own content hub describes as moving from "audit overload to AI-driven clarity." When that process also carries regulatory penalties for failure, the switching costs invert. Companies don't adopt automation because it's novel; they adopt it because the cost of staying manual is compounding.
Compliance automation sits at that inflection point in 2025. Momentum Cyber's year-end report recorded a 52% increase in cybersecurity venture capital deployment, led by AI-driven startups. But the funding split sharply: late-stage winners pulled in premium valuations while early-stage founders struggled for follow-on rounds. Dawn's $33 million bet on Oneleet landed in the winner-take-more tier, and the terms reflected it. Oneleet raised the round after hitting $7 million ARR and profitability. You don't get to raise a $33 million Series A at that stage unless the unit economics already work.
What made Dawn commit at this scale was Oneleet's margin structure. Legacy GRC tools pass the cost of the expensive human work (pentesting, evidence collection, audit preparation) through to the customer. Oneleet folds AI-augmented pentesting and continuous monitoring into a single platform, then guarantees the audit outcome. That collapses two budget lines into one and shifts the risk from the buyer to the vendor. For a VC firm that watched Flatpay scale to €100 million ARR by making payments simpler and cheaper for small merchants, the parallel is clear: when you make the compliant path the easiest path, adoption stops requiring a sales push.
The cybersecurity market itself forced the timing. AI-powered attacks accelerated in 2024 and 2025, and regulatory frameworks (SOC 2, ISO 27001, HIPAA) didn't slow down to let companies catch up. Point-in-time audits became liability markers, not assurance. Dawn's own market analysis pegged "the next generation of cybersecurity" as systems built for continuous verification, not periodic checks. Oneleet's architecture, built around a unified data model, proprietary integrations engine, and attack-surface monitoring, was built for that continuity from day one.
Zero G Talent's board currently lists 15 open roles at Oneleet (including a Fullstack Engineer at $120,000–$180,000 and an Endpoint Security Engineer at $110,000–$180,000), which signals where the fresh capital is flowing: product and security engineering, not sales headcount.
The bet, stripped down, is that compliance automation becomes infrastructure, not software. You don't evaluate your payment processor every quarter. You don't reassess your cloud provider after each deployment. Dawn is wagering that security compliance follows the same trajectory: embedded, continuous, invisible.
From Point-in-Time Audits to Continuous AI Assurance
The old compliance model is simple to describe and expensive to maintain: schedule an engagement, sample a fraction of transactions, document findings, issue a report, and repeat 12 to 18 months later. Between audits, nobody knows whether controls are working. That gap is where breaches happen.
Continuous monitoring inverts the model. Instead of testing 25 journal entries out of 50,000, the system evaluates every entry against defined criteria in real time. Control failures surface in hours, not quarters. A 2026 guide from Sirion.ai puts the ROI of continuous compliance monitoring at 285% or higher over periodic audits, driven by faster payback and reduced risk exposure.
The distinction matters technically. AuditBolt's breakdown separates three approaches that often get lumped together. Periodic auditing is the traditional engagement with a defined start and end date. Continuous monitoring is automated, ongoing assessment of control effectiveness, usually owned by management. Continuous auditing is internal audit's own ongoing assurance activity, using similar tools but operated independently. Most organizations end up with a hybrid: automated monitoring for high-volume, rule-based controls, and periodic audits for judgment-heavy work like process walkthroughs and first-time risk assessments.
The practical implementation follows a control-categorization framework. Controls fall into four buckets: periodic only (governance assessments, conversations with process owners), periodic with monitoring supplements (access reviews with automated alerts between audits), continuous monitoring with periodic validation (transaction controls spot-checked annually), and continuous monitoring only (backup execution, system availability). The goal is not to eliminate periodic auditing. It is to stop wasting auditor hours on work a script can do.
Where AI changes the equation is in the middle layers. Traditional continuous monitoring runs on binary rules: compliant or not compliant. AI-driven systems assign risk scores based on transaction patterns, user behavior, and historical incident data. They learn which anomalies matter and which are benign, cutting the alert fatigue that kills most monitoring programs. ISACA notes that AI-driven analytics tools can process billions of events in real time, flagging high file downloads, abnormal access times, and unauthorized configuration changes as they occur.
Oneleet's platform architecture targets this transition directly. The company builds AI-native security compliance infrastructure that replaces manual audit workflows with automated, continuous assurance. Its hiring reflects the shift: 15 roles added in the past 7 days on Zero G Talent's board, including fullstack engineers and application security engineers building the pipeline that connects source-system data to real-time compliance dashboards. The engineering work is less about generating audit reports and more about building the data infrastructure (clean automated feeds, tuned alerting thresholds, validated detection logic) that makes continuous assurance possible.
The hard part is not the model. It is the implementation. Organizations struggle with data access and quality, poorly calibrated alerts, and blurred ownership between management's monitoring and audit's assurance role. AuditBolt recommends starting with three to five obvious candidates (high-volume, stable, rule-based controls), proving the concept before scaling. Get the data feeds right first. Everything built on top of bad data is theater with a dashboard.
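As an added example (not Oneleet's or AuditBolt's code), the following Python sketch shows the control categorization and the evaluate-every-event model described above: each control is tagged with one of the four buckets, every event in a constructed feed is checked against its control's binary rule as it arrives, and a separate additive risk score ranks anomalies so that only events over a tuned threshold become alerts. The control ids, rule weights, business-hours window and event log are all constructed for the demonstration and are not any framework's wording.

```python
"""Toy continuous-control-monitoring engine.

Added example, not Oneleet's or AuditBolt's code. Every event is checked
against its control's binary rule as it arrives (no sampling), and a
separate additive risk score ranks anomalies so only events above a tuned
threshold become alerts. All ids, weights and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable


class Mode(Enum):
    """The four control buckets from the categorization framework."""
    PERIODIC_ONLY = "periodic only"
    PERIODIC_WITH_MONITORING = "periodic with monitoring supplements"
    CONTINUOUS_WITH_VALIDATION = "continuous monitoring with periodic validation"
    CONTINUOUS_ONLY = "continuous monitoring only"


@dataclass(frozen=True)
class Event:
    kind: str          # backup | config_change | file_download | access_review
    user: str
    ts: datetime
    attrs: dict


@dataclass(frozen=True)
class Control:
    control_id: str
    mode: Mode
    applies_to: str                  # event kind this control watches
    rule: Callable[[Event], bool]    # True means the event is compliant


# Constructed criteria (not any framework's wording)
def backup_succeeded(e: Event) -> bool:
    return e.attrs.get("status") == "success"


def change_has_ticket(e: Event) -> bool:
    return bool(e.attrs.get("ticket"))


def review_completed(e: Event) -> bool:
    return e.attrs.get("completed") is True


CONTROLS = [
    Control("BK-1", Mode.CONTINUOUS_ONLY, "backup", backup_succeeded),
    Control("CM-2", Mode.CONTINUOUS_WITH_VALIDATION, "config_change", change_has_ticket),
    Control("AR-3", Mode.PERIODIC_WITH_MONITORING, "access_review", review_completed),
]


def evaluate(events, controls=CONTROLS):
    """Binary monitoring: every event against every matching monitored control."""
    failures = []
    for e in events:
        for c in controls:
            if c.mode is Mode.PERIODIC_ONLY or c.applies_to != e.kind:
                continue                      # periodic-only controls are not scripted
            if not c.rule(e):
                failures.append((c.control_id, e.user, e.ts.isoformat()))
    return failures


BUSINESS_HOURS = range(8, 19)                 # constructed tuning value
INTERACTIVE = {"file_download", "config_change"}


def risk_score(e: Event, baseline_mb: float = 50.0) -> int:
    """Additive score; weights are constructed tuning values, not a real model."""
    score = 0
    if e.kind in INTERACTIVE and e.ts.hour not in BUSINESS_HOURS:
        score += 2                            # abnormal access time
    if e.kind == "file_download":
        mb = e.attrs.get("mb", 0)
        if mb > 10 * baseline_mb:
            score += 5                        # high file download
        elif mb > 3 * baseline_mb:
            score += 2
    if e.kind == "config_change" and not e.attrs.get("ticket"):
        score += 3                            # configuration change without a ticket
    return score


def alerts(events, threshold: int = 5):
    """Only anomalies over the tuned threshold reach a human."""
    return [(e.user, e.kind, risk_score(e)) for e in events if risk_score(e) >= threshold]


# Constructed event feed
EVENTS = [
    Event("backup", "system", datetime(2025, 10, 2, 2, 0), {"status": "success"}),
    Event("backup", "system", datetime(2025, 10, 3, 2, 0), {"status": "failed"}),
    Event("config_change", "alice", datetime(2025, 10, 3, 10, 15), {"ticket": "CHG-41"}),
    Event("config_change", "bob", datetime(2025, 10, 3, 23, 40), {"ticket": ""}),
    Event("file_download", "carol", datetime(2025, 10, 4, 14, 5), {"mb": 200}),
    Event("file_download", "dave", datetime(2025, 10, 5, 3, 30), {"mb": 800}),
    Event("access_review", "owner-q3", datetime(2025, 10, 6, 9, 0), {"completed": False}),
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print("control failure:", f)
    for a in alerts(EVENTS):
        print("alert:", a)
```

Run as-is, the feed produces three control failures (the failed backup, the untagged change, the incomplete access review) but only two alerts, because the 200 MB daytime download scores below the threshold; lowering `threshold` to 2 surfaces it, which is the alert-fatigue trade-off the tuning step is about.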
The Competitive Landscape: Oneleet vs. Legacy GRC
Oneleet's pitch to "end compliance theater" is aimed squarely at the category it's trying to disrupt. The incumbent GRC platforms fall into two camps, and neither is built for what founder Bryan Onel calls the gap between being certified on paper and being secure in practice.
The legacy enterprise stack (ServiceNow GRC, RSA Archer, IBM OpenPages, MetricStream, SAP GRC) dominates Fortune 500 procurement. These are highly customizable, deeply entrenched, and designed for organizations with dedicated GRC teams that run on annual audit cycles. They manage risk registers, policy libraries, and board reporting. They were not built to run a penetration test, scan your codebase, or surface a misconfigured S3 bucket in real time. When a startup with 40 engineers and no compliance lead needs a SOC 2 report in six months, these platforms are the wrong instrument.
Then there's the newer automation layer: Vanta, Drata, Sprinto, Secureframe, Thoropass. These tools digitized the evidence-collection workflow by connecting to AWS, GitHub, Okta, and HR systems to auto-generate audit artifacts. They cut the time-to-report from months to weeks. TechCrunch reported that Oneleet competes directly with Vanta, Secureframe, and Sprinto. G2 lists all of them as Oneleet alternatives. The Sprinto comparison piece ranks Sprinto, Drata, Vanta, Secureframe, and Thoropass as the top five alternatives, with base pricing from $7,500 to $15,000 per year.
But Onel's argument, and the structural distinction Oneleet claims, is that these platforms are evidence-collection tools. They prove you have controls. They don't test whether those controls work. A Vanta dashboard can show that MFA is enabled across your org. It can't tell you that an attacker would still get in through a misconfigured API gateway; that's what a penetration test does.
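The distinction above, as an added example in Python (not Vanta's, Oneleet's or any real gateway's code): an evidence check reads a policy flag, while an effectiveness check exercises every route of a constructed API gateway model with a session that never completed MFA and reports the routes that admit it. The route table, the policy dict and the authorizer logic are assumptions made for the example; the `amr` claim values follow RFC 8176.

```python
"""Evidence check vs control-effectiveness check.

Added example, not Vanta's, Oneleet's or any real gateway's code. The org
policy and route table are constructed; one route has no authorizer
attached, which is the kind of gap a policy flag cannot reveal.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    path: str
    authorizer: Optional[str]   # "jwt" enforces token + MFA; None means open


@dataclass(frozen=True)
class Request:
    path: str
    token: Optional[dict]       # decoded claims; None means unauthenticated


# Constructed evidence artifact: what an evidence-collection dashboard reads
ORG_POLICY = {"mfa_required": True}

# Constructed gateway configuration
GATEWAY_ROUTES = [
    Route("/v1/orders", "jwt"),
    Route("/v1/users", "jwt"),
    Route("/internal/export", None),   # authorizer never attached (constructed gap)
]


def evidence_check(policy: dict) -> bool:
    """Proves a control exists: is the org-level MFA flag set?"""
    return policy.get("mfa_required") is True


def gateway_admits(route: Route, req: Request) -> bool:
    """Constructed dispatch logic modeled on a JWT authorizer gating a route."""
    if route.authorizer is None:
        return True                              # no authorizer: everything passes
    if req.token is None:
        return False
    return "mfa" in req.token.get("amr", [])     # amr values per RFC 8176


def effectiveness_check(routes: List[Route], probe_token: Optional[dict]) -> List[str]:
    """Tests whether the control works: which routes admit a non-MFA session?"""
    return [r.path for r in routes if gateway_admits(r, Request(r.path, probe_token))]


if __name__ == "__main__":
    print("evidence: MFA policy set ->", evidence_check(ORG_POLICY))
    password_only = {"sub": "user-1", "amr": ["pwd"]}
    print("routes admitting a password-only session:",
          effectiveness_check(GATEWAY_ROUTES, password_only))
    print("routes admitting an unauthenticated request:",
          effectiveness_check(GATEWAY_ROUTES, None))
```

The evidence check passes, so a dashboard would show the control as green; the effectiveness check returns `/internal/export` for both a password-only session and an unauthenticated request, which is the finding a test of the control produces and the flag alone never would.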
Oneleet's differentiation is bundling the offensive security layer (manual pen testing, code scanning, attack surface management, cloud data security) with the compliance automation layer, then wrapping both in a dedicated vCISO. It's a service-wrapped platform, not a self-serve tool. That's the pitch. And at $9 million in annual recurring revenue with $35 million total raised, the market is buying it.
The trade-offs are real. Oneleet publishes no public pricing. Reviewers on G2 report that important features go undiscovered for weeks because they aren't documented or announced. The bundled service model means you can't opt out of the vCISO or pen testing to lower your bill. Teams running SOC 2 plus ISO 27001 plus HIPAA report that Oneleet handles each framework individually but lacks unified mapping and evidence reusability across them, adding rework as program complexity grows.
For engineers evaluating where to place their careers, the signal is this: Oneleet is hiring across security engineering, endpoint security, and application security, with 15 roles added in the past 7 days on Zero G Talent's board alone. The compliance-automation category is producing real demand for people who understand both the security and the regulatory sides. The legacy GRC platforms aren't going anywhere, but the growth is in the layer that connects evidence to actual security posture.
What This Means for Frontier-Tech Operators
The compliance-automation wave is producing a rare thing in tech hiring: a new job category that didn't exist three years ago, with more open roles than qualified people to fill them. Indeed lists roughly 67,965 AI compliance jobs open right now. Oneleet alone has 15 positions added in the past week, spanning security engineering, product design, and program management. If you're an engineer or operator weighing your next move, here's what the Oneleet signal actually means for you.
The roles that command the biggest premiums sit at the intersection of hands-on technical work and regulatory fluency. The career ladder is forming in real time. GSDC's framework maps three tiers:
| Tier | Roles | Salary Range (U.S.) |
|---|---|---|
| Entry-level | Compliance analyst, risk analyst, AI auditor | Six-figure (mid-level AI security engineers) |
| Mid-level | AI compliance officer, audit manager | $185,000–$248,000 |
| Senior | Head of AI governance, chief AI risk and compliance officer | $298,000+ |
What's notable is that the biggest salary jumps, 30 to 40 percent over standard tech promotions, hit at the leadership tier, where you're expected to operate across engineering, legal, and policy simultaneously.
For operators, the practical takeaway is specific. The people getting hired into these roles combine a technical foundation (security engineering, ML ops, or data infrastructure) with working knowledge of frameworks like NIST AI RMF, ISO 27001, or the EU AI Act. Oneleet's own hiring reflects this: the open roles include endpoint security engineering, application security, and security program management, positions that require both building and auditing systems. If you're a security engineer who's never touched compliance, or a compliance analyst who can't read infrastructure code, you're on the wrong side of the gap.
The certification market is a more mixed signal. Programs like GSDC's Generative AI in Risk and Compliance and ISO 0 risk manager tracks are becoming resume signals, though their actual weight with hiring managers varies. The more durable signal is applied work: running a model audit, drafting a governance policy your org actually adopted, building an automated control that replaced a manual review step.
Mexico's digital-ID mandate and the broader regulatory acceleration mean this hiring pressure isn't cyclical. It's structural. The companies building in this space now, Oneleet among them, are defining what the role looks like before it gets standardized. The job title "AI compliance engineer" is still malleable, the salary bands are still climbing, and the people who move now will write the playbook everyone else follows.