The Path to RegScale Series B: Disrupting the Legacy GRC Market

September 17, 2025 | By Travis Howerton

It all started on the back of a napkin in San Francisco. RegScale’s co-founder (Anil Karmel) and I had just finished a long day leading a big digital transformation project in the national security space, where we were buried in manual compliance paperwork and multi-week audit and review cycles. It was exhausting work, felt very low value and distracting, and we both really needed a drink (or a bottle, if we’re being honest).

Being engineering-minded, we couldn’t help but start to envision a world where somebody would automate this tedious work so nobody else had to go through a day like this. We even sketched the early ideas of how RegScale might work on the back of a napkin, and then we put it on a shelf while we went back to our day jobs. Over the next decade, I had the opportunity to roll out and experience some of the best legacy GRC tools on the planet. However, they all suffered from the same manual problems we laid out on that napkin a decade ago. Eventually, the frustration built to the point where we just said, screw it, we will do it… and that is how RegScale began.

We didn’t want to just build another GRC tool. We considered GRC a four-letter word after our recent experience and wanted to reframe the problem. We wanted to build a real operational risk tool for the CISO, who could use it to focus on operational excellence in cybersecurity, maintain an always audit-ready position, and get compliance outcomes for free. Meanwhile, the market was saturated with low value-add tools that merely added prettier front ends to the same broken process. I’ve spent years working with engineering teams where one of my mantras is that “automating stupid is not an accomplishment.” We felt that the GRC market was full of automated stupidity, and we wanted to think differently about the problem.

In my opinion, risk and compliance is one of the last frontiers of unsolved computer science problems. Everything in modern development is fast: coding is fast with AI, deployment is fast with CI/CD, and hosting and scaling are fast with cloud. Well-engineered platforms can move exponentially faster than they could twenty-five years ago when I first started developing software. At the same time, compliance hasn’t materially changed at all. It’s the same manual process, using the same complex spreadsheets and the same expensive consultants, that it’s always been. The focus was on the wrong areas: GRC tools were building pretty UIs to support manual workflow processes, which was solving the wrong problem. Instead, we set out to build the most engineering-friendly GRC tool on the planet as a counterbalance to what everyone else was doing.

Building the GRC platform of the future 

So, what does that look like? First, we considered what the world would look like in the future. We wanted to follow the Wayne Gretzky approach, where you skate to where the puck is going, not where it’s been. We anticipated that almost all future software development would be cloud-native, meaning it would spin up and down in containers or serverless functions and be more ephemeral than it is today. In addition, we were observing what I call the “Cyber Oprah Effect.” If you watched Oprah, you would see episodes where everyone gets a new car, and they all go crazy. For CISOs, we get regulations instead, and we all go crazy in a negative way. Mandates for Zero Trust, Privacy, and Supply Chain security are all stacking new requirements on a fixed number of humans in a cost center in a way that is unsustainable even for the largest organizations on the planet. Moore’s Law is also still applicable, so things keep moving exponentially faster.

The question we asked ourselves was this: Which first-generation GRC vendor can hit a moving target, at twice the scope and 4-8x the speed the business will need in the future? The answer was obvious: none of them. They were already struggling a decade ago; they certainly won’t thrive in this future state environment. We saw an obvious market opportunity to build something better. That something better is RegScale.

What does the best engineer-focused GRC look like, and how do you thrive in this environment? We aligned on five differentiators that we thought were crucial to disrupting the market: 

Compliance as Code. Part of why compliance is manual is that we base it on static PDF documents, websites, and Excel files in SharePoint that contain our control libraries. What if they could be machine-readable in JSON, YAML, or XML to power automated workflows? We leverage open standards such as NIST OSCAL, SBOM, OCSF, and SARIF to provide end-to-end compliance as code workflows that support extreme automation. In RegScale, you can Git pull your controls the same way you do your code from GitHub and easily manage changes over time. 
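To make the compliance-as-code idea concrete, here is an added example (not RegScale code) that flattens a NIST OSCAL catalog in JSON into a control-id-to-title map and diffs two versions, the kind of check you would run after a Git pull of a machine-readable control library. The two catalog fragments are constructed sample data, not a real NIST catalog.

```python
import json

# Constructed minimal OSCAL catalog fragments (sample data, not a real NIST catalog).
# Groups hold controls; control enhancements are nested as child "controls".
CATALOG_V1 = json.dumps({"catalog": {"uuid": "00000000-0000-0000-0000-000000000001",
    "metadata": {"title": "Sample catalog", "version": "1.0"},
    "groups": [{"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management", "controls": [
            {"id": "ac-2.1", "title": "Automated System Account Management"}]}]}]}})
CATALOG_V2 = json.dumps({"catalog": {"uuid": "00000000-0000-0000-0000-000000000002",
    "metadata": {"title": "Sample catalog", "version": "1.1"},
    "groups": [{"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Access Control Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management", "controls": [
            {"id": "ac-2.1", "title": "Automated System Account Management"},
            {"id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management"}]}]},
      {"id": "au", "title": "Audit and Accountability", "controls": [
        {"id": "au-1", "title": "Policy and Procedures"}]}]}})

def flatten_controls(catalog_json):
    """Return {control_id: title} for every control in the catalog, including
    enhancements nested under a control and controls inside nested groups."""
    found = {}
    def walk(node):
        for ctl in node.get("controls", []):
            found[ctl["id"]] = ctl.get("title", "")
            walk(ctl)          # enhancements are nested "controls"
        for grp in node.get("groups", []):
            walk(grp)          # groups may nest further groups and controls
    walk(json.loads(catalog_json)["catalog"])
    return found

def diff_catalogs(old_json, new_json):
    """Report controls added, removed, or retitled between two catalog versions."""
    old, new = flatten_controls(old_json), flatten_controls(new_json)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "retitled": sorted(i for i in set(old) & set(new) if old[i] != new[i])}

if __name__ == "__main__":
    print(json.dumps(diff_catalogs(CATALOG_V1, CATALOG_V2), indent=2))
```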

Extreme Automation. We live in an API-first economy, and we wanted to build a machine-readable experience equivalent to the human UI experience. We have deployed 75+ integrations out of the box, published 2,000+ REST API endpoints, provided webhooks for event-driven workflows, and provided a GraphQL layer for building your own APIs in self-service fashion, similar to an Amazon shopping cart for your risk and compliance data. The result is a purpose-built architecture that works with your DevSecOps team to deliver self-updating paperwork.

AI-Native. Many risk and compliance activities rely on humans conducting manual checks. This doesn’t scale, can’t match the speed the business needs, and is expensive. We have trained a fleet of AI agents that automate tasks such as documentation, audits, risk assessments, and evidence mapping to reduce the manual labor burden on the business and drive real-world return on investment.

Office Automation. While we expect customers of our platform to leverage our Continuous Controls Monitoring (CCM) capabilities, audits are still based on point-in-time snapshots, and regulators still need their periodic reports. RegScale automates the creation of Word- and Excel-based reports as transforms over our Graph, enabling customers to be in an always audit-ready posture with no surprises.

Best-in-Class Security. With any cyber GRC tool, customers must trust the platform with their most sensitive data, such as asset inventories, misconfiguration data, findings, and vulnerabilities. RegScale has obtained FedRAMP High authorization, which is the gold standard for cloud security in the industry. In addition, we are deployed in national security environments such as the Department of Defense (DoD) and can even deploy on-premises and in air-gapped networks where needed.

In our view, this is what the most engineering-friendly platform in the world looks like: compliance as code, AI-native, extreme automation, Office automation, and best-in-class security working together to drive business value and acceleration in highly regulated industries.

Leading an industry, backed by the best

What started on the back of a napkin is now a Series B, market-leading business backed by some of the biggest investor names in the industry: Washington Harbour Partners, M12, Microsoft’s Venture Fund, Hitachi Ventures, Ankona Capital, SYN Ventures and SineWave Ventures.

From the first three employees who set out to build the cyber GRC platform of the future, to the 70+ person team we are today, RegScale is on a path to disrupt the legacy GRC business, the armies of consultants who support it, and the pain and frustration that come with creating mountains of paperwork nobody wants to write and nobody wants to read. Supporting our progress is a sales team that delivered over 300% growth last year and a customer base of dozens of large enterprises. 

Today, the best security companies in the world run RegScale. Watching everyone from a DoD customer who has seen a 200,000% process improvement in their time to achieve ATO, to a software factory that cut a month-long process down to minutes, to large tech companies that are achieving FedRAMP with 75% less time and effort, to large financial services customers looking to automate CRI with RegScale, it is tremendously satisfying as a founder to see the value we’re creating for customers and the industry.

I have tremendous gratitude for our customers, who bring us new ideas every day to push the art of the possible; our investors, who have provided us the resources we need to deliver our product roadmap; our employees, who give their all to make RegScale the market leader in our space; and our partners, who work arm in arm with us to install, deliver, and scale next-generation risk and compliance programs.

We are on a mission to end the tyranny of manual compliance paperwork and audits. We’re excited to unleash the next wave of innovation in this space in the coming years, and we invite everyone to join us in our journey. Whether you’re a customer, a potential employee, or a partner, we are going to bring DevSecOps best practices to risk and compliance and change the world for the better together.  
