Rippling

Drata

Rippling

Rippling uses modular pricing — companies buy the modules they need and pay per employee per month. The core platform (employee directory) is the foundation, with add-on modules for payroll ($8/month per employee), benefits, time and attendance, learning management, IT device management, app management, corporate cards, and expense management.

This modular approach means Rippling can land with one module and expand to many. A company might start with just payroll, then add device management when they realize it's available, then corporate cards.

Average revenue per customer grows as companies add modules.

The compound effect is the strategy. Each individual module might not be the best standalone product, but the integration between modules creates value that no combination of point solutions can match.

When your payroll system, IT system, and expense system all share the same employee database, automation becomes trivial.

Drata

Drata charges annual subscriptions based on the number of compliance frameworks supported and the size of the organization. Pricing starts around $12,000-$15,000 per year for startups doing a single SOC 2 audit and scales into six figures for large enterprises managing multiple frameworks (SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, etc.).

The value proposition is clear: companies spend $50,000-$150,000 on consultants and hundreds of engineer-hours on manual compliance annually. Drata replaces most of that with software that costs less and runs continuously.

The ROI calculation sells itself.

The platform integrates with 100+ tools (AWS, Azure, GCP, Okta, GitHub, Jira, Slack, HR systems) to automatically collect compliance evidence. This means customers don't need to change their existing workflows — Drata observes what they're already doing and maps it to compliance requirements.

Rippling

Parker Conrad's origin story at Rippling is inseparable from his spectacular flameout at Zenefits. Conrad co-founded Zenefits in 2013 as an HR platform for small businesses and grew it to a $4.5 billion valuation in two years.

Then it imploded. Regulators discovered Zenefits employees had used software to cheat on insurance licensing exams.

Conrad was forced to resign as CEO in February 2016. The company he'd built was toxic, and his reputation was in ruins.

Most founders would have retreated. Conrad started Rippling in August 2016 — six months after being pushed out of Zenefits.

His co-founder Prasanna Sankar was a former Zenefits engineer. The insight behind Rippling came directly from the Zenefits experience: companies use dozens of disconnected systems for HR, IT, payroll, and finance.

When you hire someone, you set them up in the HR system, the payroll system, the benefits system, the laptop provisioning system, the software access system — all separately. When they leave, you have to remove them from each one individually.

It's a mess.

Rippling's premise was radical: build one unified platform with the employee record at the center. When you hire someone in Rippling, it automatically sets up their payroll, enrolls them in benefits, ships them a laptop, provisions their software accounts, issues a corporate card, and adds them to the right Slack channels.

One action triggers everything. When they leave, one click revokes it all.

Drata

Adam Markowitz had a front-row seat to compliance hell. As the founder of a previous health tech startup, he spent months manually collecting evidence for SOC 2 and HIPAA audits — taking screenshots of security settings, documenting access controls, filling out questionnaires.

The process was entirely manual, mindlessly repetitive, and had to be redone every year.

His brother Troy Markowitz and friend Daniel Marashlian had similar experiences. Every startup that wanted to sell to enterprises needed SOC 2 compliance (a security framework), and achieving it typically meant hiring consultants at $50,000-$100,000, assigning engineers to collect evidence for weeks, and praying that nothing changed between when you collected the screenshot and when the auditor reviewed it.

They founded Drata in January 2020 with a simple insight: most compliance evidence is just proof that security controls are configured correctly. And since those controls exist in software systems (AWS, Google Workspace, GitHub, Jira), you can check them automatically via API.

Instead of a human taking a screenshot to prove multi-factor authentication is enabled, Drata connects to the identity provider and verifies it continuously. The compliance audit becomes a live dashboard instead of a binder full of screenshots.

Rippling

Rippling's growth strategy is "compound startup" — building many products simultaneously instead of one at a time. Most SaaS companies pick a niche and dominate it before expanding.

Rippling launches new product modules aggressively, banking on the thesis that integration is the killer feature.

The land-and-expand motion works because every module sells every other module. An HR team that uses Rippling for payroll sees that IT device management is available.

The IT team that uses device management discovers corporate cards. Each module is a door to the entire platform.

Mid-market focus (50-2,000 employees) hits the sweet spot — these companies are big enough to need multiple systems but small enough that a single platform is appealing. Enterprise companies have entrenched vendors.

Tiny startups don't need the full suite. The mid-market wants consolidation and Rippling delivers it.

Drata

Drata grew through the startup ecosystem. Every SaaS company selling to enterprises eventually needs SOC 2 compliance, which means every startup is a potential customer.

Drata became the default recommendation in founder communities — YC companies told other YC companies, one startup's security team recommended Drata to their friends at other startups.

The sales cycle is short because the pain is immediate. A startup loses a deal because a prospect requires SOC 2?

That startup signs up for Drata the next day. The motivation is revenue — compliance is a gate to enterprise sales, not an abstract security exercise.

Partnership with audit firms was strategic. Drata works directly with audit firms who can use the platform to conduct more efficient audits.

This creates a two-sided network: companies use Drata to prepare for audits, auditors use Drata to conduct them faster. Everyone wins.

Rippling

Building many products simultaneously means none of them is best-in-class individually. Gusto has better payroll for small businesses.

Jamf has better device management. Brex has better corporate cards.

Rippling's bet is that "good enough across ten categories" beats "best in one." That bet is unproven at scale.

The Parker Conrad factor cuts both ways. His Zenefits implosion is public knowledge, and some investors and customers remain wary.

Conrad has been open about the experience but the baggage is real. On the flip side, the "I failed and came back stronger" narrative resonates with many founders.

International expansion is complex. Rippling's Global product offers employer-of-record services in 100+ countries, but managing local labor laws, tax regulations, and benefits across dozens of jurisdictions is extraordinarily complicated.

Deel and Remote.com are dedicated international employment platforms that may execute better in global markets.

Drata

The compliance automation market is getting crowded fast. Vanta (Drata's most direct competitor) raised similar amounts of funding and targets the same customers.

Secureframe, Sprinto, and other startups are also in the space. Differentiation is increasingly difficult when every platform connects to the same integrations and automates the same frameworks.

Expansion beyond startups is the growth challenge. Drata's core market is startups and mid-market companies doing their first SOC 2 audit.

Enterprise organizations have existing GRC (governance, risk, and compliance) platforms from vendors like ServiceNow, RSA, and OneTrust. Moving upmarket means competing against entrenched vendors with deep relationships.

AI could disrupt the category. If AI assistants can automatically fill out security questionnaires, generate policies, and collect compliance evidence without a dedicated platform, the need for specialized compliance software could diminish.

Drata is adding AI features to stay ahead, but the risk is real.

Rippling

Rippling Unity — the core employee data platform that connects all modules through a unified employee graph. Every system shares the same data, eliminating manual syncing.

Rippling Payroll — full-service payroll processing for US and international employees with automated tax filing. Rippling IT — device management (ship, configure, secure, and wipe laptops), software provisioning (manage employee access to hundreds of SaaS apps), and identity management.

Rippling Spend — corporate cards and expense management with policy enforcement built into the card itself. Rippling Global — international payroll and employer-of-record services covering 100+ countries.

Drata

Drata Compliance Automation — the core platform that continuously monitors security controls across 100+ integrations and maps evidence to compliance frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and PCI DSS. Drata Trust Center — a public-facing page that companies can share with prospects to show their compliance status and security posture, replacing back-and-forth security questionnaire exchanges.

Drata Risk Management — tools for identifying, assessing, and tracking security risks with automated workflows for remediation. Drata Vendor Risk Management — automated assessment and monitoring of third-party vendor security posture.

Drata AI Compliance Assistant — uses AI to help answer security questionnaires and generate policy documents automatically.

Rippling

Founders Fund led the Series A — Peter Thiel betting on Conrad's comeback. Kleiner Perkins and Bedrock invested in growth rounds.

Greenoaks Capital, Coatue Management, and Y Combinator participated. The 2024 round valued Rippling at $13.5 billion, led by Coatue.

Notable for being founded by someone investors initially wouldn't touch after the Zenefits scandal.

Drata

ICONIQ Growth led the Series C at a $3 billion valuation. GGV Capital led the Series B.

Cowboy Ventures was an early investor. Alkeon Capital, Salesforce Ventures, and Greylock Partners participated in growth rounds.

The company has raised $328 million total across multiple rounds.