What do they actually do
Probo is an open‑source compliance platform for startups and small teams. It offers a hosted product and a self‑hosted codebase that help companies prepare for and maintain audits like SOC 2, ISO 27001, HIPAA, and GDPR. The team publishes its code on GitHub and supports customers with documentation and community resources (homepage, docs, GitHub).
In practice, Probo guides companies through onboarding, maps their business to the right controls, provides tailored checklists and policies, connects integrations to collect evidence, coordinates the audit process, and supports ongoing maintenance after the initial report. The company emphasizes hands‑on help alongside templates and integrations, and lists coverage of “10+ frameworks,” “20+ countries,” and “100+ customers” (homepage, about, docs).
Who are their target customer(s)
- Early‑stage startups selling B2B or raising capital: They need SOC 2/ISO/HIPAA/GDPR evidence acceptable to auditors and enterprise buyers without a long, expensive process or an in‑house compliance team (about, YC).
- Small platform/ops engineering teams: They must wire up SSO, logging, backups and automate evidence collection while shipping product; time and headcount are tight and auditors expect automation (docs).
- Founders or ops leads coordinating audits: They carry the administrative load—chasing evidence, aligning teams, and translating technical work into auditor‑ready documentation—while trying to keep the business moving (homepage).
- Compliance/legal leads at regulated startups: They need tailored policies and continuous monitoring to avoid control drift and gaps after the initial audit, which is ongoing and costly work (about, SOC 2 cost blog).
- Teams that prefer open‑source/self‑hosting: They want transparent, auditable evidence and to avoid opaque vendor lock‑in, favoring tools they can self‑host and inspect (GitHub, open‑source blog).
How would they acquire their first 10, 50, and 100 customers
- First 10: Run high‑touch, managed pilots with founders’ and YC/accelerator networks plus active GitHub users; Probo handles audit coordination end‑to‑end in exchange for detailed case studies and testimonials (YC, GitHub).
- First 50: Grow inbound via open‑source/community, targeted how‑to content and webinars; add 1–2 boutique auditor partnerships with modest referral incentives to convert pilots into paying customers and secure public case studies (open‑source blog, docs).
- First 100: Productize a self‑serve onboarding flow, ship turnkey integrations for evidence collection, and scale SEO/content (e.g., SOC 2 cost guides) plus light paid search; complement with VC/accelerator channels, auditor marketplaces, and a small CS team (docs, SOC 2 cost blog).
What is the rough total addressable market
Top-down context:
Published GRC/eGRC market estimates range from roughly $18B (software+services in some definitions) to $50B+ depending on scope and methodology (MarketsandMarkets, Grand View Research).
Bottom-up calculation:
If 1% of ~400M SMEs pursue formal attestations and spend ~$15k annually on platform + audits/assist, the TAM is ~$60B; even a conservative 0.5% at $5k implies ~$10B (UN MSME report, LowerPlane, Secureframe).
Assumptions:
- Adoption rate among SMEs pursuing third‑party attestations (0.5%–2%).
- Annualized per‑company spend bands for platform + audits ($5k–$30k).
- Focus on startups/SMBs that need auditor‑acceptable reports; excludes many consumer‑only SMEs.
Who are some of their notable competitors
- Vanta: Closed‑source, turnkey compliance automation and Trust Center for startups through enterprise; strong integrations and continuous checks aimed at fast audit prep.
- Drata: Compliance platform emphasizing deep integrations, continuous monitoring, and automated framework mapping for SOC 2/ISO/HIPAA/GDPR.
- Secureframe: End‑to‑end compliance automation with built‑in audit support and managed experts for small and mid‑market customers.
- OneTrust (Tugboat Logic): Tugboat Logic’s certification automation folded into OneTrust’s broader enterprise GRC/privacy suite; suited to customers seeking vendor consolidation.
- Hyperproof: Compliance operations/GRC system of record for controls and evidence, optimized for multi‑framework programs in mid‑market and enterprise teams.