04/27/2026 | Press release | Distributed by Public on 04/27/2026 11:53
In the latest episode of Between Two Quarters, nvp capital's Principal Skylar Dorosin sat down with Stas Bojourkha, founder and CEO of Compyl, to dig into what it really takes to build a security and compliance platform that people actually want to use - and how five years of iteration turned a former CISO's frustration into a fast-growing enterprise GRC software company.
Stas is a technical founder with nearly two decades in information security. He holds a degree in information system security and a stack of certifications (CISSP, Certified Ethical Hacker, among others). More importantly, he's lived the pain Compyl was built to solve - from the inside.
Compyl exists because security and compliance teams have always been asked to do the impossible: make data-driven decisions about an organization's risk posture without actually having access to the data.
As a former CISO, Stas watched organizations sink time and money into legacy GRC platforms - Archer, OpenPages, MetricStream - that were so clunky that no one wanted to log in. Critical security work was being tracked in spreadsheets. Metrics were inconsistent month to month. And the people who needed to act on the data had no easy way to see it.
Compyl was the answer: pull all that data into one place, layer workflow management over the top, and meet people where they already are - instead of dragging them into yet another platform.
Founder takeaway: If the people feeling the pain are different from the people cutting the check, sell to the pain first. The technical win comes before the C-suite conversation.
Compyl didn't start as a startup. It started as something Stas kept rebuilding at every company he worked for.
Before Compyl was a company, it was a pattern. At every organization Stas worked in, he kept building the same thing - pulling disparate security data together, layering workflow and automation on top, and watching the organization's security maturity improve faster than he'd ever seen. By the time he'd done it a third time, the conclusion was obvious: this wasn't a one-off fix. It was a product.
So he left his job and built it.
The product launched as something closer to a consultancy engagement than a SaaS platform. The early version was feature-rich but not scalable, and the team wouldn't let customers touch it directly. Feedback from those early engagements accelerated the decision to rebuild from scratch with a professional engineering team - a move Stas now considers essential and wishes he'd made faster.
Founder takeaway: Your first version is a hypothesis. Ship it, learn from it, and don't let pride slow down the rebuild when the data tells you it's time.
In a space defined by complexity and talent shortages, the thing that clicked for early customers wasn't sophisticated AI or deep integrations. It was simply seeing everything laid out in one place - best practices surfaced automatically, repeating tasks handled without manual intervention - and realizing they didn't have to figure out "good" on their own anymore.
Security and compliance teams are often operating without a clear benchmark for what a mature program looks like. Compyl handed them one, and then automated the path to get there.
Founder takeaway: In technical markets where buyers don't know what "good" looks like, the product that shows them - and makes the path obvious - wins.
As the GRC market has gotten crowded, Stas has stayed clear-eyed about where Compyl is differentiated and why.
Most platforms focus on the compliance piece - checkbox frameworks, audit trails, policy documentation. Compyl is built around risk: understanding what's actually happening across an organization's environment, predicting where faults or failures might emerge, and helping security teams get ahead of problems rather than documenting them after the fact.
AI has accelerated this meaningfully. Risk assessments that used to take hours now run in seconds and, in Stas's view, are more accurate. Regulation changes can be anticipated rather than reacted to.
But critically, Compyl built all its integrations in-house. Customer data never leaves the tenant. The LLMs run inside the customer's environment. In a space where buyers are handling sensitive data and have exactly zero tolerance for breaches of trust, that architecture isn't a product decision - it's a sales decision.
Founder takeaway: In regulated, data-sensitive markets, how you handle data isn't a footnote in the security review. It's a core part of the value proposition. Design for it from day one.
Quantifying the return on security software has historically been a hard problem. Stas has found the answer is to make the value tangible and immediate rather than theoretical. (Nod to Nikhil Sethi, founder of Workgrounds, who shared a similar sentiment when he sat down with Skylar!)
Compyl connects to DocuSign or Adobe Sign and automatically builds a contracts register - counterparty, expiration date, obligations - without anyone manually parsing a single document. It surfaces Salesforce users who haven't logged in for a month and calculates the license cost savings available if they're disabled. It gives procurement, HR, and finance the same cross-functional visibility it gives security teams, which is why those departments are now adopting the platform without being asked.
The ROI story isn't "trust us, you're more secure." It's a line item on a spreadsheet that a CFO can understand in thirty seconds.
Founder takeaway: If your product makes buyers look smart and their jobs easier, it spreads. Make the win visible, and make it easy for someone to claim credit for it.
What makes Stas compelling isn't just Compyl - it's the credibility that comes from having lived the exact problem he's solving at multiple organizations, across multiple iterations, before anyone was writing him a check.
He's been the buyer. He's been the frustrated CISO staring at a spreadsheet that was out of date the moment it was sent. He knows what "good" looks like because he's spent twenty years building it, and he built Compyl to give that clarity to everyone else.
For founders selling into technical buyers in high-stakes verticals: the bar has moved. The product has to work, the data has to be safe, and the value has to be obvious before the conversation even gets to the C-suite.
Everything else is a nice-to-have.
Check out the full interview below - and don't forget to subscribe on YouTube and follow us on LinkedIn.
What is GRC software and who uses it? GRC stands for Governance, Risk, and Compliance. GRC software helps organizations - typically led by CISOs, GRC analysts, and risk managers - centralize security data, automate compliance workflows, and maintain visibility into organizational risk. Most enterprise security teams use some form of GRC tooling alongside their broader tech stack.
What makes a GRC platform worth buying? According to Stas Bojourkha of Compyl, the biggest differentiator is whether the platform actually reduces risk - not just documents compliance. Ease of adoption, native integrations, and the ability to show fast, tangible ROI (like surfacing unused software licenses or automating contract tracking) separate the products that stick from the ones that get abandoned.
What should technical founders know before selling into enterprise? Enterprise deals take longer, buyers are more sophisticated, and the margin for a buggy early experience is essentially zero - especially when sensitive data is involved. Stas's advice: be willing to offer a significant discount or an easy out on the first contract, hire your engineering team faster than feels comfortable, and sell to the person feeling the pain before you try to close the executive.
How is nvp capital involved with Compyl? nvp capital is an investor in Compyl. Between Two Quarters is nvp's short-form interview series, where we go deep with software buyers as well as founders on go-to-market, product evolution, and lessons learned building enterprise software companies.