CEO Pukar Hamal’s startup SecurityPal handles a niche operational headache for many of tech’s leading players. His secret sauce: AI and a growing hub of analysts in Kathmandu’s ‘Silicon Peaks.’
By Alex Konrad, Forbes Staff
When high-flying tech companies like Airtable, Figma and OpenAI are close to signing on a new customer, they go through the same important, but tedious dance: before any money changes hands, they must answer the corporation or agency’s questions to ensure they remain in compliance with regulations and data privacy laws.
What that looks like is decidedly low-tech: a security questionnaire whose asks often run into the hundreds. What data do you collect and where do you keep it? Would you use it for AI models? Does your data center have barbed wire? What about background checks for your staff? It’s a necessary nuisance, but without it, too risky for the big-business buyer to follow through.
At OpenAI, which has signed on customers like Morgan Stanley and NASA, two or three people often toil on these forms at any given time. At AI writing assistant Grammarly, a sales engineer used to wade through 10 or 12 such packets a month. “No one likes to do these things,” chief customer officer David Hwang told Forbes.
To handle this paperwork headache, those blue-chip companies, as well as public ones like monday.com, MongoDB and Snap, have found their painkiller in an unlikely place: Nepal. There, in a gated office off a small street in central Kathmandu, about 180 employees of startup SecurityPal use a combination of software and an advantageous time zone to turn around such questionnaires quicker and more cheaply, with what founder and CEO Pukar Hamal argued is the right blend of AI assistance and human expertise.
“If you create risk for companies today, you’re going to lose the deal,” Hamal said. “And so long as humans are running businesses, there’s going to be humans in ours.”
After a company signs up for SecurityPal, its analysts spend 4 to 6 weeks building up a ‘Knowledge Library’ that details every answer they might need for a security questionnaire or audit. Then, when the question packets come in, SecurityPal’s analysts work with its software to turn them around fast — often within 24 hours. An AI copilot makes it easy for the customer’s employees to check up on a certain answer. And, using anonymized learnings from its user base, SecurityPal’s analysts can also surface best practices that the client might want to adopt for the future (like how frequently a company should be testing its procedures for responding to a cyber attack).
In four-plus years, SecurityPal has answered two million such questions so far. Companies pay in the hundreds of thousands, with a couple million-dollar contracts sprinkled in, meaning SecurityPal’s revenue has grown 3x in the last two years to an estimated $10 million-plus. The startup reached a $105 million valuation after raising $21 million in a Series A led by Craft Ventures, the firm founded by Trump administration crypto and AI czar David Sacks, in 2022, with participation by a16z and Kearny Jackson.
Compared to its clients, SecurityPal’s own use of artificial intelligence isn’t glamorous; its services are admittedly niche. But, like go-to-market startup unicorn Clay, it’s turned such focus on the ho-hum into a strength, gaining quick market share among AI’s best and brightest by making it easier for them to sell their own software in turn.
The fact that SecurityPal is doing most of this from Nepal makes Hamal even more of an emerging tech leader to watch. Using cheaper offshore staff is far from a new idea in IT; even within the burgeoning AI sector, companies like Scale AI have grown fast on the backs of armies of contracted click-workers.
But Hamal, a Nepali-born U.S. citizen who splits his time between SecurityPal’s Kathmandu and San Francisco offices, is looking to build SecurityPal differently: not as an outsourcing arbitrage, but as the center of a new startup hub in Kathmandu that he’s dubbed ‘Silicon Peaks’. And he’s hiring full-time employees, paying them above-market salaries and hosting training programs to make it happen.
“It’s hard to motivate a bunch of people to answer questionnaires all the time unless there’s a bigger reason why you’re doing it,” Hamal said. “If I retired, this is still the thing I would want to be doing, bringing Silicon Valley to Kathmandu.”
SecurityPal got its start in 2020 amid the pandemic’s global lockdowns, as a bootstrapped project. Born in Kathmandu, Hamal had spent part of his childhood in rural western Nepal before emigrating to the U.S. with his politician father and teacher mother, who sought political asylum in 1999 during a period of violence and civil war in Nepal. The family moved to the New York City borough of Queens, where his mom found work as a nanny, and his father worked in restaurants until he could earn a new law degree and find more stable work selling health insurance.
Hamal was an ultra-gifted student, spending time during high school at Columbia University, then studying international relations at Stanford University, where he first rubbed shoulders with tech’s elite while working at the non-profit foundation of billionaires Marc Andreessen and Laura Arrillaga-Andreessen. After two years working in sales operations at a startup, Hamal became cofounder of another one, Teamable, in 2016. The talent acquisition startup raised more than $5 million but ultimately tried to grow too fast and was acquired on the cheap in 2020.
As Hamal was deciding what to do next, a “painful lesson” from Teamable stuck with him: it was late at night, and he was close to scoring a major new customer. At the eleventh hour, the expectant buyer sent over a 200-page security review questionnaire. The ensuing all-nighter didn’t go well. “We totally flubbed it,” Hamal remembered. “And it killed the deal.”
In March 2020, Hamal decided to try to help other startups facing similar challenges. SecurityPal was more hustle than technology at first. After signing up Airtable as his first major customer, Hamal worked all-nighters alongside several U.S.-based contractors to reduce a three- or four-week turnaround process to just one week. Figma signed up not long after. One year in, Hamal had reached annual recurring revenue of $1 million without outside funding and committed to scaling up.
“Our pitch would be, when you get a questionnaire, don’t even open it. Forward it to us, and go to bed, and it will show up completed in your inbox the next day. It will feel like magic,” Hamal said.
By late 2020, Hamal knew he needed to shift his business away from a dependence on contractors, whose expertise is harder to manage, and who are more likely to jump from job to job. Luckily, he had a unique advantage: his roots in Nepal, where he had just connected with a veteran startup leader and people manager, Laxman Basnet. After receiving his education and working in tech in Germany, Basnet had returned to Nepal in 2015 at the request of Rocket Internet to work on a local ecommerce startup that the group later sold to Alibaba.
With Basnet on board as vice president of delivery and as general manager for a Nepal office, SecurityPal could tap into a pool of English-speaking, technically trained young workers who historically left Nepal for better opportunities in India, Europe or the U.S. — and who were cheaper than their alternatives in those places. But Hamal aspired to have more impact than that: he wanted to “help this community win,” he said. “When an American company establishes an office in Europe, or Australia, we don’t call that ‘outsourcing.’”
In February 2023, SecurityPal unveiled a security operations center in Kathmandu in a ceremony that featured the U.S. ambassador to Nepal. Today, the 30,000-square-foot office employs 180 full-time staff, compared to 25 in SecurityPal’s San Francisco office. Called “team members” like their U.S. colleagues (the San Francisco office includes sales, senior engineering, marketing and product), Nepal staff receive health and accident insurance, as well as a vacation budget, Basnet said.
Most are early-career analysts for whom a couple of years at SecurityPal is a springboard. But the company has also hired data scientists and software engineers. Analyst salaries can range from $18,000 to $40,000, depending on seniority, about 150% the average local market rate, the company said; more senior roles might take in $60,000 to $70,000 — enough to live quite comfortably locally, Basnet added. “For us to be ambitious, we need amazing talent, and we need to pay them respectably. We are not doing charity,” he said.
John B. Park, a former longtime product leader at Google and Capital Group who retired to Nepal 18 months ago, said that SecurityPal’s reputation as a good employer rings true. The cofounder of Product Vidhyalaya, a four-week training program for product managers in Nepal, Park has brought all three of its cohorts to date to tour the SecurityPal office and hear from Basnet or Hamal (now personal friends) as a capstone.
“The IT industry here is like any other burgeoning IT industry: there are some companies that don’t pay very well. There are some that churn through employees, knowing they’re not going to stay,” Park said. “SecurityPal is not that type of company. They’ve taken a long-term approach to things.”
SecurityPal is willing, however, to part ways with employees who can’t keep up with its Silicon Valley standards for productivity, Park noted. Such departures typically happen within the intensive training of its first six months, according to Basnet; the company said it maintains a net promoter score with employees of 76, well above what employment experts consider “excellent.”
When OpenAI’s chatbot ChatGPT was publicly released in November 2022, Hamal had a moment of panic: “does this eliminate our business?” Quickly, he found a way for SecurityPal to embed generative AI tools within its software instead. SecurityPal’s version would combine automation and AI with its human analysts, functioning as supervisors, to speed up its process without losing accuracy.
A hybrid approach has tripped up other startups in the past: In 2020, Atrium, a high-profile legal software and law startup launched by Twitch cofounder Justin Kan that had raised more than $75 million, fully shut down after layoffs. Other software businesses, from writing assistance to accounting and financial services, have felt pressure from OpenAI and other models that can replicate much of their work with the push of a few buttons.
In SecurityPal’s domain, a number of other startups now offer their own questionnaire automation tools, from more end-to-end compliance software providers like Vanta to point-solutions like Conveyor, which raised $12.5 million in 2023. At Grammarly, Hwang said that his team had investigated AI-only solutions before committing to SecurityPal but found them unreliable so far. “There is still a lot of effort required to go to validate those answers and correct them,” he said.
Craft Ventures’ Bil Harmer, a former security executive at SecureAuth, Zscaler and SuccessFactors, argued that large businesses that don’t want to take on any additional risk from AI hallucinations would prefer SecurityPal’s combination of AI tooling and human expertise. “When I first saw it, I thought, where have you been all my life?” he said.
Hamal, SecurityPal’s CEO, noted that cutting-edge AI startups in addition to OpenAI, like Cursor and Langchain, all work with SecurityPal instead of trying to automate the niche process themselves. “LLMs have made a little bit of progress here, but the reality is that you still need good, sound human judgment to review it,” he said. “I don’t want to say AI will never solve it, because there will be breakthroughs. But the journey of delivering assurance, of receiving it, is so high stakes.”
SecurityPal is now taking advantage of AI to filter up more proactive insights and recommendations for customers, utilizing its body of experience to flag best practices, or potential areas of concern before they pop up in a questionnaire. But humans will still play key roles. In addition to hiring 25 or 30 more people in Kathmandu this year, Basnet said he’s planning satellite security centers in Cambodia, the Philippines and Vietnam.
Across Nepal, SecurityPal is working with high schools and universities to develop curriculums with skills needed by security analysts, ranging from computer science, cybersecurity and information systems to psychology and English comprehension for better working with AI tools. At least three startups have already hired the same firm that SecurityPal used to upgrade their own offices in Kathmandu. Hamal hopes more will follow suit as SecurityPal employees launch their own companies next: “I know there are a lot of future founders in this crew.”