Secfix Raises $12M Series A to Close Enterprise Security-Compliance Gap
Alstin Capital backs Secfix as EU regulatory demands accelerate.
Secfix, a Munich-based startup that automates cybersecurity compliance for European businesses, has raised $12 million in a Series A funding round led by Alstin Capital. Bayern Kapital and returning investor neosfer, the venture arm of Commerzbank Group, also participated. The round was oversubscribed. The company previously raised $3.8 million in a 2023 seed round from Octopus Ventures and neosfer, putting total funding at roughly $16 million. The valuation was not disclosed.
The deal lands in the middle of what has become a scramble across European boardrooms. A cluster of new and updated regulations (NIS2, DORA, the EU AI Act) is expanding cybersecurity obligations well beyond the large enterprises that have traditionally carried them. NIS2 alone now applies to more than 160,000 entities across the bloc, with fines reaching €10 million or 2% of global turnover. For mid-market companies with limited compliance staff, the mandate is clear but the path to meeting it is not. That is the gap Secfix is trying to fill.
The company was co-founded in 2021 by CEO Fabiola Munguia, CTO Grigory Emelianov, and CISO Branko Džakula. All three are based in Munich and came up through the city’s technology network. Munguia held B2B sales and growth roles at Siemens and BMW before spending five years in cybersecurity. She was named to the Forbes 30 Under 30 Europe list in 2024. Emelianov built enterprise software at Amazon and MAN for over a decade. Džakula is a PECB Lead Auditor with more than 15 years as a security practitioner, including CISO roles at Kaia Health and HolidayCheck.
Their first company was not Secfix. Munguia and Emelianov originally built Requestee, a marketplace that matched businesses with ethical hackers for penetration testing. Running that platform surfaced a pattern. The same clients ordering pen tests were struggling with a more fundamental problem: ISO 27001 certification. The process, widely considered the international benchmark for information security management, was grinding and manual. Companies routinely spent 12 to 18 months preparing for audits. Engineering teams lost hundreds of hours gathering evidence. Enterprise deals stalled while buyers waited for the credential. The founders shut down the marketplace and built a platform to attack the bottleneck directly.
What Secfix sells today looks considerably different from that initial product. The platform connects to a company’s existing infrastructure (AWS, Azure, Jira, Office 365, Personio, and dozens of other tools), then continuously scans the environment and maps it against whichever compliance framework the customer is pursuing. When it finds a gap, it flags the issue and assigns remediation to the right person. Evidence that auditors need, such as access logs, encryption configurations, and policy documents, is collected automatically rather than manually assembled by an internal team weeks before an audit.
The practical effect, according to the company, is that a business targeting ISO 27001 can move from zero to audit-ready in weeks instead of months. Secfix currently supports seven frameworks: ISO 27001, SOC 2, NIS2, DORA, GDPR, TISAX, and the EU AI Act.
Automation is only half the offering. Secfix also runs what it calls CISO-as-a-Service, a layer of human security expertise on top of the software. That includes incident response, penetration testing, security questionnaire handling, policy reviews, and cloud security scanning. The pitch to a 200-person company with no security team is straightforward: Secfix replaces the compliance manager, the auditor prep, and the fractional CISO with a single subscription.
Whether that model scales will depend on execution. The company says customers cut up to 90% of manual compliance work and compress certification timelines from months to weeks. It reports that security questionnaire response times drop by 50% and that sales cycles accelerate by 3x for companies previously stuck waiting on certifications. Secfix also claims a 100% audit success rate across its customer base, which it says numbers in the hundreds across more than 15 European countries. Clients include WorkMotion, Veremark, Trafigura, and Orianda of the Valantic Group. Banks, energy firms, and multinationals are also on the roster. None of these figures have been independently verified.
The market context favors the company’s thesis. Europe’s cybersecurity sector was valued at approximately $82 billion in 2025 and is projected by IMARC Group to reach $165 billion by 2034 at a compound annual growth rate of 8.2%. Ransomware attacks on European organizations rose 30% in 2024. The EU’s cybersecurity agency recorded more than 11,000 incidents in a single 12-month window. Average security spending across the continent has climbed to 9% of IT budgets. Much of that growth is not optional. It is being driven by regulation, not preference.
Alstin Capital, the lead investor, is a Munich-based early-stage fund that writes checks between €2 million and €8 million into B2B software companies across the DACH region and broader Europe. Andreas Schenk, a partner at the firm, described Secfix as essential compliance infrastructure for European growth companies. Bayern Kapital, backed by Bavaria’s state development bank, provides public-sector credibility. Neosfer’s continued involvement connects Secfix to Commerzbank’s financial services network, relevant as the platform moves deeper into banking and insurance.
Munguia says the next 12 months will focus on expanding AI-driven automation within the platform, scaling the CISO-as-a-Service model, and pushing into markets beyond the company’s established DACH base. Coverage for ISO 42001, the emerging standard for AI management systems, is also planned.
The competition is real. Vanta, Secureframe, and Thoropass all operate in the same broad category and carry significantly more funding. But those companies were built primarily for the U.S. market and SOC 2 compliance. Secfix has staked its position on being European-first, built around continental frameworks and staffed by auditors who know how local regulators operate.
That distinction matters now more than it would have three years ago. With NIS2, DORA, and the AI Act all hitting enforcement timelines, European compliance is no longer a version of the American playbook. It is its own arena. Secfix has $16 million to prove it can own it.
