Species360 manages the world's most comprehensive zoological database — serving over 1,400 member organizations across more than 100 countries. As the organization matured as a software company, it faced a pivotal question: how do you build a formal security and compliance program when you're starting from zero, with a small team and no dedicated security staff? With Strike Graph, Species360 went from ground zero to audit-ready — without hiring outside consultants, and with an AI-powered platform that fit the way a small, mission-driven team actually works.
Species360's mission is to support zoos, aquariums, and wildlife organizations in collecting, sharing, and analyzing vital data on animals under human care. Their platform — the Zoological Information Management System, or ZIMS — is the authoritative knowledge database on more than 22,000 animal species, containing sensitive animal medical records, husbandry data, and studbooks.
As Species360 evolved from a community-led effort into a mature software company, the question of formal security compliance came into sharper focus. Members were increasingly asking: what are you doing for backups? What's your disaster recovery? What's in place to protect our data?
"We were getting to the point where we knew security is something that has come up more and more with our members," said Nicole Errante, Manager of Site Reliability Engineering at Species360. "Both our members and prospective members were asking us, and this was kind of the next step in our evolution."
The core challenge was not that security was being ignored — it was that it had never been formally captured or documented. Security practices existed organically, but there were no written policies, no formal evidence, and no structured program to demonstrate what Species360 was actually doing.
Key challenges included:
No formal information security program or written policies in place
No prior compliance audits or certifications of any kind
A small, cross-functional team with no dedicated security experts
Sensitive member data — animal medical records and institutional data — requiring meaningful protection
Budget constraints typical of a nonprofit operating on behalf of its members
Knowing they needed a structured path to SOC 2, Species360's leadership began evaluating compliance platforms. They looked at other tools in the space — including Vanta — but quickly determined that those tools weren't the right fit for Species360.
"He thought it would be best to go with a smaller company that is more aligned on what we were trying to accomplish," Errante said of her manager's decision-making. "We were starting from nothing and knew we would need guidance and flexibility in our solution."
The team also valued what it meant to work with a company that understood the realities of running lean. As a nonprofit, Species360 needed a partner willing to work with them — not just sell to them.
Why Species360 chose Strike Graph:
Purpose-built for what they needed: a clear, structured path to SOC 2 certification
Bundled audit and pen testing services eliminated the need to manage multiple vendors
Personalized support and a collaborative partnership model suited to a nonprofit
Flexibility to customize the platform beyond just compliance requirements
Strike Graph gave Species360 something they didn't have before: a starting point. The built-in SOC 2 framework, policy templates, and guided evidence collection meant the team didn't have to figure out the path on their own.
"I knew nothing about SOC 2 and knew nothing about security compliance. And I didn't have to wonder where to start," Errante said. "Using Strike Graph with the risks and framework in place, having templates to not necessarily just take and use, but as a starting place — it gave us a starting point. Otherwise, it feels paralyzing, because you don't know where to start when you're starting from zero."
Centralized evidence and policy management: All policies live in Microsoft SharePoint, with Strike Graph pulling in the most recent documents automatically. Evidence is organized in one place, making audit preparation straightforward and board reporting simple.
Automated evidence collection: Wherever automation is available, Species360 uses it. Integrations handle routine evidence gathering so the team isn't manually tracking down documents on a recurring basis. "I use automation for evidence collection wherever I can. I can point to the folder in SharePoint and Strike Graph will automatically pull the most recent document. I don't have to think about it," Errante said.
Bundled pen testing and audit services: Species360 completed their penetration test through the bundled package and found the process seamless. Their first SOC 2 audit is scheduled for Q3, also through the bundled offering. "Having everything kind of a one-stop shop and not have to worry about it and have it all interconnected was super great," Errante noted.
Progress tracking and board reporting: Visibility into what's been completed versus what remains has been especially valuable for keeping leadership informed. "It makes it easy to report status updates to our board of trustees," Errante said.
Platform flexibility: Beyond SOC 2, the team has also used Strike Graph to track organizational risks that fall outside the framework entirely — demonstrating how the platform flexes to serve broader security program needs, not just audit checklists.
Species360 went from having no formal security program whatsoever to being fully organized, audit-ready, and engaged with AI-powered tools — all without adding headcount or bringing in expensive outside consultants.
"It took our security program from zero to existence," Errante said. "It brought visibility to processes we already had in place that had never been formally captured, and it helped us identify and close any gaps we found along the way."
Key outcomes:
Built a complete, formal information security program from the ground up
Organized all policies, controls, and evidence in a single centralized platform
Completed a penetration test through Strike Graph's bundled services
SOC 2 audit scheduled for Q3 — fully prepared through the bundled audit package
Streamlined board reporting on compliance progress
Eliminated the need for outside consultants or a dedicated compliance hire
On ROI, Errante offered a clear-eyed perspective: "The more honest framing is: could we have done this without Strike Graph? Probably not — at least not without hiring outside consultants or a dedicated compliance resource, which would have cost significantly more. Strike Graph effectively gave us an expert support system and a complete toolset at a fraction of what that alternative would have looked like."
When asked whether she would recommend Strike Graph to other organizations facing similar challenges, Errante's answer was immediate: "Yes, without hesitation."
What stood out most wasn't just the platform — it was also the people.
"The customer service alone is a reason to use Strike Graph. I have asked so many questions — about what kind of evidence is needed, whether something is required, how frequently to collect it — you name it. And every single time, I've gotten a friendly, helpful, and timely response," Errante said.
For other security leaders considering Strike Graph, Errante's advice is straightforward: "Strike Graph gives you an easy way to organize your security program and evidence so you're truly ready for an audit. Even if security isn't your primary area of expertise, they have an incredible team of people who will help you figure out exactly what you need."
With their SOC 2 audit on the horizon, Species360 is already looking ahead — and already putting Strike Graph's AI capabilities to work.
"We're really starting to get into the AI space here at Species360. It's really becoming kind of a core of our day-to-day functionality," Errante said.
She noted that she appreciated Strike Graph's intentional approach to AI, which has been built into the product from the very beginning. "Doing it thoughtfully and making sure we do it the right way — because people worry about security when it comes to AI. I love that approach."
In practice, that's already translating into time savings:
Verify AI is being used to internally audit evidence, catching issues before they reach the formal audit
AI Security Assistant for Questionnaires has dramatically reduced the time spent on security questionnaires — a notoriously painful, never-standardized process. "Security questionnaires — nobody wants to do them. And it has saved a ton of time," Errante said.
Looking further ahead, Errante envisions Strike Graph becoming a self-service resource across the organization — a place where internal teams, including sales, can quickly access security information for prospective clients without needing to pull in the engineering team every time.
"Once we get through the audit and get everything done, it can start to be a one-stop shop, even for folks inside of our organization. The sales guys who come and ask us, 'hey, we need this for this potential client' — they can just go and do it and get the information. That would be great."
With multi-framework support on the horizon and AI capabilities deepening, Species360 is well-positioned to continue growing its security program efficiently and without losing sight of what matters most: protecting the data of the members and wildlife organizations it serves around the world.