Should a pre-Series-A AI startup hire a fractional CISO instead of a full-time one?
Yes — full-time CISOs cost $200–400K all-in and are over-leveled for the work pre-Series-A founders actually need done. A fractional vCISO at $2–4K/month covers SOC 2 readiness, vendor security review responses, and security hiring decisions through the first enterprise deals.
Read the full essay: vCISO Math for AI Founders: Why 5 Hours a Month Beats a Full-Time Hire
What does SOC 2 Type I cost for a 15-person AI startup?
$25–45K total over a 90-day window when scoped as a sales project, not a security project. That includes auditor fees, tooling (Vanta or Drata), and the operator time to assemble evidence.
Read the full essay: SOC 2 Is a Revenue Tool, Not a Security Tool
Is SOC 2 worth it before our first enterprise deal?
Yes when there is a named enterprise prospect waiting on it; no when scoped speculatively. SOC 2 is a revenue tool that unlocks pipeline you can already see — the ROI math breaks down without a real deal pulling it forward.
Read the full essay: SOC 2 Is a Revenue Tool, Not a Security Tool
How does an AI-native company actually run security?
Four layers: prompt injection defense, agent credential scoping, secrets handling, and audit logging — none of which the classic appsec playbook covers natively. The 90-day plan starts with credential scoping because that's where the largest blast-radius incidents originate.
Read the full essay: How I'd Run Security at an AI-Native Company in 2026
When should an AI agent be trusted to act autonomously?
On a four-level autonomy ladder: read-only, bounded write, state-changing, and public-facing. Promotion between levels requires explicit failure-mode tests, not vibes. Five signals — escalating retries, hallucinated tool calls, scope creep across sessions, silent error swallowing, and confidence inversions — mean a human takes the wheel immediately.
Read the full essay: When to Trust an Agent and When to Step In
Does AI let an engineering team ship more with fewer engineers?
No — it lets the same number of engineers ship more, while creating new surface area (eval pipelines, prompt regression, agent supervision) that requires senior judgment to manage. Companies cutting headcount on the "AI multiplier" thesis will get outpaced by ones that hold headcount and absorb the new work.
Read the full essay: AI Won't Shrink Your Team — It'll Expose Why You Needed a Bigger One
What's the right hiring order for a pre-Series-A AI startup?
Founding engineer → second backend generalist → first frontend specialist → infra/platform → first PM → second backend cluster → first eng manager around hire 8–10. The compensation framework is equity-heavy through hire 5, then base-heavy. Avoid hiring a Director of Engineering before there are at least two ICs to manage.
Read the full essay: The Pre-Series-A AI Startup Hiring Plan: Who to Hire, in What Order, and Why Most Get It Wrong
How do you triage an unfamiliar codebase quickly?
A 90-minute protocol: 15 min on the README and recent commits, 20 min following the request lifecycle through the routing layer, 25 min on the data model and migrations, 20 min on the shape of the test suite, 10 min on deploy and observability. The output is a one-page map plus three concrete questions for the team.
Read the full essay: How I Triage a New Codebase in 90 Minutes
What does an AI-assisted engineering workflow look like in practice?
Four to seven Claude Code or Codex sessions per day, scoped to discrete tasks at the right autonomy level, with the engineer reviewing every diff and running every test. Net effect: 2–3× throughput on greenfield work, 1.5× on brownfield, and a sharp drop in the kind of mistakes that come from human fatigue late in a session.
Read the full essay: My Daily Agentic AI Workflow
When should we graduate from a vCISO to a full-time CISO?
When security work consistently exceeds 20 hours/week of operator time, when the company is past Series A with 50+ engineers, or when a regulated industry deal (healthcare, finance, federal) requires a dedicated executive on the org chart. Before then, a full-time CISO is over-leveled.
Read the full essay: vCISO Math for AI Founders: Why 5 Hours a Month Beats a Full-Time Hire
Didn't find your question?
The curated reading paths group the essays by reader and stage — founder/CTO, VP of Engineering, senior IC. For anything specific to your situation, jared@sublimecoding.com is the fastest way to reach me.