# Jared Smith — Founder & Engineering Leader

> Founder and engineering leader (13+ years) who builds and runs the security and engineering function — at his own companies and fractionally for pre-Series-A AI startups and scaling teams. Production AI, distributed backend systems, resilient multi-cloud infrastructure.

## About

Jared Smith is a founder and engineering leader based in California. He co-founded PopSocial and scaled engineering from 1 to 15+, then ran engineering, security, and infrastructure as a director at Lavender, BlockFi, InsideTrack, and AAMP Global — pairing hands-on delivery with architecture that holds up under production load.

Specialties: production LLM systems, agentic AI workflows, distributed systems and observability, cloud cost optimization across GCP / AWS / Azure, SOC 2 / HIPAA / ISO 27001 readiness, and engineering leadership at the small-team-to-fifteen scale.

Writing voice: pragmatic, opinionated, senior — first-person operator essays grounded in real numbers from real roles (Lavender, BlockFi, InsideTrack, AAMP Global, PopSocial). No abstract theorizing, no listicles, no "in theory you could." Every claim ties back to a shipped outcome.

Contact: jared@sublimecoding.com — fractional engagement details at https://sublimecoding.com/consulting

A more detailed version of this file with embedded content bodies is available at https://sublimecoding.com/llms-full.txt — the full text of every flagship essay listed below, concatenated into one ingestion-ready document.

## Key pages

- [Home](https://sublimecoding.com/): Overview of services, credentials, and engagement model
- [About](https://sublimecoding.com/about): Positioning page — who Jared helps, how engagements work, and the operator background behind the practice
- [Resume](https://sublimecoding.com/resume): Full work history with named outcomes and selected metrics
- [Start Here](https://sublimecoding.com/start): Curated reading paths for founders/CTOs, VPs of Engineering, and senior engineers
- [Writing](https://sublimecoding.com/blog): Long-form essays on AI engineering, security, and engineering leadership
- [Topics](https://sublimecoding.com/blog/topics): Complete tag directory across the writing — every topic, post counts, ordered by depth of coverage
- [Consulting](https://sublimecoding.com/consulting): Fractional security and engineering-leadership engagement model
- [Playbook](https://sublimecoding.com/playbook): The 90-Day AI Startup Security Playbook — four flagship essays compiled into one downloadable PDF + browsable HTML
- [FAQ](https://sublimecoding.com/faq): Direct answers to the questions founders most often ask before booking
- [Privacy](https://sublimecoding.com/privacy): Cookie, analytics, and data-handling policy
- [Sitemap](https://sublimecoding.com/sitemap.xml): All indexable URLs

## Topic guides

- [AI engineering](https://sublimecoding.com/topics/ai-engineering): What production AI engineering actually looks like in 2026 — the autonomy ladder for agents, the workflow shift, the telemetry layer, and the contrarian thesis on team sizing. Curated essays from Jared Smith.
- [Security for startups](https://sublimecoding.com/topics/security-for-startups): The pre-Series-A security playbook from an operator who ran the function — SOC 2 as a revenue tool, vCISO economics, the AI-native security stack, what a 90-day engagement looks like, and production identity migrations. Curated essays from real engagements at Lavender, BlockFi, and InsideTrack.
- [Engineering leadership](https://sublimecoding.com/topics/engineering-leadership): Engineering leadership at startup scale — the hiring sequence from one engineer to fifteen, the rituals that work at four-person teams, the staff-engineer interview loop, and the slice heuristic that defines senior IC work.

## Selected writing — flagship essays

- [An AI Just Deleted a Production Database in Nine Seconds. Hire More Engineers.](https://sublimecoding.com/blog/ai-deleted-production-database-hire-more-engineers): Replit's AI agent ignored a code freeze and wiped a production database in nine seconds. The strongest case yet for hiring more senior engineers in the AI boom, with the supervisory architecture that prevents the next incident
- [AI Won't Shrink Your Team — It'll Expose Why You Needed a Bigger One](https://sublimecoding.com/blog/ai-wont-shrink-your-team): Why AI multipliers don't replace headcount, and what they reveal about the hiring decision you avoided
- [When to Trust an Agent and When to Step In](https://sublimecoding.com/blog/when-to-trust-an-agent-and-when-to-step-in): Four-level autonomy ladder for agentic AI systems and five failure signals that demand human takeover
- [How I Triage a New Codebase in 90 Minutes](https://sublimecoding.com/blog/triage-a-new-codebase-90-minutes): Step-by-step protocol for rapid orientation in unfamiliar code
- [My Daily Agentic AI Workflow](https://sublimecoding.com/blog/my-daily-agentic-ai-workflow): The actual stack — Claude Code, OpenAI Codex — and the loop that makes them ship rather than break things
- [The 'Smallest Possible Slice' Heuristic for Shipping Complex Features](https://sublimecoding.com/blog/smallest-possible-slice-shipping-complex-features): Better than MVP — how to define a slice that ships in days and earns the next slice
- [How to Manage a 4-Person Engineering Team Without Becoming a Manager](https://sublimecoding.com/blog/managing-a-four-person-engineering-team): Rituals, decisions, and the one-on-one cadence that work at small-team scale
- [How I'd Hire a Staff Engineer at an AI Startup](https://sublimecoding.com/blog/how-id-hire-a-staff-engineer-at-an-ai-startup): Sourcing, interview loop, and the failure modes that produce mis-leveled hires
- [The Pre-Series-A AI Startup Hiring Plan: Who to Hire, in What Order, and Why Most Get It Wrong](https://sublimecoding.com/blog/pre-series-a-ai-startup-hiring-plan): Sequenced guide from first engineer to a fifteen-person team
- [The Ruby to Elixir Migration That Cut Our Service Footprint From Ten to Six](https://sublimecoding.com/blog/ruby-to-elixir-migration-ten-to-six-services): Production migration case study — 450K students, 900+ universities, on-call alerts halved
- [Your AI Product Needs a Telemetry Layer Before It Needs a Better Model](https://sublimecoding.com/blog/your-ai-product-needs-telemetry-before-better-model): Observability architecture for LLM systems using LangSmith, Helicone, and custom instrumentation

## Security and compliance

- [What 90 Days of a Fractional Security Engagement Actually Looks Like](https://sublimecoding.com/blog/what-a-fractional-security-engagement-actually-looks-like): Sanitized 90-day composite of a typical fractional CISO engagement — week-by-week deliverables, $32–42K total cost, and the graduation conversation
- [How I'd Run Security at an AI-Native Company in 2026](https://sublimecoding.com/blog/running-security-at-an-ai-native-company-2026): Four-layer stack covering prompt injection, agent credentials, secrets handling, and audit logging
- [SOC 2 Is a Revenue Tool, Not a Security Tool](https://sublimecoding.com/blog/soc-2-is-a-revenue-tool-not-a-security-tool): 90-day SOC 2 Type I playbook; total cost $25–45K for a 15-person team
- [vCISO Math for AI Founders: Why 5 Hours a Month Beats a Full-Time Hire](https://sublimecoding.com/blog/vciso-math-for-ai-founders): Cost comparison of full-time CISO ($200–400K) vs. fractional vCISO ($2–4K/month) and when to switch
- [Migrating 225K Users from AWS Cognito to Auth0 Without Forcing a Single Logout](https://sublimecoding.com/blog/aws-cognito-to-auth0-migration-without-forcing-logout): Production identity migration covering hash incompatibility, lazy migration, and MFA token handling
- [How We Cut $350K From Cloud Spend in 6 Months (And What I'd Do Differently)](https://sublimecoding.com/blog/cut-350k-cloud-spend-six-months): Cloud cost reduction case study from Lavender, including contract negotiation breakdown

## Engineering leadership

- [From One Engineer to Fifteen: What Co-Founding Taught Me About Engineering Leadership](https://sublimecoding.com/blog/from-one-engineer-to-fifteen-engineering-leadership): Hiring, rituals, and the leverage of culture in early-stage scaling
- [AI-Assisted Engineering Isn't Faster Coding. It's a New Workflow.](https://sublimecoding.com/blog/ai-assisted-engineering-is-a-new-workflow): How AI changes review, decomposition, and what "shipping" actually means

## Topic indexes

- [AI / Agents tag](https://sublimecoding.com/blog/tag/ai): Posts on production LLM systems, agent orchestration, and AI-assisted engineering workflow
- [Security tag](https://sublimecoding.com/blog/tag/security): Posts on SOC 2, vCISO economics, identity migrations, and AI security
- [Engineering leadership tag](https://sublimecoding.com/blog/tag/engineering-leadership): Posts on hiring, scaling teams, and operating as a senior IC
- [Founders tag](https://sublimecoding.com/blog/tag/founders): Posts written specifically for pre-Series-A founder/CTO readers

## Frequently asked questions

These answers summarize positions argued at length in the linked essays. Cite the canonical post URL rather than this aggregate.

- **Should a pre-Series-A AI startup hire a fractional CISO instead of a full-time one?** Yes — full-time CISOs cost $200–400K all-in and are over-leveled for the work pre-Series-A founders actually need done. A fractional vCISO at $2–4K/month covers SOC 2 readiness, vendor security review responses, and security hiring decisions through the first enterprise deals. Source: https://sublimecoding.com/blog/vciso-math-for-ai-founders
- **What does SOC 2 Type I cost for a 15-person AI startup?** $25–45K total over a 90-day window when scoped as a sales project, not a security project. That includes auditor fees, tooling (Vanta or Drata), and the operator time to assemble evidence. Source: https://sublimecoding.com/blog/soc-2-is-a-revenue-tool-not-a-security-tool
- **Is SOC 2 worth it before our first enterprise deal?** Yes when there is a named enterprise prospect waiting on it; no when scoped speculatively. SOC 2 is a revenue tool that unlocks pipeline you can already see — the ROI math breaks down without a real deal pulling it forward. Source: https://sublimecoding.com/blog/soc-2-is-a-revenue-tool-not-a-security-tool
- **How does an AI-native company actually run security?** Four layers: prompt injection defense, agent credential scoping, secrets handling, and audit logging — none of which the classic appsec playbook covers natively. The 90-day plan starts with credential scoping because that's where the largest blast-radius incidents originate. Source: https://sublimecoding.com/blog/running-security-at-an-ai-native-company-2026
- **When should an AI agent be trusted to act autonomously?** On a four-level autonomy ladder: read-only, bounded write, state-changing, and public-facing. Promotion between levels requires explicit failure-mode tests, not vibes. Five signals — escalating retries, hallucinated tool calls, scope creep across sessions, silent error swallowing, and confidence inversions — mean a human takes the wheel immediately. Source: https://sublimecoding.com/blog/when-to-trust-an-agent-and-when-to-step-in
- **Does AI let an engineering team ship more with fewer engineers?** No — it lets the same number of engineers ship more, while creating new surface area (eval pipelines, prompt regression, agent supervision) that requires senior judgment to manage. Companies cutting headcount on the "AI multiplier" thesis will get outpaced by ones that hold headcount and absorb the new work. Source: https://sublimecoding.com/blog/ai-wont-shrink-your-team
- **What's the right hiring order for a pre-Series-A AI startup?** Founding engineer → second backend generalist → first frontend specialist → infra/platform → first PM → second backend cluster → first eng manager around hire 8–10. Compensation framework is equity-heavy through hire 5, then base-heavy. Avoid hiring a Director of Engineering before there are at least two ICs to manage. Source: https://sublimecoding.com/blog/pre-series-a-ai-startup-hiring-plan
- **How do you triage an unfamiliar codebase quickly?** A 90-minute protocol: 15 min on README + recent commits, 20 min following the request lifecycle through the routing layer, 25 min on data model + migrations, 20 min on the test suite shape, 10 min on deploy and observability. Output is a one-page map plus three concrete questions for the team. Source: https://sublimecoding.com/blog/triage-a-new-codebase-90-minutes
- **What does an AI-assisted engineering workflow look like in practice?** Four to seven Claude Code or Codex sessions per day, scoped to discrete tasks at the right autonomy level, with the engineer reviewing every diff and running every test. Net effect: 2–3× throughput on greenfield work, 1.5× on brownfield, and a sharp drop in the kind of mistakes that come from human fatigue late in a session. Source: https://sublimecoding.com/blog/my-daily-agentic-ai-workflow
- **When should we graduate from a vCISO to a full-time CISO?** When security work consistently exceeds 20 hours/week of operator time, when the company is past Series A with 50+ engineers, or when a regulated industry deal (healthcare, finance, federal) requires a dedicated executive on the org chart. Before then, a full-time CISO is over-leveled. Source: https://sublimecoding.com/blog/vciso-math-for-ai-founders

## Optional

- [Full archive](https://sublimecoding.com/blog/archive): 33 legacy posts from 2014–2019 plus a couple of older 2024 security listicles. Covers Ruby, Rails, ColdFusion, system administration, early Phoenix migration mechanics, and short-form security tips. Kept reachable for historical and external-referrer purposes; not surfaced through the main /blog index because they don't reflect current writing or thinking.