Prompt Injection Defense for a 5-Person AI Startup
Prompt injection defense a five-person team can ship in a week — trust boundaries, least-privilege tools, approval gates, and what not to build yet.
We can't find the internet
Attempting to reconnect
Something went wrong!
Attempting to reconnect
Writing · Tag
7 posts on security. Or browse the full writing index →
Prompt injection defense a five-person team can ship in a week — trust boundaries, least-privilege tools, approval gates, and what not to build yet.
Most founders who book the intro call have already read three or four of my posts and arrive at the same question: "Okay, but what would the next 90 days actually look like if I hired you?" Here's the answer — week by week, with the real numbers.
Replit's AI agent ignored a code freeze, wiped a production database in nine seconds, then confessed it violated every principle it was given. The strongest case yet for hiring MORE senior engineers in the AI boom — not fewer.
Every AI founder pre-Series A scopes their SOC 2 audit like a security project. Six months later they've burned their best engineer and lost the enterprise deal. Here's how to run it as a 90-day sales project — and unlock the pipeline you're already leaving on the table.
AI-native companies need a security model that classic appsec doesn't cover. Agents have credentials. Prompts are an attack surface. Training data leaks. The four-layer security stack I'd build, the controls I'd ship in the first 90 days, and the ones I'd defer.
A full-time CISO costs $200–400K plus equity. A vCISO costs $2–4K a month and gives you 80% of the value at 5% of the burn — until you outgrow them. The math, the deliverables to expect, and the red flags that mean you've hired the wrong one.
How we moved 225K+ users with $400M+ in fintech assets from AWS Cognito to Auth0 without forcing a password reset, breaking MFA, or interrupting active sessions. The lazy-migration pattern, the gotchas, and what I'd do differently.