Topic guide

Security for startups

Pre-Series-A security gets scoped wrong three ways: founders treat SOC 2 as a security project (it isn't), they hire a CISO before they need one (a $300K mistake at the wrong stage), and they bolt classic appsec onto AI-native architectures that need a different stack entirely. Each of the posts below reframes one of those decisions and gives the actual numbers from real engagements.

Read in order if you're starting from scratch — SOC 2 first to anchor the revenue framing, then vCISO math to size the security org, then the AI-native stack to scope the actual work. The engagement-teardown post is for when you've decided the work is needed and want to know what the next 90 days look like in practice. The auth-migration post is for when you've already shipped and need to fix it without forcing every user to re-authenticate.

The reading order

  1. SOC 2 Is a Revenue Tool, Not a Security Tool

     $25–45K total over 90 days. Scope it as a sales project, not a security project. The playbook for unlocking enterprise pipeline before Series A.

     April 27, 2026 (3 min read)

  2. vCISO Math for AI Founders: Why 5 Hours a Month Beats a Full-Time Hire

     Full-time CISO costs $200–400K and is over-leveled for pre-Series-A work. Fractional vCISO is $2–4K/month. The graduation criteria are explicit.

     April 6, 2026 (9 min read)

  3. How I'd Run Security at an AI-Native Company in 2026

     The four-layer stack — prompt injection defense, agent credentials, secrets handling, audit logging. None of these come for free in classic appsec.

     April 20, 2026 (9 min read)

  4. What 90 Days of a Fractional Security Engagement Actually Looks Like

     The week-by-week composite of a typical 90-day fractional CISO engagement. $32–42K total cost. What graduation looks like at month four.

     May 3, 2026 (8 min read)

  5. Migrating 225K Users from AWS Cognito to Auth0 Without Forcing a Single Logout

     Production identity migration without forcing 100K users to re-authenticate. Hash incompatibility, lazy migration, MFA token handling — the implementation details vendor docs skip.

     March 30, 2026 (9 min read)