Startup security: A field guide for CTOs

Security is always part of the CTO's job at first; what varies from startup to startup is when security moves into the foreground. For some businesses, that moment arrives on day one. For others, security sits in the background until something forces the issue. Here's how to know which one you are.

When security is a day-one priority

With some businesses, security can't sit in the background. The test is usually one of three things:

• You're in a regulated industry. Financial services, healthtech, govtech, and edtech all come with legislated requirements you'll have to meet, and those requirements include security obligations and standards. Anything involving minors as users raises the bar further.
• You're touching sensitive data. Even outside a formally regulated industry, if you're not just collecting a name and email but actually building profiles, analyzing behavior, or targeting on top of personal data, security is on your plate from the start. EU privacy law has its own expectations on how you handle and document all of it.
• You're selling to the enterprise or government. If your buyer is upper mid-market, enterprise, or government, security is a day-one requirement no matter what your product does. The buyer's procurement process will surface it before your first deal closes.

In cases where the data isn't regulated and the buyer doesn't see much risk, such as an entertainment app or an iPad tool that helps a restaurant track when the bathrooms were last cleaned, you can let security sit in the background for a while longer.

When something tips security into a priority

The obvious trigger is the bad one. If you've had a breach, security has already become the priority. The harder ones to recognize are the triggers that don't announce themselves, and in my experience they come in one of two forms.

The business itself surfaces security

My first startup, Topguest, was marketing technology for travel, and we gave away reward miles for taking certain actions. People figured out how to game the system with fake accounts and other tactics. The fraud became material enough that we had to invest engineering time into finding and stopping it, which meant bringing security into the foreground. Nobody was forcing us to do that work. The business was.

Security starts blocking sales

At Zenput, we sold to Fortune 500 and Fortune 1000 companies, and security showed up as a sales blocker in concrete ways:

• Custom questionnaires with eighty questions or more, including specifics like, how do you monitor intrusion detection, how often do you scan for vulnerabilities, what's your remediation workflow, and how do you verify a fix.
• A week or two of my time was lost filling each one out, followed by another week or two delay while the customer's IT person reviewed it.
• A month or more lost on every deal in this band, even ones otherwise ready to close.

Multiply that delay across the pipeline and security stops being something you'll get to when you have time. It becomes the reason you're missing your quarterly number.

The same pattern showed up earlier in my career, just further upstream. At Worksite, we sold to energy companies, major engineering firms, and construction companies, and their RFPs had explicit security requirements built in. If you couldn't address them up front, you didn't get on the selection list. Security wasn't slowing the deal; it was gating whether you'd be considered as a vendor at all.

Whichever way it lands, once security is the variable holding up revenue, it stops being optional.

The compliance response

The instinct when this pattern hits is often to chase a certificate that helps you meet buyers halfway. In B2B SaaS, that's usually SOC 2. I advocated for it at Zenput even though no customer was demanding it at the time, because I was tired of answering questionnaires from scratch and I saw the certificate as a way to clear most of the standard questions in one shot.

It didn't eliminate questionnaires entirely, but it did help us answer nearly all of a 300-question questionnaire with "yes, see our SOC 2 report," and let the reviewer go read it and come back. It was a leverage play.

Why a SOC 2 badge isn't enough today

It's worth noting that SOC 2 has become common enough that on its own it's no longer much of a signal, and the savvier buyers trust the report less because plenty of companies get certified without doing the work behind it.

A whole category of third-party risk management tools has also popped up. They send standardized questionnaires to vendors, use LLMs to grade the responses, and many won't let you opt out of a question by pointing to a SOC 2 report.

For most buyers today, SOC 2 gets you through the door to the next stage, but it doesn't get you past the questionnaire.

So if SOC 2 doesn't get you past the questionnaires, where do you actually start? Not by going straight for the certificate, and not by buying a stack of tools. Start with discovery: figuring out what security needs to do for your business. A compliance framework may still be the right thing to anchor to, but it works because of the discovery, not in place of it.

Understand your security needs

Step one is gathering information: where security plays in your organization, what it affects, and where the concern is coming from across the executive team, the board, or the founders. That concern is usually one of three things: reputational risk, business risk, or specific deals at risk. The specific reason you're sitting here is the input that shapes everything that comes after.

Some questions to walk through:

• What have prospects asked for in questionnaires or in RFPs?
• What questions are you getting from your team, your CEO, sales, or prospects?
• Where are those questions coming from?
• Is security on your plate because of a hack that happened before you joined?
• Is sales constantly slowed down by questionnaires they can't answer?
• Is it the inherent nature of your industry or jurisdiction?

The questions above are about where signals are already showing up. There's a second layer to walk through that's about the business itself:

• Are you touching sensitive data your customers will care about? If yes, what kind?
• What type of business are you actually running? A consulting service has a different security posture than a SaaS product collecting and processing customer data.
• What industry are you in, and what does it require of you?
• Are you a solo founder, hiring your first team, or already running an organization? Internal threats and the kinds of mistakes people make change as headcount grows.

The technical questions (what stack you're on, how it's built, what your network footprint looks like) matter, but they come after this layer.

The point of discovery is to figure out how much security your business actually needs before you start matching that need to tools.

Anchor your security program to an industry standard

Most startup CTOs don't have time to design their own security framework, and in the early stages it isn't the most crucial part of the business to be spending time on. That's why the highest-ROI move is to anchor your program to an established industry standard rather than build one from scratch. (The only case where I'd say otherwise is if you're already deeply familiar with your own threat model and have the expertise in-house to make security decisions without leaning on a framework. That's a small group, and if it's you, you already know it.)

Aligning to a standard will get you 80% of the way there for what you need, and you can spend your time on the remaining 20% that's specific to your business. That's a better use of your hours than building something from first principles. It also gives you a clear roadmap, a shared language with auditors and managed service providers, and clarity on what to do next.

The standard you select will depend on your business:

• HIPAA if you're in healthtech
• SOC 2 if you're general B2B SaaS and the security questions you get don't dig into much more than IT-oriented security controls
• ISO 27001 if you're selling to organizations outside the US

By aligning with a recognized standard, you meet the "minimums" of most Fortune 500 companies quickly and force standard requirements on the organization before the enterprise prospects arrive with security questionnaires.

With your standard chosen, the next move is putting the baseline tooling in place to meet it. Some of those tools are non-negotiable; almost all of them are far easier to put in place when you're small than to retrofit later.

There's a baseline set of tools every startup needs in place. The depth and sophistication of each will differ by stage and industry, but the presence of them shouldn't.

Identity and access

• A password manager. Non-negotiable.
• Identity and access management. At minimum, route everything you can through Google sign-in. Okta if you can afford it.
• MDM and endpoint protection. Native Microsoft Defender or built-in Mac antivirus is fine to start, but you'll outgrow it. Phishing and accidental installs through employee devices are still one of the most common attack paths.
• Security training. Annual at minimum, with a baseline curriculum every new hire goes through and a refresher when policies change. Tooling reduces the surface area; training addresses the rest.

Code and infrastructure

• Code security. Scanning at the point you're writing code, with depth scaled to your stage.
• Secrets management. Use a secrets vault, not "in environment variables" or "in the cloud console."
• CSPM. Something paying attention to your cloud configuration and flagging when you've made an unsafe choice. The trade-off between security and usability is real, and a CSPM catches the misses.

External surface

• Domain and network monitoring. Especially if you're living on Vercel, Supabase, and a handful of other services. Your network is the internet at that point. The risk people miss is forgotten subdomains an attacker takes over and uses to send phishing from your legitimate domain.

Ongoing testing

• Penetration testing. At least annually, grey-box style. Pen test findings rarely get pushback, which makes them the best lever for breaking prioritization debates.
• DAST. Run a deterministic DAST tool every other week against your running application. If you're really budget-constrained, an LLM with browser-use tooling can substitute, but the deterministic version is what holds up over time.

If you're in a heavily regulated industry like healthcare and you're handling PHI, add data security tooling to that list. The visibility helps you avoid the rookie mistakes that happen when you're moving fast and nothing is paying attention.

Lessons learned from doing this myself

A few of the items on the list deserve a closer look, because they're the ones where I've watched startups (mine included) get burned by skipping or deferring them.

Get secrets out of source code on day one

It is much, much harder to add secrets management later than to do it at the very beginning, and people still get it wrong constantly: secrets committed to source code, secrets in unprotected environment variables, secrets sitting in the cloud console. Invest in separating your configuration from your code early and make it easy to inject while your application is running.

Don't assume cloud-native and AI-generated means secure

There's a tendency to believe that because you're built on Vercel and Supabase and your code was written by Claude using Claude Code, security is no longer something you have to worry about. That's completely and utterly false. The platforms harden a layer of the stack for you. They don't harden how you're using them.

Code scanning is trivial to set up and pays off

When I joined Zenput at thirty people, the gap I felt most was visibility into where we had security issues. I brought in SonarCloud to give us at least some signal at the point we were writing code. It's the brush-your-teeth-for-two-minutes-a-day kind of stuff that compounds over time.

Stop fearing MDM, just do it

A lot of CTOs have a visceral fear of implementing it, usually because of bad experiences at other companies. It's not worth spending social capital fighting against. The tools exist, they're easy to use in 2026, and they're cheap. You'll also need to explain to customers why you haven't implemented one if you skip it, which is its own kind of pain.

Setup the WAF

Cloudflare is cheap, very flexible, and has great capabilities for defending your application from lots of common threats. Use at least the basic rules, and don't get cute: fix any errors if it's preventing your app from working. If you're exclusively on a hyperscaler, then use their technology with their baseline rules. It takes minutes, checks lots of boxes, and provides real security coverage.

Remember those monitoring controls

You might think that having New Relic, Datadog, or some other application performance monitoring tool covers you for the various Logging and Monitoring controls that a security standard or framework references, but you'd be wrong when it matters most (in the middle of a security incident). SIEMs can be expensive when you're small (it's one of the reasons why we built the Security Monitoring capabilities into Fencer), so consider working with a managed security services provider to do the monitoring for you.

Start before you think you need to

A meta-point worth holding onto: it's much easier to get all of this in place when you're small than when you're not. When you're a team of 100 engineers trying to retrofit a code security tool and it surfaces 5,000 findings, of which maybe 1,000 are actually legitimate, that's a lot of work. When you're a team of five doing the same exercise, the volume is manageable and you start with a clean baseline.

Once the foundations are in place, the work shifts from setup to operations. The challenge is keeping security operations running without trading off product velocity or burning out the team. Here's how I think about it.

Right-size the security budget

Carve out some time to be proactive about security. Security is one of the many things that lives inside the technical work bucket of your engineering capacity. The trick is to set the right size for that bucket.

At the earliest stage, when you're going to be dead in six to twelve months if you don't ship new features, the bucket is small. Maybe 10% of your capacity will go to purely technical work, and 90% to features.

As you mature, the bucket grows. My sweet spot is 20 to 30% of engineering capacity going to technical work, with standard security work prioritized inside that block. Less than that and technical debt compounds faster than you can pay it down; more than that and you're under-investing in the product.

Running this at Zenput, the security portion of that block ebbed and flowed. Some quarters we'd spend 10% of capacity fixing security stuff; others, once the work was done, we'd drop to 2% for the rest of the year.

Write down your priority threshold

The hardest part of any limited-resource environment is deciding what gets your attention first. For security, the trick is to set a prioritization threshold up front, ideally in writing, so you don't have to debate it case by case.

A basic threshold to consider has three tiers:

• Critical and obviously exploitable vulnerabilities. These get fixed at the top of the list, no debate. Moreso for anything that was found by a penetration tester.
• Middle of the spectrum. Issues that could lead to being hacked if a couple of other things go wrong too. You don't need to fix them immediately, but you do need to fix them eventually. Sequence them into the technical roadmap like any other piece of work.
• Won't do anything in your environment. Ignore them. There's no risk in your environment to address.

Or if you want to more explicitly define your priorities, here's what I recommend (tweaking the numbers based on your size and stage):

• Priority 1: CISA KEV Catalog (highest risk, fix in the next few days).
• Priority 2: EPSS > 0.25 and CVSS >= 7 (high likelihood, high severity, fix in the next couple of weeks).
• Priority 3: EPSS < 0.25 and CVSS >= 7 (low likelihood, high severity, fix in the next couple of months).
• Priority 4: EPSS > 0.25 and CVSS < 7 (high likelihood, low severity, fix eventually).
• Priority 5: EPSS < 0.25 and CVSS < 7 (low likelihood, low severity, don't fix).

Articulating the threshold removes the debate about what gets done and when so you're not relitigating priorities every time something hits the queue.

Use pen tests as tiebreakers

When the team can't decide between competing priorities, the easiest thing that breaks all ties is hiring somebody to try to hack you. A pen test will tell you, in concrete terms, what an attacker can actually exploit.

Critical findings from a pen test almost never get pushback. You walk into the head of product's office and say "we had a pen test, they got customer data out by doing X, we need to fix it." I've never had anyone in my career push back on that kind of issue.

The pen test takes the ambiguity out: either something is exploitable or it isn't, and when it is, the prioritization argument falls into place around it.

Work with the two camps on your engineering team

Engineering teams usually split into two psychological camps when security findings surface. Your job is to leverage these personalities without causing burnout.

• The pragmatists. They think security doesn't matter much at the early stage because nobody's targeting you yet. They're useful for gut-checking whether something is worth the time.
• The perfectionists. They treat any security finding like an indictment of their craft. They want to do a really good job in everything, and a vulnerability tied to their code can feel like an attack on their identity (sometimes one they spiral on). They also tend to be the people who'll happily do the security work without grumbling.

What I learned at Zenput is to lean on the perfectionists for the security work itself, and use the pragmatists as a sanity check on whether we were over-investing. That mix worked better for me than trying to assign security as a rotating responsibility across the whole team.

Don't make everything a fire drill

Critical findings deserve fire-drill energy; most findings don't. At companies that run security well (Zenput was one), there typically isn't a critical issue every day or every week.

If you're treating every finding like a three-alarm fire, you risk burning out the team, and after a few cycles they may stop responding when there actually is a fire to put out. Setting the priority bar and modeling the right energy is part of the CTO's job.

Buy your way out of the work you can't do yourself

There will be parts of the program you can't realistically run with the team you have. The right move in those cases isn't to leave the gap open, and it isn't to buy a tool you don't have the time to tune. It's to bring in a managed service provider who owns that capability for you.

At Zenput, we couldn't afford Splunk on our own, and even if we could, we didn't have the time to build and tune the detection rules. So we hired an MSP that owned the SIEM license, ran the tuning, and sent us a weekly report. We traded a recurring cost for a capability we wouldn't otherwise have had, and we got our time back to spend on the work only we could do.

The same pattern shows up later for things like pen testing, GRC operations, and on-call rotations. If the choice is "we'll get to it eventually" versus "an MSP owns it next week," the MSP wins almost every time at this stage.

The last few years have changed the security calculus for startups in three ways at once, and the three changes are converging into something different from anything I had to manage at previous companies.

• Your team is generating code with AI tools, which means more code with less developer attention on each line.
• Your dependencies, open source and closed source alike, are being targeted by attackers using AI to find weaknesses faster than they could before.
• The assumption a lot of startup CTOs have leaned on, that "we're too small to be a target," no longer holds, because AI made discovery and exploitation cheap enough that small targets are now worth the effort.

The fundamentals from earlier chapters still apply. This chapter is the extra layer of considerations the AI shift forces every startup CTO to take seriously, no matter how small the team is.

Being small no longer keeps you safe

The implication for the CTO is straightforward: you can't defer security on the basis of being small. That bet has gotten more expensive, and the math has flipped against you.

The customers you're selling to know this. Buyers, especially in the upper mid-market and enterprise tiers, are getting attacked themselves, and they're more sensitive to it. The expectations they bring to a vendor security review are rising, the questions they ask are more specific, and the questions about how you handle AI in your own product are getting more pointed. None of that is going to slow down.

New attack surfaces to know

The existing attack surfaces of open source dependencies, running application infrastructure, and cloud configuration are still there, and the fundamentals chapter covers how to address them. AI has introduced four new attack surfaces worth understanding alongside them.

Prompt and skill marketplaces

Skills and prompts are text files that tell something with a lot of access to your system what to do. The marketplaces around them are immature, and someone not deeply focused on security can read a shared skill and believe it's safe when it isn't. Treat shared prompts and skills the way you'd treat any third-party code you didn't write: with skepticism, and ideally with a review before you put them in front of an agent that has access to your systems.

LLM-specific attacks

Prompt injection is the AI version of phishing. Instead of tricking a human into clicking a link, an attacker crafts input that tricks an LLM into ignoring its guardrails and acting on instructions it shouldn't. Model poisoning is a related concern at the training stage. These attack types didn't exist as practical concerns five years ago. They do now, and if your product uses an LLM in any capacity, you're exposed to them.

Dependency hallucination and squatting

Agents sometimes hallucinate package names. If a particular agent consistently invents the same fake dependency, an attacker can register that name with malware inside, and your agent installs the malware on your behalf. It's a new flavor of typosquatting, automated by the very tool that's supposed to be helping you ship faster.

LLM-recommended infrastructure

When you ask an LLM to set up cloud infrastructure for you, it'll often misconfigure it. The misconfiguration becomes a security hole the same way an unsafe IaC template would. AI-generated infrastructure needs the same review as AI-generated code.

The implicit insider threat

The bigger concern isn't any one of those surfaces: it's the agent itself, when it has too much access. Think of it as having an easily phished executive on the team. The agent has elevated permissions, the ability to act on its own, and a steady stream of untrusted input flowing through it from users. That combination, without any boundaries, is the most dangerous pattern in a 2026 startup engineering team.

The lethal trifecta looks like this:

• An LLM with external network access
• Access to sensitive data or systems
• Operating on untrusted input (the prompt)

If you have all three at once and no constraints, you've built an insider threat into your own development environment.

The defense isn't to stop using agents. It's to constrain what each agent can touch. That means:

• Keep secrets in vaults, not in local files the agent can read. The whole "secrets in environment variables" pattern was already weak; with agents in the picture, it's actively dangerous.
• Sandbox the agent rather than letting it run on your workstation with full access. Run it inside a constrained environment where you control what it can see and what it can do.
• Apply network restrictions and cooldowns to limit what dependencies the agent can pull in.
• Set boundaries on what the agent can do without human approval. Writing code is one thing. Deploying it is another. Pushing to production is another. Each step should have a different threshold.

What to do, beyond the fundamentals

The fundamentals from Chapter 3 still apply, and a few of them matter more now than they did before AI:

• Code security tools matter more when AI is writing more of the code with less attention from humans on each line. Code scanning has gone from "nice to have" to "default."
• Code reviews with guardrails. Don't fully delegate review to AI. Even the best LLMs miss things. A Stanford study recently found that 15% of code written by LLMs had security flaws, even when the LLM was explicitly prompted to write secure code and take secure actions. Human review remains the last line.
• Secrets management. More important than ever because agents can read what's in your environment. A secret in a local file is now a secret the agent can find and use.
• Comprehensive visibility. You can't fix what you can't find. A high-quality security platform should give you coverage across skills, code, services, and cloud configuration. Once findings are visible and clearly defined, you can point an agent at them and have it fix things for you, which is the offensive use of AI that's available to defenders.

That last point is the silver lining. The same tools that attackers use cheaply against you, you can use cheaply for yourself. The advantage in 2026 goes to whichever side has better visibility into what needs to be fixed.

Grill your vendors

If you're using a vendor's product that has agentic capabilities, ask hard questions about how they secure it.

I've had conversations with prospects who told me that one of their most critical vendors, doing something absolutely essential to their business, had told them they thought security was a joke and did nothing about it. That's not a defensible position in 2026.

The bar for a vendor's AI security posture is rising. The questions you should be asking:

• How is the agent's access scoped?
• What input does it operate on, and how is that input validated?
• What can it do without human approval?
• Where are secrets stored?
• What network boundaries are in place?

Your buyers are going to start asking you these same questions. The vendors you trust should be able to answer them in detail.

The misconceptions I keep hearing

Three patterns I've seen from startup CTOs that are worth flagging directly.

"We're too small to be a target."

This was true once. It isn't anymore, and acting on outdated memory here costs you.

"Claude wrote the code, so Claude can audit it."

The same LLM that generates code can't be the verifier of that code. Even the smartest team members introduce flaws and need someone else to check their work. You can't blindly rely on Claude Code security running on code that Claude itself wrote to verify that Claude was secure. The Stanford 15% figure is the proof point. Use AI to help find issues, but don't let it be the only thing looking.

"We're already paying for Claude, so we don't need a security tool."

This one feels good because it saves a hundred bucks. The cost of a missed vulnerability is much higher than the cost of a security tool subscription, especially in a year when low-severity vulnerabilities are trivially exploitable with some clever prompting. Your peace of mind for a small amount of money seems like a no-brainer trade to me.

Closing thought

Things move a lot faster now than they did a year ago, and they'll move faster again a year from now. The "wait and see" posture has gotten expensive, and the cost is going to keep rising.

The rest of this guide still applies. AI doesn't replace the fundamentals; it adds a new layer of considerations on top of them. The good news is that the same tools you have to defend with are getting more capable too. The leverage matters for whichever side picks it up first.

By the time the security fundamentals are in place, you've probably got 7 to 10 point solutions stitched together: scanners for code and cloud, an MDM, a secrets vault, a GRC tool, and a couple of free scanners running on the side.

This setup will get you a long way, but it won't last forever. Past a certain point, the duct tape between the tools starts to wear, and the stack you built to move fast can become the very thing slowing you down.

The three patterns below are the ones that wore me down most at Zenput, and they're a big part of why I co-founded Fencer. Here's what each one looks like, and what to do when you see it.

Collating findings across tools

It starts innocently. A vulnerability scanner over here, a code quality tool over there, a CSPM looking at the cloud, and a few one-off reports that need to be reconciled. At some point, the only way to make sense of any of it is to dump exports from all of them and cross-reference in a spreadsheet.

At Zenput we had this exact ritual. I'd transform CSVs because half the time the export wasn't clean, collate everything into a master spreadsheet, and walk through it with the team every month. What's a duplicate, what's noise, what we're addressing by Friday, etc.

What I didn't see at Zenput until I was deep in it: 90% of my security hours went into figuring out what to fix. Only about 10% went into the fixes themselves, which were almost always small (a few lines of code, a toggle in a console, a new IAM rule) and quick once we'd decided what to do.

What to do

Tighten what you look at. Suppress whole categories of findings that aren't producing actionable signal, and raise the bar on your prioritization threshold. That buys time. But the ritual itself is structural. It's a sign your stack has outgrown what cross-referencing by hand can hold together, and the next move is either dedicating a person to it or moving to a platform that consolidates findings for you.

Babysitting tools more than fixing

Native cloud tools and free scanners generate findings constantly: container CVEs from base images you haven't upgraded, misconfigurations from defaults nobody changed, alerts from rules that haven't been re-tuned in months. There is signal in there, but it gets buried under everything else the tools want to tell you.

A lot of my hours at Zenput went into deciding which findings to suppress, which to triage, and which needed a person. That isn't security work. It's the maintenance you do to keep the apparatus running while you wait for the thing you need to act on to surface above the noise.

What to do

Tune in batches, not one finding at a time. Take a half-day every quarter to suppress whole categories of repetitive findings rather than triaging them one by one. If you can afford it, a managed service provider can absorb this kind of work. What you can't realistically do is keep up by hand. If your weeks read like "tune three rules, suppress fifty findings, escalate two," the apparatus has stopped serving you and started consuming you.

Producing audit evidence after the fact

The first time you go through SOC 2 or a comparable audit, you'll discover that every control needs evidence. Log retention policies, access reviews, change management. You'll have been doing most of these things. You won't have been documenting them in a form an auditor can review.

A meaningful chunk of audit prep, then, becomes retroactively producing evidence for work that was already happening. The work isn't the policy. The work is proving the policy existed in a format somebody else can verify.

What to do

Shift evidence collection upstream. Document what you're doing as you do it, not after the fact. A GRC tool like Vanta or Drata helps, but it works best when it has something to capture; it doesn't generate the evidence itself. If retroactive prep is the reality for your first audit, plan for it explicitly in your roadmap rather than letting it consume an unplanned month.

The breaking point

These patterns are what taught me what a platform built for this should look like. The moves I've described above buy you time, but they don't change the structural reality that the security tools we have today weren't designed to work together, and a small team ends up paying for that with their hours.

Fencer is what I would have built for myself at Zenput if I'd had the chance: one place to see findings across the stack, one place to make decisions about what to fix, and one place to produce the evidence somebody else will need to read.

Security work compounds. Every habit you build and every decision you make early pays back later, usually more than you'd expect. That's what taught me what a security platform should look like, and it's why I co-founded Fencer.

If you'd rather not cobble the stack together by hand, that's what we built it for.