"We don't have anything worth stealing yet."
Last month, a seed-stage founder said this to me during our first call. She'd been building for 14 months. She had 800 users, most of them paying. Her product handled names, email addresses, business financials, and some sensitive personal data from a health-adjacent feature she'd recently launched.
Three weeks after that call, one of her users emailed to say they'd received a phishing email that referenced their account details — details that could only have come from her database.
This conversation happens more often than I'd like. And it's almost never the founder's fault. Nobody teaches you startup security. You're too busy building.
What I Find in the First 48 Hours
When I start with a new client, the first thing I do is a security audit. Not a formal penetration test — that comes later. This is a structured review of the obvious gaps. The ones that cost nothing to fix but can cost everything to ignore.
Here's what I find, almost every time:
API keys in the codebase. Not buried — literally in committed files, sometimes even in public repositories. I've found AWS credentials, Stripe keys, and Twilio tokens sitting in Git history. Removing them from current code doesn't help if they're in the history — the key is still exposed, and it needs to be rotated immediately.
Everyone has admin access. The developer who left six months ago? Still has production database access. The contractor who helped with the MVP? Still in the AWS account. Access management is almost never cleaned up as the team grows. I've audited accounts where 60% of the users with admin rights were no longer at the company.
No MFA on critical systems. The cloud provider account, the code repository, the deployment pipeline — all protected by a password only. One phishing email from one team member, and an attacker has full access to the infrastructure.
The number I see most often: 3–4 critical security gaps in the first 48 hours of any new engagement. These are not edge cases — they are the standard baseline for a startup that hasn't had dedicated technical leadership focused on security.
The Real Cost of Getting It Wrong
I've seen this play out at three different points in a startup's life, and the cost scales with the stage.
At pre-seed: A breach usually means a small number of affected users and a recoverable situation — if you move fast. The reputational damage is manageable when you're early and the user base is small. Cost: $5,000–$15,000 in incident response, legal review, and remediation. Painful but survivable.
At seed: You have more users, more sensitive data, and potentially regulatory obligations depending on your sector. A breach at this stage triggers user notification requirements, potentially GDPR breach notifications (72-hour window), and the very real risk of customers churning over loss of trust. Cost: $30,000–$100,000+ depending on scope. I've seen seed-stage companies lose 20–30% of their user base in the 30 days following a breach.
At Series A: A breach during or before a raise is not just expensive — it can kill the round. I know of two companies where security incidents in the six months before their planned Series A either delayed the raise by 12 months or forced the founders to accept significantly worse terms.
Average cost of a data breach for companies under 500 employees (IBM, 2024): $3.31 million USD. Most early-stage startups cannot absorb that.
Not Sure Where Your Security Gaps Are?
I run a structured security audit as part of every ShipSixty engagement. In 48 hours, we know exactly what's exposed and what to fix first.
What a Fractional CTO Actually Does on Security
Here's the thing most founders don't realise: security is not a project. It's an ongoing practice. A fractional CTO doesn't just set it up and disappear — they embed security into the way the team builds.
Here's what we do for clients at ShipSixty:
Week 1–2: Audit and triage. We review the codebase, cloud configuration, access controls, and deployment pipeline. We document every gap with a severity rating and a fix time estimate. Most founders are surprised how quickly the most critical gaps can be closed — often within the first two weeks.
Month 1: Fix the criticals. Rotate any exposed credentials. Set up proper secrets management. Enable MFA across all critical systems. Restrict database access. Lock down cloud IAM permissions. These are not glamorous, but they eliminate the most dangerous exposure.
Month 2–3: Build the foundation. Centralised logging. Alerting on unusual access patterns. Dependency scanning in the CI pipeline. Role-based access control implemented properly. A basic incident response plan that the team actually knows about.
Ongoing: Keep it current. Security is not a one-time fix. New dependencies introduce new vulnerabilities. New features create new attack surfaces. New team members need proper onboarding. A fractional CTO keeps this running without it becoming a full-time job for the founder.
The Client Story I Keep Telling
Eight months ago, a fintech founder came to us six weeks before his Series A term sheet was expected to be signed.
His lead investor had commissioned a technical due diligence review. The firm came back with a 14-page report. Page 3: "API credentials for production payment processing were found committed in the application's Git history, accessible to all 23 contributors to the repository."
"How bad is this?" he asked me on our first call.
Bad. Those credentials had been there for 11 months. The repository had been cloned by a contractor six months earlier. Whether anyone had actually exploited them was impossible to know.
We rotated every credential in the system, implemented secrets management, conducted a full access audit, and submitted a remediation report to the investor within three weeks. The round closed — but on a 60-day delay and with an additional condition that a formal security audit be completed within 90 days of funding.
The delay cost the founder approximately $80,000 in operational expenses that had to be covered from personal reserves while waiting for the capital. The remediation work itself cost $12,000.
Had this been caught six months earlier, the total cost would have been under $3,000.
The pattern is consistent: Security gaps that take a week and $2,000–$5,000 to fix at seed stage typically cost $20,000–$100,000+ to remediate when discovered during due diligence, following a breach, or after a regulatory inquiry.
Want Your Security Sorted Before It Becomes a Problem?
We've helped 12 Australian startups close their security gaps without disrupting product development. Most of the critical work is done within the first month.
The Five Things I Check First
If you want to do a quick self-assessment right now, here are the five things I check in the first hour of any security review:
1. Search your repository for secrets. Run a search for common patterns: `AWS_SECRET`, `API_KEY`, `password =`, `sk_live`. Use a tool like git-secrets or truffleHog to scan the full git history, not just current files. Anything that shows up needs to be rotated immediately.
2. Check who has access to what. Open your cloud provider's IAM dashboard. List every user and role with admin rights. If you don't recognise a name or they've left the company, remove them. This should take 20 minutes and will almost certainly surface accounts that should not exist.
3. Verify MFA is on. Cloud console, GitHub/GitLab, deployment tools. Check the settings, don't just assume. I've had clients tell me "yes we have MFA everywhere" only to find it's enforced for some users but not all.
4. Check database accessibility. Can your production database be connected to from the public internet? If you can connect to it using a database client from your laptop without going through a VPN or bastion host, it's exposed. Fix this first.
5. When was the last backup restoration test? Not "do you have backups?" — everyone thinks they do. "When did you last restore from backup and confirm the data was complete and correct?" If the answer is never, you don't actually have backups. You have files that might be backups.
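Check 1 as a runnable script, added here as an example and not ShipSixty's own tooling: it builds a throwaway repo in which a constructed, fake Stripe-style key is committed and then "removed" in a later commit, and shows that a scan of the current files finds nothing while a scan of every reachable commit still finds it, which is why the earlier point about Git history and immediate rotation matters. It assumes git is installed; the key value and file name are made up.

```shell
#!/bin/sh
# Added example, not ShipSixty's tooling: scan every reachable commit for the
# secret patterns named in check 1, and compare with a scan of the current tree.
set -e

# Patterns from the post, as one extended regex.
PATTERNS='AWS_SECRET|API_KEY|password *=|sk_live'

# Build a throwaway repo: a constructed, fake Stripe-style key is committed,
# then "removed" in a later commit. Echoes the repo path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config user.name demo
  printf 'STRIPE_KEY = "sk_live_FAKEEXAMPLE0000"\n' > "$dir/config.py"
  git -C "$dir" add config.py
  git -C "$dir" commit -q -m "add config"
  printf 'STRIPE_KEY = os.environ["STRIPE_KEY"]\n' > "$dir/config.py"
  git -C "$dir" commit -q -am "move key to env var"
  echo "$dir"
}

# Matches in the files as they exist at HEAD: what a review of current code sees.
working_tree_hits() {
  git -C "$1" grep -E -I "$PATTERNS" HEAD 2>/dev/null | wc -l | tr -d ' '
}

# Matches in every commit reachable from any branch or tag: where the key still lives.
# Each match is reported as <commit>:<path>:<matching line>; we only count them here.
history_hits() {
  git -C "$1" rev-list --all |
    xargs git -C "$1" grep -E -I "$PATTERNS" 2>/dev/null | wc -l | tr -d ' '
}

REPO=$(make_demo_repo)
echo "current tree matches: $(working_tree_hits "$REPO")"   # 0: the 'fix' hides it
echo "full history matches: $(history_hits "$REPO")"        # 1: still exposed, rotate it
rm -rf "$REPO"
```

Point it at a real repository by replacing the demo path; a non-zero history count means the credential must be treated as exposed and rotated, regardless of what the current checkout contains.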
How to Work With ShipSixty on Security
There are three ways founders typically engage with us on security:
As part of an ongoing fractional CTO engagement ($10,000–$15,000/month): Security is integrated into everything we do — code reviews, architecture decisions, infrastructure setup, hiring, and due diligence preparation. This is the right option if you need ongoing technical leadership across the full stack.
Security audit and remediation sprint ($8,000–$15,000): A focused 4–6 week engagement specifically to identify and close security gaps. Includes the full audit, remediation of critical and high-severity issues, and documentation you can share with investors or enterprise customers. Right for founders who have a specific event coming up — a raise, an enterprise deal, or a compliance requirement.
Due diligence preparation ($5,000–$8,000): If you have a term sheet signed and technical due diligence is scheduled, we can work specifically on preparing your security documentation and closing the most visible gaps before the review. This is not ideal — it is much better to fix things before a raise than during — but it is what some situations require.
Let's Sort Your Security Before It Costs You
Most startup security gaps are fixable in weeks, not months — if you catch them early. Tell me where you are and I'll give you an honest view of the risk and what it takes to close it.