NexcurAI
Talk to us Start a project
G3.2 Guide · Cybersecurity (deep)

← Security guides

Series A security readiness.

A complete posture framework for $5M to $50M ARR SaaS companies. Read end to end, or treat as a reference: every chapter is independent.

Length: 45 min Audience: founder / CTO / security lead Last updated: 2026-04-19

The posture you need, and why

At seed, security was aspirational. Now it is a precondition. The enterprise procurement team on the other end of your next $250k deal will ask for SOC 2 Type II, a recent pentest, a data processing addendum, and proof of an incident response plan. The investors on your next round will look for the same things, less formally.

You will not build all of it at once. You will not need to. This guide sequences the work into four quarters. Each quarter builds on the last. You can ship the first quarter with a single platform engineer wearing a security hat; by the fourth quarter you likely need a full-time security lead.

The seven pillars

Every good posture rests on seven pillars. We cover each in turn.

  1. Threat model
  2. Identity and access management
  3. Data handling and privacy
  4. Detection and monitoring
  5. Incident response
  6. Third-party and vendor risk
  7. Compliance (SOC 2, ISO 27001, and the ones that matter for your industry)

Pillar 1: Threat model

Start here. Everything else is harder without it.

The threat model is the document that says: these are the assets we have, these are the attackers who care, these are the paths they might take, these are our controls. For a Series A SaaS, you need three:

  • Application threat model. STRIDE per data flow, with LLM-specific extensions if you use an LLM in a sensitive path. Includes tenant-isolation boundaries, trust boundaries between your services, and trust boundaries between you and your upstream providers.
  • Infrastructure threat model. Cloud account structure, network segmentation, admin paths, backup and disaster recovery posture.
  • Supply chain threat model. Your dependencies, your CI/CD pipeline, your artifact registry, your deployment tooling, the secrets your build sees.

You do not need to write these yourself. You need to have them. A consultant can produce the first version. You need to update them quarterly.

Q1 threat model deliverables

  • Written threat model for each of the three above. One document each, not a wiki.
  • Named owner for each document.
  • Quarterly review cadence booked on the calendar.

Pillar 2: Identity and access management

Most Series A companies have an IAM posture that evolved organically. Someone's laptop has root in prod because they bootstrapped the account in 2022. Someone else has an IAM user with * on S3 because it was convenient. Service accounts have keys that never rotate.

The Q1 fix is to make a list. The Q2 fix is to scope everything down to least-privilege. The Q3 fix is to automate drift detection.

The IAM hardening checklist

  • No standing admin access. Admin is granted just-in-time, with an audit trail.
  • Every human has SSO-backed access to every console; no local IAM users for humans.
  • Hardware 2FA for SSO, not SMS.
  • All service accounts have the minimum scope they need. None have *.
  • Access keys, where unavoidable, rotate every 90 days automatically.
  • CI/CD uses OIDC-federated access, not static keys.
  • Cross-account trust paths are documented. No implicit sts:AssumeRole into production from a dev account.
  • Secrets live in a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password Teams), not in env files or repo.

Full tactical detail in the IAM hardening field manual.

Pillar 3: Data handling and privacy

What data do you hold? Where does it live? Who can access it? How long do you keep it? Four questions, one data inventory per subsystem.

  • Customer data. What you store about the tenant's account, what content they upload, what you derive from it.
  • End-user PII. If your customers' users get accounts in your product, what you know about those users.
  • Logs and telemetry. The data flows you see but do not think of as “data.” This is where PII leaks happen most often.
  • Backups and derived datasets. Analytics warehouses, data-lake copies, dev-environment data refreshes. Often overlooked.

Compliance obligations ride on top:

  • GDPR if you have EU users. Data processing agreements, data subject requests, a DPO contact, lawful basis for every processing purpose.
  • CCPA / CPRA for California residents. Similar shape, different notice requirements.
  • HIPAA if you handle PHI. BAA with every upstream processor, audit logs, breach notification rules.
  • PCI DSS if you handle cardholder data. Strongest scope-reduction strategy: do not handle cardholder data. Route it to Stripe; do not let it touch your systems.

Pillar 4: Detection and monitoring

The Q1 question is whether you would know if someone was inside your infrastructure. The answer, for most Series A companies, is “eventually.”

Minimum viable detection:

  • CloudTrail (AWS) or Cloud Audit Logs (GCP) on, flowing into a searchable sink, retained for at least one year.
  • GuardDuty on (AWS), with alerting configured for findings above medium severity.
  • Application audit logs for every privileged action: admin login, role change, data export, tenant creation, impersonation, privilege grant.
  • Alerting on the above: Slack / PagerDuty integrations that wake somebody up on critical, notify during business hours on high.
  • Runbooks for the five most likely incident types: credential compromise, data exfiltration, ransomware on a laptop, phishing of a named operator, API key leak in a public repo.

Not all of this ships in Q1. But all of it ships by end of Q3, at the latest.

Pillar 5: Incident response

You need three things: a plan, rehearsals, and a legal-and-comms overlay.

  • The plan. A written IR playbook per incident class. Who gets paged, who is authorized to make which decisions, what the first-hour triage checklist is, how evidence is preserved, when and how customers are notified, what the forensic boundary is (what do we handle in-house vs. what triggers an external IR firm).
  • Rehearsals. Quarterly tabletop exercise. One scenario per quarter, rotated. Run for ninety minutes. Record the gaps; close them.
  • Legal and comms overlay. Counsel involved from minute zero, because privilege attaches early. Pre-drafted customer notification templates (do not write these under time pressure). A named press contact.

Pillar 6: Third-party and vendor risk

Your security is the security of your least-secured upstream processor. Series A companies typically have 30 to 60 SaaS vendors. You do not have the budget to audit all of them, but you do need to:

  • List them. The Q1 work. Include the data flowing to each one, the account owner on your side, the criticality tier.
  • Tier them. Critical (production data flows through them), important (operational dependency), routine (low-consequence tools).
  • Ask for evidence from the critical tier. SOC 2 report, pen test summary, data processing addendum. If they cannot produce, either accept the risk explicitly or replace them.
  • Annual review cycle for everything critical. Re-request the SOC 2, check the scope, check for new subprocessors.

Pillar 7: Compliance

Compliance is not security. It is documentation of security in a form the auditor will accept. Do the security first; then document it.

  • SOC 2 Type I is achievable in one quarter if your posture is already reasonable. It certifies that the controls exist at a point in time.
  • SOC 2 Type II requires a six-to-twelve-month observation window. It certifies that the controls operated consistently across the window. This is the one enterprise procurement actually cares about.
  • ISO 27001 is the international equivalent, often expected by European enterprise customers. Lots of overlap with SOC 2; if you have one, the other is not a fresh effort.
  • HIPAA compliance if you need it. Scope-specific; we handle per-engagement rather than as a general posture goal.

The four-quarter sequence

Q1 (months 1 to 3): Foundation

  • Write the three threat models.
  • IAM inventory + no-standing-admin switch.
  • Data inventory per subsystem.
  • Basic detection (CloudTrail, GuardDuty, audit logs, alerts).
  • Vendor inventory.
  • Incident response plan v1 (written, not yet rehearsed).

Q2 (months 4 to 6): Scoping down and tightening

  • IAM least-privilege pass across all service accounts.
  • Secrets migration off env files.
  • Data retention policy per subsystem, with automated enforcement.
  • Detection rules tuned against first quarter noise.
  • First incident-response tabletop.
  • Begin SOC 2 Type I prep.
  • Commission Signature Security engagement (first external pentest).

Q3 (months 7 to 9): Institutionalization

  • SOC 2 Type I audit.
  • IAM drift detection automated.
  • Continuous vulnerability scanning stood up.
  • Vendor risk review cycle begins.
  • First retainer quarter complete; first handbook refresh.

Q4 (months 10 to 12): Proof and evidence

  • Type II observation window begins.
  • Second pentest or architecture re-review.
  • Threat models refreshed against new architecture.
  • Second IR tabletop; different scenario.
  • Board-level security update.

Team structure through the year

  • Months 1 to 3: one platform engineer, 30% of their time, plus consultant for the threat models and IAM review.
  • Months 4 to 6: same plus a dedicated engineer on security during the pentest engagement.
  • Months 7 to 9: consider a fractional security lead (15 hours a week) for SOC 2 prep coordination.
  • Months 10 to 12: full-time security lead hire, if ARR and risk profile justify it. For companies at the low end of the $5M to $50M band, retainer-model coverage can stretch for another year.

Budgets (ballpark)

  • Signature Security engagement: $65k (fixed).
  • SOC 2 Type I audit: $12k to $25k depending on auditor.
  • SOC 2 Type II audit: $25k to $60k depending on scope and auditor.
  • Tooling (GuardDuty, Vanta/Drata, vulnerability scanner, SIEM): $30k to $80k per year at this stage.
  • Fractional security lead: $8k to $15k per month.
  • Full-time senior security lead: $220k to $320k all-in, remote US / CA.

Common mistakes

  • Buying the tool before writing the threat model. The tool will generate noise that nobody triages. Model first, buy second.
  • Starting with SOC 2 instead of fixing the underlying posture. You will pass the audit and still be vulnerable.
  • Outsourcing incident response entirely. You need internal ownership; the outside firm is for forensic depth, not first response.
  • Deferring IAM drift detection. It compounds fastest, so it needs automation earliest.
  • Hiring a CISO too early. A Series A company rarely needs a CISO; it needs a senior IC or a strong fractional. The CISO title attracts people who want to build teams, not work with their hands.

Related