Security BasicsMay 20, 20255 min read

The Essential Security Checklist for Seed-Stage Startups

A founder recently asked me: "We just closed our seed round. Do I need to hire a CISO?"

Answer: No.

You don't need a CISO, and you don't need enterprise-grade security appliances. You need to cover the basics that prevent 90% of automated attacks and negligence.

Here is the minimalist security checklist I give to Seed/Series A startups.

Identity & Access (The most critical layer) #

  • Enforce MFA Everywhere: Hard keys (YubiKey) or App-based (1Password/Google). No SMS MFA (sim-swapping is real).
  • Use a Password Manager: 1Password or Bitwarden. Enforce it company-wide. No sharing passwords in Slack.
  • SSO (Single Sign-On): If you use Google Workspace, enforce "Log in with Google" for all SaaS tools (Slack, Zoom, Jira).

Infrastructure (AWS/GCP) #

  • No Root Accounts: Lock away the root user credentials physically. Create individual IAM users/roles.
  • MFA on Console: Enforce MFA for anyone logging into the cloud console.
  • No Public S3 Buckets: Turn on "Block Public Access" at the account level.
  • No SSH to Production: Use AWS Systems Manager (SSM) or GCP IAP to access servers. Don't manage SSH keys.

Device Security #

  • Disk Encryption: FileVault (Mac) or BitLocker (Windows) must be on.
  • Auto-Updates: Force OS and browser updates.
  • Screen Lock: Set to 5 minutes.

Code & Pipeline #

  • Branch Protection: No pushing directly to main. Require 1 reviewer for PRs.
  • Secret Scanning: Enable GitHub's native secret scanning or use gitleaks.
  • Separate Prod/Dev: Production data should never live in a development environment.
  • Background Checks: For anyone with access to production data.
  • Offboarding Checklist: When someone leaves, have a scripted process to revoke access immediately (Identity provider first, then individual accounts).

That's it. #

If you do these things, you are more secure than 90% of your competitors.

Don't waste time on "Advanced Threat Protection" or "AI-driven anomaly detection" until you have MFA enforced on your email.


Need a deep dive on your specific infrastructure? I offer a Cloud Security Assessment that covers this checklist and your K8s configuration in detail.

Nikita Mosievskiy

Security Engineer & AI Researcher