[chasemiller]

Hey dsacco, thanks for the great reply! I am a security guy on the outside of the startup world looking in and I was just trying to get a better feel for what the security landscape looks like.

You'll find that startups between seed funding and Series A are most likely to care about security. They have the funding to pay external firms for audits but they won't want to invest in a full-time security team just yet. After that, if they eventually get to "enterprise" level they'll care more about security and have both an in-house team and external reviews.

I figured this was the case. Pre-seed startups are too concerned with getting something to market and most who raise (and have something worth owning equity in) would have the funds to outsource to you.

As for your proposal of equity, I would never do this. Frankly, security services are closer to insurance than they are to building positive value. I have interacted with many startup founders, and most would not take an equity proposal like that for this reason. There are several obstacles.

The equity for security question was mostly hypothetical to get a better understanding for how security is valued among early employees. When I read the title of Jason's article, "It’s Time For You To Make Security a Core Feature — Not a Tax" all I could think of is what a hard sell that would be to both founders and customers, and you confirmed my assumptions. I completely agree that the business model is not sustainable.

Thanks again!