[briancl]

Every strong engineering team needs someone with real security chops.. not just someone who can fix SQLi after it's been pointed out, but someone who gets security at the infrastructure level. Someone who gets the why, not just the how. Not every team has that person or that person can't devote the time to play that role.

With a few good references and strong VC/Accelerator connections, this boutique consulting business should do fine. The question for me is how much pain is there on the board/founder (the key influencers/buyers of the service) compared to the cost of the services... or the risk of doing nothing.

[tptacek]

Most startups don't need a dedicated security person and don't need a service like ours to bridge them to a full-time internal security team. So I think you're right: boards and founders are going to question whether they want something like this.

On the flip side: we have the bandwidth for only a few clients (we're doing a lot of work here), so mutual selectivity is a win. :)