by ravelantunes 855 days ago
I think this is a very valuable insight, especially in the consumer and small/medium size business. I have fallen into this trap before.

One area where I would say that full-time matters more is if your product's target is big enterprise customers. Those are a bit harder to sell bootstrapping/moonlighting.

For sure. Big challenge with those companies—that I found—is that they want a lot of credentials + proof that are simply outside of the reach of small businesses. So even if you're full-time, it may be a "good luck" scenario.

Although SOC2 is fairly easy to get, it's expensive for bootstrapped founders (maybe $30-45k all in.)

It wasn't enterprise, but the 600 person company (that I knew very well) simply wouldn't work with us in the end because we were too small (2 of us.) It sucked, a lot, because the deal cycle took about 18 months to get to a firm no. Since then, everyone involved has left the company.

SOC2 (Type 1) doesn't have to be that expensive, not counting your own time. For a very small company, it can run as low as $12-15k. Shop around.

Don't invest a lot of time in individual deals when you're small. Aside from the time and probably attorney fees (and opportunity cost), it's pretty demoralizing if it doesn't come through, and most of the time it doesn't, especially when you're small. The distraction alone can kill your company.

Focus on many smaller deals rather than one or two big deals.

Agree completely. Going after small deals ruthlessly would've been my biggest change. We were trying to, but so much was wrong with the actual way we were trying to sell.

Btw the price comes from my latest adventure. I think 12k is too low unless you can literally do everything without help (I could have but it would've destroyed my time.) 20k is probably a realistic price floor with pentest included.

Although type 1 doesn't require a pen test or you to actually do anything. Just to say you would do it a certain way. Every prospect that has asked for SOC2 has wanted a separate pentest deliverable.