
Startup Security in 2025: What Actually Matters
82 CISOs shared their priorities. Here’s what I’d steal, skip, and do differently.
👋 I’m part of SecAtScale, an association of security leaders from startups and scaleups across the French tech ecosystem. I’ve been lucky enough to contribute to the annual benchmark of SecAtScale (only as a reviewer): the Pulse 2025, a no-BS survey of 82 security leaders mostly from FrenchTech companies — from seed-stage to well-funded unicorns.
The goal? Describe the security landscape and help each other figure out what to focus on, and what to stop pretending matters. SecAtScale asks the questions no vendor whitepaper wants you to read. I reviewed the results and decided to share my take on them — as someone who’s been the only security person at a startup, built programs from scratch, and still has DNS PTSD.
Let’s dive in.
The 2025 Security Priorities: What the Data Says
Here’s what Pulse 2025 respondents said were their top priorities for 2025–2026:
| Rank | Priority | Share of respondents | Typical scope |
|---|---|---|---|
| 🥇 | Detection & Response | 44% | SIEM, SOAR, EDR, logs… |
| 🥈 | Compliance & Certifications | 33% | SOC 2, ISO, etc. |
| 🥉 | AppSec / InfraSec | 43% | SAST/DAST, CNAPP, secrets mgmt |
| 👀 | Access & Auth | 27% | SSO, provisioning, ZTNA… |
| ⚠️ | Risk & Governance | 10% | Policies, process, org changes |
| 📢 | Training / Awareness | 6% | Dev enablement, comms |
| 🧠 | AI & Automation | 10% | Fraud detection, policy tooling |
First: Stop Building Your Program for a SOC 2 That Isn’t Even Signed
Way too many startups (and by startup, I mean a really small but growing company) still treat compliance like a product spec. I get it — the sales team wants the SOC 2 badge to close deals. But let me ask you this:
Do you even have basic monitoring for your admin panel?
Can you revoke a contractor’s access in under 10 minutes?
If the answer is “no” but you're doing a 12-month ISO 27001 prep, you're burning your team out on checkboxes instead of risk.
Start with controls that matter:
Central identity (with SSO)
MFA everywhere
Access reviews (that someone actually reads)
Infra logging that flows into something grep-friendly
Simple secrets scanning in your CI
Most of these won’t show up on a SOC 2 dashboard — but they’re what actually prevent production faceplants.
Want to Be Efficient? Avoid the Tool Soup
The Pulse shows a clear fatigue around security tooling. It’s not about whether you have tools — it’s whether they’re helping or hurting.
💸 1 out of 4 teams are spending more than 10% of their IT budget on security tooling, but many still can’t detect incidents properly or respond fast enough.
You don’t need CNAPP, DLP, and SOAR before you can do basic alerting on prod API abuse.
Here’s the stack I’d start with for a team <50 people:
GitHub + Dependabot + secret scanning
CloudTrail + custom detections for your AWS/org
A basic SIEM (Elastic or even Datadog with alerts)
Uptime monitoring for key surfaces
One security contact form (and someone who reads it)
Everything else is optional until your attack surface grows.
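As an added illustration (not code from the post or from SecAtScale) of the "CloudTrail + custom detections" item above: three small rules run over constructed CloudTrail-style records, assuming the standard `eventName`, `userIdentity` and `additionalEventData.MFAUsed` fields. The sample records are made up for the example, not real account data.

```python
import json

# Constructed CloudTrail-style records (not real data); only the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9"},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "userName": "ci-deploy"}},
]

def rule_console_login_without_mfa(ev):
    # Console sign-in where MFAUsed is anything other than "Yes".
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def rule_root_activity(ev):
    # Any API call made by the account root user.
    return ev.get("userIdentity", {}).get("type") == "Root"

def rule_admin_policy_attached(ev):
    # AdministratorAccess attached to a user, role or group.
    params = ev.get("requestParameters") or {}
    return (ev.get("eventName") in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy")
            and params.get("policyArn", "").endswith("/AdministratorAccess"))

RULES = {
    "console_login_without_mfa": rule_console_login_without_mfa,
    "root_account_activity": rule_root_activity,
    "admin_policy_attached": rule_admin_policy_attached,
}

def run_detections(events):
    """Return (rule_name, actor, eventName) tuples for every rule that fires."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, actor, ev.get("eventName")))
    return findings

if __name__ == "__main__":
    for rule_name, actor, event in run_detections(SAMPLE_EVENTS):
        print(json.dumps({"rule": rule_name, "actor": actor, "event": event}))
```

Each finding is one line of JSON, which is exactly the "grep-friendly" shape a small team can pipe into whatever alerting it already has.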
DevSecOps, but Only on Tuesdays?
Despite all the talk, only ~50% of teams run SAST/DAST on every PR. Half of us are just praying nothing evil slips into the main branch.
Even worse: nearly half of startups don’t do DAST at all.
Let me be blunt:
If you push code without any kind of dynamic test or auth check validation, you’re not doing AppSec. You’re just... hoping.
I’d rather see slow but consistent security checks than some 500k€/year commercial scanner that’s run once a quarter and ignored.
Unsexy ≠ Unimportant
Here’s where I disagree (a little) with the Pulse results.
Only 6% of respondents made developer training and awareness a priority. That’s... wild.
Listen, I’m not saying your team should do a 4-hour GDPR compliance quiz. But a dev who knows:
What a JWT is
How to test for broken access control
Where to find the company’s security contact
...is 10x more useful to your security than any new scanner.
That said — I can’t really blame the CISOs. I’ve been there. At my previous company, we tried. Multiple times. Small-group workshops, fun online platform, you name it. But it’s hard to find the right format — something useful, not too heavy, that doesn't create too much de-focus, that devs like, and not insanely expensive. We never really found the perfect resource that stuck.
If you’re too busy to train your devs? Cool. Just know you’ll spend triple that time later reviewing sloppy PRs and debugging broken AWS permissions.
My 2025 Advice for Startup Security Teams
Hardening beats headlines.
Don’t chase NIS 2 or SOC 2 before you’ve locked down IAM and infra access.
Automate visibility early.
Get alerts on production misuse before you buy a next-gen AI thing. Simple alerts + on-call = actual response.
Build your own “Minimum Viable Security.”
Every org has different needs. Write down your top 5 risks. Now solve for those. That’s your program.
Don’t ship a tool you can’t operate.
Yes, CSPM looks cool in dashboards. But who’s reading the alerts? If it’s just you... don’t deploy it.
Teach developers just enough to break things better.
Good security is a side-effect of good engineering culture. Bonus: fewer late-night pings for “Why is Auth0 denying me?”
Closing Thoughts
Being part of SecAtScale has shown me this: almost nobody feels they’re doing enough. Even big teams feel behind. So if you're a startup wondering where to begin, take a breath.
You don’t need to have it all. You need just enough to make an attacker’s life harder than the next target. And you need people who give a damn. All without impacting business.