Latacora is not a great fit for every startup. We take on just a few clients, and work with them for a long time. We try to be careful about who we work with.

We work best with companies that:

Need a full-time security team.

Most startups don't. That's a good thing. If that's you, enjoy it while you can!

Some signs you might need full-time security:

  1. Your customers are demanding security assurance as a condition of doing business.
  2. You're burning so much time securing systems and code that your engineers are having trouble getting features done.

An acid test: we don't work much longer than 5-6 quarters with anyone. When we're done, we'll need to hand the security practice over to someone. Are you ~18 months from hiring that person?

Are technology-driven.

We're software security people. If your company doesn't do much software development, we're not a great fit.

We do the "boring" policy and controls stuff, too; we own the whole security practice. But to get value out of us, your company should be ready to deploy code to solve problems.

Can give us commit privileges.

We're not just security consultants. We fix things and build security features.

We don't need your AWS root account or admin on all your systems. In-house security teams don't have that access all the time either!

But to really benefit from what we're doing, you want to be ready to treat us like you would full-time members of your team. Any access you'd give to a senior engineer, you should be prepared to give us.