Need a full-time security team.
Most startups don't. That's a good thing. If that's you, enjoy it while you can!
Some signs you might need full-time security:
An acid test: we don't work much longer than 5-6 quarters with anyone. When we're done, we'll need to hand the security practice over to someone. Are you ~18 months from hiring that person?
We're software security people. If your company doesn't do much software development, we're not a great fit.
We do the "boring" policy and controls stuff, too; we own the whole security practice. But to get value out of us, your company should be ready to deploy code to solve problems.
Can give us commit privileges.
We're not just security consultants. We fix things and build security features.
We don't need your AWS root account or admin on all your systems. In-house security teams don't have that access all the time either!
But to really benefit from what we're doing, you want to be ready to treat us like you would full-time members of your team. Any access you'd give to a senior engineer, you should be prepared to give us.