In ages past (from 2007 to 2011), I performed security audits for startups (penetration testing, offensive / defensive security, etc.). Since 2015, I have performed more general audits and have audited more than 30 startups. A big part of my experience comes from those previous audits :) The more auditing I do, the better I get at it; I hope to continue doing audits regularly and improve further. In this article, I will share this personal experience.

My domains of expertise are:

I’m focused on looking for red/orange/green flags about:

Who asks me for audits

My services aren’t listed on any website; I only audit startups based on my reputation from previously audited ones (“word of mouth”).

The process

Before starting the audit, I ask the founders to prepare some documents. They will be the basis for discussion during the audit, but they are also documents that should always be kept up to date, as they can easily become the best documentation for new hires, for presenting the company to new VCs, and so on.

Points that should be in the documents:

The most common format of audit is 1 day in the office. I start the audit with the founders, discussing the company’s history, strategy, roadmap, identified strengths, weaknesses and areas of uncertainty. I conduct interviews and dig into specific identified topics. In the process, I go through some general/standard points, and, finally, debrief the founders.

Another format is ½ day by phone/video with the founders and at least 1 tech lead. We focus on fewer topics; this can work when the VCs have already identified the potential dangers.

Sometimes, depending on the context and constraints, I use other formats: 2 days in the office, 3 days in the office, ½ day in the office + ½ day by phone.

The deliverables

During the whole audit, I provide advice to the founders.

After the audit, I send a report to both the founders and the VCs, debrief the VCs, and do some follow-up if needed. This report can also be useful for a new VC round later (and I can debrief it by phone to the new VCs if needed). The report contains:

I plan to write more on this topic, to share some trends and findings I discovered.