How I Audit Startups 🚀👀

§Introduction

In ages past (from 2007 to 2011), I performed startups security audits (penetration testing, offensive / defensive security, etc). Since 2015, I perform more general audits and audited more than 30 startups. A big part of my experience is due to do previous audits :) The more auditing I do, the better I’m at it; I hope to continue doing audits regularly and improve further. In this article, I will share this personal experience.

My domains of expertise are:

• Scaling teams from less than 10 people to more than 100
• Scaling apps and hostings
• Improving the developers’ efficiency with processes and tools
• Avoiding common and less common mistakes
• Identifying weaknesses and set up plans to keep them under control
• Identifying recruitment needs
• Helping to set up tech/human strategies
• Giving a list of pieces of advice and coach the founders
• Helping set up better communication between tech/non-tech, especially when the founders are non-tech
• Identifying the current employees’ strengths/weaknesses and help them take a fitting role

I’m focused on looking for red/orange/green flags about:

• Maturity and scalability of the organization
• The intrinsic value of the technology
• Pieces of advice & recommendations about actions to take quickly

§Who asks me for audits

• Venture capital financing companies that request “due diligence” before a money raise:
  • When the investment is huge, over 10 million
  • When VCs have specific uncertainties (though it’s rare)
  • When the topic is ultra-competitive
  • When the technical challenges are important
  • When they want me to coach the founders
• Startups that have one or more topics to address
• Previously audited startups that want a follow-up check or have changed enough to have a new range of topics. The most common case is a startup I audited when there were less than 10 people and that grew to have over 50 people; now they’ve got new problems to address.

My services aren’t listed on any website, I only audit startups based on my reputation from previously audited ones (“word of mouth”).

§The process

Before starting the audit, I ask the founders to prepare some documents. They will be the base for discussion during the audit, but they are also documents that should always be maintained up to date, as they can easily become the best documentation for new hires, to present their company to new VCs and so on.

Points that should be in the documents:

• Platform description (list of functionalities, list of apps, list of services, list of websites, list of processes)
• Development history (the beginning, big refactors, big changes, big milestones)
• Development of current tasks + future roadmap
• Organization history (at least in the tech team): (hires, fires, leaves, current hierarchy)
• Organization future plan (recruitments, role changes, hierarchy changes)
• External dependencies: SaaS, tools, vendors, etc
• Some metrics (users, activities, load, database sizes etc)

The most common format of auditing is 1 day in the office. I start the audit with the founders, speak about history, strategy, roadmap, identified strengths, weaknesses, areas of uncertainties. I conduct interviews and do the digging on specific identified topics. In the process, I enumerate some general/standard points, and, finally, debrief the founders.

Another format is ½ day by phone/video with the founders and at least 1 tech lead. We focus on fewer topics; this can work when the VCs have already identified the potential dangers.

Sometimes, depending on the context and constraints, I utilize other formats: 2 days in the office, 3 days in the office, ½ day in the office + ½ day by phone.

§The deliverables

During the whole audit, I provide advice to the founders.

After the audit, I send a report to both the founders and the VCs, debrief the VCs, and do some follow-up if needed. This report can also be useful for a new VC round later (and I can debrief it by phone to the new VCs if needed). The report contains:

• A list of red flags to prioritize in the roadmap or be the reasons for a small pivot
• Orange flags that should be prioritized or kept under the radar
• Green flags that should stay competitive advantages
• Pieces of advice & suggestions

I plan to write more on this topic, to share some trends and findings I discovered.