How to Build a Security Budget When You Have No Security Team

A founder asked us recently: "How much should we spend on security?" The honest answer is: it depends on your stage, your data, and your customers. But that is not helpful. So here is a framework with actual numbers.

Pre-seed to seed (1-15 employees, pre-revenue to $1M ARR)

Budget: $500-$2,000/month.

At this stage, security is about hygiene, not infrastructure. Spend money on:

  • Password manager: 1Password or Bitwarden for the team. $5-$8/user/month. This eliminates password reuse, which is the single most common attack vector for startups.
  • MFA everywhere: Free with most tools. Enforce it on email, cloud provider, GitHub, and any system with access to customer data.
  • Endpoint protection: CrowdStrike Falcon Go or SentinelOne. $5-$10/endpoint/month. Covers laptop security for the team.
  • SSL/TLS: Free with Let's Encrypt or included with your CDN. No excuse for not having HTTPS everywhere.
  • Automated vulnerability scanning: Snyk free tier for code dependencies. AWS Inspector free tier for infrastructure.

Total: $500-$1,500/month. This covers the basics and prevents the most common attacks.

Post-seed to Series A (15-50 employees, $1M-$10M ARR)

Budget: $3,000-$10,000/month.

At this stage, enterprise customers start asking for SOC 2, and your attack surface has grown. Add:

  • Compliance automation: Vanta, Drata, or Secureframe. $10,000-$20,000/year. This is your SOC 2 engine.
  • Virtual CISO: $3,000-$8,000/month. They set security strategy, manage compliance, and handle security questionnaires.
  • SSO: Okta or Google Workspace with SSO. $5-$15/user/month. Centralizes access management.
  • Penetration testing: Annual pentest by a reputable firm. $10,000-$25,000/engagement. Required for SOC 2 and most enterprise security reviews.
  • Security awareness training: KnowBe4 or similar. $2-$5/user/month. Covers phishing simulations and compliance training.

Series A to Series B (50-200 employees, $10M-$50M ARR)

Budget: $15,000-$40,000/month.

At this scale, you are either building an in-house security team or deeply investing in outsourced security services. Add:

  • First security hire: $150,000-$220,000/year. This person implements security controls, runs the vulnerability management program, and handles day-to-day security operations.
  • SIEM/log management: Datadog Security, Elastic Security, or Panther. $1,000-$5,000/month. Centralized security event monitoring.
  • Bug bounty program: HackerOne or Bugcrowd managed program. $2,000-$5,000/month platform fee plus bounty payouts.
  • DLP (Data Loss Prevention): Prevent sensitive data from leaking through email, cloud storage, or code repositories.

The rule of thumb

Spend 5-10% of your engineering budget on security. If your engineering team costs $1M/year, your security budget should be $50,000-$100,000/year. This percentage tends to decrease at scale because security tooling costs do not grow linearly with team size.

The most important thing is not the exact number. It is having a security budget at all. Most startups spend exactly $0 on security until an enterprise customer requires SOC 2 or a security incident forces their hand. By then, they are playing catch-up and spending 3x what they would have if they had started earlier.

Need help building your security budget?

traztech helps startups allocate security budgets based on their stage, risk profile, and customer requirements. We make sure every dollar goes toward reducing real risk.

Book a free strategy call

Not ready for a call? Same.

Get the playbook, not a sales pitch

If this was useful, Jacob sends a few short, practical notes on locking down your startup without a big security team. No fluff, unsubscribe in one click. Just reply if you want to talk; it reaches him directly.

From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.

Need help with any of this?

We help startups build secure, scalable infrastructure. Book a free strategy call and let's talk about your stack.

Book a free consultation