
Startup Security Checklist: 50 Controls Before Your First Enterprise Customer

The security baseline that enterprise buyers check before signing. Authentication, encryption, logging, backups, access control, incident response, vendor management, and employee security — all labeled as quick-win or long-term.

August 15, 2025 · 10 min read · ShipSafer Team

Closing your first enterprise deal is a milestone. But before procurement signs off, their security team will review your posture. Whether it arrives as a 200-question vendor questionnaire or a short email asking "do you have SOC 2?", the underlying bar is the same: can we trust you with our data?

This checklist covers the 50 controls enterprise buyers look for. Each item is labeled Quick Win (days to implement) or Long-Term (weeks to months). Start with quick wins while planning the long-term items in parallel.


1. Identity & Authentication

Quick Wins

  • Enable MFA for all internal tools — SSO dashboard, cloud console, GitHub, Slack, billing. No exceptions. [Quick Win]
  • Use a password manager company-wide — 1Password Teams or Bitwarden for Business. Enforce it during onboarding. [Quick Win]
  • Rotate all shared credentials — Shared passwords for social accounts, domain registrar, DNS are common attack surfaces. Rotate and store in the password manager. [Quick Win]
  • Remove former employees immediately — Check your IdP, GitHub org, AWS IAM, Slack, and cloud console. Do it the day they leave. [Quick Win]
  • Enforce strong password policy — Minimum 12 characters, no common passwords. Most IdPs can enforce this automatically. [Quick Win]

Long-Term

  • Implement SSO with SAML or OIDC — Okta, Auth0, or Google Workspace as IdP, then connect all SaaS tools. [Long-Term]
  • Set up SCIM provisioning — Automate employee onboarding and offboarding through your IdP. Eliminates ghost accounts. [Long-Term]
  • Enforce phishing-resistant MFA — Move from SMS/TOTP to hardware keys (YubiKey) or passkeys for admin accounts. [Long-Term]

2. Encryption

Quick Wins

  • TLS everywhere, HTTPS only — Redirect all HTTP to HTTPS. Check every subdomain, including staging. [Quick Win]
  • Use TLS 1.2 minimum, TLS 1.3 preferred — Disable TLS 1.0 and 1.1. Most CDNs and load balancers make this a one-click change. [Quick Win]
  • Enable encryption at rest in your database — AWS RDS, Google Cloud SQL, and MongoDB Atlas all support encryption at rest by default. Verify it's on. [Quick Win]
  • Check your SSL certificate expiry — Automate renewal with Let's Encrypt or your CDN. A cert expiry during a sales process is embarrassing. [Quick Win]

Long-Term

  • Encrypt sensitive fields at the application layer — PII like SSNs, payment card data, or health information should be encrypted before it hits the database. [Long-Term]
  • Implement key management — Use AWS KMS, GCP KMS, or HashiCorp Vault. Never hardcode encryption keys. [Long-Term]

3. Access Control

Quick Wins

  • Apply least privilege everywhere — Developers should not have production database access by default. [Quick Win]
  • Audit your AWS/GCP/Azure IAM roles — Identify and remove overpermissioned roles. Look for * permissions in IAM policies. [Quick Win]
  • Separate production from development — Use separate accounts/projects for prod and dev. Never test in prod. [Quick Win]
  • Remove unused API keys and credentials — Rotate and revoke API keys that haven't been used in 90 days. [Quick Win]
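The "look for * permissions" audit from the list above, as an added example (not ShipSafer's code): it walks the Statement list of an IAM policy document and reports Allow statements whose Action or Resource is a wildcard. The sample policy is constructed for illustration.

```python
"""Flag over-permissive Allow statements in an AWS IAM policy document.

Added example, not ShipSafer's code: the "look for * permissions" check
from the item above, run over a policy that is constructed here.
"""
import json

# Constructed sample policy: one scoped statement, two an auditor should
# flag, and a Deny that must not be reported.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AnyIamAction", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_json):
    """Return [{"sid", "reasons"}] for Allow statements whose Action or Resource is a wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":   # a wildcard Deny narrows access; skip it
            continue
        reasons = []
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            reasons.append("Action allows every API call")
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                reasons.append("Action allows every call in a service: " + ", ".join(service_wide))
        # Only a bare "*" Resource is reported; a "*" inside an ARN path (ReadOneBucket) is scoped.
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource is *")
        if reasons:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"), "reasons": reasons})
    return findings
```

Run it against the policy documents returned by `aws iam get-policy-version` or exported from your IdP; anything it reports is a candidate for tightening.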

Long-Term

  • Implement role-based access control (RBAC) in your product — Customers need to trust that their users can be scoped. [Long-Term]
  • Use just-in-time (JIT) privileged access — Tools like AWS IAM Identity Center or Teleport grant temporary elevated access instead of permanent admin rights. [Long-Term]
  • Set up a privileged access workstation (PAW) — For production deployments, use a dedicated hardened device. [Long-Term]

4. Logging & Monitoring

Quick Wins

  • Enable audit logs in all cloud services — AWS CloudTrail, GCP Audit Logs, Azure Monitor. Turn them on today. [Quick Win]
  • Log authentication events — Every login success, failure, MFA event, and password change should be logged with timestamps and IP addresses. [Quick Win]
  • Set up billing anomaly alerts — A surprise $10k AWS bill is both a financial and security incident. Set a threshold alert. [Quick Win]
  • Forward logs to a SIEM or log aggregator — Even a free Elastic Cloud tier or Logtail is better than logs siloed in each service. [Quick Win]

Long-Term

  • Implement application-level security logging — Log access to sensitive data, permission changes, and administrative actions. [Long-Term]
  • Set up alerting on suspicious events — Multiple failed logins, access from new countries, unusual data export volumes. [Long-Term]
  • Retain logs for 12 months — SOC 2 and many regulations require at least 12 months of log retention. [Long-Term]
  • Conduct quarterly log reviews — Someone should look at the logs, not just collect them. [Long-Term]
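Two of the alert rules named above (repeated failed logins, access from a new country) run over the authentication events the Quick Wins say to log, as an added example that is not ShipSafer's code. The log records are constructed; the "country" field is assumed to be added by a GeoIP lookup at ingestion.

```python
"""Alert on suspicious authentication events in the login logs collected above.

Added example, not ShipSafer's code. The records are constructed JSON lines
with the fields the checklist asks for (timestamp, user, event, source IP)
plus a "country" field assumed to be added by a GeoIP lookup at ingestion.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failed logins from one IP ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

SAMPLE_LOGS = """\
{"ts": "2025-08-15T09:00:00Z", "user": "alice", "event": "login_success", "ip": "203.0.113.5", "country": "US"}
{"ts": "2025-08-15T09:01:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2025-08-15T09:02:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2025-08-15T09:03:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2025-08-15T09:04:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2025-08-15T09:05:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2025-08-15T09:30:00Z", "user": "alice", "event": "login_success", "ip": "192.0.2.77", "country": "BR"}
{"ts": "2025-08-15T09:31:00Z", "user": "bob", "event": "login_failure", "ip": "198.51.100.9", "country": "DE"}
"""


def detect(log_text):
    """Return alert strings in log order; records must be sorted by time."""
    alerts = []
    failures = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    seen_countries = defaultdict(set)  # user -> countries of earlier successful logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["event"] == "login_failure":
            recent = failures[rec["ip"]]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:   # evict failures older than the window
                recent.popleft()
            if len(recent) == FAIL_THRESHOLD:     # fires once, when the count reaches the threshold
                alerts.append(f"{rec['ip']}: {FAIL_THRESHOLD} failed logins within 10 min")
        elif rec["event"] == "login_success":
            known = seen_countries[rec["user"]]
            # A user's first successful login sets the baseline and never alerts.
            if known and rec["country"] not in known:
                alerts.append(f"{rec['user']}: login from new country {rec['country']} ({rec['ip']})")
            known.add(rec["country"])
    return alerts
```

The last failure at 09:31 falls outside the window of the earlier five and does not re-trigger, which is the behaviour you want when the same rule runs continuously in a SIEM.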

5. Backups & Recovery

Quick Wins

  • Enable automated database backups — AWS RDS, MongoDB Atlas, and most managed databases support daily automated backups. Verify they're running. [Quick Win]
  • Test backup restoration — Backups you haven't tested are not backups. Restore a backup to a staging environment this week. [Quick Win]
  • Document your RTO and RPO — Recovery Time Objective and Recovery Point Objective. Knowing these numbers is the first step to meeting them. [Quick Win]

Long-Term

  • Implement point-in-time recovery (PITR) — Goes beyond daily snapshots, enabling recovery to any specific moment. [Long-Term]
  • Back up to a separate region or account — Ransomware can delete backups in the same account. Cross-region or cross-account backups are protected. [Long-Term]
  • Run disaster recovery drills — Annually simulate a full environment loss and recover from scratch. [Long-Term]

6. Vulnerability Management

Quick Wins

  • Run a dependency scan — Use npm audit, pip-audit, or Dependabot to find known CVEs in your dependencies. Fix critical and high severity issues. [Quick Win]
  • Enable Dependabot or Renovate — Automate dependency updates so you're not running three-year-old packages. [Quick Win]
  • Check your security headers — Run your domain through ShipSafer or securityheaders.com. Add Content-Security-Policy, X-Frame-Options, HSTS. [Quick Win]
  • Scan Docker images for vulnerabilities — Trivy or Docker Scout catch vulnerabilities in base images before they reach production. [Quick Win]
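The security-header check described above, as an added example that is neither ShipSafer's nor securityheaders.com's code: it takes a response's headers as a dict and reports missing CSP, missing clickjacking protection, and absent or weak HSTS. Both header sets are constructed; the one-year HSTS threshold is an assumption (it is the minimum the HSTS preload list accepts).

```python
"""Score an HTTP response's security headers as the item above describes.

Added example, not ShipSafer's or securityheaders.com's code. Header
names are case-insensitive in HTTP, so they are lower-cased before the
checks; the two header sets below are constructed.
"""
import re

ONE_YEAR = 31536000   # seconds; assumed threshold, and what the HSTS preload list requires

# Constructed: a typical default deployment with a short HSTS lifetime.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed: the same site after the checklist fixes.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    # Either header stops framing; CSP frame-ancestors supersedes X-Frame-Options.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts)
        if not max_age or int(max_age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")
    return findings
```

Feed it `dict(response.headers)` from any HTTP client to check a live site, including staging subdomains.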

Long-Term

  • Commission an annual penetration test — External web application pentest by a reputable firm. Required for SOC 2 and many enterprise deals. [Long-Term]
  • Implement a vulnerability disclosure policy (VDP) — Publish security.txt and a responsible disclosure process so researchers can report bugs to you. [Long-Term]
  • Build a formal patch management process — Define SLAs: critical patches within 24 hours, high within 7 days, medium within 30 days. [Long-Term]

7. Secrets Management

Quick Wins

  • Rotate any secrets that have ever been in source code — Search GitHub history for API keys, database URLs, private keys. Rotate everything found. [Quick Win]
  • Use environment variables for all secrets — Never hardcode credentials. Use .env files locally and a secrets manager in production. [Quick Win]
  • Enable GitHub secret scanning — GitHub will alert you when secrets are pushed. Enable it on all repositories today. [Quick Win]
  • Add pre-commit hooks for secret detection — detect-secrets or gitleaks as a pre-commit hook catches secrets before they're committed. [Quick Win]

Long-Term

  • Adopt a secrets manager — AWS Secrets Manager, HashiCorp Vault, or Doppler. Centralize all secrets with rotation policies. [Long-Term]
  • Implement automatic secret rotation — Database passwords and API keys should rotate automatically, not when you remember to. [Long-Term]

8. Incident Response

Quick Wins

  • Write a 1-page incident response playbook — Who to call, in what order, for different incident types (data breach, outage, ransomware). [Quick Win]
  • Define your breach notification obligations — Know the GDPR 72-hour rule and applicable US state laws. Have a lawyer review your obligations before you need them. [Quick Win]
  • Create an incident Slack channel — #security-incidents, so you have a coordination point ready before you need it. [Quick Win]

Long-Term

  • Conduct a tabletop exercise — Walk through a simulated breach with your team. What would you do if your database was stolen? [Long-Term]
  • Get cyber insurance — A $1M–$5M policy for a small startup is often under $5k/year and covers breach response costs. [Long-Term]
  • Establish relationships with a breach response firm — Having a retainer with a forensics firm means faster response when it counts. [Long-Term]

9. Employee Security

Quick Wins

  • Run phishing simulations — KnowBe4, Proofpoint, or even a manual test. Know your click rate before attackers do. [Quick Win]
  • Enforce full-disk encryption on laptops — FileVault on Mac, BitLocker on Windows. This is a one-hour project per device. [Quick Win]
  • Create a security onboarding checklist — Every new hire goes through security basics on day one. [Quick Win]
  • Establish a clear screen lock policy — Laptops lock after 5 minutes of inactivity. Enforce it via MDM. [Quick Win]

Long-Term

  • Deploy Mobile Device Management (MDM) — Jamf, Kandji (Mac), or Microsoft Intune. Enforces encryption, screen lock, remote wipe. [Long-Term]
  • Conduct annual security awareness training — Formal, documented training that satisfies SOC 2 and cyber insurance requirements. [Long-Term]
  • Implement Endpoint Detection and Response (EDR) — CrowdStrike Falcon Go or SentinelOne for startups. Detects malware that antivirus misses. [Long-Term]

10. Vendor & Third-Party Risk

Quick Wins

  • Create a list of all SaaS tools with access to customer data — Your subprocessors list. You'll need this for GDPR, SOC 2, and customer questionnaires. [Quick Win]
  • Review the top 5 vendors' security pages — Check if Stripe, AWS, Intercom, and your other critical vendors have SOC 2 reports available. [Quick Win]
  • Sign DPAs with all data processors — GDPR requires Data Processing Agreements with every vendor that processes EU personal data. [Quick Win]

Long-Term

  • Build a formal vendor review process — Require SOC 2 or ISO 27001 from vendors with access to sensitive data before onboarding. [Long-Term]
  • Conduct annual vendor reviews — Re-evaluate vendors yearly. Access creep and vendor security lapses are common. [Long-Term]

Prioritization: Where to Start

If you have one sprint, tackle these first:

Priority  Item
1         MFA on all internal tools
2         Remove departed employee access
3         HTTPS everywhere + security headers
4         Enable automated database backups
5         Rotate secrets found in source code
6         Enable dependency scanning
7         Full-disk encryption on all laptops
8         Write a 1-page incident response plan
9         Create subprocessors list for GDPR
10        Sign DPAs with data processors

Completing the quick wins on this list will satisfy the baseline bar for most enterprise procurement teams and get you through the majority of vendor security questionnaire questions. The long-term items build toward SOC 2 readiness, which is the gold standard for US enterprise deals.
