Security on a Bootstrap Budget: What to Prioritize When You Cannot Afford Everything

A priority ladder for bootstrap founders: free security tools at $0, automated scanning at $100, professional Quick Audit at $1,500 CAD when you have revenue, and a full penetration test at $5,000 before fundraising. Genuinely helpful at every budget level with no hard sell.

You Cannot Afford Everything. That Is Fine.

Security is not all or nothing. You do not need to spend $50,000 on a SOC 2 audit when you have 12 users and $200 in monthly revenue. That would be absurd.

But doing nothing is also not an option. The moment you have real users, you have real responsibility.

Here is the honest truth: you can get meaningful security at every budget level. This guide walks you through what to do at each stage of your bootstrap journey. Start where you are. Level up when you can.

Level 1: $0 - The Free Tier

You are pre-revenue or barely revenue. Every dollar matters. Good news: the best time to learn security basics is when your app is small.

Hack your own website

Our free hack tool scans your site for exposed secrets, missing headers and common misconfigurations. Takes 30 seconds. No signup required. No email capture. Just a scan.

Run the security checklist

The solopreneur security checklist covers 10 things you can check in an afternoon. HTTPS, password hashing, API key storage, rate limiting, input validation. Each item has a how-to guide.

Read your framework's security docs

Next.js, Django, Laravel, Rails. Every major framework has a security guide. It takes 30 minutes to read. It covers the defaults that are on (good) and the protections you need to enable manually (often missed).

Enable MFA on everything you own

Your hosting account. Your domain registrar. Your database provider. Your payment processor. Your email. Turn on two-factor authentication everywhere. This is free and prevents the most common account takeover attacks.

What this catches

Exposed secrets, missing HTTPS, plaintext passwords, basic misconfigurations. About 30% of the vulnerabilities we find in professional audits.

Level 2: $0-100 - Automated Tools

You have some revenue. Maybe $500 a month. You can afford a few tools but not a consultant.

OWASP ZAP

Free and open source. ZAP is a web application scanner that crawls your app and tests for common vulnerabilities. It finds SQL injection, cross-site scripting, missing headers and insecure cookies. Download it, point it at your staging environment and run a full scan. Fix everything marked high or medium.

npm audit / pip-audit / bundler-audit

Free, and run from the same command line as your package manager. Run it every week. It checks your dependencies for known vulnerabilities. Fix anything critical. Set up a GitHub Action to run it automatically on every push so a new advisory is caught without anyone remembering to check.

Mozilla Observatory

Free. Scans your site's HTTP headers and gives you a grade. It checks for HTTPS, Content Security Policy, HSTS, X-Frame-Options and other header-based protections. Aim for a B+ or better.
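As an added illustration of the header-based checks Observatory grades (not Sherlock Forensics' or Observatory's own code), the Python below runs the same kind of checks locally over a captured response; the HSTS threshold and both header sets are constructed assumptions.

```python
"""Local checks for the header protections the text names. Added example; the
threshold and the two constructed header sets below are assumptions."""

# Assumed threshold; Observatory's real scoring is finer-grained than this.
MIN_HSTS_MAX_AGE = 15552000  # 180 days

def _directives(value: str) -> dict:
    # Turn 'max-age=31536000; includeSubDomains' into a lowercase-keyed dict.
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def check_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = _directives(h.get("strict-transport-security", ""))
    if "max-age" not in hsts:
        findings.append("HSTS missing")
    elif not hsts["max-age"].isdigit() or int(hsts["max-age"]) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline'")
    # Clickjacking defence can come from either header.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    # Simplification: one Set-Cookie header; real responses may carry several.
    if "set-cookie" in h and "secure" not in h["set-cookie"].lower():
        findings.append("session cookie lacks Secure flag")
    return findings

# Constructed: a default framework deployment before hardening.
WEAK = {"Content-Type": "text/html", "Set-Cookie": "session=abc; HttpOnly"}
# Constructed: the same site after the header fixes.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc; Secure; HttpOnly; SameSite=Lax",
}
```

Running `check_headers(WEAK)` lists six findings, while `check_headers(HARDENED)` returns an empty list.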

GitHub secret scanning

Free for public repos. Scans your code for accidentally committed API keys, passwords and tokens. Enable it in your repository settings. Consider using gitleaks as a pre-commit hook for private repos.

What this catches

Known dependency vulnerabilities, common web application flaws, header misconfigurations, exposed secrets in code. About 50% of what a professional audit finds. The other 50% is business logic, authorization and payment flow issues that automated tools cannot test.

Level 3: $1,500 CAD - Quick Audit

You have revenue. Real users. Maybe you are approaching $2,000-3,000 a month. You can justify the investment.

This is where the Quick Audit from Sherlock Forensics fits. A human security professional reviews your entire application. They test authentication, authorization, payment flows, data storage, API security and configuration.

What a human finds that tools miss

Broken authorization. User A can see User B's data by changing an ID in the URL. No automated tool catches this because it requires understanding what the app is supposed to do.

Payment flow abuse. Someone can modify the price on the client side, replay a payment or access premium features without paying. This requires manual testing of the actual payment integration.

Session management issues. Sessions that do not expire, tokens that can be predicted, missing logout functionality. These require human judgment to identify and exploit.

Business logic flaws. Privilege escalation, workflow bypasses, race conditions. These are specific to your application and invisible to scanners.
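To make the first two items above concrete, here is an added Python example (not code from Sherlock Forensics or the Quick Audit) showing the broken-authorization and client-side price patterns beside their fixes, plus a replay check for the payment event; the invoice records, catalogue and event id are constructed.

```python
"""Two flaws a scanner reports as healthy 200 responses: an object lookup with
no ownership check, and a checkout that trusts a client-sent price. Added example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int

class Forbidden(Exception):
    """The caller may not see the requested object."""

# Constructed stand-ins for the invoice table and the product catalogue.
INVOICES = {
    1: Invoice(1, owner_id=100, amount_cents=4900),
    2: Invoice(2, owner_id=200, amount_cents=12000),
}
CATALOGUE = {"pro_monthly": 2900, "team_monthly": 9900}
PROCESSED_EVENTS = set()  # payment events already acted on

def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    # Returns whatever ID the URL names: user 100 reads user 200's invoice by
    # changing /invoices/1 to /invoices/2. The scanner only sees a valid page.
    return INVOICES[invoice_id]

def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # One answer for "does not exist" and "not yours", so IDs cannot be enumerated.
    if inv is None or inv.owner_id != current_user_id:
        raise Forbidden("invoice not found")
    return inv

def charge_vulnerable(form: dict) -> int:
    # Trusts the price posted by the browser; 2900 can be edited to 1 in devtools.
    return int(form["price_cents"])

def charge_fixed(form: dict) -> int:
    # The client names the plan; the server decides what it costs.
    if form.get("plan") not in CATALOGUE:
        raise ValueError("unknown plan")
    return CATALOGUE[form["plan"]]

def grant_access_on_payment(event_id: str) -> bool:
    # Replay defence: a payment event unlocks access once, even if posted twice.
    if event_id in PROCESSED_EVENTS:
        return False
    PROCESSED_EVENTS.add(event_id)
    return True
```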

When to pull the trigger

When any of these are true: you process payments, you store personal data, you have more than 100 users, or you are about to do a big launch. The $1,500 is less than what most founders spend on design tools in a year.

What you get

A plain-English report listing every vulnerability, ranked by severity, with step-by-step fix instructions. Five-day turnaround. No 80-page PDF of jargon.

Level 4: $5,000+ - Full Penetration Test

You are raising money. Or you have a large user base. Or a compliance requirement. Or an enterprise customer asking for a security report.

A full penetration test goes deeper than a quick audit. It covers internal infrastructure, more extensive API testing, social engineering vectors and longer testing windows. This is what investors and enterprise customers expect to see.

When you need this

Pre-fundraising. Investors doing technical due diligence will ask for an independent security assessment. Having one ready shows maturity.

Enterprise sales. Your first enterprise customer will send a security questionnaire. A recent pentest report answers most of their questions.

Compliance. SOC 2, PCI DSS and other frameworks require periodic penetration testing from a qualified firm.

Post-incident. If you had a security incident, a full pentest identifies the root cause and any other vulnerabilities that need attention.

The Priority Order

If you are reading this and feeling overwhelmed, here is the short version.

Today: Enable MFA everywhere. Run the free checklist. Scan your site with our free tool.

This week: Run npm audit. Fix critical findings. Download OWASP ZAP and scan your staging environment.

When you hit revenue: Get a Quick Audit for $1,500 CAD. A human reviews your app and gives you a fix list.

Before you raise: Get a full penetration test. Show investors you take security seriously.

Every level builds on the one before it. You do not need to jump to Level 4 on day one. Start where you are. Do what you can. Level up when it makes sense.

The worst thing you can do is nothing.