Engineering

The $0 security stack

Maya Kaczorowski

CEO / Founder

In building a tool that determines what access is allowed in your environment and which integrates with your most sensitive internal systems (your identity provider and your HRIS), we have to care about security. Not just because we like it, and not just for compliance, though compliance is often the motivation to get started with security.

For many SaaS tools, the security features you need (like SSO, SCIM, or audit logs) are often on the highest price tier, because they’re "enterprise" features. You need to pay for security features — but in recent years, there’s been a different approach with security vendors. Between open source and product-led growth, security doesn’t have to cost a lot. In fact, for a team like ours, it costs nothing.

We just completed our first SOC2 audit period, and as part of that, we set up our initial security stack. We’ve set up literally world-class security tools, without it costing us a cent.

Here’s our $0 security stack.

Semgrep for SAST and SCA

We use Semgrep for code analysis and supply chain analysis (CC8.1). It’s free for up to 10 contributors, so it’s free for us. It’s made some valuable suggestions, such as forcing a higher minimum version of TLS or using a different library. Its AI-based triage automatically marks findings as false positives based on context in the codebase, and deprioritizes findings in dependencies that aren’t reachable.

TruffleHog for secret scanning

We use TruffleHog to make sure we don’t accidentally leak secrets. We initially ran the open source GitHub Action on every commit, but now we run it daily to verify we haven’t regressed. It hasn’t caught anything, which is a good thing!
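As an added example (not the author’s actual configuration), here is a GitHub Actions workflow covering both setups described above: a scan of the pushed commits on every push, and a daily full-history scan to check for regressions. The action inputs follow the TruffleHog action’s README; the cron time is a constructed value.

```yaml
# Added example, not Oblique's own workflow. Runs the open source TruffleHog
# GitHub Action two ways: on every push (only the commits ahead of the default
# branch) and once a day over the full repository history, so a secret that
# became verifiable after it was committed still gets flagged.
name: secret-scan

on:
  push:
  schedule:
    - cron: "0 6 * * *"   # daily at 06:00 UTC (constructed value)

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history, needed for both scan modes

      # On push: scan commits between the default branch and HEAD
      # (the base/head pattern from the action's README).
      - name: Scan pushed commits
        if: github.event_name == 'push'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --results=verified   # only report verified secrets

      # On schedule: no base/head, so the whole history is scanned
      # (assumption: this is how the action selects a full scan).
      - name: Daily full-history scan
        if: github.event_name == 'schedule'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --results=verified
```

The action fails the job when a verified secret is found, so a failed scheduled run is the signal that something regressed.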

RunReveal for SIEM

We use RunReveal as our SIEM, which ingests logs from our infrastructure (GCP, Cloudflare, and GitHub). Once we set up log streaming, we turned on the built-in detections (CC7.2) and routed alerts to a private #siem Slack channel. RunReveal’s Community tier supports 5 data sources and generous retention. It found some misconfigurations we had in the first 24h, but since then the only time it’s gone off was over the holidays, when it thought our log streaming was broken since no one was deploying 😂.

Sublime Security for email security

We connected Sublime Security to our Google Workspace, and have it send alerts to the #siem Slack channel as well. Their Core tier is free for up to 100 mailboxes.

We assume that phishing attempts (which we absolutely get sent) will occasionally succeed, and so rely on SSO and/or MFA across all systems to limit the damage of a single click, but also use email security tools to flag and mitigate suspicious emails as an additional defense. I strongly prefer this to doing phishing simulations (which might get brought up in CC2.2), which we know don’t work.

Sublime detects more than Google out of the box, but we still get a lot more false positives than ideal, so we are now testing out another solution in parallel.

Apple Business for MDM (now free)

Unfortunately, I lied: there is one security tool we paid for, an MDM. (Everyone else, please don’t charge me!) It may seem crazy to have an MDM at a company our size, but… try deploying one later and you’ll regret it. (And I refuse to deploy a compliance vendor’s osquery shim with no enforcement. If that’s the solution, then we could just deploy osquery ourselves… which also does not spark joy.)

We use Apple Business (formerly Apple Business Essentials) to enforce disk encryption (CC6.7), password lock (CC6.1), and forced updates (CC7.1) — and to share WiFi creds. (Note that Mac devices have XProtect anti-malware (CC6.8), and it can’t be disabled.) It was already less than the cost of Notion… and now it’s free.

As a founder, I get it — every dollar matters. But if you're already paying for compliance, the incremental cost of doing security correctly is smaller than you think. "We can't afford security" is almost never true in 2026, even if you’re a startup. There's more excellent, free tooling than you realize. You just have to look.

(Also, it’s not lost on me that we don’t have a free tier of Oblique yet for access requests and access reviews (CC6.2, CC6.3). Give us a bit more time.)
