An honest list of where startup security hours actually go:
⌛️ Exporting CSVs from four different tools and cross-referencing them in a master spreadsheet.
⌛️ Tuning alert rules to filter out the same false positives you filtered out last month.
⌛️ Retroactively producing audit evidence for processes the team is already doing.
⌛️ Filling out 300-row security questionnaires from enterprise prospects.
⌛️ Babysitting tools.
Based on his experiences as a startup CTO, our co-founder Tim wrote a field guide on what to do about all of it.
https://t.co/t0Cy0TIMU4
There's a name for the stack most startups assemble to get to SOC 2.
The duct-tape stack.
A free vulnerability scanner. The GRC platform. GitHub built-ins. A CSPM tool you bought separately. Endpoint coverage from somewhere else. Alerts forwarding to Slack. The weekend audit-prep ritual.
It works. It got you here.
The trouble is what's underneath: every sprint, your team is making invisible trade-offs to keep it running.
Fencer is full-stack security for startups. One platform, built for the stage you're at, and the next.
https://t.co/kFB9OopNc7
"As CTO, you're the de facto CISO until you're big enough to hire one, whether you like it or not."
From the intro of Tim's new startup security field guide.
He's been in that seat: he was CTO of Zenput before he co-founded Fencer, and he built the security program, ran SOC 2, and figured out the operations himself.
His guide is for the CTO who's running security on top of everything else.
https://t.co/t0Cy0TJkJC
Free SAST tool.
Dependabot.
GitHub Advanced Security.
The GRC platform you bought for SOC 2.
A separate CSPM.
Endpoint coverage from a different vendor.
Alerts forwarding through Slack.
The weekend audit-prep ritual.
If this is your stack, you're not alone. And you've probably outgrown it.
https://t.co/kFB9OopNc7
When 90% of your security hours go into deciding what to fix rather than fixing it, your stack is generating work, not finishing it.
Here are four signs your startup's security stack has hit its limit.
https://t.co/wYYPKtUikI
Engineering capacity at a startup is finite. Security is one of the things asking for a piece of it.
Here's Tim Olshansky on how to stop running security as a parallel program to product and start budgeting it as part of engineering capacity instead:
https://t.co/X6xvNjoGiV
New: a field guide on running security at a startup, from someone who lived it.
Our co-founder @timolsh was a CTO at a startup before he built Fencer. He built and ran the security program himself. Led the company through SOC 2 with no security team to hand it to.
He wrote down what he wishes someone had handed him then.
Startup Security: A Field Guide for CTOs covers:
👉 When security stops being a "someday" problem
👉 Where your hours actually go when you're the one doing the work
👉 What to put in place first
👉 How to run security operations without burning out the team
👉 Considerations for startups in the AI era
Read it here: https://t.co/t0Cy0TIMU4
The best time to get security right at a startup is when you have 10 employees, one cloud account, and nothing complicated yet. Most teams wait until they have 50 and a mess to untangle.
Here's what to do when you have 10 employees: https://t.co/3CbFsjXb3j
88% of attacks against web applications start with stolen credentials. Not a zero-day. Not a sophisticated exploit. A login.
The five biggest security risks for B2B SaaS companies are all this preventable.
We broke down all five with the stats and what to do about each: https://t.co/92z0SKA5R7
Trivy, LiteLLM, now Axios. Damn malware is hitting hard and fast now. A few small shifts that close most of the security gap:
* Add a 3–7 day delay on new package versions with package cooldowns (minimumReleaseAge)
* Disable install scripts (--ignore-scripts)
* Only install from lockfiles (--frozen-lockfile)
* Upgrade on a schedule, not on deploy
Attackers rely on speed. You don’t have to.
If you were impacted by the recent Delve issues and want to harden your security posture, we (@fencer_security) will be happy to help you out.
For anyone that signs up in the next two weeks, we will give you 15% off an annual subscription and provide white glove onboarding ourselves. This will include our full platform of code, infrastructure, runtime protection, static code analysis (SAST), dynamic application security testing (DAST), identity management and SIEM.
We typically work with software companies between 20 and 500 employees.
While we don’t ourselves do the compliance part, we integrate with many of the large vendors in the industry (Vanta, Drata, etc.)
Feel free to DM me or comment below.
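The package cooldown from the list above is easy to reason about once you see the selection rule written out. The following is an added illustration, not code from the posts above or from Fencer: it takes the `time` map a registry returns for a package (the shape `npm view <pkg> time --json` prints; the versions and timestamps here are constructed), picks the newest version that has been published for at least the configured number of days, and emits the hardened package-manager settings the post recommends. It assumes pnpm's `minimumReleaseAge` setting is expressed in minutes and that `ignore-scripts` and `frozen-lockfile` are accepted as `.npmrc` keys; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry "time" map for one package. The last
# version landed only hours before "now": exactly the release a cooldown
# is meant to keep out of an automated install.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2024-06-02T08:30:00.000Z",
    "1.4.0": "2024-01-10T09:00:00.000Z",
    "1.4.1": "2024-03-15T14:20:00.000Z",
    "1.5.0": "2024-05-30T16:00:00.000Z",
    "1.5.1": "2024-06-02T08:30:00.000Z",
}

# Constructed "current time" so the example is deterministic offline.
SAMPLE_NOW = datetime(2024, 6, 3, 0, 0, tzinfo=timezone.utc)

# Registry-level keys that are not version numbers.
_NON_VERSION_KEYS = {"created", "modified"}


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps registries publish into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version: str):
    """Sort key for dotted versions; non-numeric parts sort after numeric ones."""
    parts = []
    for piece in version.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def eligible_versions(time_map: dict, now: datetime, min_age_days: int) -> list:
    """Return versions published at least min_age_days before now, oldest first."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted(
        (v for v, ts in time_map.items()
         if v not in _NON_VERSION_KEYS and _parse_ts(ts) <= cutoff),
        key=_version_key,
    )


def pick_version(time_map: dict, now: datetime, min_age_days: int):
    """Newest version that has survived the cooldown, or None if nothing qualifies."""
    candidates = eligible_versions(time_map, now, min_age_days)
    return candidates[-1] if candidates else None


def hardened_settings(min_age_days: int) -> dict:
    """Config fragments that encode the four recommendations as defaults.

    Returns the .npmrc lines and the pnpm-workspace.yaml key so the cooldown
    is enforced by the package manager, not by someone remembering a flag.
    """
    minutes = min_age_days * 24 * 60
    return {
        ".npmrc": "\n".join([
            "ignore-scripts=true",      # never run install hooks from dependencies
            "frozen-lockfile=true",     # install exactly what the lockfile pins
            f"minimum-release-age={minutes}",
        ]),
        "pnpm-workspace.yaml": f"minimumReleaseAge: {minutes}\n",
    }


if __name__ == "__main__":
    for days in (0, 3, 7):
        print(f"cooldown {days}d -> install {pick_version(SAMPLE_TIME, SAMPLE_NOW, days)}")
    print(hardened_settings(7)[".npmrc"])
```

With a seven-day cooldown the hours-old `1.5.1` and the four-day-old `1.5.0` are both skipped and `1.4.1` is chosen; with no cooldown the freshest release wins, which is the behaviour the post is warning against. Upgrading on a schedule then means re-running the selection on a cadence you control rather than at deploy time.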
@watchdutyapp serves millions of people during active wildfires. That kind of public visibility comes with real threats like phishing campaigns, fake apps, and domain squatting, on top of the compliance pressure that comes with landing enterprise customers.
When their CTO David Merritt started the SOC 2 journey, they had four engineers.
He didn't need a security program built for a thousand-person org. He needed something that could grow with them without burying them.
Shortly after rolling out @fencer_security, Watch Duty identified and fixed multiple critical vulnerabilities before they could be exploited. Security ownership spread across the team. Audit requirements got knocked out automatically.
"Fencer gives us peace of mind that we're providing a strong security posture for our customers."
https://t.co/89zZsm7I7L
Wrapped up an interview on Monday with @joshuahlipton on @YahooFinance about current cyber risks.
Wanted to share my three key takeaways for execs (and board members if they feel like reading it : )
1️⃣ Iranian retaliation backed by state actors, hacktivists, North Korean and Chinese groups is now the top risk for U.S. companies. Most organizations remain reactive, only hardening perimeters, networks, apps, and identity after an incident.
2️⃣ Attacks will target three layers: defense and military systems, critical infrastructure (power, water, airports, transport), and everyday corporations. Independent hacktivists add further unpredictability.
3️⃣ AI is accelerating offensive threats, letting attackers deploy hundreds or thousands of agents to probe environments simultaneously and find hidden flaws. The good news: AI can also strengthen defenses when applied strategically.
Bottom line: Security can no longer be treated as optional insurance. Prioritize code security, network/application protection, and especially identity management today.
Full interview here 👇
https://t.co/3wFv2M3Nl5
When @timolsh and I decided to start building again, we made one non-negotiable rule: This time, it had to be a truly massive market.
Zenput taught us that lesson the hard way. We built a great vertical SaaS business, but over time it became clear we were fighting in a ~$50M market for our core product.
So we created a simple two-pronged framework for picking any new market:
1️⃣) Whatever we build must be the single most important decision on the buyer’s plate. The one they can’t afford to get wrong right now.
2️⃣) We had to believe the business could realistically go from $0 to $100M in revenue in under 5 years.
Why these two criteria?
If you’re not solving their #1 priority, you have almost zero pricing power. Companies will happily spend millions on infrastructure, CRM, or security, but with thousands of project management tools out there, no one is paying premium prices for “just another one.”
And even if you’re critical in a small market, it’s not enough. ERP systems sit in a giant TAM, but they move so slowly that scaling from $0 to $100M in <5 years is basically impossible.
That framework is exactly how we landed on cybersecurity, a $250B+ annual spend market, and specifically on what we’re building at @fencer_security, informed by our own experience scaling tech companies from the inside.