3 AI Startups. 3 Retainers. 1 Month.
Since launching the retainer, I’ve started working with a handful of early-stage AI companies.
Here’s what we found in month one for three of them.
No zero-days. No nation-state actors. Just simple governance gaps that would have become expensive problems.
The setup: An AI agent that handles customer support tickets. Integrates with Zendesk. Has access to conversation history and customer email addresses.
The fix: Added tool call boundaries and output filtering. Cost: 2 hours of dev time.
What they saved: Potential GDPR fine (~€20k+), customer trust, and the cost of breach disclosure.
“I thought we were safe because we use Claude. Turns out the model isn’t the problem. The prompt is.”
The setup: A Telegram-based trading bot. Executes trades via API. Holds access to a wallet with ~$50k in user funds.
The fix: Moved keys to a secrets manager with per-call scoping. Added tool allowlisting.
What they saved: His entire wallet and user funds. ~$50k+.
“I didn’t even know the agent could read its own environment. That’s terrifying in retrospect.”
The setup: An agent that reads academic papers, summarizes findings, and stores them in a Notion database.
The fix: Locked the prompt to a version-controlled, read-only source.
What they saved: Weeks of “why is my agent acting weird” debugging and potential data exfiltration.
“We assumed the prompt was immutable. Never occurred to us to test that assumption.”
The Pattern
None of these were complex zero-days. None required nation-state resources.
They were simple governance gaps:
- No tool call boundaries
- API keys in the wrong place
- Mutable system prompts
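The three fixes above (tool call boundaries with output filtering, per-call scoped secrets with tool allowlisting, and a pinned read-only system prompt) share one shape: a gateway sits between the model and everything the model can touch. The following is an added example written for this post, not code from the retainer or from any of the three startups. The tool names, the ticket text, the Zendesk token placeholder and the `SecretBroker` stand-in for a secrets manager are all constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed example: a minimal gateway between an LLM agent and its tools.
# Tool names, ticket text and the token placeholder are made up for illustration.

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

SYSTEM_PROMPT = "You are a support assistant. Answer only from the ticket provided."
# In production this hash is recorded at deploy time from the version-controlled
# prompt file; it is computed inline here only so the example runs stand-alone.
SYSTEM_PROMPT_SHA256 = hashlib.sha256(SYSTEM_PROMPT.encode()).hexdigest()


class PolicyViolation(Exception):
    """Raised whenever the agent asks for something the gateway does not permit."""


def prompt_matches_pin(prompt: str, expected_sha256: str = SYSTEM_PROMPT_SHA256) -> bool:
    """True only if the prompt about to be used is byte-identical to the pinned copy."""
    return hashlib.sha256(prompt.encode()).hexdigest() == expected_sha256


def verify_prompt(prompt: str) -> str:
    """Refuse to run at all if the system prompt drifted from the pinned version."""
    if not prompt_matches_pin(prompt):
        raise PolicyViolation("system prompt does not match the pinned hash")
    return prompt


def redact(text: str) -> str:
    """Output filter: strip email addresses before anything leaves a tool call."""
    return EMAIL_RE.sub("[email redacted]", text)


class SecretBroker:
    """Stand-in for a secrets manager: one credential per tool, never in the agent's env."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)

    def credential_for(self, tool: str) -> str:
        if tool not in self._secrets:
            raise PolicyViolation(f"no credential scoped to tool {tool!r}")
        return self._secrets[tool]


@dataclass
class ToolGateway:
    allowlist: frozenset
    broker: SecretBroker
    audit: list = field(default_factory=list)

    def call(self, tool: str, args: dict) -> str:
        # Tool call boundary: anything not explicitly allowlisted is refused and logged.
        if tool not in self.allowlist:
            self.audit.append(("denied", tool))
            raise PolicyViolation(f"tool {tool!r} is not on the allowlist")
        cred = self.broker.credential_for(tool)  # scoped to this call, handed to the tool only
        self.audit.append(("allowed", tool))
        return redact(TOOLS[tool](args, cred))


# Constructed tool implementations
TICKETS = {"T-1": "Customer alice@example.com says the invoice total is wrong."}


def lookup_ticket(args: dict, cred: str) -> str:
    # `cred` would be the Zendesk token; the handler holds it, the model never does.
    return TICKETS.get(args["ticket_id"], "no such ticket")


def read_environment(args: dict, cred: str) -> str:
    # Exists to show that an unlisted tool is unreachable through the gateway.
    return "ZENDESK_TOKEN=... WALLET_KEY=..."


TOOLS = {"lookup_ticket": lookup_ticket, "read_environment": read_environment}


def run_support_agent(tool_requests):
    """Simulate the agent's tool loop: each request is (tool, args) the model asked for."""
    verify_prompt(SYSTEM_PROMPT)
    gw = ToolGateway(
        allowlist=frozenset({"lookup_ticket"}),
        broker=SecretBroker({"lookup_ticket": "zendesk-token-placeholder"}),
    )
    results = []
    for tool, args in tool_requests:
        try:
            results.append(gw.call(tool, args))
        except PolicyViolation as exc:
            results.append(f"blocked: {exc}")
    return results, gw.audit


if __name__ == "__main__":
    out, log = run_support_agent([("lookup_ticket", {"ticket_id": "T-1"}), ("read_environment", {})])
    print(out)
    print(log)
```

The point of the layout is that a prompt injection can only ask for a tool; the gateway decides. A denied call still leaves an audit entry, which is the signal you want to watch for in month one, and the email filter runs on every tool result rather than on the final answer, so the model never has the raw address to leak.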
Every single one would have been exploited eventually. Not by a sophisticated attacker. By a curious user or a random prompt injection.
You don’t need a breach to justify a retainer.
You just need a month of looking.
What These Startups Had in Common
- They were shipping weekly. Their attack surface changed faster than they could keep up.
- They assumed “the model is safe” meant “the agent is safe.” It doesn’t. The model is a component. The agent is a system.
- They had no one watching the perimeter. Security was “someone will look at it eventually.”
- After month one, they all renewed. Because finding problems is cheaper than explaining breaches.
Your Turn
You don’t need to be a unicorn to afford a retainer. You just need to be growing. Shipping. Handling data that matters.
The first month usually pays for itself in prevented disasters alone.
The Bottom Line
One-off pentests find what’s already broken. Retainers find what’s about to break.
These three startups learned that in month one. So will you.