Fractional CISO for Seed and Series A Companies.

SOC 2, security programs, and AI governance for startups — from someone who's been the auditor, the practitioner, and the builder.

CISSP · CISA · CRISC

Built for companies at the security starting line.

I work with founders who know they need to take security seriously — and need someone who can own it.

Seed / Series A SaaS

Your first SOC 2 Type II, with a security program built from scratch. You need someone who has done this before and knows what auditors actually look for.

Growth-Stage Companies

Ongoing compliance, vendor risk management, and continuous control monitoring between annual SOC 2 Type II reports. Keep your security program current as your company scales.

Agentic AI Companies

Enterprise buyer security questionnaires, AI governance, and threat modeling for agentic pipelines. I've seen these questions from every angle — as a builder, an auditor, and the person writing the responses.

Three ways to engage.

Depending on where you are and what you need.

SOC 2

SOC 2 Readiness & Audit Support

From gap assessment to Type II attestation — including auditor liaison.

  • Initial gap assessment against SOC 2 Trust Service Criteria
  • Policy and control documentation buildout
  • Evidence collection process design and automation guidance
  • Auditor selection support and relationship management
  • Point of contact throughout fieldwork and findings remediation

Controls built. Evidence ready. Auditor engaged.

Retainer

Fractional CISO Retainer

Ongoing security program ownership for companies without a full-time CISO.

  • Security questionnaire ownership and response (enterprise sales unblocked)
  • Vendor risk management and third-party assessment
  • Policy maintenance and annual review
  • Incident response planning and tabletop exercises
  • Board / investor-level security reporting
  • Continuous control monitoring and annual SOC 2 Type II renewals

A security program that scales with your company.

AI Security

AI Security & Compliance

Purpose-built for companies developing or deploying agentic AI systems.

  • Threat modeling for agentic AI pipelines and LLM-integrated architectures
  • SOC 2 scoping for AI service providers
  • AI Governance program design: data classification, acquisition standards, review processes
  • Security review for embedded AI features and purchased AI tooling
  • SBOM analysis and supply chain controls for AI/ML dependencies
  • Security narrative for enterprise buyer questionnaires and investor diligence

Enterprise-ready security posture for AI companies.

The background behind the work.

Ten years in security compliance and risk management. I started as an auditor — SOC 1, SOC 2, HITRUST, SOX — which means I know exactly what auditors look for, and more importantly, what they don't.

I've spent the years since building security programs inside growth-stage SaaS companies, which means I know what actually works in practice versus what looks good on paper.

I'm also an active AI builder — developing AI-native security tooling — which means I understand agentic systems from the inside.

CISSP, CISA, CRISC.

Auditor background

Started in public accounting on SOC, HITRUST, and SOX engagements. I know what auditors look for because I was one.

Practitioner experience

Built security programs inside growth-stage SaaS companies. I know what actually works in practice.

Active AI builder

I build AI-native security tooling, so I understand agentic systems from the inside — not just as a compliance framework.

CISSP · CISA · CRISC

Security management, audit, and risk — the three disciplines that come up in every engagement.

Let's Talk

I take on a small number of engagements at a time. If you're building a SaaS company and need a security partner who can get you to SOC 2 and keep you there — reach out.