What security does my SaaS actually need?
At launch: MFA on every admin account, HTTPS everywhere, encrypted storage, secrets in a secrets manager (not committed env files), vulnerability scanning on every PR, and HTTP security headers. Once you have paying customers: an incident response playbook and a breach-notification workflow. Once you land your first enterprise customer: SSO and access logging.
The realistic maturity ladder for a B2B SaaS:
**Stage 1 — pre-launch (all founders)**
- MFA on every admin account
- HTTPS everywhere + HSTS
- Encryption at rest (default in modern cloud DBs)
- Secrets in a manager (Vercel env, Doppler, Vault) — never in git
- Security headers (CSP, HSTS, X-Frame-Options)
- Pre-deploy vulnerability scan (Securie)
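The Stage 1 header item is the one founders most often ship half-done: a header is present but its value is weak (a short HSTS `max-age`, a CSP with `'unsafe-inline'`). Below is an added example, not code from the page or from any product it names, of a baseline header set and a small pre-deploy audit that fails on missing or weak values. The policy values are assumptions about a sensible default for an HTML app served over HTTPS; tune the CSP sources to what the app actually loads.

```javascript
// Added example (not from the original page): a Stage 1 header baseline and
// a pre-deploy audit. Values are assumed defaults, not any project's config.

// Baseline headers for an HTML response served over HTTPS.
function securityHeaders() {
  return {
    // One year, covering subdomains; only meaningful once every host is HTTPS.
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    // frame-ancestors 'none' is the modern replacement for X-Frame-Options.
    "content-security-policy":
      "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "x-frame-options": "DENY", // kept for older clients that ignore frame-ancestors
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
  };
}

// Each rule returns null when the header is acceptable, or a finding string.
const RULES = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v || "");
    if (!m) return "HSTS missing or has no max-age";
    if (Number(m[1]) < 31536000) return `HSTS max-age ${m[1]} is below one year`;
    return null;
  },
  "content-security-policy": (v) => {
    if (!v) return "CSP missing";
    if (/unsafe-inline|unsafe-eval/i.test(v)) return "CSP allows unsafe-inline/unsafe-eval";
    if (!/default-src/i.test(v)) return "CSP has no default-src fallback";
    return null;
  },
  "x-frame-options": (v, all) => {
    // A CSP frame-ancestors directive supersedes X-Frame-Options.
    if (/frame-ancestors/i.test(all["content-security-policy"] || "")) return null;
    if (!/^(DENY|SAMEORIGIN)$/i.test(v || "")) {
      return "X-Frame-Options missing and CSP has no frame-ancestors";
    }
    return null;
  },
  "x-content-type-options": (v) =>
    /^nosniff$/i.test(v || "") ? null : "X-Content-Type-Options missing",
};

// Audit a response's headers. Names are matched case-insensitively, as HTTP allows.
// Returns a list of findings; an empty list means the pre-deploy gate passes.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const findings = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const f = rule(lower[name], lower);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample responses (not captured from any real service).
const GOOD = securityHeaders();
const WEAK = {
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
};

console.log("baseline findings:", auditHeaders(GOOD)); // []
console.log("weak findings:", auditHeaders(WEAK));     // four findings
```

Run it against the headers your staging deploy actually returns (e.g. parse `curl -sI https://staging.example` output into an object) and fail the pipeline when `auditHeaders` returns anything. Note that HSTS is only honoured on responses already delivered over HTTPS, so it does nothing until the redirect to HTTPS is in place.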
**Stage 2 — first paying customers**
- Breach notification workflow
- Customer-facing status page
- Disclosure policy (security.txt)
**Stage 3 — first enterprise deal**
- SSO option on enterprise tier
- Access logs + retention
**Stage 4 — growth**
- Dedicated SecOps monitoring
- Annual pentest
Don't skip stages. Stage 3 work done at Stage 1 is wasted effort; Stage 1 gaps still open at Stage 3 are fatal, because they are exactly what an enterprise security review checks first.