Security and Compliance for Startups in the Age of AI Agents - Episode 353 Prep
Guest: Caleb Mattingly
Title: Founder & CEO, Secure Cloud Innovations (SCI)
Bio: CISSP-certified security professional with a Master’s in Cybersecurity from Liberty University. Career path from IT help desk through defense contracting (ManTech International, supporting Army, Navy, Air Force, DISA) to Senior Security Engineer at AllTrails, then founding SCI during COVID. SCI is a small boutique firm (2-10 employees) based in Chesapeake, Virginia, helping post-revenue B2B SaaS startups embed security and compliance (SOC 2, ISO 27001, HIPAA) without killing engineering velocity. Their motto: “Compliance hell is optional.”
Company: trysci.co — Combines DevSecOps engineering with Cyber GRC. They don’t just advise — they build Terraform modules that implement controls. Fixed pricing, SOC 2 or ISO readiness within 5 months, requiring fewer than 40 hours from the client’s team annually.
LinkedIn: linkedin.com/in/caleb-h-mattingly (~8,600 followers)
Previous Podcast Appearances:
- Ardan Labs Podcast — career journey, compliance frameworks, entrepreneurship
- “Compliance Hell Is Optional” — deep dive on SOC 2/ISO 27001 realities, AI in compliance
- SDM Show — security training culture, MFA, patching strategy, AI threats
- GRC Room — policies vs. controls, “compliance doesn’t equal security”
- The San Francisco Experience — AI meets cybersecurity
Key Perspectives to Explore:
- “Compliance doesn’t equal security. Treat it as the floor, not the ceiling.”
- “AI accelerates the grunt work, humans own quality”
- SOC 2 Type 1 is NOT for startups — go straight to Type 2
- Gap assessments cut enterprise sales cycles from 12-18 months to 4-6 months
- Critiques “snake oil” vendors in compliance who prioritize ARR over actual security
- Startups should embed compliance early rather than retrofit
Related Past Episodes
- DOP 323: “The Security Nightmare of Vibe Coding” — covered AI-generated code security risks. Good to reference and go deeper with Caleb on the compliance side.
- DOP 277: “Making Security Tooling Easy for Developers” — shift-left security for practitioners.
- DOP 280: “Policy as Code for Cloud-Native Success” — compliance frameworks, policy enforcement.
- DOP 309: “Using AI Agents in Daily Development Tasks” — agentic workflows and tooling.
- DOP 338: “The Assembly Line Problem” — AI breaking existing bottlenecks in pipelines.
Opening Hook Options
Option 1 — The Stat Bomb: “A recent study found that AI coding tools are driving 4x developer velocity — and generating 10x more security vulnerabilities. Privilege escalation paths are up 322%. Syntax errors are down, but the bugs that actually get you breached are through the roof. So what happens when your startup that ‘shipped fast with AI’ gets its first SOC 2 audit?”
Option 2 — The Provocative Question: “Here’s a question nobody’s asking: if you’re mandating AI coding tools across your engineering team, why aren’t you mandating AI-powered security scanning in parallel? Today we’re talking to someone who sees this gap every week with the startups he works with.”
Option 3 — The Cautionary Tale: “In January 2025, researchers found a passwordless database at DeepSeek — one of the hottest AI startups on the planet — wide open to the entire internet. Over a million lines of logs, chat histories, API keys, all exposed. No zero-day exploit. No sophisticated attack. Just… no password. That’s what happens when you optimize for speed and skip the basics.”
Segment Structure
1. Opening Hook + Guest Introduction (3-5 min)
Choose one of the hooks above, then introduce Caleb:
- Defense contracting background — supported Army, Navy, Air Force, DISA
- Senior Security Engineer at AllTrails
- Founded SCI during COVID to help startups not repeat the same security mistakes he kept seeing
- His team actually implements the controls, not just advises — they build Terraform modules
- “Compliance hell is optional” — what does that actually mean?
2. Guest Background & Context (5-10 min)
Discussion prompts:
- Walk us through your path from defense contracting to startup security consulting. What made you make that leap?
- You were at AllTrails as a Senior Security Engineer — what did you learn about scaling security at a consumer app that you now bring to B2B SaaS startups?
- SCI’s tagline is “compliance hell is optional.” Our listeners are the engineers who get pulled into compliance work. What does that phrase mean to them specifically?
- You’ve said “compliance doesn’t equal security — treat it as the floor, not the ceiling.” Can you unpack that? Because a lot of teams think once they pass the audit, they’re done.
3. Core Topic Deep Dive: Security & Compliance as AI Changes Everything (15-20 min)
The current landscape:
- Apiiro research: AI tools driving 4x velocity but generating 10x more security findings. Privilege escalation paths up 322%, architectural design flaws up 153%.
- Only 10.5% of functionally correct AI-generated code is actually secure (NYU/Stanford study).
- Developers using AI assistants are 3.5x more likely to overestimate the security of their code (Stanford/Dan Boneh).
- 30+ CVEs found across Cursor, GitHub Copilot, Windsurf, and other AI IDEs — prompt injection attack success rates as high as 84%.
Questions for Caleb:
- When you work with startups that are fully embracing AI coding tools, what new security patterns are you seeing that didn’t exist two years ago?
- How does AI-generated code change the compliance conversation? If your SOC 2 audit requires you to demonstrate secure development practices, and half your code is AI-generated, what does that look like?
- The PR pitch mentioned “which security principles hold up as automation and agentic workflows become the norm.” So which ones DO hold up? And which ones are broken?
- You use Terraform modules to implement controls rapidly. How do you think about securing infrastructure-as-code when AI agents are increasingly involved in generating that IaC?
- Shadow AI — 20% of organizations know developers are using banned AI tools. Is this the new shadow IT? How do you address this with startup teams?
Darin/Viktor discussion prompts:
- Reference DOP 323 (Vibe Coding security nightmare) — how has the landscape changed since that episode?
- Connect to DOP 338 (Assembly Line Problem) — adding AI security scanning as another step in the pipeline vs. embedding it
4. Practitioner Impact: What Founders and Engineers Get Wrong (10-15 min)
Common mistakes Caleb sees:
- Waiting until a customer demands SOC 2 in 3 months when it takes 6-12 months
- Copy-pasting policies from the internet that don’t match how the team actually operates
- Implementing controls but not collecting evidence — auditors can’t verify what they can’t see
- Treating compliance as a one-time project rather than architecture
- Pursuing SOC 2 Type 1 when Type 2 is what customers actually want
- Choosing the cheapest auditor without checking references
Questions for Caleb:
- You posted on LinkedIn that “it’s 2026 and most startups still underestimate compliance ownership.” What does unclear ownership actually look like in a 15-person startup?
- You compared a DIY founder spending 40 hours for 18% readiness vs. a professional approach taking 3.5 hours for 44% readiness. Walk us through what that difference actually looks like day-to-day.
- You’ve called out “snake oil” in the compliance vendor space — vendors prioritizing “Distribution over Quality” and ARR over security. How should a practitioner evaluate compliance tooling? What questions should they ask?
- For the engineer who just got told “we need SOC 2 by Q3” — what’s the first thing they should do? And what should they refuse to do?
- HIPAA: You found a neurology practice using personal email for patient data. How common are these kinds of basic gaps in healthcare startups?
Darin/Viktor discussion prompts:
- Have you experienced the “compliance as a project vs. architecture” tension in your own work?
- Reference DOP 280 (Policy as Code) — how does policy-as-code fit into Caleb’s approach?
5. Pushback & Counterpoints: Where Practitioners Might Disagree (5-10 min)
Common pushback:
- “We’re too early for compliance.” Counter: Gap assessments cut enterprise sales cycles from 12-18 months to 4-6 months. The ROI math changes when you realize compliance unlocks revenue. But also — is there a point where it genuinely IS too early?
- “Compliance automation platforms (Vanta, Drata, etc.) handle everything for us.” Caleb has said tools don’t “do” SOC 2 for you — there’s still 200-300 hours of real work. But are these platforms genuinely reducing that burden, or creating a false sense of security?
- “AI will automate compliance away.” Caleb’s view: “AI accelerates the grunt work, humans own quality.” Where exactly is that line? Is it moving?
- “Security slows us down.” Netflix’s “paved road” philosophy — guardrails instead of gates. Semgrep’s MCP integration with Cursor as a concrete example. Does Caleb agree that security done right actually improves velocity?
Questions for Caleb:
- What’s the most common “yeah, but…” you hear from startup CTOs when you tell them to invest in security early?
- Is there a company stage where it genuinely is too early for SOC 2? Or is that always an excuse?
- You critique compliance vendors, but you also use automation yourself (Terraform modules). Where’s the line between helpful automation and dangerous shortcuts?
6. Wrap-up & Takeaways (5 min)
Questions for Caleb:
- If you could give one piece of advice to the engineer who’s been tasked with “figure out our security and compliance” at a 20-person startup — what would it be?
- What’s one thing that’s changed about startup security in the last year that most people haven’t caught up to yet?
- Where can people find you and SCI?
Closing discussion (Darin/Viktor):
- Key takeaway each of you is walking away with
- What surprised you from this conversation
Research & References
Articles
- Apiiro: 4x Velocity, 10x Vulnerabilities — AI Coding Assistants Are Shipping More Risks
- Dark Reading: As Coders Adopt AI Agents, Security Pitfalls Lurk in 2026
- tldrsec: Security for High Velocity Engineering (Netflix’s “Paved Road” Model)
- DevOps.com: From Shifting Left to Shifting Smart
- Semgrep: Cursor Hooks and MCP Server — Real-Time Guardrails for AI Coding
- CyberArk: What’s Shaping the AI Agent Security Market in 2026
- OpenSSF: Security-Focused Guide for AI Code Assistant Instructions
- Wiz: DeepSeek Database Leak
- Stanford: Relying on AI More Likely to Make Code Buggier
Data Points for the Episode
- AI tools → 4x velocity, 10x security findings (Apiiro, Fortune 50 enterprises)
- Privilege escalation paths up 322%, architectural design flaws up 153% with AI code (Apiiro)
- Only 10.5% of functionally correct AI code is secure (NYU/Stanford)
- Developers 3.5x more likely to overestimate security when using AI (Stanford/Dan Boneh)
- 30+ CVEs across major AI IDEs, 84% attack success rate via prompt injection
- 20% of orgs know devs use banned AI tools (LeadDev)
- SOC 2 readiness: DIY = 40 hours for 18% vs. professional = 3.5 hours for 44% (Caleb’s LinkedIn)
- Gap assessments cut sales cycles from 12-18 months to 4-6 months
- Pen tests cost $10K-$40K+ but unlock 6-7 figure enterprise deals
- 200-300 hours of real compliance work regardless of tooling
- DeepSeek: passwordless database exposed 1M+ lines of logs to the internet
Books
- The DevSecOps Playbook: Deliver Continuous Security at Speed — Sean D. Mack (Wiley, 2024)
- DevSecOps: A Leader’s Guide to Producing Secure Software Without Compromising Flow — Glenn Wilson
Tools Mentioned
- Semgrep — SAST with MCP integration for AI coding agents
- Trivy — open source container/IaC/dependency scanning
- Checkov — IaC security scanning (Terraform, CloudFormation, K8s)
- Snyk — SCA with IDE/PR/CI integration
- OPA — policy-as-code engine
- Vanta / Drata — compliance automation platforms
- GitGuardian — secrets detection across git history
- OWASP ZAP — DAST for web apps
Caleb’s Key Quotes (from previous interviews/posts)
- “Compliance hell is optional.”
- “Compliance doesn’t equal security. Treat it as the floor, not the ceiling.”
- “AI accelerates the grunt work, humans own quality.”
- “Never tell customers they’re secure once they’re compliant.”
- “Shortcuts come back to bite. Startups talk — trust compounds when you do it right.”
- “When compliance lacks a dedicated owner, it quietly absorbs resources and creates bottlenecks.”
- “Sometimes the cost of doing it yourself isn’t just your time. It’s also your momentum.”