Skip to main content
Comparison progress
intermediatePage 5 of 7

Observability, Security, and Compliance

How monitoring, on-call, security, and compliance scale from solo / small / large companies.

Observability, Security, and Compliance

In one line: A solo dev relies on Sentry emails and prayers; a startup adds dashboards and an informal on-call; an enterprise has full SLOs, error budgets, 24/7 follow-the-sun on-call, plus AppSec teams, bug bounties, and multiple compliance regimes.

In plain English

This is where the scale gap is most extreme. The cost of being wrong about reliability or security goes up roughly with the square of your user count, and operations at enterprise scale reflect that.

A solo dev who misses a Sentry alert ships a bug to themselves. A startup that misses an alert ships a bug to a few hundred customers. An enterprise that misses an alert can trigger SLA breaches, regulatory fines, and front-page news.

Observability

AspectPersonalSmall CompanyLarge Company
Error trackingSentry free tierSentry TeamSentry Enterprise / custom
LogsVercel logsBetter Stack / AxiomDatadog / Splunk / Loki
MetricsVercel AnalyticsPostHog / Better StackDatadog / Prometheus / custom
TracesNoneSomeOpenTelemetry + Honeycomb/Datadog APM
RUMVercel AnalyticsVercel / SentryCustom + Datadog RUM
Synthetic monitoringNoneBetter Stack uptimeMulti-region synthetic tests
AlertingEmailSlack / emailPagerDuty / Opsgenie
On-callNoneInformal rotation24/7 follow-the-sun
Post-mortemsNoneFor big incidentsFormal for SEV1/SEV2
SLOsNoneLoose targetsFormal SLO + error budget

For enterprise specifics, see Phase 9: Observability at Scale.

Highlight: distributed tracing is the dividing line

The single observability tool that most clearly separates "small company" from "large company" is distributed tracing. A trace follows a single user request through every service it touches, with timing for each hop.

You don't need tracing when you have one or two services — log timestamps and Sentry are enough. The moment you have ten services and a slow page, traces become the only way to debug. That's why every enterprise observability strategy assumes traces are standard, while most startups don't have them at all.

Security and Compliance

AspectPersonalSmall CompanyLarge Company
HTTPSYes (free SSL)YesYes + HSTS preload
WAFNoneCloudflare defaultCustom rules
Secrets managementVercel env varsDoppler / 1PasswordVault / cloud-native
Rate limitingSometimesYesYes, sophisticated
MFA for adminsRecommendedRequiredMandatory
Penetration testingNoneAnnualContinuous + quarterly
Bug bountyNoneOptionalYes
SAST/DASTNoneSnyk/DependabotComprehensive
SOC 2NoType II at 20–30 employeesYes
HIPAA / PCI / etc.NoIf business demandsOften multiple
Threat modelingNoneFor sensitive featuresRequired for new services
AppSec teamNoNoYes

For enterprise specifics, see Phase 10: Security and Compliance.

Worked example: when does each tier of security investment become worth it?

A rough adoption pattern for security investment:

  • Solo: Use HTTPS (free via Vercel/Cloudflare), don't commit secrets, use a password manager. Cost: $0, effort: minimal.
  • 5–20 engineers: Add Dependabot, enforce MFA, use a secrets manager (Doppler/1Password), add a WAF (Cloudflare's default). Cost: $50–$500/month, effort: a few hours of setup.
  • 20–30 engineers (or first enterprise customer): Pursue SOC 2 Type II — typically a 6–12 month project, costs $20K–$100K in tooling + auditor fees. Now you can sell to mid-market.
  • 100+ engineers: Hire your first dedicated security person. Add SAST in CI, bug bounty, annual pen tests. Cost: $300K+/year fully loaded.
  • 500+ engineers: Full AppSec team. Continuous pen testing. Multiple compliance regimes. Cost: millions per year.

Each step is triggered by a specific business event — a customer requirement, a regulatory deadline, a security incident — not by general aspiration.

Common mistakes

Where people commonly trip up
  • Starting a SOC 2 project before a customer is asking. A 6–12 month, $20K–$100K compliance program with no specific deal attached is dead weight — it expires, the controls drift, and you redo it when a real customer eventually shows up. Wait for the email that says "we need your SOC 2 report."
  • Adopting formal SLOs and error budgets at 5 engineers. Without enough traffic, your SLO math is statistical noise — a single bad hour torches the budget. At startup scale, "we want >99.5% uptime and we'll write a quick post-mortem when something burns" beats the full Google SRE ceremony.
  • Buying Datadog at startup scale "to be ready." Datadog at full enterprise volume is $4M/year, and at 5 engineers you're paying $2K/month for a tool whose value comes from features you can't yet use. Sentry + Better Stack + Vercel Analytics covers the same ground for ~$100/month until you actually have services to trace.
  • Confusing "we have alerts" with "we have on-call." A Slack channel with notifications that everyone mutes after the third false positive is not an on-call rotation. Either commit to PagerDuty with a real schedule and runbook, or be honest that recovery is "whoever notices first" — both are valid at small scale.
  • Reading the enterprise security column as a checklist to copy. Bug bounty, AppSec team, threat modeling, continuous pen testing — every line costs real money and only pays back at corresponding scale. At startup scale, MFA + a secrets manager + Dependabot covers 95% of realistic threats for ~$100/month.

Page checkpoint

Checkpoint Quiz

Did ops across scales stick?

Required

What's next

→ Continue to Economics — what each scale actually costs, and how long changes take to reach users.