Security by industry

Every industry has its own security model. Pick yours for the specific threats, the regulations that apply, and the buyer signals that matter.

B2B SaaS

Selling SaaS to B2B buyers means passing their security review. The review asks ~150 standardized questions covering auth, data, process, and increasingly AI transparency. Miss the baseline and the deal stalls.

E-commerce

E-commerce security covers payments, PII, and fraud defense. Most modern stacks use Stripe / Shopify Payments to offload card handling; the remaining surface is account takeover, address enumeration, and checkout fraud.

EdTech

Products used in K-12 handle minors' PII under COPPA + FERPA. Higher-ed products handle FERPA-covered student records. International EdTech also faces GDPR-Kids, India's DPDP Act, and more.

Marketplace

Marketplaces balance frictionless onboarding with fraud defense. Typical attacker profiles: sellers listing stolen goods, buyers committing payment fraud, account takeovers that monetize an existing reputation, and safety incidents between users.

Developer tools

If you sell dev tools, a single vulnerability in your product is a potential breach at every customer. Your security posture needs to sit above the industry baseline simply because your attack surface is everyone's production.

AI products (LLM wrappers + agents)

AI products add a new threat model on top of standard SaaS risks. Prompt injection, model supply chain, cost-of-abuse, data residency in training, and EU AI Act compliance all become first-class concerns.

E-commerce

E-commerce security has a payment-card layer (PCI-DSS) and a non-payment layer (auth, BOLA, fraud). Most modern e-commerce uses Stripe / Shop Pay / Apple Pay tokenization to stay within PCI SAQ A scope.

EdTech

EdTech is regulation-heavy: FERPA (educational records), COPPA (under-13 data), and state-level student-data privacy laws (NY, CA, IL). AI tutoring adds prompt-injection risk and data-minimization obligations.

AI-as-a-Service

AI-as-a-Service (per-API-call inference, fine-tuning offerings, RAG-as-a-service) has unique threats: tenant-prompt isolation, prompt-injection, training-data contamination, AIBOM transparency.

Marketplace (two-sided)

A two-sided marketplace doubles the threat model: each side needs auth, BOLA scoping, and fraud detection, plus payout security and per-category regulatory compliance (rentals, labor, finance).

Developer Tools

Devtools have customer credentials and customer source code in scope. The Vercel Apr 2026 and Lovable Apr 2026 incidents highlight what happens when devtool security fails.