Security rarely tops the priority list for startups - but that doesn’t make it optional.
Running a startup is no small feat. Facing enormous pressure to address a never-ending list of priorities (finding market fit, fundraising, launching new features, scaling infrastructure, etc.), security often becomes a “later” issue… until it can’t be. Even when companies know they need help, the breadth of the problem can be intimidating. Application security, cloud infrastructure, third-party vendors, compliance, cryptography: any resource-constrained startup will be hard-pressed to find a unicorn hire who can own all these responsibilities equally well.
That’s exactly where Notion found themselves in 2019.
They were growing fast, designing an API, and starting to field security questions from large customers. Yet despite a serious effort by Co-founder Simon Last to hire in-house, the right candidate just wouldn’t materialize. But then, a friend introduced Notion to Latacora.
The timing was perfect.
At the time, Notion had no internal security team. Rather than rushing to hire a full department, they partnered with Latacora for a long-term engagement. Together, we prioritized foundational security work, and identified which responsibilities would eventually require dedicated hires - but only when the time was right. This approach avoided both over-hiring and underutilizing staff.
Latacora’s onboarding process mirrors what it’s like to bring on a Head of Security, except we show up with a deep bench of expertise, an understanding of which questions to ask, and our tooling for critical services including GWS, GitHub, AWS, GCP, Azure and even a Security Information and Event Management (SIEM) system. We break security recommendations down into bite-sized, actionable initiatives that align with our clients’ growth and evolving risks.
The result? A security program built from the ground up, but never in isolation.
A great takeaway from our work with Notion and countless other clients is that it’s never too soon to engage with us. Latacora works best when we join at the ground level, helping you to make crucial security decisions early on and ensuring your product and architecture are built on a secure foundation.
In 2021, Dan Pyykonen joined Notion and immediately saw the value of the Latacora relationship. In 2024 he sat down with Latacora Co-founder, Laurens Van Houtven (lvh), and technical staff member, Luke Shoberg, to review the success of Notion’s engagement with Latacora. Said Dan,
“When you’re at a startup, there are so many layers you don’t understand, and hiring talent isn’t immediate. Latacora helped us get real outcomes while we were still figuring out what we needed long-term.”
Dan tapped Latacora to advance initiatives like a bug bounty, code reviews, and log storage, all while supporting both infrastructure and application-level challenges.
“It was like having a red team at our disposal,” Dan said. “With enough notice, I could just point Latacora at a new feature and know it would get tested.”
Shared Slack channels meant Notion engineers could ask questions directly, a game changer for Dan, who self-described as “an army of one.” The engagement served dual purposes: helping satisfy customer security concerns, and providing evidence of a mature security posture during audits.
Dan noted that unlike other vendors (he name-checked Deloitte), a Latacora engagement is anything but impersonal and rigid.
“Latacora feels like part of the team. A lot of services firms just deliver tasks. Latacora shows up like they actually care and want to fix it.”
He also praised the flexibility and tone of Latacora’s proposals and agreements, saying, “Even the way contracts are written shows they’re in it with you.”
Dan shared a framework that captures how different kinds of teams operate:
Destroyers tear down outdated systems.
Maintainers keep existing systems running.
Builders make something out of nothing. They thrive in chaos and create structure where there is none.
Notion sees Latacora as Builders.
Latacora came in at a chaotic phase of growth and helped create a durable security program, bit by bit. Eventually, it was time for Notion to graduate in a phased, intentional manner. Like a senior year, we handed off responsibilities gradually until Notion’s internal team was ready to carry the program forward with confidence.
If we had the chance to do it again — would we? Absolutely.
Working with Notion was a highlight for the Latacora team. Over the course of four years, we watched them grow from a fast-moving startup into a global product with a mature security program. We’re proud of what we helped build, and grateful to have been part of their journey.