How We Secure Recroot Without Spending Thousands on Security Tools
One challenge we faced while building Recroot:
We store candidate/user videos, interview recordings, resumes, and personal information.
Like most startups, we don't have an unlimited security budget.
But that doesn't change our responsibility to protect user data.
So we started by asking:
"What are the biggest risks to an AI hiring platform?"
We identified five key areas:
🔹 Vulnerabilities in our own code
🔹 Hackers exploiting the website or mobile app
🔹 Supply-chain attacks through third-party packages
🔹 LLM prompt injection and AI misuse
🔹 Unknown weaknesses that automated tools might miss
Then we looked for practical ways to reduce those risks without spending thousands of dollars every month.
Here's what we use today:
Semgrep Community Edition
Scans our code for common security vulnerabilities
Runs as part of our development process
Helps identify insecure coding patterns before deployment
Developer Security Reviews
Every feature undergoes security checks before release
Authentication, authorization, and sensitive data handling are reviewed during development
Secure Pull Request Process
Security findings must be reviewed and addressed before code is merged
Code is not pushed to production until identified issues are resolved
OWASP ZAP
Scans the running application for common web vulnerabilities
Helps identify issues such as XSS, authentication weaknesses, and security misconfigurations
Cloudflare WAF
Provides an additional layer of protection in front of our applications
Helps block common web attacks, malicious bots, and suspicious traffic before they reach our infrastructure
Reduces exposure to automated attacks and exploitation attempts
GitHub Dependabot
Monitors open-source libraries and packages
Alerts us when known vulnerabilities are discovered in dependencies
Helps reduce software supply-chain risk
Gitleaks
Scans for accidentally exposed secrets, API keys, tokens, and credentials
Prevents sensitive information from being committed into source code repositories
Penetration Testing
We periodically perform manual penetration testing against the application.
This is the one security activity where we intentionally spend real money
Focus on authentication, authorization, API security, business logic flaws, and AI-specific attack scenarios
Helps identify weaknesses that automated scanners may miss
AI & LLM Security Controls
Because Recroot uses AI, we also focus on AI-specific risks:
Input validation and sanitisation
Prompt injection testing
Restricting access to sensitive functions
Limiting AI actions to approved workflows
Continuous monitoring of prompts and outputs
Are we perfect?
Of course not.
Security is never "finished."
But we've learned that good security isn't always about buying expensive tools.
It's often about understanding your risks, using the right controls, and making security part of your development process from day one.
Many startups think security starts when they become bigger.
We've found it's much easier and cheaper to build security in from the beginning.
Curious:
What free or low-cost security tools have become essential in your startup stack?

Replies