Ottawa-based Klavan Security has launched beta access to two new products, BaseCamp and BaseCamp Recon, designed to help startups build enterprise-grade security foundations from the moment they start selling, rather than after they scale.
The announcement targets a long-standing friction point in startup sales cycles. Early-stage companies often lose enterprise deals because they cannot produce security documentation or demonstrate formal controls when asked. Klavan Security argues that this gap is not a tooling problem, but a timing problem. BaseCamp is a 12-month guided security program that starts with a live Trust Center in the first month and continues through a structured security and compliance buildout. BaseCamp Recon is a separate penetration testing service aimed at pre-revenue startups, including AI-built applications, offering both automated-assisted reporting and a full pre-launch human-led test. The company positions both products around a single idea it calls “security before compliance.”
Closing the enterprise deal gap
According to Klavan Security, many startups hit the same wall when selling into larger customers. Buyers request security documentation, but founders often have no formal artifacts ready, causing deals to slow or stall.
Andrew Amaro, Founder and Chief Holistic Security Officer of Klavan Security, described the problem as structural in how startups approach compliance.
“Founders are told to go get SOC 2 like it’s something you buy off a shelf,” said Andrew Amaro, Founder and Chief Holistic Security Officer of Klavan Security. “It isn’t. SOC 2 is a thing you prove, and the proof takes a year. So we built the year. You start closing deals in Month 1 instead of waiting until Month 18 with nothing to show a buyer.”
BaseCamp includes a Trust Center that becomes available in the first month. It is designed to be shared with enterprise buyers as a living security profile that evolves as the startup completes its controls, policies, and risk documentation.
Amaro emphasized that the Trust Center is not the end product, but a signal of progress.
“The Trust Center isn’t the product,” Amaro said. “It’s proof the product is working. The real work happens in the ten sections behind it.”
Rethinking compliance versus attacker behavior
Klavan Security argues that much of the compliance industry is structured around audit readiness rather than real-world security threats. The company says BaseCamp is designed to align more closely with how attackers actually operate.
“We build toward what attackers look for, not what auditors need to check off,” Amaro said. “Get the security right and the compliance follows. Do it the other way around and you’ve got a certificate sitting on top of a system nobody actually hardened.”
Bringing penetration testing to early-stage startups
BaseCamp Recon focuses on another gap in the startup ecosystem: access to penetration testing. Traditional testing services are often priced for enterprise budgets and scoped for mature systems, leaving early-stage products untested before launch.
Klavan Security says this is especially relevant for startups building AI-generated or low-code applications using tools such as Bolt, Lovable, and Cursor, which may reach production quickly without security validation.
The company’s offensive security team, known as the Shellhounds, performs the tests manually rather than relying on automated scanning alone.
“AI-generated or hand-built, the same gaps show up, and a real attacker doesn’t care which,” Amaro said. “Scanners check components one at a time. Attackers chain findings across layers. We test the way they do, because that’s who we are.”
Findings from BaseCamp Recon are integrated directly into the BaseCamp risk matrix, allowing startups to transition from a one-time assessment into a continuous security program without duplicating work.
Shaped by Hundreds of Real Startup Security Engagements
Klavan Security says the launch is the result of five years of hands-on work with startups across Canada’s innovation ecosystem. The company reports experience working with hundreds of startups across 28 innovation hubs and involvement with programs such as Rogers Cybersecure Catalyst, along with appearances at industry events including Web Summit Vancouver and EU CYBERNET.
The shift from services to product, according to Amaro, is a direct response to recurring patterns observed in the field.
“We spent five years doing this by hand for startup after startup,” he said. “BaseCamp is what we learned, turned into something a founder can run themselves or run with a Guide beside them. Same work either way. We just made it reachable.”
Klavan Security is positioning its platform as part of a broader shift in how startups approach enterprise readiness, particularly in sectors handling sensitive data such as payments, infrastructure, and healthcare. The company argues that security must be established early to support long enterprise sales cycles.
“Every month without documented security is a month your auditor can’t count,” Amaro said. “The companies winning enterprise deals today started their evidence trail a year ago. The second-best time to start is now.”
