An open-source security guide, compliance checklist, and LLM-based virtual CISO persona for startups -- with specialized coverage for foreign companies entering the Korean market.
Startups are vulnerable. Limited resources, no dedicated CISO, and security always deferred to "later." But customer data and intellectual property accumulate from day one -- and legal obligations apply regardless of company size.
Three incidents from Korea in the first half of 2026 demonstrate that one misconfiguration can cascade into existential damage:
The common thread: All three began with a single misconfiguration or a single overlooked vulnerability. None required sophisticated zero-days. The damage was inversely proportional to organizational maturity.
What startups need is not a $100K security suite. It is knowing what to do first, and a system to check it regularly.
An LLM can serve as a startup's first CISO.
As of mid-2026, Claude 4, GPT-4o, and DeepSeek V3 -- alongside locally-run models via Ollama -- can:
A hybrid model -- where proprietary data stays on-premise with local LLMs (Ollama) and general policy assessment uses public LLMs -- makes this production-ready today.
This project implements that hypothesis in code and prompts.
Korea is Asia's fourth-largest economy and a strategic launch market for SaaS, fintech, AI, and consumer platforms. But its data protection regime presents unique challenges that differ significantly from GDPR and CCPA:
| Dimension | GDPR (EU) | CCPA/CPRA (US/CA) | PIPA (Korea) |
|---|---|---|---|
| Regulator | |||
| National DPA per member state | California AG / CPPA | Personal Information Protection Commission | |
| Breach Notification | |||
| 72 hours to DPA | Without unreasonable delay | 72 hours to data subject; 24 hours to KISA for ISPs | |
| Data Protection Officer | |||
| Required for most processors | Not required (but privacy officer recommended) | CPO required for ALL entities, regardless of size | |
| Encryption | |||
| Appropriate technical measures | Reasonable security | ||
| Mandatory AES-256 for unique identifiers (RRN, passport, etc.), SHA-256+ for passwords | |||
| Access Logs | |||
| Retention per purpose | Not specified | ||
| Mandatory 6 months minimum; monthly review for ISPs | |||
| Cross-border Transfer | |||
| Adequacy decision / SCCs / BCR | No specific restriction | ||
| Data subject consent required for overseas transfer | |||
| Penalties | |||
| Up to 4% of global turnover or EUR 20M | Up to $7,500 per violation | Up to KRW 30M fines + criminal liability | |
| Resident Registration Number | |||
| N/A | N/A | ||
| Collection prohibited unless specifically required by law |
Key Insight: A GDPR-compliant EU startup is not automatically PIPA-compliant in Korea. The Korean law has stricter encryption mandates, mandatory access logging, and a universal CPO requirement that has no equivalent in GDPR or CCPA. Violations carry criminal penalties, not just civil fines.
This project's LLM CISO persona includes jurisdiction-aware compliance modules that flag these gaps automatically.
Startup_Security_Guide/
βββ README.md # Korean README
βββ README_EN.md # This document: English README
βββ STARTUP_SECURITY_GUIDE_KR.md # Phase 1: Korean guide & checklist
βββ STARTUP_SECURITY_GUIDE_EN.md # Phase 1: English guide (with jurisdiction comparison)
βββ LLM_CISO_PROMPT_KR.md # Phase 2: Korean CISO prompt system
βββ LLM_CISO_PROMPT_EN.md # Phase 2: English CISO prompt system (cross-jurisdiction)
βββ LLM_CISO_DASHBOARD.md # Phase 3: Dashboard design (Korean)
βββ LLM_CISO_DASHBOARD_EN.md # Phase 3: Dashboard design (English)
βββ llms.txt # LLM-friendly index
A comprehensive, stage-gated security guide covering the startup lifecycle from pre-seed to Series A. Based on KISA guidelines and the MINARC framework (startup-security.netlify.app), extended with:
Usage: Open in a browser to follow the checklist, or provide the full document as context to an LLM and ask: "Evaluate our company against this checklist."
A persona prompt system that transforms any LLM into a virtual CISO with explicit cross-jurisdictional expertise. Includes:
| Component | Description |
|---|---|
| Base CISO Persona | 15-year veteran CISO with pragmatic, action-oriented style. NIST CSF-based methodology, standardized response format. |
| Korea Compliance Module | Deep knowledge of PIPA, Network Act, Unfair Competition Prevention Act. KISA security standards. |
| GDPR/CCPA Module | EU and US privacy law expertise for cross-referencing compliance gaps. |
| Cross-Jurisdiction Diff Module | |
| New. Specifically detects where GDPR/CCPA compliance does NOT satisfy Korean requirements, and vice versa. | |
| Domain Assessment Prompts | Cloud / Google Workspace / DRM / KISA compliance / GDPR compliance / Quick scan. Each with 25-31 evaluation items. |
| Prompt Chain | 6-step multi-stage assessment: Context Gathering -> Parallel Domain Assessment -> Cross-Jurisdiction Gap Analysis -> Synthesis -> Final Report -> Action Plan. |
| Ollama Modelfile | Custom model creation script for air-gapped local CISO operation. |
| TypeScript/Node.js Integration | API invocation code for Claude, GPT, DeepSeek. Ollama Provider implementation. Vercel Serverless Function. |
Usage -- Public LLM:
1. Copy the "Base CISO Persona" section from LLM_CISO_PROMPT_EN.md as System Prompt
2. Copy the desired domain assessment prompt as User Message
3. Provide specific company context (jurisdiction, data types, stage)
Usage -- Local LLM (Ollama):
brew install ollama # macOS
ollama pull llama3:8b # or gemma3:12b, qwen2.5:14b
cat > Modelfile << 'EOF'
FROM llama3:8b
SYSTEM """You are a Virtual CISO for startups, specializing in cross-jurisdictional
compliance (GDPR, CCPA, PIPA/Korea). You identify gaps where compliance in one
jurisdiction does not satisfy another..."""
PARAMETER temperature 0.3
EOF
ollama create ciso-global -f Modelfile
ollama run ciso-global "We are a US-based SaaS startup (Series A, 25 employees, AWS + Google Workspace)
expanding into Korea. We comply with CCPA. What additional measures do we need for PIPA?"
Usage -- TypeScript/Node.js (Vercel deployment):
git clone https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT.git
cd CYBER-THREAT-INTELLIGENCE-REPORT/Startup_Security_Guide
npm install
export ANTHROPIC_API_KEY="sk-ant-..."
export CISO_MODE="public" # or "local" for Ollama
npm run assess -- --domain cross-jurisdiction \
--context '{"homeCountry":"us","targetCountry":"kr","stage":"series-a","teamSize":25}'
Web-based CISO dashboard design document. Planned implementation with Next.js + Vercel + TypeScript:
Phase 1 (Done) Phase 2 (Done) Phase 3 (Planned) Phase 4 (Planned)
| | | |
v v v v
Security Guide LLM CISO Persona Web Dashboard Unified Monitoring
& Checklist & Prompt System Framework
| |
+-- CLI MVP +-- Wazuh/XDR integration
+-- Web UI +-- Real-time alerts
+-- Cron automation +-- SIEM integration
+-- Multi-LLM +-- Team dashboard
The end goal is a self-hosted dashboard that startups access daily. Not merely a checklist viewer, but an integrated monitoring system where the LLM periodically scans infrastructure, detects anomalies, and prioritizes remediation actions -- functioning as an always-on virtual CISO.
Curated evaluation of open-source and research projects relevant to AI-assisted security governance. Current as of June 2026.
| Project | Stars | Assessment |
|---|---|---|
| Project | Stars | Assessment |
|---|---|---|
| Project | Stars | Assessment |
|---|---|---|
| Project | Stars | Assessment |
|---|---|---|
| Report ID | Title | Relevance |
|---|---|---|
| CTI-2026-0604-TVING | Tving OTT Platform Personal Data Breach | CI exposure, misconfiguration impact |
| CTI-2026-0604-CU_BREACH | CU Delivery Service Web Vulnerability Hack | Unpatched web vulnerability consequences |
| CTI-2026-0611-FASTCAMPUS_DAYONECOMPANY | FastCampus GitHub Master Key Theft | Secret management and detection failure |
| CTI-2026-0420-VERCEL | Vercel Security Breach (AI SaaS Supply Chain) | Cloud/CI/CD supply chain threats |
| CTI-2026-0611-MIASMA_SPRINGBLIGHT | Miasma Worm Azure Package Mass Infection | Supply chain attack impact on all organizations |
| CTI-2026-0605-CLAUDECODE | Claude Code GitHub Action Privilege Bypass | LLM/CI/CD security vulnerabilities |
| Awesome Static Analysis Security Tools | Open-source SAST Tools Collection | DevSecOps pipeline construction |
| LAON VaultGuard | Multi-LLM Secret Detection Tool | Pre-commit hardcoded secret prevention |
| Criterion | How This Project Differs |
|---|---|
| Scope | |
| Cloud + SaaS (Google Workspace) + DRM + KISA compliance + GDPR + CCPA + incident response in a unified guide. Most similar projects focus on a single domain. | |
| LLM Support | |
| Hybrid architecture supporting both public (Claude/GPT/DeepSeek) and local (Ollama) LLMs. Few comparable projects support both modes. | |
| Cross-Jurisdiction | |
| Explicit coverage of GDPR vs. CCPA vs. PIPA legal differences. The cross-jurisdiction compliance diff module has no equivalent in any listed project. | |
| Startup-Specific | |
| Stage-gated checklists from Pre-Seed to Series A. Free/open-source tool recommendations accounting for limited budgets. | |
| Execution Readiness | |
| Concrete CLI commands, API code, Modelfiles, Vercel deployment configuration -- ready to deploy, not just conceptual. |
| Layer | Technology | Purpose |
|---|---|---|
| Language | TypeScript (Strict), Node.js 22 | API server, CLI tools |
| Framework | Next.js 15 (App Router) | Phase 3 dashboard |
| Hosting | Vercel | API endpoints and frontend |
| Database | Vercel Postgres | Assessment history |
| Cache | Vercel KV (Redis) | Assessment result cache |
| LLM - Public | Claude (Anthropic), GPT-4o (OpenAI), DeepSeek | High-capability assessments |
| LLM - Local | Ollama + Llama 3 / Gemma 3 | Air-gapped sensitive data processing |
| Scheduling | Vercel Cron Jobs | Automated periodic assessments |
| Notifications | Slack Webhook, Resend (Email), Notion API | Assessment result delivery |
| Auth | NextAuth.js (Google OAuth) | Dashboard user authentication |
This project is open-source and welcomes contributions:
Contribute via GitHub Issues or Pull Requests. All contributions follow the CC BY-NC-SA 4.0 license.
This guide and prompt system are provided for educational and defensive purposes. Actual security architecture and regulatory compliance depend on each company's specific circumstances. Critical legal decisions require professional review. LLM assessments are assistive tools; automated evaluation results should not be relied upon as sole grounds for compliance decisions.
| Channel | Info |
|---|---|
Maintained by
[Dennis Kim]| (c) 2026 |[CC BY-NC-SA 4.0]