stack — security

The minimum viable security stack for a solo founder.

Most security advice is written for a 200-person company with a SOC team. For a one-person operation, the right answer is much smaller. Here is the 30-minute setup that has covered every real problem I have actually had.

This page contains affiliate links. If you sign up through them, this site may earn a small commission at no extra cost to you. See the Affiliate Disclosure. Last verified: 2026-05.

I am not a security expert. I am a one-person operator who has lost a Wi-Fi router to a hotel network, had a Stripe account flagged after I logged in from a new country, and watched a friend's business go down for a week because their domain expired. The stack below is built to prevent those three things, not to defend against state actors.

The whole stack, in one minute

  • Password manager: 1Password at $4.99/mo, or NordPass if the household already pays for the Nord bundle.
  • Two-factor everywhere: Authenticator app on phone. Hardware key for the email account.
  • VPN for untrusted networks: NordVPN on a 2-year plan, around $3.39/mo. Surfshark if you want unlimited devices.
  • Domain hygiene: Auto-renew on, lock the registrar, two-factor on the registrar account. Pay for one extra year up front.
  • Backups: Whatever your operating system already includes. iCloud Drive, OneDrive, Time Machine. Set it once.
  • Email account hardening: The address every other account uses for recovery. Hardware key, recovery codes printed.

That is it. Six items. Setup takes about 30 focused minutes.

What is actually at risk for a solo founder

Worth getting honest about. The threats one-person operations face are not the threats that make headlines.

  • Account takeover via leaked password. Your old password got dumped in a breach. Someone tries it on Stripe. A password manager solves this for $5/mo because every site gets its own generated password, so a dumped one unlocks nothing else.
  • Hotel/cafe Wi-Fi snooping. Less common than it used to be because most traffic is HTTPS now. Still a real issue for plain HTTP, captive portals, and apps that mishandle TLS. A VPN takes that traffic off the local network. Note that it moves the trust to the VPN provider rather than removing it.
  • Phone theft. Pickpocketed in a city you do not know. If your authenticator app is on that phone and you have no backup codes, you are locked out of everything for a week.
  • Domain expiry. The number-one way small operations disappear. Auto-renew off + expired card + you ignored the email for two weeks = the site is gone and a squatter has the domain.
  • Stripe / payment processor freeze. Not strictly security, but it shares the same shape. Keep records, keep alternates, do not log in from a sketchy IP if you can avoid it.

Notice what is not on this list. Sophisticated phishing campaigns. SIM-swap attacks. Targeted intrusion. Those exist. They are rare for an unknown small operator, and the authenticator-app-plus-hardware-key setup above already keeps SMS out of your login flow, which is what a SIM swap targets. Focus the budget on the boring stuff.

Password manager picks

1Password is the safe default. The Families plan is $4.99/mo and earns that price on a few specific wins for a solo founder. A shared Operations vault you can give to your accountant, partner, or future hire without exposing the rest of your stack. Native iOS and macOS autofill that does not fight you on a single login. Travel Mode that hides selected vaults at a border. The Watchtower feature that flags compromised passwords against breach databases. The desktop app is fast, the browser extension is reliable, and the recovery flow if you lose a device is solid.

NordPass is cheaper and a strong choice if you already pay for NordVPN, since the bundle drops the per-tool price noticeably. The autofill on iOS is a step behind 1Password in my experience, but the core password storage, generator, and breach scanner are all there. Solid pick for a household that wants one Nord-branded subscription covering both VPN and passwords.

Bitwarden exists, is open source, and is free for most personal use. I have used it for over a year on a side project. The browser extension is fast, the mobile app is fine, and the premium plan at $10/year unlocks the same essentials without a monthly fee. If $5/mo is a stretch, Bitwarden is the answer. It is also the right pick if you specifically want an open-source codebase you can audit.

The drawback worth knowing about any password manager: every provider has a worst day where their service blips for a few hours. 1Password and NordPass have both had short outages in the last 18 months. An outage mostly affects sync and signing in on a new device; the vault already cached on your laptop and phone keeps working. What you cannot afford to lose is the master password itself (and, for 1Password, the Secret Key on the Emergency Kit). Write it down and keep it somewhere physical. A locked drawer is acceptable.

VPN picks

A VPN is one of those tools where the marketing oversells one angle and undersells the more useful ones. HTTPS already protects most of your daily traffic. The real reasons to run a VPN as a solo founder:

  • A clean, private network path you control. Hotel and cafe Wi-Fi captive portals see your DNS queries. Once you are past the portal, a VPN routes those through your provider instead of the property. You are trusting the provider instead of the venue, so pick one whose logging policy you have actually read.
  • Geo-flexibility. Reaching a service that geo-blocks your travel destination, checking how a landing page looks from another country, accessing region-locked tools while abroad.
  • IP hygiene. Obscure your home IP from sites you only visit once. Useful for casual research and signup forms that profile your address.
  • Peace of mind on shared networks. Coworking spaces, conferences, a family member's house. A kill switch blocks all traffic if the tunnel drops, so a flaky network does not silently fall back to sending your traffic over the open Wi-Fi.

NordVPN on a 2-year plan lands around $3.39/mo. The kill switch works reliably. Connection speeds are solid on most servers I have used, including the US, EU, and Japan endpoints. The mobile app handles auto-reconnect cleanly on network changes. Customer support is responsive when you actually need them. The main drawback is the renewal pricing: the auto-renewal jumps to roughly $5.99/mo after the intro period. Cancel and re-sign-up when the plan renews if you want to keep the headline price.

Surfshark is owned by the same parent company. Slightly cheaper on the 2-year plan, with one feature that matters for households: unlimited simultaneous devices on one account. Speeds are comparable on most routes, a touch slower on long-haul connections (Asia to US) in my testing, though the difference depends on which server you pick.

What I would skip on a tight budget: the VPN-bundled-with-a-security-suite pitches. They are usually a thin wrapper around a third-party VPN and tend to be slower.

The 30-minute setup, in order

If you are starting from scratch, this is the order I would do it.

  1. Sign up for the password manager. Install the browser extension and the phone app. (5 min)
  2. Change the password on your primary email account. Use the password manager to generate a strong one. Turn on 2FA: register the hardware key, add the authenticator app as a fallback, and save the recovery codes in the password manager plus a printed copy. (5 min)
  3. Repeat for: payment processor, hosting/registrar, GitHub or equivalent, your bank. (10 min)
  4. Sign up for the VPN. Install on laptop and phone. Turn on the kill switch. (5 min)
  5. Log in to your registrar. Turn on auto-renew. Turn on the registrar transfer lock (it shows up as clientTransferProhibited in WHOIS/RDAP). Add 2FA. Pay for an extra year up front if the budget allows. (3 min)
  6. Confirm your OS-level backups are running. Open the settings, check the last-backup timestamp. (2 min)

Total time: about 30 focused minutes. Total cost: about $8.50/mo at the intro prices above if you go with 1Password Families and NordVPN on the 2-year plan, rising to roughly $11/mo once NordVPN renews at $5.99.

What I would not bother with as a solo founder

  • Enterprise SSO providers. Okta, OneLogin, the whole category. Useful at 20+ employees. Useless solo.
  • Endpoint detection products. Marketed at small businesses, priced at medium ones. The protections built into your OS (Gatekeeper and XProtect on macOS, Microsoft Defender on Windows) are enough at this scale, provided you keep the OS updated.
  • Cyber insurance for $80/mo. Read the exclusions. For a side project, you will not meet the claim conditions.
  • A second VPN as a backup. The risk of two providers being down at the same moment you actually need a VPN is small. The cost of paying for two is not.

One more thing about domain expiry

Of every problem on this list, the domain expiry is the one I have watched cost the most. Tiny businesses lose their brand because a credit card expired and the renewal email went to a defunct inbox.

Mitigation that takes 60 seconds: pay for two years instead of one, set a calendar event for 30 days before expiry, and make sure the registrar account has a recovery email that is not on the domain itself, because once the domain lapses, mail to addresses on it stops arriving too (keep the registrar's recovery codes in your password manager's secure notes). I have my registrar set to send renewal warnings to two different addresses. Belt and suspenders. Worth it.
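The calendar reminder is the honest minimum, but the expiry date and the transfer lock (step 5 of the setup above and the domain-expiry section here) are both visible in the registry's public RDAP record, so a script can check them for you. The following is an added example, not code from the page's author or any registrar: it parses an RDAP domain record for the expiration event and the transfer-lock status and flags anything inside a 30-day window. The sample record is constructed, `example-founder.test` is a made-up name, and the live lookup via the rdap.org bootstrap redirector is an assumption about where the record would be fetched from; everything else runs offline.

```python
from __future__ import annotations

import json
import sys
import urllib.request
from datetime import datetime, timezone

# rdap.org redirects a domain query to the right registry's RDAP server
# (assumption: used here only for the optional live lookup).
RDAP_BOOTSTRAP = "https://rdap.org/domain/"

# RFC 8056 maps the EPP status clientTransferProhibited to this RDAP string.
TRANSFER_LOCK_STATUSES = {"client transfer prohibited", "server transfer prohibited"}

# Constructed sample record in the shape registries return; not real data.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example-founder.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-06-01T12:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-06-01T12:00:00Z"},
    ],
}

# Same domain with no registrar lock applied (also constructed).
UNLOCKED_RDAP = dict(SAMPLE_RDAP, status=["active"])


def parse_time(value: str) -> datetime:
    """Parse an RDAP eventDate (ISO 8601, usually with a trailing Z) as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def expiry_date(rdap: dict) -> datetime | None:
    """Return the expiration event's timestamp, or None if the record has none."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return parse_time(event["eventDate"])
    return None


def transfer_locked(rdap: dict) -> bool:
    """True if a client or server transfer prohibition is set on the domain."""
    return any(s.lower() in TRANSFER_LOCK_STATUSES for s in rdap.get("status", []))


def check_domain(rdap: dict, now: datetime | None = None, warn_days: int = 30) -> dict:
    """Summarise expiry and lock state; findings is empty when nothing needs action."""
    now = now or datetime.now(timezone.utc)
    expiry = expiry_date(rdap)
    days_left = (expiry - now).days if expiry else None
    locked = transfer_locked(rdap)
    findings: list[str] = []
    if expiry is None:
        findings.append("no expiration event in RDAP record; check the registrar directly")
    elif days_left < 0:
        findings.append(f"EXPIRED {-days_left} days ago; contact the registrar immediately")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days; renew now")
    if not locked:
        findings.append("transfer lock is off; enable it in the registrar's domain settings")
    return {
        "domain": rdap.get("ldhName"),
        "days_left": days_left,
        "transfer_locked": locked,
        "findings": findings,
    }


def fetch_rdap(domain: str, timeout: int = 10) -> dict:
    """Fetch the live RDAP record for a domain (network access required)."""
    request = urllib.request.Request(
        RDAP_BOOTSTRAP + domain, headers={"Accept": "application/rdap+json"}
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


if __name__ == "__main__":
    # With a domain argument, query the live record; otherwise use the sample.
    record = fetch_rdap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RDAP
    print(json.dumps(check_domain(record), indent=2))
```

Run it from a weekly cron job or a scheduled GitHub Action with your domain as the argument and have it email you when `findings` is non-empty. The lock check matters as much as the date: an unlocked domain can be transferred away by anyone who gets into the registrar account, which is why step 5 puts 2FA and the lock together.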

Final pick

If you want the one-line version: 1Password Families, NordVPN on the 2-year plan, 2FA with a hardware key on email, auto-renew and transfer lock on the domain. Total monthly cost in the $8.50 to $11 range depending on whether NordVPN is at the intro or renewal price. The rest of the security industry can wait until you actually have something worth attacking.

