## The question at every board
At every board of a growing African SaaS, the same question comes up: "How much do we really spend on cyber, and is it reasonable?" The honest answer is not a single absolute number; it depends on stage, data handled, and target market. But after 4 years supporting SaaS startups in Dakar, Abidjan, Lagos, Accra and Nairobi, we have three working budget templates.
The base rule: 5 to 8% of annual recurring revenue on cybersecurity once you are post-seed, scaling to 10-12% in the year you prepare for SOC2 / ISO 27001. Pre-seed, you work from an absolute budget (3-8M FCFA / year) rather than a ratio.
## Pre-seed template (0-200k USD revenue)
Targets: working MVP, 100-2000 users, 1-5 person team, no enterprise deal yet.
| Line item | Annual FCFA | Annual USD |
|---|---|---|
| Doppler / Infisical (3 seats) | 130,000 | ~215 |
| GitHub Advanced Security (3 users) | 460,000 | ~755 |
| Gitleaks + TruffleHog in CI | 0 | 0 |
| Cloudflare Pro WAF | 150,000 | ~245 |
| Sentry Team plan | 180,000 | ~295 |
| 1Password Business (5 seats) | 280,000 | ~460 |
| Self-served internal audit (OWASP ASVS) | 0 | 0 |
| Incident reserve | 500,000 | ~820 |
| Total | ~1.7M FCFA | ~$2,800 |
At this stage, no paid pentest, no SOC2, no Vault Enterprise. You build hygiene: secret scanning, MFA everywhere, 1Password, error monitoring, basic WAF.
## Seed template ($200k-$1M revenue)
Targets: product-market fit, 2-10k users, 5-15 person team, first real enterprise deals in discussion.
| Line item | Annual FCFA | Annual USD |
|---|---|---|
| Doppler (10 seats) | 510,000 | ~840 |
| Cloudflare Business + Zero Trust | 1,800,000 | ~2,950 |
| Sentry Business + uptime | 720,000 | ~1,180 |
| 1Password Business (12 seats) | 670,000 | ~1,100 |
| Annual boutique pentest (8 days) | 5,500,000 | ~9,000 |
| Private HackerOne bug bounty (rewards + triage) | 3,600,000 | ~5,900 |
| Team training (phishing sim + secure coding) | 800,000 | ~1,310 |
| Cyber insurance (100M FCFA coverage) | 1,500,000 | ~2,460 |
| Incident reserve | 1,500,000 | ~2,460 |
| Total | ~16.6M FCFA | ~$27,200 |
At this stage, you shift to pentest + bug bounty and start carrying insurance. It's also when you prepare the move to SOC2 or ISO 27001 (early Seed decision, late Seed execution).
## Series A template ($1M-$5M revenue, prepping cert)
Targets: 10k+ users, 15-40 person team, active enterprise deals, Series A signed or imminent.
| Line item | Annual FCFA | Annual USD |
|---|---|---|
| HashiCorp Vault HCP | 3,600,000 | ~5,900 |
| Cloudflare Enterprise (light) | 7,300,000 | ~12,000 |
| Sentry Business + APM | 1,800,000 | ~2,950 |
| Vanta or Drata platform | 9,100,000 | ~14,900 |
| Recognized agency pentest (2 / year) | 22,000,000 | ~36,000 |
| Bug bounty (rewards + managed triage) | 12,200,000 | ~20,000 |
| SOC2 Type II / ISO 27001 audit | 18,300,000 | ~30,000 |
| Cyber insurance (500M FCFA coverage) | 4,600,000 | ~7,540 |
| Fractional CISO (2 days/month) | 12,000,000 | ~19,670 |
| Continuous training + phishing sim | 2,100,000 | ~3,440 |
| Incident reserve | 6,000,000 | ~9,830 |
| Total | ~99M FCFA | ~$162,000 |
That's a significant jump. On a typical $2-3M Series A revenue, $162k is 5.4 to 8.1% of revenue, squarely inside the healthy band.
## What we cut when runway bites
During an Ivorian fintech's 2025-Q4 cash crunch, we had to trim its cyber budget by 28% in 8 weeks. Here's what we cut, in order:
- Fractional CISO from 2 to 1 day / month (-50%)
- Bug bounty paused (private program closed, kept only the triage on in-flight reports)
- H2 pentest pushed back 6 months
- Vanta kept (direct compliance ROI)
- Vault HCP kept (downgrade impossible without risk)
What we NEVER cut: MFA, the secrets manager, the WAF, secret scanning, and cyber insurance. Cutting any one of these 5 multiplies the company's extinction risk by 10.
## What cyber insurance actually covers
Many founders underestimate cyber insurance. In Senegal in 2026, AXA, NSIA, Sunu, and a few specialized brokers (Ascoma, Gras Savoye) offer SaaS policies. Typical premium for 100M FCFA of coverage: 1.2 to 1.8M FCFA / year, with a deductible around 5M FCFA.
Covered: forensic investigation costs, client notification, ransom (with negotiation), business interruption, civil liability (data leak). Requirements: MFA everywhere, encrypted off-site backups, an annual pentest, EDR on endpoints. There is no coverage if you fail these baseline conditions.
## FAQ
### Can my cyber budget be 0% pre-seed?
No. The bare minimum (Doppler, MFA, 1Password, Sentry, Gitleaks) costs ~1.7M FCFA / year. Below that you take on a very real extinction risk through a leaked secret.
### Do I need a full-time CISO?
Not before 30-40 employees or a highly regulated sector. Before that, a fractional CISO (2-4 days / month) is the right cost-benefit trade-off.
### At what revenue do I shift to the Series A budget?
It is not a strict revenue threshold but a mix of signals: $1M+ ARR, 10+ enterprise deals, or SOC2/ISO certification prep started. If 2 out of 3 apply, shift.
### Local junior AppSec engineer vs external consultant?
A junior AppSec engineer with a good profile in Dakar/Lagos costs ~24-36M FCFA / year fully loaded. An external firm runs ~50-80M FCFA / year for senior-level work. Past 20 tech people, in-house becomes more cost-effective.
## We price your cyber budget
Want your 12-24 month cyber budget plan, calibrated to your stage and runway? We run the exercise with your CTO in 3 hours and deliver an FCFA + USD sheet plus a roadmap. WhatsApp +221 77 596 93 33 or /en/free-quote.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.