
>>>Your start up will never experience this and the mega corp

You writing this makes me believe you don’t work around or with the IC and are speaking out of your lane.



I don't provide dedicated security services to start ups, so maybe I am outside my lane. However, it is my baseless assertion that nation-states are not dedicating entire teams and months of social-engineering research to backdoor a startup for non-monetary motives. I also suspect startups do not own the entirety of their own distribution infrastructure in production from the wheels, through the ISP, to the local keyboard.


The US Army at least uses Azure and AWS govcloud and not their own infrastructure. I don't think this takes away from your points though, the infrastructure is very locked down and meticulously managed and approved.


It's not one or the other, they use both third party cloud and a lot of their own infra.


It's very likely any given startup will not be attacked by nation state backed hackers continually, 24/7 365. I don't think this is off base at all.


>>> it’s very likely any given startup will not be attacked by nation state backed hackers.

On what assumption do you base this? Startups that have high research value don’t hit your radar as a target?

And really? Any given startup? Also the OP used Facebook.

I am baffled at your sense of security in nation state activity. Read the 2012 annual report to Congress about China. They collect everything.


You’re misunderstanding.

Resources even for nation states are finite. At minimum attention is a finite resource that limits ongoing operations. Active high value targets make sense: defense, infrastructure, finance and even to some extent media.

With that in mind, do you really think they’re interested in a startup that optimizes Google ads? Or how about postgres as a service with no clients of interest?

It’s not that I feel a sense of security, but the low-success-rate, script-based attacks aren’t what I’m talking about here (or, for that matter, things like perpetual port scanning of the internet; every entity seems to do this looking for holes). We are talking about active operations by skilled attackers. There is only so much of that to go around.



