Founders over-build infrastructure they don’t need and skip the few things that will actually sink them. Here’s the lean stack a startup genuinely needs on day one — and, just as important, what you’re allowed to ignore until later.
Auth: buy it, don’t build it
Authentication is a solved problem with a long tail of ways to get it dangerously wrong (session fixation, token leakage, weak resets). Use a managed provider or a battle-tested library. The rule: never store passwords yourself if you can avoid it, always scope sessions, and make logout actually revoke. This is not where you earn points for cleverness.
Observability before scale
You cannot fix what you cannot see. On day one you need three things: structured logs, error tracking with alerts, and a basic uptime check. That’s it. Skip the elaborate metrics platform until you have traffic to justify it — but never skip “did the deploy break something, and will I find out before a customer does?”
CI/CD: one command, every time
Deploys should be a single command (or a merge) that runs typecheck, tests, and ships — the same way every time. Manual deploy steps are how “it worked on my machine” reaches production. A ten-minute pipeline pays for itself the first time it catches a broken build before your users do.
Cost control from the start
The two runaway costs for modern startups are cloud egress and AI/LLM spend. Prefer platforms with no egress fees, cache aggressively, and put hard per-user daily and monthly caps on anything that calls a paid model. A compromised key or a runaway loop should cost you cents and an alert, not a five-figure surprise.
Security posture: the short list
You don’t need a compliance department on day one, but you do need: secrets in a secret store (never in code), least-privilege access, input validation on every write, and a plan for revoking access fast. Do these five and you’ve closed the doors that actually get walked through.
What you can skip (for now)
Kubernetes, multi-region, microservices, a data warehouse, and most of the “scale” tooling — none of it matters until you have the users to need it, and all of it slows you down before then. Lean infrastructure isn’t cutting corners; it’s refusing to pay for problems you don’t have yet. Ship the product; add the machinery when the traffic demands it.
The lean stack: managed auth, three observability primitives, one-command CI/CD, hard cost caps, and the five-item security short list. That’s a startup’s real infrastructure — everything else is a distraction dressed up as diligence.
