MicroConf US 2026 in Portland: Notes from Two Bootstrapped Founders Building AI-Native Compliance

We just got back from MicroConf US 2026 in Portland — three days, around 250 founders, and one question on almost every panel: when AI eats the code, what's left to defend? Here's what stuck with us, why we sponsored as YSecurity, and what we're carrying back to the Cyberbase roadmap.

April 23, 2026

Portland in mid-April is wet, green, and full of coffee shops where founders end up arguing about pricing pages. We can confirm.

We flew in last week for MicroConf US 2026, which ran April 12–14 at The Nines downtown. Sasha hadn't been before. Jon had — twice — and kept saying the same thing on the flight: "Don't try to do everything. The hallway track is the conference."

He was right.

This is the kind of recap we wish existed before our first MicroConf. Less "here's the agenda we already saw on the website," more "here's what we actually changed our mind about." So that's what this is.

Cyberbase and YSecurity team at the MicroConf US 2026

Why we went, and why we sponsored

Quick context for anyone new to us: we run two companies. YSecurity is the on-demand cybersecurity team we started in 2021 — SOC 2, ISO 42001, pen-tests, DDQs, and sales-call support for startups. Most of our customers are AI companies that need to look enterprise-ready faster than they can hire. Cyberbase is the AI-native compliance automation platform we spun out of YSecurity in 2024, after watching the same painful workflows happen across every customer — contract redlining, security questionnaires, trust portal access requests — and realizing none of it should still be manual.

We sponsored MicroConf US 2026 as YSecurity. Two reasons.

First, the room. MicroConf is the longest-running conference for non-VC-track founders, and the audience skews exactly where we live: B2B SaaS, 6- to 8-figure ARR, security-conscious because their customers are starting to ask hard questions. Around 230 attendees, 32% over $100K MRR, half first-timers, more than ten countries represented. Small enough that you actually meet people. Big enough that the diversity of problems is real.

Second, MicroConf is the room where we want to talk about Cyberbase eventually — but not yet. This year, we showed up to listen.

YSecurity MicroConf US 2026

The conversation everyone was actually having

If you only looked at the agenda, you'd see a normal SaaS lineup. Rob Walling on AI in SaaS. Amanda Natividad on the zero-click problem. Jason Cohen on growth ceilings. Gia Laudi on GTM moats. Anthony Eden on AI-generated apps. Craig Hewitt on "SaaS After Software."

But underneath all of those talks was the same question, asked sideways:

If AI can write your code, what is your moat actually made of?

Not a new question. Definitely the question of 2026.

What was different at MicroConf was that nobody was theorizing. These are operators with real ARR. So the answers were specific. Distribution moats. Workflow embedding. Integration depth. Brand. Community. Proprietary data the model doesn't have. Building the "agentic" version of your category before someone else gets there.

What you didn't hear much: "feature parity." That ship sailed.

Sasha's takeaway from Craig Hewitt's session was worth writing down: when code stops being scarce, what's scarce is judgment about which code to write. Which is just another way of saying — context. The thing the model doesn't have access to. The reason a generic LLM can't actually do your work, even when it can technically write the syntax.

That's basically the entire thesis behind the Cyberbase Context Engine, so we may have nodded too hard in the back row.

Co-founders Sasha Sinkevich and Jon McLachlan

The hallway track, as advertised

Jon was right about this part. The best conversations happened between sessions.

A few that we keep thinking about:

A founder doing $4M ARR in vertical SaaS told us he stopped responding to security questionnaires manually six months ago, and his sales cycle dropped by ~3 weeks. He uses a competitor of ours. He was happy. We were happy he was happy — that's the actual market we're trying to grow, not steal.

A two-person team in a regulated industry asked us, point blank, "How do we get a Trust Portal up without paying $15K a year?" We told them about the Cyberbase Trust Portal being free forever. They thought we were joking until we pulled it up on a phone.

A solo founder building an AI agent for legal ops asked Jon how to think about ISO 42001 when you're pre-revenue. Jon's answer, which we'll paraphrase: don't chase the certificate, build the system. The certificate is a side effect.

A repeat attendee told us — about MicroConf, not us — "there's something special about being in a room full of startup founders who can relate with this crazy journey." Cliché-sounding, true.

MicroConf US 2026 Cyberbase / YSecurity

What we're bringing back to Cyberbase

Three things:

1. Stop describing the product. Start describing the outcome. We watched a session on positioning where the speaker showed two homepages side by side — same product, two different framings. The outcome-led one converted more than 2x better. Our team has been quietly rewriting Cyberbase landing pages for weeks. This was the kick to finish.

2. The "certified-to-deal-ready" gap is even bigger than we thought. Multiple founders told us a version of: "We have SOC 2, but our enterprise deals still take 90 days because of DDQs and redlining." That's the gap Cyberbase exists to close. The fact that founders at MicroConf — the most operationally sharp room in SaaS — still feel that pain told us we're early, not late. Our most recent customer, Augment Code, saved 743 hours and ran 155 contracts through Cyberbase in their first year, which their team estimated as roughly 13:1 ROI. That's the story we want every founder in that hallway to know is possible.

3. Bootstrapping is back in fashion, and that matters for security. A weird thing has happened in the last 18 months: the most interesting AI companies are increasingly capital-efficient. Smaller teams, faster revenue, less dilution. Which means they need security and compliance to be self-serve, fast, and not gated behind a six-figure Vanta-plus-consultancy bundle. That's the business we're building. MicroConf reminded us why.

A few small things we loved

  • The Nines as a venue. Quiet, central, easy to find people.
  • Portland International Airport really is good. Direct flights from 84 destinations, including Frankfurt and Amsterdam.
  • The fact that MicroConf has stayed intimate at around 250 people on purpose. There's a reason it sells out.
  • Lianna Patch as an emcee. If you know, you know.
MicroConf US 2026 in Portland

A few things we wish we'd done differently

We tried to do too much on day one. By Tuesday afternoon, Sasha was running on espresso and Jason Cohen quotes. Pace yourself.

We also didn't book enough 1:1s in advance. Next year we will. If you're a founder we met and we said "let's continue this," and we haven't followed up yet — we will. (We took notes. We promise.)

See you next year

MicroConf Europe is later this year. MicroConf US 2027 will likely be in another city we'll happily fly to. We'll be there.

If you're building something in compliance, contract redlining, DDQs, or trust portals — or if you just want to argue about whether the moat is distribution or context — find us. Both companies, both inboxes are open.

Grab 15 minutes with us

We kept this offer open at MicroConf and we're keeping it open here. Book a free 15-minute call directly on our calendar — Jon or Sasha will show up, no SDR funnel in between.

No prep needed. Bring whatever's on your mind — pricing, positioning, the AI moat question, or how to stop losing 90 days to enterprise security review. Whichever is loudest.

About the authors: Jon McLachlan and Sasha Sinkevich are co-founders of Cyberbase and YSecurity, and co-hosts of The Security Podcast of Silicon Valley.

Frequently Asked Questions

What was MicroConf US 2026?

MicroConf US 2026 was the flagship US edition of MicroConf, the longest-running conference for non-venture-track, bootstrapped SaaS founders. It ran April 12–14, 2026, at The Nines in Portland, Oregon, with around 250 attendees, roughly 32% of whom were over $100K MRR, and around half attending for the first time.

Who spoke at MicroConf US 2026?

Speakers included Rob Walling (Co-founder, MicroConf) on using AI in SaaS, Amanda Natividad (VP of Marketing, SparkToro) on the zero-click problem, Jason Cohen (Founder, WP Engine) on growth ceilings, Gia Laudi (Forget The Funnel) on GTM moats, Alex Pham (Palmetto & Pine) on price increases, Craig Hewitt (Castos) on SaaS after software, and Anthony Eden (DNSimple) on AI-generated apps.

What was the dominant theme at MicroConf US 2026?

The dominant theme was the AI moat question: when generative AI can write code on demand, what protects a SaaS business from being commoditized? Operators kept landing on the same answers — distribution, workflow embedding, integration depth, brand, community, and proprietary context that the model doesn't have access to.

What is the difference between YSecurity and Cyberbase?

YSecurity is an on-demand cybersecurity services firm for startups, founded by Jon McLachlan and Sasha Sinkevich in 2021, handling SOC 2, ISO 42001, penetration tests, DDQs, and security sales support. Cyberbase is an AI-native compliance automation platform spun out of YSecurity in 2024, with three core products — AI Contract Redlining, DDQ Automation, and a free-forever Trust Portal — unified by a shared Context Engine.

Why did YSecurity sponsor MicroConf US 2026?

YSecurity sponsored MicroConf US 2026 because the audience — bootstrapped, capital-efficient B2B SaaS founders selling into security-conscious buyers — is exactly the customer profile YSecurity has supported since 2021. The conference is also where many of these founders first encounter the certified-to-deal-ready gap that Cyberbase was built to close.

When is the next MicroConf event?

MicroConf Europe 2026 is the next flagship event. MicroConf US 2027 will be held in a city to be announced. Tickets for both typically sell out in advance, and the upcoming-events page on microconf.com is the best place to check.
