
Vertical Packs

Vertical packs are curated bundles of mandates tailored to a specific business model or regulated industry. Every project has exactly one vertical pack. The pack’s mandates activate on top of the 50 global mandates and affect how agents plan, build, and review code.

Choosing a vertical

When creating a project:

defiant projects create \
--name "my-app" \
--repo "github.com/yourorg/my-app" \
--vertical b2b-saas

You can change the vertical later, but doing so re-runs mandate checks against all existing code:

defiant projects update proj_01hw... --vertical fintech
# Warning: changing vertical from 'b2b-saas' to 'fintech' will
# activate 22 additional mandates. Running compliance check...

Available verticals

Solo Founder

For solo developers and small teams moving fast. Lighter compliance overhead, focus on shipping.

B2B SaaS

Multi-tenant architecture, SSO support, org-level data isolation, usage-based billing.

Marketplace

Two-sided marketplace with buyer/seller isolation, escrow patterns, dispute resolution flows.

Fintech

PCI DSS, double-entry accounting, transaction integrity, fraud signals, regulatory reporting.

Healthcare

HIPAA PHI encryption, audit trails, access controls, minimum necessary access principle.

PE Portfolio

Portfolio company patterns: consolidated reporting, entity isolation, cross-entity analytics.

Solo Founder

Use when: You are building a new product alone or with a very small team. Speed is the priority. Compliance overhead is kept minimal.

Additional mandates (8): Basic security hygiene, semantic versioning, conventional commits, GDPR deletion endpoint, email unsubscribe, input validation, HTTPS-only, structured logging.

Agents typically skipped: Counselor, Commander (initiatives only), Marketer (optional).

Example projects: Personal tools, side projects, early-stage SaaS before product-market fit.

B2B SaaS

Use when: You are building software sold to organizations, with multiple users per account, SSO requirements, and enterprise procurement needs.

Additional mandates (12):

  • Multi-tenancy isolation (all queries scoped to org_id)
  • SSO support (SAML 2.0 or OIDC)
  • Org-level RBAC (role-based access control)
  • Usage metering (for usage-based billing)
  • Audit log per org (customers can export their audit log)
  • Data residency tagging (EU vs. US data segregation)
  • SLA monitoring endpoints
  • SOC 2 Type II evidence collection
  • Enterprise SSO onboarding flow
  • Admin impersonation with audit trail
  • Bulk user management API
  • SCIM provisioning support
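
The first mandate above, "all queries scoped to org_id", as an added illustration that is not code from the Defiant project: the unscoped lookup is the shape the mandate forbids, `TenantRepo` is the compliant form (the org id comes from the caller's session, never from request input), and `is_org_scoped` is a hypothetical static check of the kind a mandate scan could run over query strings. The `projects` table and org ids are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data (not the project's schema): one shared table, two orgs.
SCHEMA = """
CREATE TABLE projects (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL);
INSERT INTO projects (org_id, name) VALUES
  ('org_a', 'A roadmap'), ('org_b', 'B roadmap'), ('org_b', 'B pricing model');
"""
TENANT_TABLES = {"projects"}  # tables whose rows belong to exactly one org

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def get_project_unscoped(conn, project_id):
    # Violates the mandate: the row is selected by id alone, so a caller from
    # org_a who guesses id 3 is handed org_b's row.
    return conn.execute(
        "SELECT id, org_id, name FROM projects WHERE id = ?", (project_id,)
    ).fetchone()

class TenantRepo:
    """Compliant form: every query carries the caller's org_id, taken from the
    authenticated session, and there is no unscoped entry point."""

    def __init__(self, conn, org_id):
        if not org_id:
            raise ValueError("org_id is required for every tenant query")
        self.conn, self.org_id = conn, org_id

    def get_project(self, project_id):
        # A row from another org is simply not found; no leak, no oracle.
        return self.conn.execute(
            "SELECT id, org_id, name FROM projects WHERE id = ? AND org_id = ?",
            (project_id, self.org_id),
        ).fetchone()

def is_org_scoped(sql):
    """Coarse static check of the kind a mandate scan might run: a statement that
    reads, updates or deletes from a tenant table must filter on org_id."""
    tables = {t.lower() for t in re.findall(r"\b(?:FROM|UPDATE|JOIN)\s+(\w+)", sql, re.I)}
    if not tables & TENANT_TABLES:
        return True  # not a tenant table, nothing to scope
    where = re.search(r"\bWHERE\b(.*)", sql, re.I | re.S)
    return bool(where and re.search(r"\borg_id\s*=", where.group(1), re.I))
```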

Agents always included: Counselor (for ToS and compliance review).

Example projects: Project management tools, CRM, DevOps platforms, analytics dashboards sold to teams.

Marketplace

Use when: You are building a platform that connects two types of users (buyers/sellers, renters/owners, freelancers/clients) and handles transactions between them.

Additional mandates (15):

  • Buyer/seller data isolation (neither party can access the other’s private data)
  • Escrow pattern for payments (funds held until delivery confirmed)
  • Dispute resolution workflow (formal dispute states, evidence collection)
  • Commission calculation audit trail
  • Payout eligibility checks (KYC/AML for sellers above thresholds)
  • Fraud velocity checks
  • Listing content moderation hooks
  • Review and rating integrity (no self-review, verified purchase)
  • Stripe Connect integration pattern
  • 1099-K reporting hooks (for US marketplaces above IRS thresholds)
  • Search result ranking audit trail
  • Anti-collusion checks (seller cannot bid on their own listing)
  • Buyer protection policy enforcement
  • Refund workflow with audit trail
  • Trust and safety reporting API

Example projects: Freelancer platforms, rental marketplaces, service booking, creator content platforms.

Fintech

Use when: Your product handles financial transactions, lending, investments, or payment processing. Highest compliance overhead.

Additional mandates (22): See Vertical Pack Mandates for the complete list.

Key mandates:

  • PCI DSS card data handling (no raw card storage, Stripe/Adyen only)
  • Double-entry accounting for all balance changes
  • Idempotency keys on all financial mutations
  • Transaction audit trail (immutable, 7-year retention)
  • Fraud velocity checks
  • KYC/AML integration hooks
  • Regulatory reporting endpoints (SAR, CTR hooks)
  • OFAC sanctions screening hook
  • Interest calculation audit trail
  • Reconciliation export format
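
The double-entry, idempotency-key and immutable-audit-trail mandates together, as an added example that is not the project's code: a small in-memory ledger that refuses unbalanced or malformed postings, posts each idempotency key at most once (a client retry gets the original record back instead of moving money twice), and derives every balance from an append-only journal. Account names, amounts and keys are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Entry:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")

def validate(entries):
    """Return an error message if these legs may not be posted, else None."""
    if len(entries) < 2:
        return "a journal entry needs at least two legs"
    for e in entries:
        if e.debit < 0 or e.credit < 0 or bool(e.debit) == bool(e.credit):
            return f"leg for {e.account} must be exactly one non-negative debit or credit"
    debits, credits = sum(e.debit for e in entries), sum(e.credit for e in entries)
    if debits != credits:
        return f"unbalanced: debits {debits} != credits {credits}"
    return None

class Ledger:
    """Append-only journal: balances are derived from it and never stored,
    and each idempotency key posts at most once."""

    def __init__(self):
        self._journal = []   # audit trail: records are appended, never edited
        self._by_key = {}    # idempotency_key -> sequence number in the journal

    def post(self, idempotency_key, entries, memo=""):
        if idempotency_key in self._by_key:
            # A retried request must not move money twice: hand back the original.
            return self._journal[self._by_key[idempotency_key]]
        error = validate(entries)
        if error:
            raise ValueError(error)
        record = {"seq": len(self._journal), "key": idempotency_key,
                  "memo": memo, "entries": tuple(entries)}
        self._journal.append(record)
        self._by_key[idempotency_key] = record["seq"]
        return record

    def balance(self, account):
        # Reproducible from the journal alone, so every balance is auditable.
        return sum(e.debit - e.credit for r in self._journal
                   for e in r["entries"] if e.account == account)

    def journal(self):
        return tuple(self._journal)
```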

Example projects: Neobanks, lending platforms, investment apps, payment infrastructure, expense management.

Healthcare

Use when: Your product stores, processes, or transmits Protected Health Information (PHI) and must comply with HIPAA.

Additional mandates (19): See Vertical Pack Mandates for the complete list.

Key mandates:

  • PHI encrypted at rest (AES-256-GCM)
  • PHI transmitted only over TLS 1.2+
  • No PHI in logs
  • HIPAA audit trail (every PHI access logged with purpose)
  • Minimum necessary access principle
  • Business Associate Agreement tracking
  • Break-glass access workflow (emergency PHI access with mandatory review)
  • De-identification pipeline (Safe Harbor or Expert Determination)
  • Patient right of access (data export within 30 days)
  • Breach notification workflow (72-hour notification requirement)
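
The audit-trail, minimum-necessary and no-PHI-in-logs mandates, as an added example that is not the project's code: a purpose-bound read that returns only the fields a purpose needs, records who accessed which patient and why without copying PHI into the audit entry, and a logging filter that drops records naming a PHI field as a coarse last line of defence. The patient record, purposes and field map are constructed assumptions.

```python
import logging
import re
from datetime import datetime, timezone

# Constructed sample record (not real data); every field except the id is PHI.
PATIENTS = {"pt_1001": {"name": "Alice Example", "dob": "1980-01-02", "notes": "asthma, seasonal"}}
PHI_FIELDS = {"name", "dob", "notes"}
# Minimum necessary: each purpose sees only the fields that purpose requires.
FIELDS_BY_PURPOSE = {
    "treatment": {"name", "dob", "notes"},
    "payment": {"name", "dob"},
    "operations": set(),
}
AUDIT_TRAIL = []  # append-only; in production a write-once store

class NoPhiFilter(logging.Filter):
    """Drops a record whose message carries a PHI field as key=value (coarse guard)."""
    PATTERN = re.compile(r"\b(?:%s)=" % "|".join(sorted(PHI_FIELDS)))

    def filter(self, record):
        return not self.PATTERN.search(record.getMessage())

log = logging.getLogger("phi")
log.addFilter(NoPhiFilter())

def message_allowed(msg):
    """Would the filter let this message through? Used to check the guard."""
    return NoPhiFilter().filter(logging.makeLogRecord({"msg": msg}))

def read_phi(actor, patient_id, purpose):
    """Purpose-bound PHI read; the audit entry names who/what/why but no PHI."""
    if purpose not in FIELDS_BY_PURPOSE:
        raise PermissionError(f"PHI access requires a recognised purpose, got {purpose!r}")
    record = PATIENTS.get(patient_id)
    if record is None:
        raise KeyError(patient_id)
    fields = sorted(FIELDS_BY_PURPOSE[purpose])
    AUDIT_TRAIL.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "patient": patient_id, "purpose": purpose, "fields": fields,
    })
    log.info("phi_read actor=%s patient=%s purpose=%s", actor, patient_id, purpose)
    return {k: record[k] for k in fields}

def audit_has_phi():
    """Self-check: no audit entry may contain a PHI value from the store."""
    values = {v for rec in PATIENTS.values() for v in rec.values()}
    return any(v in str(entry) for entry in AUDIT_TRAIL for v in values)
```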

Example projects: EHR/EMR systems, patient portals, telehealth platforms, clinical trial tools, health data analytics.

PE Portfolio

Use when: You are building software for a private equity portfolio company that needs to report up to a holding company and operate alongside sibling portfolio companies.

Additional mandates (14):

  • Entity isolation (portfolio companies cannot access each other’s data)
  • Consolidated reporting format (standard schema for roll-up reporting)
  • Cross-entity analytics (aggregated only, no row-level cross-entity access)
  • Holding company admin panel
  • EBITDA calculation audit trail
  • Carve-out data export (for portfolio company sales)
  • Fund-level user hierarchy
  • LP reporting format compliance
  • Waterfall calculation audit trail
  • Management fee calculation audit trail
  • Board reporting templates
  • Covenant monitoring hooks
  • 100-day plan integration
  • Synergy tracking module

Example projects: Portfolio management platforms, fund administration tools, operational dashboards for portfolio companies.

Switching verticals mid-project

Switching verticals is supported but has consequences:

  1. New blocking mandates may flag existing code that was compliant under the old vertical.
  2. A full mandate compliance scan runs automatically on the switch.
  3. Any violations are surfaced as inbox items — they do not immediately break the project, but must be resolved before the next sprint can complete.

defiant projects update proj_01hw... --vertical healthcare
# Scanning existing codebase for healthcare mandate compliance...
# [PASS] mandate_h3: TLS 1.2 enforcement — no HTTP URLs found
# [FAIL] mandate_h1: PHI encryption
# Found: user_notes column in users table — not encrypted
# File: supabase/migrations/001_initial.sql:34
# [FAIL] mandate_h2: HIPAA audit trail
# Found: 3 PHI access routes without audit logging
# Vertical updated. 2 compliance issues require resolution.
# Run: defiant inbox list to see required actions.