# Aphoria Demo Script > **Duration:** 15-20 minutes + Q&A > **Target Buyer:** Marcus Thompson (VP Platform Engineering, Series C fintech, 400 engineers) > **URLs:** Slides at `localhost:3001` --- ## Pre-Demo Checklist ```bash # Terminal 1: Build Aphoria cd applications/aphoria && cargo build --release # Terminal 2: Create demo project with intentional violations mkdir /tmp/aphoria-demo && cd /tmp/aphoria-demo # Create a Go file with TLS skip violation cat > main.go << 'EOF' package main import ( "crypto/tls" "net/http" ) func main() { client := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true, // VIOLATION: Disables cert verification }, }, } _ = client } EOF # Create a config with weak TLS version cat > config.yaml << 'EOF' server: tls: min_version: "1.2" # VIOLATION: Should be 1.3 ciphers: - TLS_RSA_WITH_AES_128_CBC_SHA # VIOLATION: Weak cipher EOF # Create a JWT config with weak algorithm cat > auth.go << 'EOF' package auth import "github.com/golang-jwt/jwt/v5" func CreateToken() { // VIOLATION: Using HS256 instead of RS256 token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ "user": "admin", }) _ = token } EOF # Terminal 3: Start slides cd applications/aphoria-pitch && npm run dev ``` **Verify before presenting:** - [ ] `aphoria scan` runs without error on demo project - [ ] Violations are detected (BLOCK for TLS skip, WARN for weak cipher) - [ ] Slides load at `localhost:3001` - [ ] Press `S` to verify speaker notes appear --- ## Part 1: Slides (localhost:3001) ### Slide 1: The Hook **On screen:** "SOC 2 audit prep takes **180 hours**. 60% is proving 'who approved what.'" **Say:** > "How long did your last SOC 2 audit take? For most Series C companies, it's about 180 hours of engineering time. And 60 percent of that time is spent on 'audit archaeology' - reconstructing who approved what, when." > > "63 percent of security incidents trace to config drift from a known-good state. Not new vulnerabilities. Drift from what you already knew was correct." **Then:** Press -> to reveal "The problem isn't missing policies. It's proving you enforced them." --- ### Slide 2: Why This Keeps Happening **On screen:** Three pain points **Say (reveal each with ->):** > "AI generates code that looks correct. Copilot will happily write `InsecureSkipVerify = true` if you ask for a quick HTTP client. Does your PR review catch it? Every time?" > > "Your staff engineer wrote a best practices wiki. New hires don't read it. Contractors don't know it exists." > > "An auditor asks 'who approved this exception?' You spend 3 hours digging through Slack threads from 2023." **Key point:** "Your security team writes policies. Nobody can prove they're followed. That's the gap." --- ### Slide 3: Introducing Aphoria **On screen:** Aphoria logo + tagline **Say:** > "Aphoria is a code-level truth linter. We don't pattern-match like Semgrep. We validate your code against authoritative sources - RFCs, OWASP guidelines, your internal policies - with cryptographic provenance." **Don't linger** - next slide explains the approach. --- ### Slide 4: Every Policy Has a Source **On screen:** Three benefits **Say (reveal each with ->):** > "Cryptographic attribution. Every policy is signed by an approver. Not 'the linter said so.' It's 'signed by @security-team, Acme Security Standard version 3.2.'" > > "Sub-second scanning. Under 100 milliseconds for staged files, under 1 second for full scans. Fast enough for pre-commit hooks. Your developers won't disable it." > > "AI guardrails. Copilot generates insecure code. This catches it instantly, before the PR." --- ### Slide 5: What This Enables **On screen:** Three capability cards **Say:** > "Policy governance - your security team publishes once, 400 engineers inherit instantly. No more 'update 50 repos.'" > > "Drift detection - 'TLS config changed from 1.3 to 1.2' - caught before production, not during the incident." > > "Compliance export - SOC 2 evidence in 15 minutes, not 3 days. Full JSON with provenance." **Reveal:** "Every exception tracked with reason and timestamp." --- ### Slide 6: Demo Preview **On screen:** CLI output preview **Say:** > "This is what you're about to see. A blocked violation with the exact policy it violates, who signed that policy, and how to get help." > > "I'm going to run this exact command live..." **Then:** Switch to Terminal for live demo --- ## Part 2: Live Demo (Terminal) ### Demo Step 1: Speed **Command:** ```bash cd /tmp/aphoria-demo time aphoria scan ``` **What they see:** - Scan completes in under 1 second (typically ~650ms for full scan) - 3 violations detected **Say:** > "Under a second for a full scan. Under 100 milliseconds for staged files only. That's fast enough for a pre-commit hook. Your developers won't disable it because they don't notice it." **AMAZE MOMENT:** "This is pre-commit ready. No waiting. No 'I'll run it later.'" --- ### Demo Step 2: Attribution **What they see in the output:** ``` BLOCK code://go/aphoria-demo/main/tls/cert_verification Your code: TLS certificate verification is disabled (main.go:12) Regulatory: Boolean(true) (Tier 0) Action: Fix or acknowledge with: aphoria ack --reason "..." ``` **Note:** After importing a Trust Pack with `aphoria policy import`, output includes: ``` Source: Acme Security Standard v1.0 (5a3c7b...) ``` **Say:** > "Look at the output. This isn't 'rule 47 failed.' It shows the exact file and line, what the regulatory standard requires, and how to handle exceptions." > > "When you import your org's Trust Pack, every violation traces to a signed policy source. When an auditor asks 'what's your policy on TLS verification?' - this is your answer. Not a wiki page. A cryptographically signed assertion." **AMAZE MOMENT:** "The audit trail is built into every violation." --- ### Demo Step 3: Acknowledgments **Command:** ```bash aphoria ack code://go/aphoria-demo/main/tls/cert_verification \ --reason "Integration test environment - legacy system migration" ``` **What they see:** ``` Conflict acknowledged. ``` **Re-scan shows the conflict now marked as ACK in the summary table:** The violation appears with an `ACK` verdict instead of `BLOCK`, indicating it has been acknowledged. The acknowledgment reason and timestamp are stored in the audit trail. **Say:** > "Sometimes you need an exception. Not every violation is a real problem. Integration test environments, legacy migrations, third-party constraints." > > "This isn't `.sonar-ignore`. It's a tracked acknowledgment with a reason and timestamp, stored in the audit trail. When you re-scan, it shows as ACK instead of BLOCK." **AMAZE MOMENT:** "Exceptions are tracked, not hidden." **Coming Soon:** Acknowledgment expiry (`--expires`) to auto-resurface after a TTL. --- ### Demo Step 4: Drift Detection **Command:** ```bash # First scan with persistence aphoria scan --persist # Modify the config to introduce drift sed -i '' 's/min_version: "1.2"/min_version: "1.1"/' config.yaml # Second scan aphoria scan --persist ``` **What they see:** ``` DRIFT code://config/tls/min_version Previous: 1.2 Current: 1.1 Changed: 2024-02-06T14:32:00Z ``` **Say:** > "Drift detection. Someone changed the TLS version from 1.2 to 1.1. Maybe it was intentional. Maybe it was a merge conflict gone wrong." > > "Either way, you know. Before production. Not during the incident." **AMAZE MOMENT:** "63% of security incidents are config drift. This catches them." --- ### Demo Step 5: Compliance Export **Command:** ```bash aphoria scan --format json | jq '.violations | length' aphoria scan --format json | jq '.acknowledgments' aphoria scan --format json > soc2-evidence.json ``` **What they see:** - Full JSON output with provenance - Acknowledgments with reasons and timestamps - Export-ready for SOC 2 **Say:** > "15 minutes, not 3 days. Your SOC 2 auditor asks for evidence of policy enforcement. You give them this JSON file." > > "Every violation. Every acknowledgment. Full audit trail. Machine-readable. Auditor-friendly." **AMAZE MOMENT:** "SOC 2 evidence generation goes from days to minutes." --- ## Part 3: Return to Slides ### Slide 7: Questions **Page:** Back to localhost:3001, press -> to reach Q&A slide **What they see:** Recap of what they just saw **Be ready for:** | Question | Answer | |----------|--------| | "Why not just write better Semgrep rules?" | "Semgrep rules don't track who approved exceptions. Aphoria has cryptographic provenance. Every policy traces to a signer." | | "What's the false positive rate?" | "We check against authoritative sources, not pattern matching. False positives are policy disagreements, not tool bugs. And those surface as conversations, not ignored warnings." | | "I already have pre-commit hooks." | "Hooks catch violations. Aphoria proves who approved the policy and when. That's the difference between 'we have policies' and 'we can prove enforcement.'" | | "SOC 2 certified?" | "We help you generate evidence. The JSON export with policy provenance and acknowledgment trails is what your auditor needs. We're working on control mapping documentation." | | "Why not Postgres?" | "You could build this. 6-9 months, 2-3 engineers. We've done the hard work. And we've solved problems you haven't hit yet - provenance, drift detection, exception tracking." | | "How does this work with existing CI?" | "Pre-commit hook or CI step. Same `aphoria scan` command. JSON output for automation, human-readable for developers." | | "What about secrets/credentials detection?" | "Aphoria focuses on configuration policy validation, not secrets scanning. Use Gitleaks for secrets. Use Aphoria for 'is this config compliant with our policies.'" | --- ## The Five Aha Moments (Summary) | # | Moment | What Impresses Them | |---|--------|---------------------| | 1 | Speed | <100ms staged, <1s full scan - fast enough for pre-commit without developer complaints | | 2 | Attribution | Policy sources traced to signed Trust Packs - audit trail built in | | 3 | Acknowledgments | Exceptions tracked with reason and timestamp - not `.sonar-ignore` | | 4 | Drift Detection | "TLS version changed from 1.3 to 1.2" - caught before production | | 5 | Compliance Export | SOC 2 evidence in minutes - JSON with full provenance | --- ## Keyboard Shortcuts (Slides) | Key | Action | |-----|--------| | `->` / `Space` | Next slide/fragment | | `<-` | Previous | | `S` | Speaker notes (new window) | | `ESC` | Overview mode | | `B` | Blackout | | `F` | Fullscreen | --- ## If Something Goes Wrong | Problem | Recovery | |---------|----------| | Aphoria not found | Run `cargo build --release` in applications/aphoria | | No violations detected | Check demo files exist in /tmp/aphoria-demo | | Slides won't load | Check port 3001, run `npm run dev` | | Slides won't advance | Click in the slide area first | | Drift not showing | Ensure you ran `--persist` on both scans | --- ## Marcus Thompson Persona Notes **Who he is:** - VP Platform Engineering at Series C fintech - 400 engineers, scaling fast - Burned by SonarQube, Snyk, Semgrep "shelfware" - Needs proof, not promises **What he cares about:** - Developer velocity (won't slow down CI) - Audit readiness (SOC 2 is on the roadmap) - Signal vs noise (hates false positives) - Proof of enforcement (not just "we have policies") **What makes him skeptical:** - "We tried Semgrep. Developers ignored it." - "Snyk alerts are noise. Nobody reads them." - "SonarQube was a 6-month project. Then everyone turned it off." **What wins him over:** - Speed (<100ms staged means pre-commit is viable) - Attribution (policy sources traced to signed Trust Packs) - Tracked exceptions (not .ignore files) - Drift detection (proactive, not reactive) - JSON export (audit evidence generation) --- *Last updated: 2026-02-06*