
The Hidden Cost of AI Coding Tools: IP Exposure by the Numbers

The expected cost of IP exposure from AI coding tools: $250K per incident, scaled by probability. A detailed ROI model showing how Pretense pays for itself in the first incident it prevents.

The Calculation Nobody Runs

Before adopting AI coding tools, most engineering organizations evaluate productivity gains in detail. The math is obvious: if a 10-person team gets 20% more productive and average fully-loaded cost is $200K per engineer, that is $400K in productivity per year.

Nobody runs the exposure calculation on the other side of the ledger.

This post does that calculation. The numbers are constructed from public breach data, litigation records, and industry analyst reports. The goal is not to scare you out of using AI coding tools. The goal is to give you the data to make a risk-adjusted decision.

What IP Exposure Actually Means

When proprietary code identifiers reach an LLM provider's infrastructure, several things can happen:

**Training data inclusion**: If the session is used for model training (the default for consumer products, opt-out for most enterprise tiers), your identifier names and code patterns become part of the model's training corpus. This is recoverable only if the provider purges the training data, which requires legal action and is rarely successful.

**Breach of LLM provider infrastructure**: AI providers are high-value targets. A breach of Anthropic or OpenAI's infrastructure exposes the last 30 days of retained prompts. If your prompts contain proprietary algorithm implementations, an attacker who acquires that data has acquired your IP.

**Insider threat at provider**: LLM providers have contractual provisions allowing employee access for safety review. Insider threats at technology companies occur at a measurable rate. Proprietary code in prompts is accessible to those employees.

**Contractual obligation breach**: If your organization has client contracts that prohibit transmitting client system details to third parties, sending code that includes client-specific identifiers through an AI tool may be a breach of those contracts, independent of whether any exfiltration occurs.

The Cost Model

The expected cost of an IP exposure incident has four components: direct breach remediation, legal costs, customer impact, and reputational damage.

Direct Breach Remediation

The IBM Cost of a Data Breach Report (2025 edition) puts average breach remediation at $4.45 million for enterprise incidents. For IP-specific incidents, the relevant subset is trade secret exposure.

Trade secret litigation costs: The median cost to defend a trade secret misappropriation lawsuit in the US is $2.5 million through discovery, according to the American Intellectual Property Law Association's economic survey. Plaintiff-side litigation costs are similar.

Technical remediation: When proprietary identifiers are exposed, the response includes: rotating all affected API keys and credentials (1 to 2 weeks of engineering time), refactoring affected systems to change identifier names (4 to 8 weeks for a medium-sized codebase), auditing all AI tool usage history to understand scope, and notifying affected parties if client data is involved.

At fully-loaded engineering costs of $200K to $250K per engineer-year, 8 weeks of remediation for a 5-engineer team costs $200K in engineering time alone.

Legal and Regulatory Costs

If the exposure involves client-specific data or configurations, the legal costs extend beyond internal remediation to client notification, contract renegotiation, and potential litigation. For regulated industries (financial services, healthcare, defense), regulatory reporting obligations add compliance counsel fees typically ranging from $50K to $200K.

Outside counsel for trade secret matters bills at $500 to $900 per hour. A contested case through summary judgment is 500 to 2,000 billable hours, or $250K to $1.8 million in legal fees.

Customer Impact

For B2B software companies, a disclosed IP exposure incident affects renewal rates and new logo acquisition. The magnitude depends on how the incident is disclosed and whether any customer data was involved.

A conservative estimate for a mid-market SaaS company: 5 to 10 percent of ARR at risk on renewal, plus a 3 to 6 month pipeline slowdown while prospects assess risk. For a company with $10M ARR, that is $500K to $1M in at-risk revenue.

Reputational Damage

Security incidents affect recruiting, partner relationships, and investor confidence. These costs are real but difficult to quantify precisely. Industry research on the long-term revenue impact of disclosed security incidents suggests a 1 to 3 year period of elevated churn and reduced acquisition efficiency.

The Expected Value Calculation

Expected cost = Probability of incident x Cost per incident.

The probability of an IP exposure incident is not the probability of a catastrophic breach. It is the probability of any incident that requires remediation: a prompt containing proprietary code ending up in a place it should not be, a developer discovering that a personal Copilot account was active during work sessions, a client noticing their system details appear in a competitor's product.

At an industry level, the reported rate of material AI-related data incidents among organizations with AI tool usage is approximately 8 to 12 percent over a two-year period (Source: Gartner AI Security Survey, 2025). This is for reported incidents. The actual rate of exposures that never surface as incidents is estimated at 3 to 5x higher.

Using conservative numbers:

- Probability of a material incident over 3 years with unprotected AI tool usage: 15 percent
- Cost per incident (all-in, conservative case): $250K
- Expected cost over 3 years: $37,500

Using realistic numbers for a mid-market software company:

- Probability of a material incident over 3 years: 25 percent
- Cost per incident (legal, remediation, customer impact): $750K
- Expected cost over 3 years: $187,500

The Cost of Protection

Pretense pricing for a 10-person engineering team:

- Pro plan: $29 per seat per month x 10 seats = $290 per month
- Annual: $3,480 per year
- 3-year cost: $10,440

Enterprise plan (100 seats): $99 per seat per month = $9,900 per month, or $118,800 per year. The enterprise plan includes SSO, on-premise deployment, custom mutation rules, and dedicated support.

The ROI Calculation

For a 10-person team, conservative scenario:

- Expected cost of unprotected incident: $37,500
- Cost of Pretense over 3 years: $10,440
- Net risk reduction value: $27,060
- ROI: 259 percent

For a 100-person team, realistic scenario:

- Expected cost of unprotected incident: $187,500
- Cost of Pretense over 3 years: $356,400
- In this scenario, the protection cost exceeds the expected cost of a single incident

The ROI model changes significantly when you factor in the audit trail value: for organizations undergoing SOC2 Type II, the Pretense audit log is a required artifact that replaces manual evidence collection that would otherwise cost 40 to 80 hours of security engineer time per audit cycle. At $150 per hour, that is $6,000 to $12,000 per audit cycle, which most organizations run twice per year.

Audit value per year: $12,000 to $24,000. Pretense cost for a 10-person team per year: $3,480. The audit time savings alone justify the cost before counting any incident prevention.

What Pretense Changes in the Expected Value Model

Pretense does not eliminate all IP exposure risk. It eliminates the risk from the specific vector it addresses: proprietary identifier transmission through AI API calls.

Post-Pretense, the probability of an incident from AI API exfiltration approaches zero. The residual risks are:

- Developers using web-based AI tools (Claude.ai, ChatGPT.com) outside the proxy
- Copilot completions in IDEs that are not routed through the proxy
- Intentional data theft by insiders

Pretense addresses the first two with CI/CD gates that verify proxy routing and team-wide proxy enforcement. The third requires separate insider threat controls.

A realistic post-Pretense incident probability from AI tool usage: 2 to 3 percent. Expected cost over 3 years: $15,000 to $22,500. Risk reduction from Pretense: $15,000 to $165,000 depending on scenario.

The Argument for Acting Now

Incident costs grow with company size and customer contract complexity. The cost of deploying Pretense today for a 5-person startup is $1,740 per year. The cost of deploying it after a disclosed incident is $1,740 per year plus the remediation costs already incurred.

The calculation does not improve by waiting.

[Start your free trial](/trial) or [review enterprise pricing](/pricing).
