Announcing Our Series A | $32M at a $300M Valuation
INDEX
Example
Example
SHARE THIS ARTICLE
Copy link
Post on LinkedIn
Post on X
Ready to get compliant?
Whether you're getting compliant for the first time or want to make your next audit less painful, Delve gets you across the finish line faster.
SOC 2 progress bar showing 96% completed with steps labeled Tools, Evidence, Policies, Pass audit, and Ship faster.
Book a Demo
Book a Demo
Abstract gradient background blending teal, black, and orange hues.
All articles
No items found.

GitHub Configuration Checklist for SOC 2 Compliance

Posted:
Jul 21, 2025
|
Last updated:
Jan 6, 2026
Arda Akman
Founding Engineer, Delve
10
min read
No items found.

Key Takeaways

  • GitHub SOC 2 compliance requires six configurations: branch protection with PR approvals, organization-wide MFA, CODEOWNERS for sensitive paths, Dependabot vulnerability scanning, secret scanning with push protection, and audit log streaming to external storage for one-year retention.
  • These settings map directly to AICPA Trust Services Criteria: CC6.1 for access controls, CC8.1 for change management, CC3.2 for risk assessment and CC 7.1 for SIEM events.
  • GitHub detected 39 million leaked secrets in 2024, underscoring the need for push protection to block credentials before they reach your repository.
  • Audit logs must be streamed externally because GitHub retains them for only 90 days, and auditors require a full year of evidence.
  • Team-based permissions with quarterly reviews replace individual access grants and simplify offboarding when employees leave.
  • Third-party OAuth apps and GitHub Apps are supply chain risks that auditors increasingly ask about during reviews.
  • What works for a 10-person startup breaks at 50 and again at 200, so integrate GitHub with your identity provider via SAML SSO to keep access in sync with HR

Your GitHub configuration is either helping or hindering your SOC 2 audit. There is no in-between. The difference comes down to six settings that take an afternoon to configure but save weeks of scrambling later.

Auditors focus on two things when reviewing your repositories: who can access your code and how changes are approved. Under the AICPA Trust Services Criteria, these fall under access controls (CC6) and change management (CC8). Get these right, and your GitHub becomes automated evidence instead of a compliance headache.

Table: SOC 2 Control Mapping against GitHub features

GitHub Feature SOC 2 Control Evidence Gathered
Branch Protection CC8.1 PR approval history, merge logs
MFA Enforcement CC6.1 Authentication logs, member status
CODEOWNERS CC8.1 Review assignments, approval records
Dependabot CC3.2 Vulnerability alerts, remediation PRs
Secret Scanning CC6.1 Detection logs, push blocks
Audit Log Streaming CC7.2 SIEM events, activity history

GitHub Configuration Requirements for SOC 2

These settings show up in every SOC 2 audit. Each one maps to a specific control in the AICPA framework. Configure them once, and your repository compliance is largely handled.

1. Branch Protection on Main

No direct pushes to production. Every change is submitted as a pull request with at least one approval.

Settings > Branches > Add branch protection rule:

  • Require pull request reviews before merging
  • Dismiss stale approvals when new commits are pushed
  • Require status checks to pass before merging
  • Restrict force pushes

One person writes code, another approves it. This separation of duties is exactly what NIST access control guidelines recommend. Find full setup in GitHub's branch protection docs.

2. Organization-Wide MFA

Everyone with code access requires two-factor authentication. No exceptions. Contractors and temporary contributors included.

Organization Settings > Authentication security > Require two-factor authentication.

GitHub removes anyone without MFA when you enable this. Check your member list first. This satisfies NIST authentication requirements that auditors reference.

3. CODEOWNERS File

CODEOWNERS defines who must approve changes to sensitive paths. Authentication code, infrastructure configs, CI/CD workflows.

Create .github/CODEOWNERS:

/src/auth/          @security-team
/terraform/         @platform-team
/.github/workflows/ @platform-team

Enable Require review from Code Owners in branch protection. Changes to critical paths now require the right approvals.

4. Dependabot Alerts

Your dependencies have vulnerabilities. Dependabot finds them and can auto-generate fix PRs.

Go to:
Organization Settings > Code security and analysis > Enable Dependabot alerts.

Also enable Dependabot security updates. The GitHub Advisory Database covers over 20,000 reviewed vulnerabilities. Set response SLAs: critical within 24 hours, high within a week.

5. Secret Scanning with Push Protection

GitHub detected 39 million leaked secrets in 2024. API keys, passwords, and tokens accidentally committed to repositories. To avoid getting your secrets leaked, go to:

Organization Settings > Code security and analysis > Enable secret scanning.

Also enable Push protection. This blocks secrets before they ever reach your repository. According to GitHub's docs, it catches credentials during the push and stops them immediately. Better than explaining to auditors why AWS keys are in your commit history.

6. Audit Log Streaming

GitHub retains audit logs for 90 days. SOC 2 auditors want a full year. Audit log streaming sends logs to external storage, where you control retention.

Enterprise Settings > Audit log > Log streaming.

GitHub streams natively to Splunk, Datadog, Azure Event Hubs, and AWS S3. This provides the evidence auditors need and lets you detect suspicious activity.

Repository Security Basics

Branch Protection Configuration

Branch protection rules enforce your workflow at the repository level. These four settings matter most.

  1. Require pull request reviews. Every change needs at least one other person to review it before merging. For sensitive paths, configure this to require reviews from designated CODEOWNERS.
  2. Dismiss stale reviews. When a developer pushes new commits after getting approval, they need fresh reviews. This prevents anyone from sneaking in unreviewed changes after the green light.
  3. Require status checks. Your CI/CD tests must pass before code can merge. This creates a quality gate that keeps broken or vulnerable code out of protected branches.
  4. Restrict force pushes. Force pushes can rewrite commit history and potentially hide unauthorized changes. Blocking them keeps your audit trail intact.

Access Control

  1. Use team-based permissions. Create teams aligned with your org structure. Assign permissions to teams, not individuals. When someone leaves, remove them from the team. Access disappears automatically.
  2. Run quarterly reviews. Every three months, audit who has access to what. Remove what is no longer needed. Document it. This follows NIST SP 800-53 account management guidelines. The IBM Cost of a Data Breach Report found breaches cost $4.88 million on average in 2024.
  3. Default to least privilege. Start with read-only. Escalate only when necessary. Limit admin access to two or three people. Per GitHub's docs, organization owners should be essential personnel only.

Code Security

  1. Enable secret scanning. Enable secret scanning organization-wide and establish a clear response process for alerts. 
  2. Turn on push protection. This blocks secrets before they ever reach your repository. According to GitHub's docs, it catches credentials during the push and stops them immediately.
  3. Keep no secrets in code. Use GitHub Secrets or an external secret manager like Vault. Add pre-commit hooks to catch errors before they reach your repository.

Development Workflow Compliance

Pull Request Requirements

  1. Document your review standards. Write down what reviewers should check for, how quickly they should respond, and how to handle disagreements. Put it in a doc and link it in your README. Auditors want to see a documented process, not a perfect one.
  2. Make CI/CD checks required. Every pull request should run your test suite before it can be merged. Set this up in your branch protection rules so failed tests block the merge automatically.
  3. Plan for emergencies. Sometimes production is on fire, and you need to move fast. Document your emergency fix process ahead of time, and make sure you review any exceptions after the fact. Auditors accept this as long as it is documented.

Secrets Management

  1. Use external secret managers for production. AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault all work. The rule is simple: never store credentials in code or config files.
  2. Use GitHub Secrets for CI/CD. Encrypted secrets work well for deployment keys and test credentials. Limit who can access them using environment protection rules.
  3. Set a 24-hour response SLA. When secret scanning alerts fire, rotate the exposed credentials immediately. Then, audit where they might have been used and determine how they were exposed in the first place.

Monitoring and Audit Logging

Audit Requirements

  1. Export logs to an external system. Configure audit log streaming so your logs are preserved even if someone compromises your GitHub access. Use webhooks or the API to send events to your SIEM or log storage.
  2. Monitor admin actions closely. Permission changes, repo deletions, and security setting modifications are high-risk events. Set up alerts for these in your monitoring system so you catch problems early.
  3. Track every access change. Every permission grant or revocation should be logged and reviewed as part of your quarterly access certification. Keep these logs for at least one year.

Security Monitoring

  1. Route Dependabot alerts to someone who acts on them. GitHub published over 2,000 CVE records in 2024, so vulnerability alerts will come. Define response SLAs so they do not pile up.
  2. Subscribe to security advisories. GitHub's security advisories give you early warning about vulnerabilities in GitHub itself or commonly used Actions.
  3. Audit third-party app access regularly. Check what OAuth apps and GitHub Apps have access to your org. Remove anything you are not actively using. These are supply chain risks that auditors increasingly ask about.
  4. Watch for failed authentication patterns. Monitor your audit logs for repeated failures or unusual access attempts. Route anything suspicious to your security team.

Scaling GitHub Compliance As Team Grows

What works for a 10-person startup breaks at 50. What works at 50 breaks at 200. Your GitHub structure needs to evolve with your team.

  1. Consider separate organizations for different environments. Splitting production and development into separate GitHub organizations creates clear security boundaries and simplifies your compliance scope. Auditors appreciate the clarity.
  2. Centralize your security policies. Use GitHub Enterprise security policies or automation to enforce consistent settings across all your organizations. Nobody should be able to create a repo without branch protection.
  3. Automate user provisioning. Integrate GitHub with your identity provider using SAML SSO so access mirrors your HR systems automatically. When someone leaves the company, their GitHub access should be removed the same day.
  4. Design team structures that scale. Map your GitHub teams to your org chart and use nested teams for inheritance. This makes quarterly access reviews much easier because you can validate team membership directly against HR records.

Why Manual GitHub Compliance Breaks

The initial GitHub setup is the easy part. The challenge comes later, when settings quietly drift, new repositories go live without branch protections, scheduled reviews get deprioritized, and someone connects an OAuth app that shouldn't have access.

Platforms like Delve connect to GitHub and run daily compliance checks. When something drifts, you find out immediately instead of during audit prep. AI-powered guidance tells your team how to fix issues without becoming compliance experts.

The goal: security that runs in the background while you build. GitHub compliance should not require a dedicated person. It should just work.

Want to automate GitHub compliance? Talk to our team to see how Delve handles SOC 2 preparation, including automated monitoring and evidence collection.

Talk yo our team
Talk yo our team

About the authors

No items found.

Key Takeaways

  • GitHub SOC 2 compliance requires six configurations: branch protection with PR approvals, organization-wide MFA, CODEOWNERS for sensitive paths, Dependabot vulnerability scanning, secret scanning with push protection, and audit log streaming to external storage for one-year retention.
  • These settings map directly to AICPA Trust Services Criteria: CC6.1 for access controls, CC8.1 for change management, CC3.2 for risk assessment and CC 7.1 for SIEM events.
  • GitHub detected 39 million leaked secrets in 2024, underscoring the need for push protection to block credentials before they reach your repository.
  • Audit logs must be streamed externally because GitHub retains them for only 90 days, and auditors require a full year of evidence.
  • Team-based permissions with quarterly reviews replace individual access grants and simplify offboarding when employees leave.
  • Third-party OAuth apps and GitHub Apps are supply chain risks that auditors increasingly ask about during reviews.
  • What works for a 10-person startup breaks at 50 and again at 200, so integrate GitHub with your identity provider via SAML SSO to keep access in sync with HR

Your GitHub configuration is either helping or hindering your SOC 2 audit. There is no in-between. The difference comes down to six settings that take an afternoon to configure but save weeks of scrambling later.

Auditors focus on two things when reviewing your repositories: who can access your code and how changes are approved. Under the AICPA Trust Services Criteria, these fall under access controls (CC6) and change management (CC8). Get these right, and your GitHub becomes automated evidence instead of a compliance headache.

Table: SOC 2 Control Mapping against GitHub features

GitHub Feature SOC 2 Control Evidence Gathered
Branch Protection CC8.1 PR approval history, merge logs
MFA Enforcement CC6.1 Authentication logs, member status
CODEOWNERS CC8.1 Review assignments, approval records
Dependabot CC3.2 Vulnerability alerts, remediation PRs
Secret Scanning CC6.1 Detection logs, push blocks
Audit Log Streaming CC7.2 SIEM events, activity history

GitHub Configuration Requirements for SOC 2

These settings show up in every SOC 2 audit. Each one maps to a specific control in the AICPA framework. Configure them once, and your repository compliance is largely handled.

1. Branch Protection on Main

No direct pushes to production. Every change is submitted as a pull request with at least one approval.

Settings > Branches > Add branch protection rule:

  • Require pull request reviews before merging
  • Dismiss stale approvals when new commits are pushed
  • Require status checks to pass before merging
  • Restrict force pushes

One person writes code, another approves it. This separation of duties is exactly what NIST access control guidelines recommend. Find full setup in GitHub's branch protection docs.

2. Organization-Wide MFA

Everyone with code access requires two-factor authentication. No exceptions. Contractors and temporary contributors included.

Organization Settings > Authentication security > Require two-factor authentication.

GitHub removes anyone without MFA when you enable this. Check your member list first. This satisfies NIST authentication requirements that auditors reference.

3. CODEOWNERS File

CODEOWNERS defines who must approve changes to sensitive paths. Authentication code, infrastructure configs, CI/CD workflows.

Create .github/CODEOWNERS:

/src/auth/          @security-team
/terraform/         @platform-team
/.github/workflows/ @platform-team

Enable Require review from Code Owners in branch protection. Changes to critical paths now require the right approvals.

4. Dependabot Alerts

Your dependencies have vulnerabilities. Dependabot finds them and can auto-generate fix PRs.

Go to:
Organization Settings > Code security and analysis > Enable Dependabot alerts.

Also enable Dependabot security updates. The GitHub Advisory Database covers over 20,000 reviewed vulnerabilities. Set response SLAs: critical within 24 hours, high within a week.

5. Secret Scanning with Push Protection

GitHub detected 39 million leaked secrets in 2024. API keys, passwords, and tokens accidentally committed to repositories. To avoid getting your secrets leaked, go to:

Organization Settings > Code security and analysis > Enable secret scanning.

Also enable Push protection. This blocks secrets before they ever reach your repository. According to GitHub's docs, it catches credentials during the push and stops them immediately. Better than explaining to auditors why AWS keys are in your commit history.

6. Audit Log Streaming

GitHub retains audit logs for 90 days. SOC 2 auditors want a full year. Audit log streaming sends logs to external storage, where you control retention.

Enterprise Settings > Audit log > Log streaming.

GitHub streams natively to Splunk, Datadog, Azure Event Hubs, and AWS S3. This provides the evidence auditors need and lets you detect suspicious activity.

Repository Security Basics

Branch Protection Configuration

Branch protection rules enforce your workflow at the repository level. These four settings matter most.

  1. Require pull request reviews. Every change needs at least one other person to review it before merging. For sensitive paths, configure this to require reviews from designated CODEOWNERS.
  2. Dismiss stale reviews. When a developer pushes new commits after getting approval, they need fresh reviews. This prevents anyone from sneaking in unreviewed changes after the green light.
  3. Require status checks. Your CI/CD tests must pass before code can merge. This creates a quality gate that keeps broken or vulnerable code out of protected branches.
  4. Restrict force pushes. Force pushes can rewrite commit history and potentially hide unauthorized changes. Blocking them keeps your audit trail intact.

Access Control

  1. Use team-based permissions. Create teams aligned with your org structure. Assign permissions to teams, not individuals. When someone leaves, remove them from the team. Access disappears automatically.
  2. Run quarterly reviews. Every three months, audit who has access to what. Remove what is no longer needed. Document it. This follows NIST SP 800-53 account management guidelines. The IBM Cost of a Data Breach Report found breaches cost $4.88 million on average in 2024.
  3. Default to least privilege. Start with read-only. Escalate only when necessary. Limit admin access to two or three people. Per GitHub's docs, organization owners should be essential personnel only.

Code Security

  1. Enable secret scanning. Enable secret scanning organization-wide and establish a clear response process for alerts. 
  2. Turn on push protection. This blocks secrets before they ever reach your repository. According to GitHub's docs, it catches credentials during the push and stops them immediately.
  3. Keep no secrets in code. Use GitHub Secrets or an external secret manager like Vault. Add pre-commit hooks to catch errors before they reach your repository.

Development Workflow Compliance

Pull Request Requirements

  1. Document your review standards. Write down what reviewers should check for, how quickly they should respond, and how to handle disagreements. Put it in a doc and link it in your README. Auditors want to see a documented process, not a perfect one.
  2. Make CI/CD checks required. Every pull request should run your test suite before it can be merged. Set this up in your branch protection rules so failed tests block the merge automatically.
  3. Plan for emergencies. Sometimes production is on fire, and you need to move fast. Document your emergency fix process ahead of time, and make sure you review any exceptions after the fact. Auditors accept this as long as it is documented.

Secrets Management

  1. Use external secret managers for production. AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault all work. The rule is simple: never store credentials in code or config files.
  2. Use GitHub Secrets for CI/CD. Encrypted secrets work well for deployment keys and test credentials. Limit who can access them using environment protection rules.
  3. Set a 24-hour response SLA. When secret scanning alerts fire, rotate the exposed credentials immediately. Then, audit where they might have been used and determine how they were exposed in the first place.

Monitoring and Audit Logging

Audit Requirements

  1. Export logs to an external system. Configure audit log streaming so your logs are preserved even if someone compromises your GitHub access. Use webhooks or the API to send events to your SIEM or log storage.
  2. Monitor admin actions closely. Permission changes, repo deletions, and security setting modifications are high-risk events. Set up alerts for these in your monitoring system so you catch problems early.
  3. Track every access change. Every permission grant or revocation should be logged and reviewed as part of your quarterly access certification. Keep these logs for at least one year.

Security Monitoring

  1. Route Dependabot alerts to someone who acts on them. GitHub published over 2,000 CVE records in 2024, so vulnerability alerts will come. Define response SLAs so they do not pile up.
  2. Subscribe to security advisories. GitHub's security advisories give you early warning about vulnerabilities in GitHub itself or commonly used Actions.
  3. Audit third-party app access regularly. Check what OAuth apps and GitHub Apps have access to your org. Remove anything you are not actively using. These are supply chain risks that auditors increasingly ask about.
  4. Watch for failed authentication patterns. Monitor your audit logs for repeated failures or unusual access attempts. Route anything suspicious to your security team.

Scaling GitHub Compliance As Team Grows

What works for a 10-person startup breaks at 50. What works at 50 breaks at 200. Your GitHub structure needs to evolve with your team.

  1. Consider separate organizations for different environments. Splitting production and development into separate GitHub organizations creates clear security boundaries and simplifies your compliance scope. Auditors appreciate the clarity.
  2. Centralize your security policies. Use GitHub Enterprise security policies or automation to enforce consistent settings across all your organizations. Nobody should be able to create a repo without branch protection.
  3. Automate user provisioning. Integrate GitHub with your identity provider using SAML SSO so access mirrors your HR systems automatically. When someone leaves the company, their GitHub access should be removed the same day.
  4. Design team structures that scale. Map your GitHub teams to your org chart and use nested teams for inheritance. This makes quarterly access reviews much easier because you can validate team membership directly against HR records.

Why Manual GitHub Compliance Breaks

The initial GitHub setup is the easy part. The challenge comes later, when settings quietly drift, new repositories go live without branch protections, scheduled reviews get deprioritized, and someone connects an OAuth app that shouldn't have access.

Platforms like Delve connect to GitHub and run daily compliance checks. When something drifts, you find out immediately instead of during audit prep. AI-powered guidance tells your team how to fix issues without becoming compliance experts.

The goal: security that runs in the background while you build. GitHub compliance should not require a dedicated person. It should just work.

TechCrunch

21-year-old MIT dropouts raise $32M at $300M valuation led by Insight

Delve gets $32 million from Insight Partners to scale its platform that automates regulatory compliance with AI agents.
Read More
Read More
Jan 9, 2026

Inside Delve's Trusted Compliance Process

Delve's trusted compliance process combines AI evidence validation, dedicated human review, and vetted firms to deliver compliance reports that have closed the majority of the F500.
Charles Nwatu
Head of Security and Compliance, Delve
Jan 6, 2026

Why MCP is the Future of AI Data Strategy

MCP is the future of AI data strategy, but only with the right governance. Discover the sandbox model, invisible compliance, and 7-step implementation framework.
Charles Nwatu
Head of Security and Compliance, Delve
Dec 17, 2025

Get HITRUST-Ready with Delve

Learn the 8-phase process to get HITRUST-ready with Delve's AI-native platform and Com-Sec's vCISO leadership. Timelines, controls, and evidence explained.
Farbod Fakhrai
Founder, Com-Sec

Don't let manual compliance slow you down.

With Delve, companies prove compliance faster, close deals quicker, and stay compliant as they scale.
Book a Demo
Book a Demo
Abstract gradient background with vertical rectangular segments blending from teal on the left to dark, then orange on the right.

How to build and run a billboard campaign

Dark gradient background transitioning from warm brown tones on the left to cooler blue tones on the right.

In fall of 2025 for a period of three months, Delve ran one of the largest out-of-home campaigns of all time to make a splash for our brand and make sure everybody in the city of San Francisco, New York City, and Austin knows who we are. We learned a ton throughout the process, and we want to share every mistake, every learning, and every success to demystify the out-of-home channel.

Billboard advertising, or as it's called in the industry, out-of-home advertising, is any advertising that somebody has to go outside of their home to see (in contrast to other formats of paid media like newsletters, ads, TV, or radio). Here is our comprehensive guide on how to plan for an out-of-home campaign, execute on it, and analyze how much of an impact it had.

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.

Planning

This is some text inside of a div block.
Date
1
min read

When is the right time for OOH?

Out-of-home is how you make a brand splash. It's a we’ve-arrived statement. The only right time to do that is when you have achieved a moderate degree of PMF, you have steady lead flow, a strong pre-existing pipeline that is heavily driven by word-of-mouth, and stable processes. When you’re ready to punch past a certain number of leads, revenue, or make a massive announcement, that’s the time to go out of home.

Those hallmarks usually are seen after the Series A (or whatever the current fundraising environment is in SF :) or a company-changing product release that you’re ready to bet it all on.

Keep in mind that OOH is an expensive and top-of-funnel strategy, so your average annual contract size should be able to support the cost of putting this on. If we think about attribution purely in the sense of pipeline and closed won:

OOH Campaign ACV Contracts Closed (Attr. OOH)
$500,000 $5,000 100
$1,000,000 $5,000 200
$1,500,000 $5,000 300
$2,000,000 $5,000 400

This is a crude analysis, but you get the idea. Make sure you can sell enough (even on a multi-touch attribution model) to justify the spend.

How much should I budget?

The cardinal saying is “Go big or don’t go out of home.” Out-of-home is not a channel to try a small spend of $50k and see how it goes. Out-of-home only succeeds when you create a sense of omnipresence, a moment where you take over and everywhere prospects go, all they see is you.

Text saying 'Go big or don’t go out of home' over a gradient background blending dark blue, orange, and light beige colors.

Kasper Koczab, the Head of OOH Media at Brex puts it like this:

I often talk to founders who want to “test” OOH by booking a single billboard and seeing how it performs. That’s not how this medium works.

If you’re confident in your product and you know where your prospects live, work, and play, the most effective strategy is to create a sense of omnipresence. It’s not enough to reach your ICP on their commute — your message should be there when she’s walking her dog or taking her kids to soccer practice, too. Frequency matters.

In a first-time out-of-home campaign, it’s all about frequency. You need to be everywhere, all the time, so they can’t escape you. Managers who want to champion your product will feel more confident when they know their VP has seen your bus ad. Top-tier recruits will feel much more excited knowing that the company offering them has their name plastered all over the city. There’s a part of the human psyche that thinks “if this startup can afford this and pull it off, they must be legit.”

Once you define exactly what your goals are, how big of a reach you want, and who you’re trying to sell to, you’ll be able to compare your goals to the cost of media. Towards the back-end of 2025, media prices are at an all-time high with a frothy AI marketplace and well-funded startups taking over almost every available media. In a congested space, you’ll need even more dollars to stand out.

A good framework is:

  1. Why do we want to do this?
    1. We want to do a massive splash and announce our product, recruiting, etc.
  2. How long will it take to accomplish that goal?
    1. We estimate 2-3 mo of omnipresence will help us accomplish that
  3. If we had to pick one city where our prospects are mostly concentrated, where would it be?
    1. San Francisco, New York, Los Angeles, etc.

Great! Now we know we want to do a 2-3 month campaign in SF. To pull that off, we’d likely need a set of 40-50 panels, an anchor placement on a major highway, and a set of bus wraps. Total spend = $750,000.

Man with a beard and traditional cap drawing a flowchart on a transparent board with two blurred people watching.
Four men standing around a table with printed materials and a laptop in a modern office with large windows.

How Far in Advance Should You Plan and Book OOH?

Start planning early. Ideally, begin the process a few months in advance of when you want your ads to go live. Popular billboard locations and transit media can book up quickly, so you need lead time to secure the spots you want.

A good rule is to book 3-6 months ahead for high-demand markets or premium locations. For example, Times Square billboards in NYC might even require 6+ months lead time, and Los Angeles’ Sunset Strip or SF’s 101 freeway boards can be reserved several months out (especially around major events). In Austin, if you want coverage during SXSW, you’d better be talking to vendors at least 3+ months before the festival.

Besides reserving the inventory, you also need time for creative production. Designing the ads, iterating on copy, getting approvals, and then printing physical posters or vinyl (if not digital) all add time. If you’re starting from scratch, imagine that before that you’ll also go through brand-building sessions with your team, creatives design, multiple (up to 20!) rounds of feedback, and then finally arrive on something the team is aligned with.

If you’re on a tighter timeline, you may still find last-minute opportunities (sometimes unsold digital billboard slots can be nabbed weeks or even days before, at a discount). But generally, to get the locations and dates you want, earlier is better.

For example, say you’re targeting a product launch in September. You’d want to begin planning by early summer, confirm your media buys by mid-summer, and have creative finalized and in production by August so the ads can be installed on time. Some smaller formats like bus shelters might have shorter lead times than giant billboards, but just play it safe.

We started the process in April for an August 11th deployment, about 4 months out. This still made things incredibly tight.

Back into it like so:

Flight Date (Launch) → When your campaign goes live.

4 weeks before → Final creatives are due.

8 weeks before creatives are due → Creative design and production begin.

8 weeks before creative prep → Media planning and vendor selection start.

That puts you square at 5 months.

We’ve put together some great tracking spreadsheet templates to show you how to Gantt this all out. Download our guidebook at right to get access.

Execution

This is some text inside of a div block.
Date
1
min read

What is a good time of year to do this?

This is highly industry-dependent. If we look at the year:

Q1: Reset and Re-Acceleration

Teams return from holidays energized, focused on executing annual plans and budgets. It’s prime time for B2B: decision-makers are back, budgets are open, and industry kickoffs like CES drive high audience concentration. Finance and accounting tools benefit from tax season, while consumer brands face the post-holiday “slump” except in fitness and self-improvement. Cold, wet weather means more drive-time and delivery ad exposure, less walking traffic.

Q2: Spring Surge

Conference season peaks (RSA, SaaStr, Collision), boosting opportunities for geo-targeted OOH near airports and venues. Warmer weather brings foot traffic back and hybrid work stabilizes. As teams race to close H1 targets, quick-win B2B products perform well. College graduations fuel hiring and employer-brand campaigns.

Q3: Summer Slowdown → Autumn Gold

Mid-summer is quiet: decision-makers and investors vacation, buying stalls, and morale-driven campaigns see lower engagement. Exceptions: travel, beverage, and leisure brands. We chose early September through early November as the strongest OOH window of the year where B2B spending restarts, the weather’s ideal, and major conferences (Dreamforce, Inbound, Disrupt, etc.) cluster. It’s the moment to drive pipeline and capture leftover budgets before holiday freezes.

Q4: Holiday Wind-Down

After mid-November, corporate attention shifts to holidays and fiscal wrap-ups; B2B conversions dip. Consumer and retail campaigns thrive between Black Friday and Christmas, while enterprise deals largely pause until January.

Who are the major operators of OOH media?

Diagram showing Clear Channel Outdoor (CCO) in the center connected to four smaller circles labeled Lamar, JC Decaux, Intersection, and Outfront.

Across the United States, there’s about a set of major operators that run all of OOH media. The 3 most important are:

  1. Clear Channel Outdoor (CCO)
    1. Across the US, CCO owns about 40,000 billboards. In San Francisco, Clear Channel owns the transit shelters, a lot of very high quality premiere panels/billboards in the city and along the Skyway/US 101, and Muni platforms.
  2. Outfront
    1. Outfront similarly owns about 40,000 billboard across the US. In San Francisco, Outfront owns the BART, CalTrain, and MUNI stations (Embarcadero, Montgomery, Powell, etc.) as well as many excellent billboards on the highways and in the cities. They also own the NYC city subway cars, the stations, and many incredible placements all over the New York.
  3. Lamar
    1. Lamar is by far the largest operator, owning over 116,000 billboard faces all over the US. They have a good selection across many metros, but we did not contract with Lamar as most of their high-profile units were taken.

Collectively, these three own about ~250,000 of the estimated 400,000 billboard faces in the US, or about 62%.

Additional notable vendors include:

  1. Intersection
    1. In San Francisco, they own the entire SFMTA - so all types of bus advertising goes through them. Full bus wraps, bus headliners or kongs, or even half-wraps.
  2. JC Decaux
    1. Most of San Francisco’s street furniture is owned by JCD. This includes information kiosks/pillars that create an impact directly on the passerby. Units are usually sold in packages - for example JCD’s Moscone center street furniture package has 10 information kiosks that directly target the Moscone center.

Capital Outdoors, Reagan Outdoors, Silvercast, and a few others make up the rest of the landscape of out-of-home.

What are the different types of media? What should I get?

1. Bulletins/Billboards

These are the classic large-format displays you see along highways, rooftops, or major city arteries.

  • Use for: Big brand moments, awareness plays, or category leadership statements.
  • Strengths: Huge reach, high prestige, long dwell time on highways.
  • Weaknesses: Expensive in Tier 1 cities; limited flexibility once installed.

(Examples: US-101 and I-280 corridors in SF, the Sunset Strip in LA, Times Square in NYC.)

Crown jewel pieces in a campaign - any major bulletin on the way up or down from SFO will generate the highest quality impressions and capture everyone. Anchor pieces like these really tie campaigns together.

Billboard reading 'Today, compliance is done in days, not months. It's done in Delve. Delve.co' against a clear blue sky and urban backdrop.

2. Premiere Panels & Wallscapes

High-impact, high-traffic urban billboards placed at major intersections, bridges, or downtown walls.

  • Use for: Company launches, investor signaling, or head-turning creative campaigns.
  • Strengths: Prime city visibility, often photographed and shared on social media.
  • Weaknesses: Limited inventory; typically booked months in advance.

(Examples: City-32 premiere panel network,SoMa wall murals, NYC SoHo wallscapes.)

Workhorse units. These target your ICP when they are out for dinner, going to watch a game, picking up their kids from school. Pick them carefully.

Two stacked billboards on a building with text about compliance audits and colonoscopy prep, advertising Delve.co.

3. Street Furniture

Includes transit shelters, bus stops, benches, and public kiosks. Managed by JC Decaux, ClearChannel, others.

  • Use for: City-wide brand saturation and repetition.
  • Strengths: High pedestrian frequency, affordable packages, consistent daily visibility.
  • Weaknesses: Smaller format means your creative must be ultra-simple and bold.

(Example: JC Decaux’s Moscone Center package with 10 information kiosks, CCO’s 3rd St Triptychs targeting YC.)

Great for specific targeting of particular accounts or geographies and for creating a consistent sense of your brand on the streets.

Bus stop ad for Delve.co stating compliance is done before your co-founder drops a 'what B2B SaaS taught me' post, with the tagline 'It's done in Delve.'

4. Transit Advertising

Bus wraps, train station takeovers, subway car interiors, and airport displays.

  • Use for: Targeting commuters and travelers, especially in major metros.
  • Strengths: Excellent for frequency and brand recall; high engagement for mobile users.
  • Weaknesses: Creative must adapt to motion and varying environments.

(Examples: Station dominations via Outfront; full-bus wraps via Intersection, bus shelters via CCO.)

This make sense when some set of your ICP commutes in from suburbs or uses the subway regularly - like enterprise middle management. If you’ve coordinated during conferences, you’ll get some additional exposure from public transit enthusiasts.

A public transit bus with advertisements for Delve.co, displaying messages about compliance and clean air vehicles.
View of a train station platform with a white and red train, a person in a yellow safety vest standing at the open door, a man walking on the platform, and large advertisements on the walls featuring compliance-related slogans.

5. Digital OOH (DOOH)

LED or LCD billboards that can rotate creatives dynamically or be updated programmatically.

  • Use for: Time-sensitive campaigns, A/B testing, or creative experimentation.
  • Strengths: Flexible, measurable (via impression tracking), and visually striking.
  • Weaknesses: Limited premium placements; shorter dwell time than static boards.

(Examples: Subway station liveboards via CCO/Outfront that play your ad in a fixed set )

Digital boards are usually cherry-on-top for a larger static campaign and then used in subsequent campaigns when people are mildly aware of your brand and you’re looking for consistent performance. Since your Share of Voice is already >10% in this media, you’re not yielding as much value.

Three vertical digital screens on a wall display a message: 'Today, compliance is done in Delve.' with the Delve.co logo.

Your ideal campaign should bring all these media types together under one package to create the sense of omnipresence in the city.

How should I start putting my campaign together?

When thinking about putting a campaign together, you first want to nail down your goals. Ask yourself these questions in an exercise:

  1. Why exactly are you doing this?
    1. What do you really care about? Are you viewing this as a pure brand play?
  2. Who are you selling to? Who is the exact ICP? Who are the stakeholders?
    1. Don’t try to sell to too many people in one campaign. Be very specific
  3. What are we trying to convey about our brand?
    1. What are we selling? Can we convey it simply and distinctly? Can we avoid becoming beige?

Once you’ve asked yourself these hard questions - and they can change - you’re ready to go to the whiteboard and start figuring out what you want. Research your audience’s physical world habits. Unlike online ads, OOH success depends on placing messages in the real locations your targets frequent. Map out where they live, work, commute, and congregate. If you’re aiming at, say, startup founders in the Bay Area, concentrate on high-density tech corridors (e.g. SOMA, Market Street, Caltrain routes) and highways like the 101 that they drive on. Stych famously did exactly this, plotting out commuting routes and conference venues in SF, then selecting billboard and transit ad locations near those hotspots to maximize impressions among their audience

Delve did something very similar when starting our campaign. We pulled all of our customer addresses from Docusign contracts and plotted them into a map. We also aggregated in data from larger partners to figure out where prospective customers from our Dream 100 (top 100 clients we’d like to sign) are as well. We’d recently run a massive physical marketing campaign, so we had some other address data on hand. We plugged all that into kepler.gl to figure out exactly where we wanted to focus our efforts:

Heatmap of San Francisco showing high-intensity data points concentrated in downtown and eastern neighborhoods.

Who else is involved in an OOH Campaign?

Diagram listing parties involved in an OOH campaign: Media Operators, Media Buying Agency/Broker, Creative Designers/Agency, Marketing/Growth Team (Internal) on an orange gradient background.

Running an OOH campaign is a team effort that involves both external partners and your internal team. Key players include:

  • Media Operators: These are the companies who own the billboards, transit ads, bus benches, etc., such as Lamar, Outfront Media, Clear Channel, and local vendors. They provide the inventory and handle installation. You can work with them directly if you’re experienced, but if it’s your first time - find a broker that can take care of this for you. The operator’s job is to lease you the ad space and ensure your creative goes up on schedule.
  • Media Buying Agency/Broker: As mentioned earlier, a specialized OOH agency or media broker can plan and negotiate the buy on your behalf They interface with all the operators (so you don’t have to individually call Lamar, Outfront, etc.), get quotes, and secure the best locations within your budget. They also handle a lot of logistics. For a first campaign, having an experienced media buyer is a huge help – they know the landscape and can advise on format mix, flight duration, and fair pricing. Their fee or commission is usually baked into the buy (often a percentage), but a good broker often pays for themselves by stretching your dollars further.
    • For our campaign, we worked with Kasper Koczab, Head of OOH Media at Brex. His understanding of OOH all over the country is unmatched and he was able to help us navigate the complexities of media and secure a really solid package.
  • Creative Designers/Agency: You’ll need someone to design the actual ads – the visuals and copy that go on the billboard or poster. This could be your in-house design team if you have one (as many startups do), or an external creative agency or freelancer. Some brands use their general creative agency; others hire specialists who understand OOH design principles.
    • If you’re doing multiple formats (billboards, bus wraps, etc.), designers will need to adapt the creative to various specs and formats
    • Pro tip: There’s so many moving parts to a large campaign, that having an experienced team that knows the ad format, the production specs, and can keep you on top of all the details can make life way easier and potentially save $10,000’s in lost media.
    • We worked with Josh and the team at Division of Labor to put our campaign together. They helped us run through multiple design reviews, settle on our brand and visual identity, and caution us through many potential pitfalls.
  • Marketing/Growth Team (Internal): Within your startup, your marketing and growth team will quarterback the campaign and work with everyone above. Be prepared for some cross-functional input, for instance, leadership might want to review the billboard messaging, or sales might chime in with an opinion. Align stakeholders early so you can move quickly on execution.

How do you think about copy?

All of marketing is about standing out. How can you be really different? Billboards offer you the opportunity to be among the top 1% of companies that make it off the incessantly bombarded screen and get into the real world. Don’t think that gives you the freedom to finally spew product and feature copy all over. Your campaign is won or lost by the words you put on the billboard. Here’s how to approach it:

Be someone. Thousands of companies come out with stock, harmless, slogans cooked up in a boardroom that won’t elicit any response. Larger enterprises care too much about brand integrity to try anything out-of-the-box and already have enough recall. How can you be truly different?

You need out-of-the-box, contextualized ideas that tap into societal and cultural cues. Think about how you can use your brand, your industry keywords to devise copy that makes someone think “Ha! That’s clever.” That’s how you’ll win. It will take time, revision, and work - but it’s the only way to really win.

If your leadership is willing, make your copy or graphics a little controversial. Bland’s “Still hiring humans?” campaign famously generated incredible engagement. Recently, Friend.com took over social media with ads being defaced all over the subway. It’s your prerogative on how far you want to go, but creating an identity is much better than being invisible.

Simplicity is king. The best billboard messages are extremely short, clear, and instantly graspable – think 7 words or fewer as a rule of thumb. Drivers or pedestrians only glance for a few seconds, so you have to communicate one idea fast. This means one simple message or tagline, with text in a huge, high-contrast font so it’s legible from a distance. An industry saying goes “short copy sticks”– and it’s especially true for billboards.

Beyond brevity, out-of-home is all about sparking emotion. If you can elicit a chuckle, an intrigued eyebrow raise, or an “aha” recognition, your ad will be memorable. No one looks at billboards in pursuit of a mathematical challenge. Frankly, they’re pretty annoyed that they're being marketed to all the time. It's your job to make it as funny, as evocative, and as emotion-inducing as possible.

Now, few practical tips and hygiene for copy/design:

  • Contrast and readability: Use large, blocky fonts and strong color contrast (light text on dark background or vice versa). No one should squint to read your ad. Test by printing your design small and see if you can read it from across the room. Product designers often design for small screens, so it’s a conscious adjustment.
  • One theme, one idea, one CTA: Memorable campaigns come together around one unifying theme. You’ll have hundreds of pieces of creative, and you want them all to come together and tell a story, not fight for attention. When someone looks at your media, they should subconsciously feel familiarity with it because it matches the tone and theme. Think about “Just do it” or “Think differently”. Delve’s take on this was “Compliance is done in Delve” - and all the creative came back to this idea.
  • Let visuals help: A striking image or bold and creative graphic breaks up text and makes it fun to look at. Think about motifs and symbols around your brand that you can incorporate. For example, if you’re building something that makes a process faster - create a leaderboard graphic!
  • Test for the “5-second rule”: Imagine a person seeing your ad for 5 seconds or less. Will they get the gist? If not, simplify it. Cut unnecessary words and elements. Many experts literally suggest 7 words, 1 image max for a standard billboard.

In summary: short, bold, and resonant. Your copy should be punchy and easy-to-digest, with a design that grabs attention at a glance. Marry that clarity with a spark, whether humor, emotion, or intrigue that makes people remember it.

Great creative connects on an emotional level, not a rational one. You’re talking to humans — make them laugh, make them excited, make them curious.
Kasper Koczab - Head of OOH Media, Brex

Analysis

This is some text inside of a div block.
Date
1
min read

How Should You Think About Attribution for OOH?

Attribution in OOH is famously fuzzy. Unlike digital ads, you won’t get a precise click-through or conversion rate tied to each billboard, and that’s okay. Physical ads don’t have pixels or UTM tags, so you need to embrace indirect and longer-term metrics. Successful startups view OOH as a brand awareness play that lifts many metrics collectively, rather than a direct response channel.

So how do you gauge if it’s working? There’s 3 main methods we used:

  1. Branded Search Uplift
    1. The industry-standard figure is to anticipate around a 10-20% uplift in branded search.
  2. First-party mentions
    1. In your lead form or in sales calls, track how many times billboards is mentioned as a referral source. We used that to attribute a certain amount of each deal that closed to OOH and built a rough financial model.
  3. CPM
    1. Based on the quoted impressions from your media operators + the social media impressions you generated you can calculate a rough opportunity cost of CPM in this channel vs others. (Not high signal, but good for marketers to have a number.)

Some brands leverage QR codes or short URL’s on transit ads or billboards; just be realistic that not everyone will stop to scan a specific code or URL. It’s much more effective to use that real estate in better ways, when prospects will just type in “[company name]” into Google.

Overall, you’ll have to accept that OOH’s value is largely multi-touch and long-term. It plants seeds in your audience’s mind that may pay off weeks or months later. As one marketing leader said, don’t expect a single “ROAS” number – instead, look for a mix of leading indicators (like branded search uptick, social media buzz, word-of-mouth) and anecdotal evidence that your message is sinking in. If you see those, your OOH is doing its job even if you can’t attribute every dollar of revenue to a specific billboard.

It’s rather important however to look at it from more angles than just pipeline. You’re building brand - and that has value everywhere. You should evaluate:

Graphic showing five labeled layers with connecting lines: Pipeline, Recruitment, Company Morale, Investor Confidence, and Customer Strength.
  1. Pipeline
    1. Ultimately, it’s a business and revenue needs to be generated. More visibility, more credibility, more deals closed.
  2. Recruitment
    1. If pipeline is the gas, recruitment is the driver. The value your talent acquisition team gets from cementing the brand and building credibility with high profile recruits is unmatched. Talk to those teams and see how it’s affecting them!
  3. Company Morale
    1. For your founding team, recent hires, and even the leadership, OOH can feel like a coming-of-age moment for the company. To see your brand amongst Apple, Google, Hubspot and more is a rewarding and uplifting feeling that an expensive offsite can’t match.
  4. Investor Confidence
    1. Investors are some of the biggest fans of OOH campaigns. They love to see their portfolio companies under the spotlight.
  5. Customer Strength
    1. When customers see their startup vendor making it big, it gives them a lot of confidence in your ability to keep winning and solving problems for them. It can help allay churn risk, provide credibility to your internal champions, and help explore more use cases.

Attribution will always be fuzzy in OOH, but if your brand is optimized for this channel, you’ll do well. Don’t sweat it.

With out-of-home advertising, you should make the investment because the logic makes sense. While you should try to get a directional read on OOH impact, you also have to use your best judgment around where your audience is and what message they respond to. Intuition can carry you far in marketing.

- Brandom Camhi, Head of Marketing at Rippling

Sources and Citations

Huge thanks to Reid from Stych for his work on this article that helped us a ton and provided a lot of useful data repurposed in this article. In addition, here were some other helpful articles that we referenced as we put together our billboards campaign and this article:

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.