Dual-use startups: the founder ethics test before you sell to national security
Dual-use startups can serve civilian and security buyers, but vague ethics can ruin the company. Use this founder test before you build or raise.
Refusing to build for national security does not make a founder morally clean.
It may only leave the hardest choices to people with fewer questions, bigger budgets, and no interest in explaining themselves.
TL;DR: Dual-use startups build technology that can serve both civilian and military or security buyers. That can create real markets in drones, cyber, AI, space, energy, sensors, manufacturing, biotech, logistics, and infrastructure protection. It also creates misuse risk, export-control duties, procurement delays, investor pressure, and ethical lines that must be written before the first contract. A dual-use founder should define allowed users, banned use cases, audit trails, human oversight, export rules, and a civilian revenue path before taking defense money.
A product that can serve civilian and security markets needs boundaries, accountability, export-control awareness, and buyer filters early. Avoiding the question does not make the technology neutral.
Founders building drones, cyber tools, AI decision support, satellite data, secure comms, or industrial security products.
Which dual-use markets fit your principles and which uses you will reject.
An ethics table, buyer filter, funding boundary, and copyable ethics file starter.
I am Violetta Bonenkamp, founder of Mean CEO, CADChain, and F/MS Startup Game. CADChain put me close to engineering data, CAD files, IP protection, manufacturing workflows, and the boring security layer nobody claps for until something leaks. That experience changes how I look at dual-use startups.
The product is never only the feature.
The product is also who can use it, who can misuse it, who controls access, who has proof, and who gets harmed if the founder hand-waves the hard part.
That is why dual-use ethics cannot be a slide at the end of the deck.
It has to be part of the product spec.
What Dual-Use Startups Are
Dual-use startups build goods, software, data products, or technical systems that can serve civilian markets and military, security, intelligence, border, emergency, or public-safety markets.
The European Commission’s dual-use export page defines dual-use items as goods, software, and technology that can be used for both civilian and military applications. It also explains that EU controls cover export, transit, brokering, and technical assistance, with rules under Regulation 2021/821.
For founders, dual-use can mean:
- A drone platform for agriculture and border monitoring.
- A satellite tool for climate risk and military awareness.
- A secure communications product for hospitals and soldiers.
- A cyber tool for banks and public agencies.
- A sensor system for factories and military logistics.
- A CAD security tool for manufacturers and defense suppliers.
- A data product for ports, energy grids, and emergency response.
This is why defense tech VC in Europe frames the adjacent buyer decision. Venture capital is moving into the market, but the ethics problem does not disappear because the category got fashionable.
The Founder Lie About Dual-Use
The lazy founder line is: "We are just a platform."
No.
If the product can guide, monitor, identify, automate, secure, target, track, simulate, or restrict access, the founder has responsibility for how the tool is sold.
Dual-use founders often hide behind three excuses:
- "We only sell the tool. The customer decides the use."
- "The civilian market proves we are safe."
- "We will handle the policy later."
That is not a strategy. That is a legal bill warming up.
The founder needs to decide early:
- Who can buy?
- Who cannot buy?
- Which use cases are allowed?
- Which use cases are rejected?
- What data is stored?
- What logs exist?
- What can be audited?
- Which countries are excluded?
- What human review is required?
- What happens when an investor wants faster defense revenue?
If you cannot answer those questions, you are not building a dual-use startup.
You are building ambiguity with a landing page.
Why Europe Is Pushing Dual-Use Technology
Europe is paying more attention to dual-use technology because security, competitiveness, economic security, and sovereignty now sit in the same room.
The EU’s White Paper on R&D with dual-use potential explains the policy gap between civil research and defense R&D, especially around software and technologies that may serve both civil and military purposes.
NATO is moving too. The NATO DIANA accelerator exists to find and accelerate dual-use capacity across the Alliance. It offers selected companies contractual funding, accelerators, test centres, mentors, investors, and routes toward NATO markets.
The founder takeaway is simple:
Dual-use is no longer a strange corner of the market.
It is part of Europe’s security and technology policy.
That means more money, more attention, more rules, and more pressure.
The Dual-Use Ethics Table
Use this before you call the product "dual-use."
Agriculture, inspection, logistics
Border monitoring, reconnaissance, delivery
Ban autonomous lethal use and define human review
Climate risk, insurance, shipping
Awareness, infrastructure monitoring, targeting support
Limit sensitive customers and log data access
Bank defense, hospital security
Public-sector threat response, military networks
Reject offensive misuse and keep audit trails
Operations planning, triage, maintenance
Faster field decisions, sensor overload support
Keep human accountability and explain decisions
Healthcare, legal, journalism, logistics
Military, police, disaster response
Define retention, lawful access, and banned customers
Manufacturing IP protection
Defense supplier file control
Track access, ownership, and supplier permissions
Grid resilience, field power, data centers
Bases, mobile units, emergency response
Avoid unsafe deployment claims and test under stress
The table is not moral decoration.
It is a product requirement list.
If your startup cannot translate ethics into access control, contract terms, logs, pricing, buyer checks, and product limits, the ethics are theatre.
Export Controls Are Not Optional
Dual-use founders in Europe need to understand export controls before selling across borders.
The EU dual-use export rules cover exports, transit, brokering, technical assistance, end-use controls for certain non-listed items, record keeping, and national authority cooperation. The same page notes that member states can add controls on non-listed items for public security or human rights reasons.
This matters for startups because software, source code, technical documentation, models, datasets, support, and remote access can create obligations.
Do not assume export control applies only to hardware in a shipping container.
Your code can be the export.
Your support call can be technical assistance.
Your customer location can change the answer.
The Commission Recommendation on internal compliance programmes for dual-use research says organisations can put internal policies and procedures in place to identify, manage, and reduce export-control risks. That was written for research organisations, but startup founders should steal the operating logic.
You need a lightweight internal compliance programme before the company scales into trouble.
Yes, that phrase sounds boring.
Boring is useful when customs, sanctions, defense buyers, and investors are involved.
The Dual-Use Founder Ethics File
Create a one-page ethics file before your first serious buyer call.
It should answer:
- What the product does.
- What the product must never do.
- Which buyer types are allowed.
- Which buyer types are rejected.
- Which countries are blocked.
- Which use cases need founder approval.
- Which use cases need legal review.
- What logs must exist.
- What data must never be stored.
- What human review is required.
- Which contract clauses are non-negotiable.
- Which investor terms would force the company past its line.
This file should not live in your feelings.
It should live in:
- Sales qualification.
- Product permissions.
- Terms of service.
- Customer contracts.
- Investor updates.
- Support policies.
- Data retention rules.
- Incident response.
If you are building autonomy, AI, drones, or surveillance-adjacent tools, connect this to drone autonomy and the economics of surveillance, logistics, and defense. Autonomy makes every vague line more dangerous because the system can act faster than human review.
The Buyer Filter
Before selling to a defense or security buyer, run this filter.
1. What job are they hiring the product to do? If the answer is vague, do not sell.
2. Who will operate it? The buyer organisation is not enough. Know the operator role.
3. What data enters the system? Classify personal data, location data, sensitive industrial data, and classified or restricted data.
4. What decision does the product affect? Monitoring, triage, logistics, access, surveillance, targeting support, emergency response, or evidence.
5. What happens if the product is wrong? Write the harm scenario in plain language.
6. Who can override it? If no human can override a high-risk action, stop.
7. What proof does the buyer need? Field test, audit trail, reliability, false positives, explainability, legal fit, or operator training.
8. What contract terms protect the line? Allowed use, banned use, data limits, audit rights, termination rights, export-control duties, and change-of-use notice.
This is not bureaucracy.
This is how a founder avoids selling something she later regrets.
Where Female Founders Fit
Female founders are often told to enter "safer" markets.
Cute.
Security markets are already shaping budgets, data rights, AI rules, hardware, compute, procurement, and public trust. Women should be in the room before those systems harden.
F/MS covered Europe’s defense tech startup scene, including dual-use drone work, public funding, and startup tools for founders trying to test serious ideas. F/MS Startup Game also gives first-time founders a practical way to move from idea to first customer without treating a scary market as an excuse to freeze.
The female founder angle is not "women make technology nicer."
No.
The angle is this:
Women should help decide what gets automated, monitored, secured, funded, denied, and sold.
If we are absent from dual-use markets, the products will still be built. They will just be built without our questions.
CADChain And The Unsexy Security Layer
Dual-use founders often chase the dramatic product category: drones, AI, space, cyber, battlefield software.
The unsexy layer matters too.
Engineering files, supplier access, CAD geometry, audit logs, IP ownership, contract permissions, and manufacturing data can decide whether a company can safely work with defense buyers.
CADChain’s CAD file protection guide explains why design data needs access control, encryption, and ownership trails. CADChain’s DRM compliance monitoring guide goes further into tracking who accessed what, when, and under which rights.
That matters for dual-use startups because sensitive design files can move across suppliers, pilots, partners, public agencies, and investors.
If you cannot protect your own technical assets, why should a defense buyer trust you with theirs?
For bootstrappers, this can be the entry path.
You do not need to build a weapons platform. You can build the trust layer around data, suppliers, evidence, and control.
Funding Without Losing Your Line
Dual-use startups attract money because they sit between urgent public demand and commercial technology.
That can help.
It can also bend the company.
Use public-private funding for European deep tech as the money filter. Grants, accelerators, public buyers, and venture capital should move the startup toward proof. They should not turn the founder into a contract hunter with no boundary.
Before taking money, ask:
- Does this investor accept our excluded use cases?
- Does this grant force a use case we do not want?
- Does this buyer require product changes we would not defend in public?
- Does this public program create reporting work that slows buyers?
- Does this contract create export-control exposure we cannot handle?
- Does this round make us dependent on defense revenue before we have a civilian base?
If the money needs you to become morally blurrier, it is expensive money.
The Dual-Use Startup SOP
Use this process before you build, sell, or raise.
Write what the product helps a user do in one sentence.
List the allowed civilian uses and allowed security uses separately.
Do not leave it implied. Name the customer types, countries, and product uses you reject.
Review whether your software, data, documentation, support, or hardware may fall under EU or national rules.
Track access, changes, exports, model outputs, operator decisions, and customer permissions where relevant.
Write where human review is mandatory and where automation is allowed.
A civilian wedge gives the founder more control when defense buyers move slowly or investor pressure rises.
Sales promises are weak. Contract terms matter.
Do not assume a safe use in one country is safe in another.
You do not need to reveal sensitive details, but you should state your buyer logic, oversight principles, and refusal lines.
Use this before a dual-use customer or investor asks you to move faster than your principles.
Product capability: What can this product do in civilian and security contexts?
Allowed uses: Which use cases are acceptable and why?
Restricted uses: Which use cases need extra approval, logging, or human review?
Banned uses: Which customers, geographies, or deployments are off limits?
Misuse risk: How could the product harm people, rights, or infrastructure?
Controls: What technical, legal, operational, or contract limits reduce misuse?
Review process: Who decides when a risky customer appears?
Walk-away rule: What money or partnership would we refuse?
Mistakes To Avoid
- Calling a product dual-use because defense investors are active.
- Refusing the whole category without understanding the use case.
- Selling first and writing ethics later.
- Assuming civilian traction makes military use safe.
- Ignoring export controls because the product is software.
- Taking money from investors who push for customers you reject.
- Letting one public buyer shape the whole product.
- Building autonomy without human override.
- Storing sensitive data without a clear reason.
- Forgetting audit logs.
- Saying "we are neutral" when your product changes power.
- Treating ethics as PR instead of product design.
The mistake is not entering dual-use.
The mistake is entering with soft thinking.
What To Do This Week
If you are building or considering a dual-use startup, do this now:
- Write your allowed-use list.
- Write your banned-use list.
- Map your civilian market.
- Map your defense or security buyer.
- Read the EU dual-use export-control page.
- Ask one lawyer or export-control advisor what might apply.
- Add audit logs to the product plan.
- Define the human review point.
- Draft contract terms for allowed use and banned use.
- Decide which investor pressure you will reject.
That is the grown-up start.
Not a slogan.
Not moral panic.
Not a hot category chase.
A company with a spine.
A company whose product can be used in both civilian and defense or security contexts.
A living record of allowed uses, banned uses, review rules, and buyer boundaries.
A requirement that people remain responsible for important product decisions and outcomes.
Records that show who did what, when, and under which authorization.
Legal limits on selling or transferring sensitive technology across borders or to certain parties.
A process for deciding which customers fit the company’s mission, law, and principles.
Bottom Line
Dual-use startups are not automatically evil.
They are not automatically noble either.
They are companies building technology that can move between civilian and national security markets. That means they need more discipline, not more theatre.
Build if you can define the buyer, the use, the boundary, the legal exposure, the audit trail, and the human oversight.
Stay out if you only want the funding wave.
What are dual-use startups?
Dual-use startups build goods, software, data products, or technical systems that can serve both civilian and military or security uses. Examples include drones, cyber tools, satellite data, secure communications, sensors, AI decision support, energy systems, manufacturing tools, and engineering data protection.
Are dual-use startups ethical?
They can be ethical, but only when the founder defines allowed customers, banned customers, accepted use cases, rejected use cases, oversight, audit logs, and legal duties. A product that can be used for security work needs real controls. Good intentions are not enough.
What is the difference between defense tech and dual-use tech?
Defense tech is built mainly for military, defense, or security buyers. Dual-use tech can serve both civilian and security markets. A satellite data startup, drone company, or secure communications tool may have civilian buyers and defense buyers. The founder must define which uses are acceptable.
Why does Europe care about dual-use technology now?
Europe cares because security, industrial strength, public resilience, AI, drones, cyber, space, energy, and sovereignty now overlap. Public buyers and investors want technology that can serve urgent needs without waiting for slow legacy systems. That creates openings for startups, but also more rules and scrutiny.
What are export controls for dual-use startups?
Export controls are rules that restrict the export, brokering, transfer, transit, and technical assistance around certain goods, software, and technology. In the EU, Regulation 2021/821 governs the dual-use regime. Founders should check whether their product, source code, documentation, support, or customer location creates obligations.
Should a founder sell to military buyers?
Only if the founder can defend the use case, buyer, contract terms, oversight, and risk. Selling to military buyers is not automatically wrong, but it is not ordinary sales. The founder needs legal advice, buyer checks, product limits, and a no-go list before the first serious deal.
How can bootstrapped founders enter dual-use markets?
Bootstrapped founders can start through civilian wedges such as cyber defense, secure data workflows, supplier verification, simulation, logistics, energy monitoring, CAD security, or compliance evidence. These areas can generate revenue while keeping optionality for security buyers later.
What should be in a dual-use ethics file?
A dual-use ethics file should include allowed uses, banned uses, allowed buyers, rejected buyers, excluded countries, legal review triggers, export-control checks, data rules, audit logs, human oversight, contract terms, and investor boundaries. It should guide product, sales, and funding decisions.
What is NATO DIANA?
NATO DIANA is NATO’s accelerator for dual-use technology across the Alliance. It gives selected companies access to funding, accelerators, test centres, mentors, investors, and routes toward NATO markets. For founders, the useful part is not the logo. It is buyer feedback, testing, and operational proof.
What is the biggest dual-use startup mistake?
The biggest mistake is hiding behind ambiguity. Founders call the product a platform, delay the hard decisions, and assume customer use is not their responsibility. In dual-use markets, vague boundaries become product risk, legal risk, investor risk, and moral risk.