Foundations: the lens you carry all week
Understand the system you're walking into and what your job is inside it.
The job, stated plainly
After this you can state the field engineer's two-part job and reframe a skeptical buyer in one sentence.
Forget the IDE for a second.
You walk into a large company's existing engineering system and show two concrete things:
- Where an AI coding tool makes good changes easier to produce.
- Where it makes evidence cheaper to generate.
You do both without breaking a single control that someone relies on to pass an audit or keep their job.
The buyer is rarely the developer who loves the product. It's a VP of Engineering or a CISOChief Information Security Officer. The executive who owns security; usually the hardest and most important person to win over. who got burned by the last tool that promised speed and shipped them audit findings. They already run a delivery system that works. It's imperfect and expensive, but it ships and it passes SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting.. Your credibility starts with respecting that system and the fastest way to lose the room is to tell them it's broken.
Cursor is not a parallel SDLC. It doesn't replace your pipeline, your CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship., your branch protections or your reviewers.
It helps a team execute the standards they already have: better context on each change, faster feedback before merge and autonomy that stays inside the guardrails.
The moment you tell a team to 'throw out their process,' they'll stop listening. Instead, say 'it will help you run your process better.'
Hold both halves at once. Easier to produce is the developer-joy story: the demo, the velocity, the reason a champion shows up. Cheaper to evidence is the executive story: a trustworthy audit trail and logs that prove exactly what the AI touched. Tell only the first and you sound like every other vendor in the bake-off.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Produce earns the demo and a champion. Evidence survives security review and signs the contract. You need both, led by whichever half matches who is in the room.
"We're not asking you to change how you ship. We're making the system you already trust faster to run and cheaper to prove."
Takeaway. You sell execution of the standards the buyer already has - good changes that are easier to produce and cheaper to evidence.
Self-check
The five-layer delivery system
After this you can draw the five-layer delivery system from memory and name the one layer Cursor must never disturb.
Every large engineering org runs a delivery system, whether or not anyone has drawn it. You can break it into five layers. Four are flow: work moving from idea to running software. The fifth is a control plane that spans the other four. Carry this lens all week. In any customer environment you map their tools onto the layers and ask one question of each: does Cursor make this layer better or is this a layer I must not touch?
Interactive diagram. Step through it with the Next and Previous controls below, or Tab to a region to read its detail.
Layers 1–4 are flow: value, engineering, release, operations. Layer 5 is the control plane (separation of duties, ITGC, audit, access) spanning all four. Cursor improves 1–4 and must respect 5.
The four flow layerswhere Cursor adds impact
Intent: requirements, tickets, designs, acceptance criteria. The 'what' and the 'why.'
Cursor impact: pulls Jira/Linear context into the change and keeps the implementation tied to what was asked for.
The build: writing, refactoring, testing, reviewing code. The dense core of the day.
Cursor impact: home turf. Context-aware edits, agents, tests, BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. pre-merge review. The biggest velocity gains live here.
Shipping: CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often., build and test gates, environment promotion, change approval (CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship.), feature flags.
Cursor impact: generate and maintain pipeline config and IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform)., plus the evidence that the gates were satisfied.
Running it: monitoring, incidents, on-call, rollbacks, postmortems.
Cursor impact: triage from logs and traces, draft a fix against an incident, generate runbooks and a postmortem first draft.
Layer 5 - the control planespans all four; you respect it, you never bypass it
Layer 5 isn't a flow layer. It's the set of controls cutting across the other four to satisfy regulators and auditors:
- separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect. (the author can't also approve and deploy)
- ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved and how systems are run. (access, change and operations controls)
- an audit trail
- access control
- data residency
In a SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting.-relevant shop these aren't optional and they aren't yours to redesign.
The cardinal sin is implying Cursor lets a developer skip a control to go faster, e.g. 'the agent can just deploy straight to prod.'
That one sentence ends enterprise deals. Autonomy inside Layer 2 is welcome. Autonomy that crosses a Layer 5 boundary (author = approver = deployer) is a separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect. violation an auditor will flag.
Cursor makes Layer 5 cheaper to satisfy with better evidence, AI-code tracking and audit logs. It never removes the control.
- Layer
- 1 Value
- What it is
- Intent / requirements
- Cursor's role
- Improve - context in, intent preserved
- Layer
- 2 Engineering
- What it is
- Build / test / review
- Cursor's role
- Improve - biggest impact
- Layer
- 3 Release
- What it is
- Ship / gate / approve
- Cursor's role
- Improve - config + evidence
- Layer
- 4 Operations
- What it is
- Run / respond
- Cursor's role
- Improve - triage + drafts
- Layer
- 5 Control plane
- What it is
- SoDSeparation of Duties. No single person can author, approve and deploy the same change. The core control AI autonomy has to respect., ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved and how systems are run., audit, access
- Cursor's role
- Respect - make cheaper to satisfy, never bypass
| Layer | What it is | Cursor's role |
|---|---|---|
| 1 Value | Intent / requirements | Improve - context in, intent preserved |
| 2 Engineering | Build / test / review | Improve - biggest impact |
| 3 Release | Ship / gate / approve | Improve - config + evidence |
| 4 Operations | Run / respond | Improve - triage + drafts |
| 5 Control plane | SoDSeparation of Duties. No single person can author, approve and deploy the same change. The core control AI autonomy has to respect., ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved and how systems are run., audit, access | Respect - make cheaper to satisfy, never bypass |
Takeaway. Improve the four flow layers; respect layer 5, the control plane - make it cheaper to satisfy, never bypass it.
Self-check
QWhich statement correctly describes Cursor's relationship to the five layers?
Reference customer - Northstar Financial
After this you can map a real enterprise stack onto the five layers and locate where Cursor lands.
Keep one reference account in your head all week, so every abstract point has a concrete home. Northstar Financial is our running example: a 200-engineer fintech, SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting.-relevant, running the kind of messy large-company stack you'll actually meet. Each time you learn a concept, ask 'how would I say this to Northstar?'
- Engineers
- ~200
- Codebase
- Java monolith + TypeScript services + Terraform (IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform).)
- SCM / tickets / CI
- GitHub Enterprise · Jira · Jenkins
- Artifacts / runtime / flags
- Artifactory · Kubernetes · LaunchDarkly
- Observability / ITSM
- Datadog · ServiceNow
- Compliance posture
- SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting.-relevant; 5 environments; formal CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. (Change Advisory Board)
Map that stack onto the five layers and the conversation organizes itself.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Hover any layer to see where Cursor lands at Northstar. The control plane is the one to read carefully - Cursor leaves those gates exactly where they are.
The control plane is the part to read carefully. SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. means whoever authors a change can't single-handedly approve and deploy it. At Northstar the CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. and the GitHub Enterprise approvals are that enforcement and Cursor leaves them exactly where they are. It just makes the change and the evidence around it, arrive faster.
Where Cursor lands at Northstar
- Engineering (L2): context-aware help across a 15-year Java monolith and modern TS services. The model carries codebase context a new engineer would take months to build.
- Release (L3): drafting and maintaining Terraform and Jenkins config; generating release notes and the change-ticket evidence the CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. needs.
- Operations (L4): triaging a Datadog alert, proposing a fix against the failing service, drafting the ServiceNow incident and postmortem.
- Control plane (L5): Cursor's audit logs and AI-code tracking make the SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. evidence cheaper to produce. The CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. still approves and GitHub Enterprise still enforces who can merge.
When you get an abstract question, answer with Northstar. 'How does Cursor respect separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect.?' becomes: 'At a shop like Northstar, the author opens a PR in GitHub Enterprise. The agent never self-approves or deploys. The CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. gate and branch protections stay exactly where they are; Cursor just makes the change and its evidence arrive faster.'
Grounding the answer in a named, realistic account signals you've actually done enterprise field work.
Takeaway. Carry Northstar Financial as your worked example: its CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. and GitHub approvals are the separation-of-duties enforcement Cursor leaves intact.
Self-check
Contrast customer - Aurora Health
After this you can read an account's binding constraint and choose a safe opening demo from it.
Aurora Health is the counterweight to Northstar. It's the account where you do not lead with your favorite feature, because the environment forbids it. Know only the easy case and you get caught flat in the room.
- Engineers
- ~500
- Platform
- Azure DevOps (repos, pipelines, boards)
- Network posture
- Strict - locked-down egress, tight data-boundary requirements
- Hard constraint
- Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. are NOT approved
Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. (isolated cloud VMs, shipped in Cursor 3Cursor's agent-forward interface (also called the agent window or Glass), built to run and supervise many agents at once rather than edit one file..5, May 2026) are a genuinely strong capability: parallel multi-repo work with async report-back.
At Aurora they are not approved. Demoing them here is a self-inflicted wound - you've just shown a capability that violates their network and data posture.
Lead instead with what is approved: local and in-IDE agents, model and MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlists, terminal sandboxing, RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., audit logs. Meet the strict network where it is.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
The lens is identical at both accounts. What changes is the binding constraint - compliance at Northstar, the network at Aurora - and that decides what you show first.
How the two accounts sharpen the lens
- Dimension
- Size
- Northstar Financial
- ~200 eng
- Aurora Health
- ~500 eng
- Dimension
- Platform
- Northstar Financial
- GitHub Enterprise + Jenkins
- Aurora Health
- Azure DevOps
- Dimension
- Top constraint
- Northstar Financial
- SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. + CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. across 5 envs
- Aurora Health
- Strict network; data boundary
- Dimension
- Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop.
- Northstar Financial
- On the table (governed)
- Aurora Health
- NOT approved - do not lead with them
- Dimension
- Your opening move
- Northstar Financial
- Evidence + velocity story
- Aurora Health
- Network/data-posture-safe story first
| Dimension | Northstar Financial | Aurora Health |
|---|---|---|
| Size | ~200 eng | ~500 eng |
| Platform | GitHub Enterprise + Jenkins | Azure DevOps |
| Top constraint | SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. + CABChange Advisory Board. A group that reviews and signs off on higher-risk production changes before they ship. across 5 envs | Strict network; data boundary |
| Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. | On the table (governed) | NOT approved - do not lead with them |
| Your opening move | Evidence + velocity story | Network/data-posture-safe story first |
The discipline is identical in both rooms: read the control plane and the network posture before you choose what to show. Northstar's gate is compliance and separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect.. Aurora's gate is network and data residency. Tailoring the demo to whichever constraint is binding is the entire skill.
"Tell me your hardest 'no' before I show you anything. I'd rather demo what you can actually deploy than dazzle you with something your security team will veto."
Takeaway. Same product, different gate: at Aurora the binding constraint is the network, so you lead with local agents and governance, never Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop..
Self-check
QAt Aurora Health, which is the safest capability to demo first?
How to use this week
After this you can run every new feature through the five-layer lens with the produce / evidence / respect-L5 test.
This week builds the lens first, then loads it with ammunition. Treat the five-layer model as the spine and everything else as muscle hung on it. Every module should resolve back to one question: where does this make good changes easier to produce or evidence cheaper to generate, without disturbing Layer 5?
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Two questions decide whether a feature is something to lead with or a constraint to flag: which half of the job it serves and whether it leaves layer 5 intact.
- 1Internalize the lens (this module). Five layers, the thesis, the two accounts. Can't draw the five layers from memory? You're not ready for the rest.
- 2Run every later concept through the lens. BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. is engineering-flow impact with pre-merge review evidence. Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. are engineering/release autonomy, governed. Audit logs are Layer 5 made cheaper.
- 3Anchor each concept to Northstar, then stress-test it against Aurora. If it only works at Northstar, you've found a constraint to flag, not a feature to lead with.
- 4Practice the one-liners aloud. Interview-grade means saying the thesis and the SoDSeparation of Duties. No single person can author, approve and deploy the same change. The core control AI autonomy has to respect. line cleanly under pressure, not just recognizing them.
- 5Separate the verified from the perishable. Know which stats are durable claims and which need 'verify before quoting.'
For any feature you learn, finish this sentence before moving on: 'This helps produce good changes / evidence them more cheaply by ___ and it respects Layer 5 because ___.'
If you can't fill in the Layer 5 half, you don't yet understand how to sell it to an enterprise.
Takeaway. For any feature, finish the sentence: 'this helps produce or evidence changes by ___ and it respects layer 5 because ___.'
Self-check
Verified facts - the durable ammunition
After this you can sort a security or product claim into 'durable' or 'verify before quoting' before you say it.
Enterprise credibility dies on a wrong number. Carry the verified facts precisely and label the perishable ones 'verify before quoting' instead of stating them as gospel. These are the load-bearing claims for the foundational pitch.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Durable claims (audited posture) you can state with confidence. Perishable ones (directional stats, dates, pricing) get verified the day you say them.
SOC 2 Type II; AES-256 at rest; TLS 1.2+ in transit; annual third-party penetration testing.
Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + zero-data-retention terms, with one caveat: ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. does NOT apply when you use your own API keys. Know this cold; it comes up with security teams.
Private connectivity via AWS PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. + Cloudflare Tunnel. SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on./OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.), SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave., RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., model/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs./repo allowlists, hooks, terminal sandboxing, audit logs, AI-code tracking.
- Fortune 500 reach
- Enterprise page cites trusted by 64% of the Fortune 500
- Box case study
- 85%+ daily active; 30–50% throughput; 80–90% less migration effort; +75% usage in 6 weeks via mentorship
Agent surface & Bugbotcurrent, but mark dates
- Item
- Cursor 3Cursor's agent-forward interface (also called the agent window or Glass), built to run and supervise many agents at once rather than edit one file..1 (Apr 2026)
- What to say
- Added CLI /debug
- Caution
- Tie versions to dates
- Item
- Cursor 3Cursor's agent-forward interface (also called the agent window or Glass), built to run and supervise many agents at once rather than edit one file..7 (Jun 2026)
- What to say
- Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. with guided environment setup, reusable snapshots, .cursor/environment.json, /in-cloud subagents, /babysit and local/cloud handoff
- Caution
- Not approved everywhere (see Aurora)
- Item
- BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. (June 2026)
- What to say
- Average review time ~90 seconds, down from ~5 minutes; ~22% lower run cost; ~10% more bugs found; model not published by Cursor (don't assert one); /review runs before push
- Caution
- Pre-merge-resolution stats are older/directional - verify
- Item
- Organizations
- What to say
- GA to Enterprise on June 3, 2026: one admin plane over many teams, with Groups for cohort model-access/spend/agent permissions
- Caution
- Confirm effective settings because most-permissive wins
| Item | What to say | Caution |
|---|---|---|
| Cursor 3Cursor's agent-forward interface (also called the agent window or Glass), built to run and supervise many agents at once rather than edit one file..1 (Apr 2026) | Added CLI /debug | Tie versions to dates |
| Cursor 3Cursor's agent-forward interface (also called the agent window or Glass), built to run and supervise many agents at once rather than edit one file..7 (Jun 2026) | Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. with guided environment setup, reusable snapshots, .cursor/environment.json, /in-cloud subagents, /babysit and local/cloud handoff | Not approved everywhere (see Aurora) |
| BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. (June 2026) | Average review time ~90 seconds, down from ~5 minutes; ~22% lower run cost; ~10% more bugs found; model not published by Cursor (don't assert one); /review runs before push | Pre-merge-resolution stats are older/directional - verify |
| Organizations | GA to Enterprise on June 3, 2026: one admin plane over many teams, with Groups for cohort model-access/spend/agent permissions | Confirm effective settings because most-permissive wins |
Pricing - directional only
- Teams Standard lists at $40 monthly or $32 annual per seat; Teams Premium lists at $120 monthly or $96 annual per seat with 5x Standard usage.
- Teams usage is split into Auto + ComposerCursor's own fast coding model, tuned for the editor and priced well below frontier models; the recommended day-to-day model for executing a plan. and third-party API pools.
- Enterprise is negotiated, with volume discounts at 100+ seats.
- Never quote enterprise pricing as a fixed number. State the list anchor and pivot to value.
Older BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. pre-merge-resolution and timing shorthand can be less precise than the June 2026 average-review-time claim.
Pricing, Organizations and any feature-version claim can move, so confirm the day you quote them.
Anything you'd put in a slide for a CISOChief Information Security Officer. The executive who owns security; usually the hardest and most important person to win over.: if it's a number, source it the day you say it.
"We're SOC 2 Type II with AES-256 at rest and TLS 1.2+ in transit. One caveat I'll surface before your security team does: zero-data-retention does not apply if you bring your own API keys."
Takeaway. Carry the durable security posture precisely; label perishable stats 'verify before quoting' rather than stating them as gospel.