Demo, objections & the interview loop
Performance day: discovery, governance, workflow and value as field execution.
Performance day: the mindset before the demo
The demo is not a feature tour. It is a risk-removal exercise performed live. Every minute you spend showing speed without showing a control is a minute you spend confirming the buyer's fear. Walk in believing that and your whole rhythm changes.
The people in the room have seen a hundred AI demos that all looked the same: a todo app scaffolded in ninety seconds, a wave of applause, and then nothing they could ever ship. Your job on performance day is to be the opposite of that — to look boring in the most reassuring way possible. Reviewable. Governed. Evidenced. The wow comes from the fact that a serious enterprise change just happened inside their guardrails, not from raw token velocity.
A great Cursor demo proves one sentence: "the AI moved fast AND the change stayed inside your controls."
Speed alone is table stakes — Copilot, the intern, and a caffeinated senior can all produce code. The differentiated claim is governed velocity: throughput that an auditor, a security lead, and a staff engineer all sign off on.
Anchor on THEIR stack, never a clean-room toythe single biggest credibility lever
If you demo on a fresh Next.js scaffold, every senior in the room mentally files it under "toy" and stops listening. The repo you drive must look like their world: a 15-year Java monolith, a Spring app with a 4,000-line service class, a build that takes nine minutes, a test suite with flaky integration tests. Messy is the point. The harder and uglier the repo, the more the audience leans in — because that's the codebase they actually have to live in on Monday.
A real, gnarly monolith — ideally a fork of their repo (under their security review) or a faithful analog.
Legacy patterns: god classes, no tests on the path you touch, a confusing module boundary.
Their ticketing system, their CI, their PR template.
A todo app, a fresh create-react-app, anything green-field.
A repo you've secretly pre-warmed so the agent is suspiciously perfect.
Anything where the audience can't recognize their own pain.
"I'm not going to scaffold a todo app and call it a revolution. Let's open the ugliest 15-year-old service in your monolith and do real work in it — because that's the codebase your engineers actually wake up to."
Pre-warming the repo so the agent looks flawless is the fastest way to lose a senior engineer's trust. They can smell a rehearsed-to-perfection run.
If you cannot get their repo in time, say so explicitly and use the closest public analog — never pretend an analog is theirs.
Self-check
Demo craft: tell→show→tell and the per-segment arc
Unstructured demos drift. You start in Ask mode, someone asks a question, twenty minutes evaporate, and you never named a single control. The fix is two nested structures: a macro frame (tell→show→tell) wrapping the whole thing, and a micro arc that every individual segment runs through and ends the same way.
The macro frame: tell → show → tell
- 1Tell — state the claim and the control before you touch the keyboard. "I'm going to take a real ticket through to a reviewable PR, and the whole time the agent is fenced by your Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once.." The audience now knows what to watch for.
- 2Show — run the workflow. Narrate what you're doing and why, not just what's on screen. Let them see the agent think, plan, and get corrected.
- 3Tell — close the loop. "So what just happened: a ticket became a reviewed PR with tests and a BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. pass, and at no point did the agent step outside the rules you'd configure. The control there was the Project Rule plus the human approval gate."
The micro arc: every segment runs pain → workflow → guardrail → metric → NAME the control
This is the discipline that separates a field engineer from a demo monkey. Each chunk of the demo is a complete little story. You open on a pain the audience feels, show the workflow that addresses it, surface the guardrail that keeps it safe, point at the metric it moves, and then — this is the non-negotiable part — you name the control by its enterprise term. Not "see, it's safe." You say "that's separation of dutiesNo single person can author, approve, and deploy the same change. The core control AI autonomy has to respect." or "that's your ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved, and how systems are run. evidence" out loud.
| Arc step | What you do | Example phrasing |
|---|---|---|
| Pain | Name a felt problem | "Onboarding to this service takes a new hire two weeks." |
| Workflow | Show Cursor doing the work | "Watch Ask mode map the call graph in 40 seconds." |
| Guardrail | Surface the safety mechanism | "Notice the agent can't touch the payments module — repo allowlist." |
| Metric | Tie to a number they care about | "That's the kind of ramp Box saw — +75% usage in 6 weeks." |
| NAME the control | Say the audit-grade term | "What you just saw is a model and repo allowlist — that's an access control your security team owns." |
Security and audit stakeholders don't buy 'it feels safe.' They buy named, ownable controls they can map to a framework.
When you say the words separation of dutiesNo single person can author, approve, and deploy the same change. The core control AI autonomy has to respect., ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved, and how systems are run., evidence, blast radiusHow much breaks if a change goes wrong; the scope of potential damage., audit log — you're handing the champion the exact language they'll use to get this past their risk committee.
A demo that moves fast but never names a control is a demo the buyer cannot defend internally after you leave the room.
Don't narrate keystrokes ("now I click here, now I type this"). Narrate intent and control ("I'm asking it to plan first so the human reviews scope before any code is written").
If you finish a segment and realize you never named the control, stop and name it. The audience forgives a pause; they don't forgive a safety story that was never made explicit.
Self-check
QWhich sequence best describes the per-segment demo arc you should run for every chunk of a Cursor enterprise demo?
The 15–20 minute Northstar demo, in order
There is one canonical run that hits every persona at once: the developer sees speed, the staff engineer sees reviewability, security sees guardrails, and the auditor sees evidence. Memorize it cold so you can improvise around interruptions without losing the thread.
The spine of the run is a real ticket taken to a defensible PR. You're not coding for the sake of coding — you're walking a value streamThe end-to-end path a change takes from idea to running in production. from work-intake to merge-gate, and at each station you surface the control that lives there. Below is the order; the table after it maps each step to the persona it lands on and the control it names.
- 1Start from a ticket. Pull a real Jira/Linear item into context. The work begins with intake, not with a blank prompt — this signals you respect their value streamThe end-to-end path a change takes from idea to running in production..
- 2Explore in Ask mode. Use Ask (read-only) to map the relevant code, the call graph, the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. of the change. No edits yet. This is the 'understand before you touch' beat that wins seniors.
- 3Generate a reviewable Plan. Have the agent produce a plan a human approves before code is written. The plan is the separation-of-duties artifact: intent is reviewed before execution.
- 4Make a small change under Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once.. Keep the change tight and let the audience see the agent constrained by
.cursor/rules— coding standards, forbidden patterns, architectural boundaries it cannot cross. - 5Write meaningful tests. Not snapshot fluff — a test that actually pins the behavior you changed. This is where you separate from 'AI writes garbage.'
- 6Produce a diff → PR with evidence. Open the diff, then the PR with a description, the linked ticket, the tests, and AI-authorship tracking attached. The PR is your evidence package.
- 7Run BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. under human reviewers. Let Bugbot review the PR — and be explicit that it advises, humans approve. Bugbot doesn't merge; it surfaces. (June 2026: ~90% of runs finish in under 3 minutes.)
- 8Triage a deliberately failing CI check. Have a CI gate fail on purpose, then show the human-in-the-loop triage. The failing gate is the proof that the pipeline catches problems — and that the human, not the agent, holds the merge key.
The same backbone — ticket → explore → plan → change → test → PR/evidence → review → gate — is both the order of the Northstar demo and the skeleton you use to answer any objection or interview question. Learn it once; reuse it everywhere.
| Step | Lands on | Control you name |
|---|---|---|
| Ticket intake | PM / delivery lead | Value-stream traceability |
| Ask mode explore | Senior / staff eng | Read-only blast-radius review |
| Reviewable Plan | Staff eng | Separation of duties (intent reviewed pre-execution) |
| Change under Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once. | Architect / security | Policy-as-config guardrail |
| Meaningful tests | QA / senior eng | Quality gate |
| Diff → PR + evidence | Auditor / compliance | ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved, and how systems are run. evidence, AI-code tracking |
| BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. under reviewers | Security / eng lead | Automated review, human approval |
| Failing CI triage | Release manager / auditor | Merge gate, human holds the key |
"Notice what just happened: the agent wrote the code, but a human approved the plan, a human owns the merge, and the auditor has a full evidence trail. The AI accelerated the work — it never controlled the gate."
If an interviewer asks you to 'walk me through a demo,' the wrong answer is a list of features. The right answer is this ordered run, narrated with the persona and control at each step.
Saying 'ticket → Ask → Plan → change under rules → tests → PR with evidence → BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. under human reviewers → triage a failing CI check' from memory is itself the signal that you think in value streams and controls, not features.
Self-check
Planned imperfection beats fake perfection
The most trust-building moment in an enterprise demo is when something goes slightly wrong — and you recover calmly, in their guardrails. Engineers don't trust magic. They trust people who handle the failure case in front of them.
A demo where the agent nails every prompt first-try reads as either a toy problem or a rehearsed lie. Seniors have written enough code to know that's not how real work goes. So you engineer a moment of imperfection: the agent's first plan misses an edge case, or its initial change trips a Project Rule, or a test fails. Then you show the loop — you correct it, it adapts, the guardrail holds. That recovery is the demo.
How to stage a recovery without it looking staged
- 1Pick a spot where the agent realistically stumbles on their messy repo — a hidden coupling, an untested path, a naming convention buried in their rules.
- 2Let it stumble. Don't rescue it instantly. Let the room see the imperfect first attempt.
- 3Correct it the way a real engineer would — refine the prompt, point at the rule, add context. Show the agent is steerable, not autonomous-and-hope.
- 4Name what just happened: "That's the human-in-the-loop. The agent proposed, I reviewed, I corrected, the guardrail held. That's exactly the workflow your team would run."
"I don't know that off the top of my head — I'll verify and follow up." If a question lands outside what you can prove, that sentence builds more trust than any confident guess. Enterprise buyers are pattern-matching for people who won't oversell.
Fake perfection optimizes for applause. Planned imperfection optimizes for trust — and trust is what closes enterprise deals.
A recovered failure demonstrates the single most important enterprise property of the tool: it is steerable and reviewable, not a black box you have to take on faith.
Don't manufacture a failure so big it looks like the tool is broken. The imperfection should be a realistic stumble the human cleanly fixes — not a crash.
Never bluff an answer to a hard question to keep momentum. The 'I'll verify and follow up' line is a strength, not a retreat — and the follow-up email is a second touchpoint you'd otherwise never get.
Self-check
Objection fluency: the canonical seven
Objections are not attacks to be deflected — they're buying signals to be honored. The master move on every single one is the same: concede what's true first, then counter. The concession is what earns you the right to be heard.
Concede → reframe → prove → name the control. Never skip the concession. "You're right that..." disarms the room and signals you're not a hype merchant.
Then reframe to the real question, prove it with a guardrail or a metric, and name the control. It's the spine diagram applied to a conversation instead of a codebase.
The seven, with the concede-first answer
Concede: "You're right to be paranoid — your source is your crown jewels."
Counter: Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms, SOC 2 Type II, AES-256 at rest, TLS 1.2+, PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet./Cloudflare Tunnel, SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave./RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., model & repo allowlists, audit logs.
Name it: "That's your data-handling control plane — owned by your security team, not us." (Note: ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. does NOT apply if you use your own API keys.)
Concede: "Bundled pricing is real and hard to argue with on a spreadsheet."
Counter: You're not buying autocomplete, you're buying a governed agent — Plans, Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once., BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs., Cloud Agents, audit logs. The question isn't seat cost, it's throughput per governed engineer.
Name it: Reframe to value streamThe end-to-end path a change takes from idea to running in production., not license line-item.
Concede: "Good — skeptical seniors are exactly who you want gatekeeping this."
Counter: Cursor keeps the senior in the reviewer seat: Ask-mode exploration, reviewable Plans, human-owned merge. It amplifies judgment, doesn't replace it.
Name it: Human-in-the-loop / separation of dutiesNo single person can author, approve, and deploy the same change. The core control AI autonomy has to respect..
Concede: "Almost certainly true — ungoverned AI on a complex repo does write garbage."
Counter: The difference is Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once., context, Plans, and BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs.. Garbage comes from no guardrails. Show the same task with rules on vs off.
Name it: Policy-as-config + automated review.
Concede: "Real risk — copy-paste-without-understanding is a genuine failure mode."
Counter: Ask mode is a teaching tool (explain this call graph); Plans make juniors articulate intent; reviews still happen. Box ran mentorship → +75% usage in 6 weeks.
Name it: Review gate + mentorship motion.
Concede: "~$40/user/mo across thousands of seats is a real number."
Counter: Compare to throughput, not to zero. Box: 30–50% throughput lift, 80–90% less migration effort. Volume discounts kick in at 100+ seats; Enterprise is negotiated.
Name it: Cost-per-unit-of-shipped-work, not cost-per-seat.
Concede: "Legacy monoliths are genuinely the hard case — fair."
Counter: That's exactly why we demo on a 15-yr monolith, not a todo app. Context + Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once. + Ask-mode mapping are built for weird. 64% of the Fortune 500 are weird.
Name it: Context engineering + repo-scoped rules.
"You're right — and here's the part that changes the picture." Six words of concession buy you sixty seconds of genuine attention. Skip them and you're just another vendor arguing.
Don't over-promise on ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it.: zero-data-retention terms do NOT apply when the customer brings their own API keys. Get that wrong in a security conversation and you lose the whole room.
The BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. stat '~70% of flags resolved pre-merge' is an older directional number — verify before quoting it live. Safer current facts: ~90% of runs under 3 min, ~35% of autofix changes merged.
Self-check
QWhich is the single most important move when handling ANY of the canonical seven objections?
The 90-second POV, closing by interviewing them, and FE vs FDE
Two skills separate people who pass the loop from people who don't: the ability to compress your whole worldview into 90 seconds, and the instinct to close by interviewing the buyer instead of pitching at them.
The 90-second point of viewyour worldview, compressed
You will be asked, in some form, "why does this matter / what's your take on AI in the enterprise?" The answer is a rehearsed-but-natural 90 seconds that uses the spine as its skeleton: the shift is from ungoverned velocity to governed velocity; the unit that matters is throughput per governed engineer; the way you get there is a value streamThe end-to-end path a change takes from idea to running in production. where the AI accelerates every station and a human owns every gate. Land it with a proof point (64% of the Fortune 500; Box at 30–50% throughput) and a control (audit log, separation of dutiesNo single person can author, approve, and deploy the same change. The core control AI autonomy has to respect.).
- 0–15s — the shift
- Every company is adopting AI coding; the winners govern it instead of banning or YOLOing it.
- 15–45s — the unit
- The metric isn't seat cost or tokens — it's throughput per governed engineer across the value streamThe end-to-end path a change takes from idea to running in production..
- 45–70s — the mechanism
- AI accelerates every station (ticket→PR), a human owns every gate (plan approval, merge). Spine.
- 70–90s — the proof + control
- 64% of the Fortune 500 trust it; Box saw 30–50% throughput. And it's all auditable — SOC 2, audit logs, allowlists.
Close by interviewing THEM
Amateurs end a demo by asking "any questions?" Field engineers end by turning the table into a discovery conversation. You've earned credibility — now spend it learning their constraints so your follow-up is laser-targeted. The questions you ask reveal as much competence as the demo you ran.
- "Where does code review actually bottleneck for you today — is it reviewer availability or scope of changes?"
- "Who owns the merge gate, and what evidence does your audit team need to see on every PR?"
- "What's your blast-radius rule — which repos or modules would you fence off first with an allowlist?"
- "If you ran a pilot, what's the one metric that would make your VP say yes — cycle time, change-failure rate, onboarding time?"
- "What killed the last tool you tried — was it security review, senior pushback, or it just wrote garbage?"
FE vs FDE: where the interview emphasis differsknow which loop you're in
| Dimension | Field Engineer (FE) | Forward-Deployed Engineer (FDE) |
|---|---|---|
| Center of gravity | Demo, objection handling, persona translation | Hands-in-the-repo implementation at the customer |
| Interview proves | Can you make the room believe + name controls | Can you ship real change in a hostile legacy codebase |
| The demo is... | The performance — narrate, frame, close | The starting point — then you actually build with them |
| Failure mode they probe | Hype without substance, can't handle a skeptic | Can't navigate a 15-yr monolith, weak on guardrails in practice |
| Strongest signal | Concede-first fluency + 90-sec POV | Deep value-stream + DORADORA metrics. Four widely-used delivery measures: deployment frequency, lead time for changes, change failure rate, and time to restore service. + ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved, and how systems are run. fluency under real code |
For an FE loop, your demo is the deliverable — they're watching whether you can frame, name controls, and survive a hostile question with a concede-first reflex.
For an FDE loop, the demo is just proof you can start; they'll push on whether you can actually land change in their legacy mess and keep it inside the guardrails over weeks, not minutes.
Either way, the spine is your universal answer structure: when you don't know what to say, narrate the value streamThe end-to-end path a change takes from idea to running in production. and name the control at each station.
"Before I tell you what I'd build, let me ask what would make your VP say yes — because I'd rather solve that than demo something you don't need."