Security

An Enterprise Security Review Is Blocking Your Deal. Here Is What Happens Next

It arrives at the best and the worst possible moment at once. The deal is late stage, your champion is bought in, legal has seen the paperwork, and then their security team attaches a spreadsheet with a sentence that freezes everything: we will need to complete our vendor security review before we can finalize.

Then nothing moves. Not because anyone said no. Because the review landed in an inbox with no owner, and the one person qualified to answer it is the same engineer you need shipping product. Here is what an enterprise security review actually is, why deals die in this exact spot, and what to do in the first week.

A questionnaire is not a review

These two get used interchangeably, and that is the first place teams misjudge the work in front of them.

A security questionnaire is one document. It might be a standard format like SIG, SIG Lite, CAIQ, or a VSA, or it might be a custom spreadsheet somebody at the buyer built years ago and nobody has retired since. You fill it in and send it back. It is finite. It can be long and tedious, but you can see the end of it from the beginning.

An enterprise security review is a process. The questionnaire is one artifact inside it. The rest is evidence requests, architecture questions, policy documents, your subprocessor list, penetration test results, insurance certificates, and usually a live call where their security engineers ask questions in real time and listen to how you answer. It has rounds. Each round costs a week.

The failure mode is treating the second thing like the first. You answer the questionnaire, you feel finished, and then a follow-up lands asking for the evidence behind answer 47, and it starts over. Scope the whole process on day one or you will keep being surprised by it.

Why deals stall here

Deals rarely stall because a company failed the review. They stall for duller reasons.

Nobody owns it. Sales assumes engineering has it. Engineering assumes it is a sales form. The founder is the fallback owner of everything, so it joins the same pile as the other twelve things.

The work needs someone fluent in both directions. Your engineer knows exactly how logging is configured but not what the buyer means by a documented retention policy. Your account executive knows what the buyer wants but cannot answer a question about key management. The review sits in the gap between them.

Latency compounds. A review is a series of round trips. Take five days to respond and the buyer takes five days to come back. A review containing maybe fifteen hours of actual work stretches across two months, your champion loses momentum, and the quarter closes without you.

The security posture is often fine. The response process is what is broken. That is good news, because a process is fixable in days.

What buyers are actually checking

It helps to know that the reviewer is not trying to fail you. They are answering one question for their own management: if we put our data in this vendor and something goes wrong, does it come back on me.

Underneath the specific questions, they are checking four things.

  • Do you know where customer data lives. Which systems hold it, who can reach it, and what happens to that access when someone leaves.
  • Can you prove what you claim. Anyone can tick a box that says access is reviewed quarterly. They want the artifact from the last one.
  • Is there an owner. A named person accountable for security, or is it spread across whoever had time that week.
  • Do you tell the truth. This is the one teams misjudge most, and it deserves its own section.

How to answer when the answer is not yet

The instinct is to make every answer sound like a yes. It is the wrong instinct, and experienced reviewers catch it immediately.

Reviewers read questionnaires for a living. They know what a company your size actually has. When a twelve-person startup claims a fully staffed 24/7 security operations centre, the reviewer does not think you are impressive. They think you are confused or overselling, and now every other answer is suspect. One inflated answer costs you the credibility of the entire document.

The answer that works is specific, honest, and bounded in time. Something closer to this: we do not currently run formal access reviews on a fixed cadence; access is provisioned through our identity provider and removed at offboarding; quarterly access reviews are being implemented as part of our SOC 2 program, with the first one scheduled for October.

That answer says no. It also says we understood the question, we know why you are asking it, we know what we do today, and we have a date. Reviewers accept answers like that constantly. What they do not accept is a yes that dissolves the moment they ask for evidence.

So never invent a control. If the review surfaces a real gap, that is information, not a verdict. Close the deal-blocking ones and commit credibly to the rest.

What to do in the first week

Speed early is worth more than polish later. Five moves, in order.

Name one owner. One person who holds the whole review, tracks every open item, and sends every reply. Not a committee. If it is not you, tell the buyer who it is and introduce them.

Get the full scope in writing. Ask your champion for the entire list: every questionnaire, every document, whether there is a live call, and who signs off at the end. Reviews that arrive in pieces stall in pieces. Ask what the real deadline is and what happens if it slips.

Ask what would satisfy them. The highest-leverage question you have, and almost nobody asks it. Sometimes the answer is a SOC 2 report. Sometimes it is a penetration test from the last twelve months. Sometimes it is a signed policy set and one call. You cannot plan the work until you know the bar.

Put your evidence in one place before you need it. Policies, architecture diagram, latest pen test, insurance certificate, subprocessor list, access control documentation, incident response plan. A lot of the delay in a review is hunting for files, not producing them.

Reply within 48 hours even when you are not done. A short note naming your owner and the date they will have the full response keeps the review alive. Silence kills more deals than gaps do.

When a SOC 2 report short-circuits the whole thing

This is the part worth understanding before your next enterprise deal rather than during it.

A SOC 2 Type II report is an independent CPA firm attesting that your controls were designed properly and actually operated over a period of months. That is where its weight comes from. It is not your word about your own security, which is exactly the problem the reviewer is trying to solve.

For a lot of buyers, handing over a current report collapses the review from weeks into days. The questionnaire gets shorter or disappears. A large share of the evidence requests are answered by the report itself. The architecture conversation becomes a formality.

It does not delete reviews. Regulated buyers, and anyone handling sensitive data, will still run their own process, and a report never stops a determined security team from digging. But it changes the conversation from prove it to confirm it, and that shift is most of the calendar time.

The catch is timing. SOC 2 does not rescue the deal that is blocked today, because a Type II needs an observation window to observe. Which is the real argument for starting before a buyer forces you to. If there are more enterprise logos in your pipeline, the review you are fighting right now is not the last one. It is the first one.

For the deal on the table today, you can often still keep it warm with a signed engagement and a credible date. More buyers accept that than founders expect. It is worth the conversation with your champion.

Where we come in

We are the prep partner, not the auditor, and running these reviews on behalf of startups is one of the things we do most. Our enterprise security review response covers the whole process end to end: the questionnaires, the evidence requests, a remediation list ranked by deal impact, and the buyer call when it helps to have an experienced security voice answer their team directly. If it really is just one document, security questionnaire completion is the smaller version of the same work.

Our founder is a published security researcher with six CVEs, which matters here for one reason: the answers have to hold up when the buyer's engineers push on them. And if the reason these reviews keep hurting is that you have no report to hand over, the fix is upstream. Read the playbook on SOC 2 for Canadian SaaS.

Is a deal sitting in a security review right now?

Tell us who is asking, what they sent, and when they need it back. We will come back with a straight plan for clearing it. Toronto-based, led by a published CVE researcher.

Talk to us

Not ready for a call? Same.

Get the playbook, not a sales pitch

If this was useful, Jacob sends a few short, practical notes on locking down your startup without a big security team. No fluff, unsubscribe in one click. Just reply if you want to talk; it reaches him directly.

From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.

Need help with any of this?

We help startups build secure, scalable infrastructure. Book a free strategy call and let's talk about your stack.

Book a free consultation