You were making progress on a deal. The demo went well, pricing was aligned, and the prospect seemed genuinely interested. Then an email arrived from someone on their security or procurement team with a spreadsheet attached. Somewhere between 50 and 300 questions about your encryption standards, access controls, incident response process, and whether your platform has been independently tested for vulnerabilities.
If this is the first time it has happened to you, the instinct is to panic. The questions look technical, the stakes feel high, and you are not sure how many of your honest answers are going to hold up to scrutiny.
Here is what is actually happening and what you need to do about it.
What a Security Questionnaire Actually Is
An enterprise security questionnaire is a formal risk assessment. The buyer’s security or procurement team sends it to every vendor that will have access to their data or systems. They are not trying to catch you out. They are trying to build a picture of your security posture so they can determine whether working with you introduces unacceptable risk to their organization.
Every enterprise that has been through a serious breach or a regulatory audit has learned the same lesson: your security is only as strong as your weakest vendor. That is why these questionnaires exist and why they are non-negotiable for any company selling to enterprise buyers, regardless of how good your product is.
The document itself usually follows one of a handful of standard formats — the Shared Assessments SIG, the Cloud Security Alliance CAIQ, the Vendor Security Alliance (VSA) questionnaire, or a proprietary version the buyer has built internally. The format and question count vary, but the underlying categories are almost always the same.
What They Are Actually Asking About
Most enterprise security questionnaires cover the same core topics, regardless of how they are formatted or how many questions they contain.
Access controls. Who has access to your systems and customer data, and how do you manage that access? They want to know whether you enforce least privilege, use single sign-on, require multi-factor authentication, review access on a fixed cadence, and have a formal process for revoking access when someone leaves the company. This section is about whether the right people have access and the wrong people do not.
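The "formal process for revoking access" question is easiest to answer when you can show the review itself rather than describe it. The following is an added example, not code from the original article or from Packet33: a periodic access review that compares a constructed identity-provider export against an HR roster and flags the three things reviewers usually ask for evidence of: accounts that survived offboarding, accounts without MFA (admins called out separately), and dormant accounts. The export fields, the roster format and the 90-day dormancy threshold are assumptions standing in for whatever your IdP and HR system actually produce.

```python
"""Periodic access review over an identity-provider export.

Added example, not from the original article. The export shape, roster and
90-day threshold are assumptions; substitute your IdP's and HRIS's real exports.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

DORMANCY_DAYS = 90  # assumed review threshold; document whatever yours is


@dataclass(frozen=True)
class Account:
    email: str
    active: bool
    mfa_enrolled: bool
    last_login: Optional[date]
    admin: bool = False


# Constructed sample data, not a real export.
IDP_EXPORT: List[Account] = [
    Account("alice@example.com", True, True, date(2024, 5, 20)),
    Account("bob@example.com", True, False, date(2024, 5, 19), admin=True),
    Account("carol@example.com", True, True, date(2024, 1, 3)),
    Account("dave@example.com", True, True, date(2024, 5, 18)),
    Account("erin@example.com", False, False, None),
]
HR_ROSTER: Set[str] = {"alice@example.com", "bob@example.com", "carol@example.com"}
REVIEW_DATE = date(2024, 5, 21)


def review_access(accounts: List[Account], roster: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (email, finding) pairs for every active account that fails a check."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.active:
            continue  # already revoked; nothing to review
        if a.email not in roster:
            # The offboarding gap: HR no longer lists them, the IdP still does.
            findings.append((a.email, "active account for someone not on the roster"))
        if not a.mfa_enrolled:
            findings.append((a.email, "admin without MFA" if a.admin else "no MFA"))
        if a.last_login is None or today - a.last_login > timedelta(days=DORMANCY_DAYS):
            findings.append((a.email, "dormant"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(IDP_EXPORT, HR_ROSTER, REVIEW_DATE):
        print(f"{email:24} {finding}")
```

Run it on a schedule, keep the output with a date and a sign-off from whoever resolved each line, and you have the artifact the "access review cadence" question is really asking for. Note that it deliberately ignores disabled accounts: a deprovisioned account that is still present in the export is expected, one that is still active is the finding.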
Encryption. How is data protected at rest and in transit? They want to see that you are using current standards — TLS 1.2 or higher for data in transit, AES-256 for data at rest — and that you have thought about key management: who can access the keys, how they are rotated, and whether they are stored separately from the data they protect.
Vulnerability management and penetration testing. This is where most early-stage SaaS founders hit their first real gap. The questionnaire will ask whether you conduct regular security testing, who performs it, when the last test was done, and whether you can share a summary of findings. They are asking this because an independent penetration test is the closest thing to proof that your security controls actually work, not just that they exist on paper.
Incident response. Do you have a documented process for detecting, responding to, and recovering from a security incident? Have you tested it? Can you tell them how quickly you would notify them if their data was involved in a breach?
Data handling. Where is data stored, how is it backed up, and how is it separated from other customers’ data? Multi-tenancy is a specific concern for SaaS buyers — they want to know that one customer cannot access another’s data through your platform.
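The multi-tenancy question is usually answered with a sentence about "logical separation." What a reviewer actually wants to know is whether every data access is scoped to the caller's tenant. The following is an added example, not code from the original article or from Packet33, using an in-memory SQLite table with constructed sample rows. It shows the lookup pattern that lets one customer read another's record by guessing an id, the hardened pattern that puts the tenant (taken from the authenticated session, never from the request) in every query predicate, and a check you can keep in your test suite as standing evidence that isolation holds. Table and column names are assumptions.

```python
"""Tenant isolation: vulnerable lookup, hardened lookup, and an evidence check.

Added example, not from the original article. Schema and sample rows are constructed.
"""
import sqlite3


class NotFound(Exception):
    """Raised for both 'does not exist' and 'belongs to another tenant'."""


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two tenants, one document each.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "acme", "acme quarterly numbers"), (2, "globex", "globex roadmap")],
    )
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> str:
    # Vulnerable: trusts the id from the request and never asks whose record it is.
    # Any authenticated user who increments the id reads the other tenant's data.
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def get_document(conn: sqlite3.Connection, session_tenant: str, doc_id: int) -> str:
    # Hardened: the tenant comes from the authenticated session and is part of the
    # predicate, so a cross-tenant id is indistinguishable from a missing one.
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, session_tenant),
    ).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def isolation_holds(conn: sqlite3.Connection) -> bool:
    """Evidence check for the questionnaire: neither tenant can read the other's row."""
    for tenant, other_doc in (("acme", 2), ("globex", 1)):
        try:
            get_document(conn, tenant, other_doc)
            return False  # a cross-tenant read succeeded
        except NotFound:
            pass
    return True


if __name__ == "__main__":
    db = make_db()
    print("unscoped lookup leaks:", get_document_unscoped(db, 2))
    print("scoped isolation holds:", isolation_holds(db))
```

Two design points worth being able to explain to a reviewer: the tenant id is never read from the request, and a cross-tenant access returns the same not-found response as a nonexistent record, so an attacker cannot use the difference to enumerate which ids exist in other tenants. In a real application the `tenant_id = ?` predicate belongs in a shared query helper or row-level security policy rather than being retyped per query, because the one query that forgets it is the one that ends up in the pentest report.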
Compliance certifications and attestations. Do you have a SOC 2 report, an ISO 27001 certification, a HIPAA-aligned control set, or another relevant framework in place? (Strictly, SOC 2 is an auditor's attestation report and HIPAA has no official certification, and enterprise reviewers will notice if you describe them otherwise.) A SOC 2 report does not eliminate the questionnaire — buyers will still send it — but it significantly shortens the answers you need to provide and increases their confidence in your responses.
Vendor and supply chain security. Who are your subprocessors? Do your own vendors go through security reviews? This one surprises a lot of founders. The buyer is not just evaluating you — they are evaluating everyone you share their data with.
The One Question That Decides Whether the Deal Moves Forward
Of all the categories above, penetration testing is the one that most commonly stalls deals for early-stage SaaS companies. Here is why.
A buyer’s security team can read your policy documents and take your word for your encryption configuration. But when they ask “when was your last penetration test and can you share the results,” there is no good answer other than having done one recently with a qualified independent firm and being willing to share an executive summary of the findings and their remediation status.
If you do not have a recent pentest, the deal does not necessarily die — but it slows down significantly. The buyer’s security team has to escalate, get a risk exception approved, or put the vendor review on hold pending a future test. None of those outcomes are good for your sales cycle.
If you have a pentest from 18 months ago that predates your current infrastructure, that raises questions too. Enterprise security teams know that your attack surface changes as you ship code and scale your product. A stale report provides limited assurance.
The SaaS companies that move through enterprise security reviews fastest are the ones that can respond to the questionnaire with a current pentest report, an executive summary of findings and remediation status, and a SOC 2 report or a clear timeline for when one will be available.
How to Respond When You Have Gaps
The worst thing you can do is misrepresent your security posture. Enterprise security teams review hundreds of questionnaires and they are good at identifying answers that are technically true but misleading. Getting caught in an exaggeration damages trust in a way that is very difficult to recover from.
The right approach when you have gaps is to be direct and pair the gap with a plan. If you do not have a SOC 2, say so and explain that you are in the process of implementing the controls required and targeting a specific timeline. If your last pentest was 18 months ago, acknowledge it and tell them you have one scheduled. Most enterprise security teams are not expecting perfection from a seed or Series A vendor. They are evaluating whether you are thoughtful and honest about your security posture, not whether it is flawless.
What they cannot work with is no answer, a vague non-answer, or an answer that turns out to be inaccurate when they dig deeper.
What to Do Before the Next One Arrives
The founders who handle security questionnaires most smoothly are the ones who prepared before receiving one, not after.
That means getting a penetration test done before an enterprise prospect asks for one. It means implementing the controls that a SOC 2 audit would cover, even if you are not ready to go through a formal audit yet. It means documenting your incident response process, your access review cadence, and your vendor review process in a way that is easy to reference when questions arrive.
None of this has to happen all at once. But the gap between having a credible security program and not having one is exactly where enterprise deals get stuck.
If you have received a security questionnaire and are trying to figure out where your program stands, a gap assessment is the fastest way to understand what you can answer confidently and what needs to be addressed before the deal progresses.
Packet33 works with SaaS and HealthTech startups to build the security programs that enterprise buyers expect — penetration testing scoped and documented for security questionnaires and compliance audits, audit readiness advisory, and ongoing compliance management.
Talk to us about where your program stands before the next questionnaire arrives.
