The Security Questionnaire that killed your enterprise deal

You were close. Months of work. A champion inside the company. Budget approved, legal reviewed the MSA, and the prospect kept saying the word ‘partner’ in every call. Then an email arrived from their IT security team.

It had a spreadsheet attached. Two hundred rows. Questions about penetration testing history, SOC 2 attestation, encryption standards, data residency, incident response timelines, employee security training, and vendor risk management policy.

You had none of it documented. The deal stalled. Sometimes it closes six months later after a compliance sprint. Sometimes the champion loses patience and the competitor who already had their SOC 2 gets in first.

This is how most early-stage B2B SaaS companies lose enterprise deals. Not on product, not on price, not on fit. On a spreadsheet that arrived at the worst possible moment.

What the questionnaire is actually asking

Enterprise security questionnaires aren’t bureaucratic hazing. They exist because the company on the other end is accountable to their own customers and regulators for the security of every vendor in their stack. If your platform gets breached and their customer data is in your database, their CISO gets the 2am call.

The questions fall into five buckets:

1. Are you actively protecting your application? WAF, endpoint protection, access controls.
2. Do you test yourself? Penetration tests, vulnerability scans.
3. Is it documented? Policies, procedures, governance.
4. What happens when something goes wrong? Incident response plan, breach notification timelines.
5. Who are you, really? Your subprocessors, data flows, residency.

None of these questions are unreasonable. They’re the same questions a security-conscious founder would ask about their own stack.

Why this usually arrives at 20-30 employees

Enterprise deals start arriving when you’ve got a few salespeople and real pipeline, usually 18 to 24 months post-launch. At that stage, you’ve built an excellent product but you haven’t built a documented security program. Your infrastructure is on AWS with reasonable defaults, you use 1Password and have MFA on most things, and you’ve never had a security incident.

That posture is genuinely reasonable for your current customer base. It’s not documented, audited, or structured enough for enterprise procurement.

The gap isn’t in your actual security. It’s in the evidence. Enterprise teams aren’t just checking that you’re secure. They’re checking that you can prove it.

The compliance-first trap

Most founders respond by signing up for Vanta or Drata immediately. These are good tools. They connect to your cloud environment, collect evidence automatically, and help you prepare for a SOC 2 audit. That’s valuable.

The problem is that compliance platforms collect evidence of security. They don’t build security.

If you have a WAF running, endpoint protection on every device, proper access controls, and continuous cloud monitoring, a compliance tool structures all of that into auditable evidence. That combination works beautifully.

If you skip straight to the compliance tool without the underlying infrastructure, you end up with what people in this industry call compliance theater. The audit passes. The certificate looks right. But there’s nothing behind it that would stop an actual attack.

Enterprise IT teams who do vendor reviews for a living can often feel this. The penetration test scope was unusually narrow. The remediation log is thin. The controls are documented but the timestamps don’t add up.

The one thing that changes everything

Prepare your security posture before you need it. Not the week the questionnaire arrives. Before your first enterprise sales conversation.

The benchmark is straightforward:

  • A WAF protecting your application layer
  • Endpoint detection and response on every team device
  • Zero trust access to production: no standing shared credentials, MFA on every path in, and every session logged
  • Continuous cloud posture management, so misconfigurations are flagged as they appear rather than discovered at audit time
  • An annual penetration test with documented remediation of each finding

Running that stack doesn’t require a dedicated security hire. It requires a platform that manages it on your behalf, a quarterly review process, and a structured annual audit. The output is a security program that can answer most enterprise questionnaires in days instead of months, because the evidence already exists before anyone asks for it.

When the next questionnaire arrives, you forward it to your security vendor, get the completed response back in 48 hours, and the deal keeps moving.

The founders who build security infrastructure before they need it close enterprise deals. The ones who build it after spend six months catching up, if the deal waits.

There’s a reason companies like Vanta, Drata, and Oneleet exist and are growing fast. The problem is real and the market is large. What they validate is that security posture is now a prerequisite for B2B growth, not an afterthought.

The good news: at 20-30 people, the cost of building proper security infrastructure is a fraction of one lost enterprise deal. The math is not complicated. It just requires running it before the questionnaire arrives, not after.

Platforms like Osto exist precisely for this window — when you’re too early for an in-house security team but too far along to leave enterprise deals on the table. Learn more today.



