The Deal that Security Nearly Killed
A seed-stage SaaS had landed their first enterprise customer. Then came the security questionnaire: 200 questions, plus demands for penetration-test evidence, documented encryption practices, and an incident response plan.
The deal—worth more than their entire seed round—was now contingent on answers they didn't have. Eight engineers, no dedicated security function, and three weeks before the customer's security team decided their fate.
67% of companies have lost business because customers lacked confidence in their security. For a startup, that loss is existential.
The Fix: Triage, Then Act
Week One: Assess
We ran a focused grey-box assessment of the application, API, and cloud config. Automated tooling handled breadth; our testers focused on what actually matters—tenant isolation, authentication flows, and object-level access controls.
We found what we usually find: cross-tenant access gaps, over-permissive IAM roles, and unrotated secrets in the repository.
Week Two: Remediate by Risk
We fixed by real risk, not questionnaire order. Cross-tenant gaps went first—they were both the worst security risk and an automatic fail. Then IAM tightening and secret rotation.
We worked with their engineers, not around them. The team that would own the fixes implemented them, with reasoning explained so flaws wouldn't return.
Week Three: Prove It
Enterprise buyers want evidence. We retested every fix, produced a penetration test report with findings and resolutions, and helped them document the basics they were missing—access controls, encryption practices, and a lightweight incident response runbook.
The foundations of SOC 2 readiness for a startup.
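The cross-tenant finding, its fix, and the retest that closes it out, as an added Python example (not code from the engagement or from ZeroSight360). The invoice store, tenant names and handler shapes are constructed for illustration; a real service would run the same check against its live HTTP routes with one session per tenant.

```python
"""Object-level access control in a multi-tenant API: the vulnerable lookup,
the tenant-scoped fix, and a retest that enumerates cross-tenant reads.
All data below is constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant_id: str
    amount_cents: int


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str  # bound at login from the identity provider, never taken from the request


# Constructed sample data: two tenants with sequential, easily guessed IDs.
INVOICES = {
    101: Invoice(101, "acme", 120_000),
    102: Invoice(102, "acme", 45_000),
    201: Invoice(201, "globex", 999_900),
}
SESSIONS = [Session("alice", "acme"), Session("bob", "globex")]


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(session: Session, invoice_id: int) -> Invoice:
    """Before the fix: the caller is authenticated but never authorized.
    Any logged-in user can read any tenant's invoice by guessing the ID
    (broken object-level authorization, a.k.a. IDOR)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(session: Session, invoice_id: int) -> Invoice:
    """After the fix: the session's tenant is part of the lookup key.
    A foreign object is reported exactly like a missing one, so an attacker
    cannot use the response code to learn which IDs exist in other tenants."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != session.tenant_id:
        raise NotFound(invoice_id)
    return inv


def retest_tenant_isolation(handler, sessions, objects):
    """Retest used to prove the fix: for every session, try every object that
    belongs to a different tenant. Any call that returns an object instead of
    raising NotFound/Forbidden is a leak. Returns the list of
    (user_id, object_id) leaks; an empty list means the check passes."""
    leaks = []
    for session in sessions:
        for obj_id, obj in objects.items():
            if obj.tenant_id == session.tenant_id:
                continue  # same tenant: legitimate access, not part of this check
            try:
                handler(session, obj_id)
            except (NotFound, Forbidden):
                continue  # correctly denied
            leaks.append((session.user_id, obj_id))
    return leaks


if __name__ == "__main__":
    print("before:", retest_tenant_isolation(get_invoice_vulnerable, SESSIONS, INVOICES))
    print("after: ", retest_tenant_isolation(get_invoice_fixed, SESSIONS, INVOICES))
```

The retest is deliberately exhaustive over tenant pairs rather than a single "alice reads bob's invoice" probe: the automatic-fail condition on a questionnaire is any cross-tenant read, and the same loop becomes the regression test that keeps the flaw from returning when a new endpoint is added.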
The Outcome
The customer's security team approved the vendor. The deal closed on schedule.
More importantly, the company emerged with security engineered into their system—not patched over it. The next enterprise questionnaire, six weeks later, took two days instead of three weeks of crisis.
What Made the Difference
It wasn't heroics. It was sequence and judgement: testing what scanners miss, fixing by real risk, and producing evidence enterprise buyers actually need.
A security review is usually a small number of real gaps wearing a 200-question costume. Fix those, prove it, and move on.
That's a three-week problem—not a three-quarter one—if you know where to look.
Facing a Security Review?
Request a readiness assessment. ZeroSight360 will tell you, fast, exactly where the real gaps are between you and a "yes."
ZeroSight360
Security Researcher at ZeroSight360