What to Do When a Big Customer Sends You a Security Questionnaire (and You Don't Have SOC 2)

Alexander Sverdlov

Security Analyst

5/6/2026

Vendor Security · Sales Enablement · May 2026

Your biggest prospect just sent you a 220-question security assessment. The deal is worth more than your last round. The deadline is seven days. You don't have SOC 2. Here is what to do, in order, written from a decade of getting small companies through this exact moment.

Key Takeaways

  • Most vendor security questionnaires are not really asking what they ask - they are asking "can we trust you with our data?"
  • You do not need SOC 2 to win the deal. You need credible evidence that you take security seriously and that an independent professional has looked at your environment
  • A Third-Party Security Attestation Letter from a reputable firm satisfies enterprise procurement in most cases. It costs a fraction of SOC 2 and ships in two weeks
  • Never write "N/A" on a security questionnaire. Every "N/A" looks like "I don't know what this means" to a procurement reviewer
  • A trust portal with seven specific documents will end about 70 percent of follow-up questions before they are asked
  • SOC 2 is worth pursuing once you have three or more enterprise prospects asking for it within a single sales cycle, not before

Last quarter we picked up the phone to a five-person dev shop. Their CEO had that flat, slightly-too-calm voice that comes after the third coffee and the realization that the company's largest contract ever might not happen.

The story was familiar. They had been in talks for four months with a Fortune 500 retailer. The contract was $640,000 in year one with a three-year option. They had aced the technical evaluation. Then the procurement team sent a 217-question vendor security assessment with a seven-day turnaround and a one-line note: "Please complete in full. Incomplete responses cannot be processed."

They had no SOC 2. They had no ISO 27001. They had no formal information security program. They had a smart engineer who had set up reasonable AWS defaults two years ago and an MDR alert that had never fired. They wanted to know if they should buy Vanta on the spot, sprint to SOC 2, or just write "N/A" 217 times and hope.

None of those are the right answer. The right answer is the playbook below, and we walked them through it on a Thursday afternoon. They closed the deal eleven days later.

Step One

What Is Actually Inside a Vendor Security Questionnaire

Before you answer a single question, understand what the document actually is. Vendor security questionnaires (VSQs) are written by procurement teams who do not entirely trust their own security teams to be reasonable about every supplier. They are templates. The big retailer that just sent you 217 questions sent the same 217 questions to a payroll vendor and a printing service.

The most common templates you will encounter are the SIG (Standardized Information Gathering) Lite, SIG Core, the CAIQ (Consensus Assessments Initiative Questionnaire) for cloud providers, and a long tail of homegrown templates that tend to be Frankenstein quotations from all of the above. Once you can recognize them, you can prepare a single set of answers and reuse them everywhere.

Figure 1 (Anatomy of a Vendor Security Questionnaire): six recurring sections that account for ~85% of all questions.

  • Governance (policies, owners, training): ~12% of questions
  • Access & Identity (MFA, SSO, offboarding): ~18% of questions
  • Data Protection (encryption, retention): ~22% of questions
  • Operations (patching, backups, monitoring): ~16% of questions
  • Incident Response (detection, breach notification): ~10% of questions
  • Vendor & Subcontractors (subprocessors, due diligence): ~7% of questions

The remaining ~15% covers product-specific items: payment data, PHI, child data, country-of-residence, custom contractual flags. These are the questions you actually have to think about. The other 85% should come from a reusable answer library.

Figure 1. Six categories cover roughly 85% of all questions you will ever see in a vendor security questionnaire.

The implication is liberating. You will answer the same 200 questions, in slightly different wording, again and again across customers. Build the answer library once and the questionnaire stops being a panic event and becomes a document copy-paste exercise that takes you about ninety minutes.

Step Two

The Five Worst Things You Can Do

We have seen all of these. Most of them in the same week.

1. Writing "N/A" everywhere

Every "N/A" reads as "I do not understand this question" to the reviewer. If a control truly does not apply (you do not store payment cards, so PCI-DSS does not apply), say so explicitly: "Not applicable: we do not store, process, or transmit payment card data; payments are handled by Stripe and we use the Stripe-hosted checkout." One sentence. The "N/A" becomes a thoughtful answer.

2. Lying or stretching the truth

If you do not encrypt data at rest in your database, do not write "yes." Procurement teams routinely re-issue the same questionnaire eighteen months later. Inconsistent answers across years are the single fastest way to lose a renewal. They are also why some companies end up in lawsuits when a breach reveals the original answer was a fabrication.

3. Sprinting to buy SOC 2 compliance software at 11pm

SOC 2 is a six-to-twelve month exercise. You will not have a Type 1 report in seven days, and the existence of a Vanta dashboard with 73% of controls red is not an answer. The marginal credibility you gain from "we are pursuing SOC 2" is real, but it is much smaller than the credibility from a third-party security attestation letter that lands inside the deadline.

4. Letting your most senior engineer answer it alone

Your senior engineer is the right person to answer the technical questions. They are usually the wrong person to answer the policy questions, the legal questions, and the procurement-language questions. A questionnaire mixes all four. Without coordination, the engineer answers literally ("we do not have a written incident response policy") when the truthful answer is contextual ("we have an incident response runbook in our team handbook, and we are formalizing it; the runbook is attached as Appendix C").

5. Ignoring the deadline and asking for a six-week extension

Procurement teams interpret extension requests as a signal that you are unprepared. Sometimes you genuinely need extra time. Ask for two extra business days, not six weeks. Frame the ask around quality of answers, not difficulty: "We want to give you accurate, evidence-backed answers rather than a rushed first pass. May we have until Tuesday?"

Step Three

The Five Right Moves, In Order

1. Read the entire questionnaire end to end before answering anything

Half the questions overlap. You will see "Do you encrypt data at rest?" three times in three sections, and you will see contradictory questions ("Do you store cardholder data? / What is your card data retention period?"). Reading first lets you answer consistently and helps you spot the questions that genuinely require you to talk to your AWS account or your legal counsel.

2. Decide your three flagship answers and write them carefully

There are three answers procurement reviewers actually read in detail: encryption (in transit and at rest), incident response and breach notification, and access management (especially MFA and offboarding). Write these three as if they were a press release. Use specific evidence: TLS 1.3 minimums, AES-256 with KMS, 24-hour notification commitments, mandatory MFA via Okta/Workspace/AAD. Specificity beats marketing language.

3. Get a Third-Party Security Attestation Letter

This is the single highest-leverage move. A reputable security firm performs a focused two-week assessment of your environment and issues a signed attestation letter on letterhead, stating how the assessment was scoped and conducted and that no critical findings remain open at the time of the letter. It is not SOC 2 and does not pretend to be. But for procurement teams it is someone other than the founder vouching for the company - which is the actual question they are asking. We deliver these from $5,000 in two weeks; this is exactly the engagement we built our IT Security Audit service around.

4. Build a one-page Trust Portal and link to it

A trust portal is a single password-protected page (or a public page if you are confident) on your domain at /trust or trust.yourdomain.com that hosts the seven documents listed in Section 5 below. Reference it from your questionnaire answers ("see Trust Portal section 3"). Reviewers love it. They are also human - they prefer downloading a PDF to typing the same question forty times.

5. Build the answer library and reuse it

Every question you have answered carefully once goes into a private repository (Notion, a Google Doc, your favorite tool). When the next questionnaire arrives, your job is to find the existing answer and decide if it still applies. The first questionnaire takes ninety hours of work. The fifth questionnaire takes ninety minutes.

Figure 2 (Wrong vs Right: Vendor Security Questionnaire Response):

  • Wrong: "N/A" or blank fields. Right: explanatory non-applicability.
  • Wrong: stretch the truth on encryption. Right: specific tech (TLS 1.3, AES-256).
  • Wrong: buy SOC 2 software at 11pm. Right: third-party attestation letter.
  • Wrong: senior engineer answers alone. Right: cross-functional review team.
  • Wrong: six-week extension request. Right: 48-hour ask framed as quality.
  • Wrong: marketing language as answer. Right: evidence-backed precise answers.
  • Wrong: one-off effort, no reuse. Right: build a reusable answer library.

Figure 2. The seven decisions that change a questionnaire response from a panic exercise into a routine sales motion.

Step Four

The Minimum Viable Security Package You Can Ship in Seven Days

If you have nothing today and a deadline of next Friday, here is the absolute minimum that will get you through. Every item on this list can be done in a week without buying any new software. We have shipped this exact package to dozens of clients before they had any compliance program at all.

Each item below gives what to ship, why it matters, and the time it takes.

  1. MFA enforced everywhere (2 hours). If you cannot answer "yes" to mandatory MFA, the questionnaire is dead. Use Google Workspace, Microsoft 365, or Okta enforcement.
  2. Written information security policy (1 day). A 6-page document covering scope, ownership, classification, access, incident response, vendor due diligence. Use NIST CSF or ISO 27002 as a skeleton.
  3. Incident response runbook (half day). A two-page document: who to call, when to escalate, breach notification clock, communications template. Tabletop-tested with the team.
  4. Acceptable use policy (2 hours). Signed by every employee. Tells them what they can and cannot do on company devices. Procurement loves seeing this exists.
  5. Encryption at rest and in transit confirmed (3 hours). RDS/S3/EBS encryption enabled with KMS-managed keys, TLS 1.2 minimum on all endpoints. Verify, screenshot, document.
  6. Asset and subprocessor inventory (half day). A spreadsheet listing all SaaS tools that touch customer data, every cloud account, every third-party processor. Procurement always asks.
  7. Vulnerability scanning baseline (2 hours). One run of an automated scanner (e.g. AWS Inspector, Tenable, or even open-source nuclei) against your prod environment. Save the report.
  8. Third-party security attestation letter (2 weeks). External independent confirmation. The single most credible artifact you can hand a reviewer who has been told "we cannot SOC 2 in time."

If your timeline is seven days, items one through seven are immediately reachable on your own. The attestation letter requires an external firm and is the part where most companies bring us in. Two weeks from kickoff to signed letter, fixed pricing from $5,000, paid only after delivery. We sit with your engineering team, review the controls, document the evidence, and produce both the technical report and the procurement-friendly letter you can attach to the questionnaire.
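For the "verify, screenshot, document" part of the encryption-at-rest item, here is an added example (not from the article and not Atlant Security's own tooling): a Python check that reads the JSON you would export with the AWS CLI for RDS, EBS and S3 and lists every resource that is not encrypted with a KMS key, so you know what to fix or disclose before writing "yes". The sample responses are constructed, and the account id, key id and resource names are placeholders.

```python
import json

# Constructed sample responses shaped like the AWS CLI output of
# `aws rds describe-db-instances`, `aws ec2 describe-volumes` and
# `aws s3api get-bucket-encryption --bucket <name>` (collected per bucket).
# Account id, key id and resource names are placeholders, not real values.
SAMPLE_RDS = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": false}]}""")
SAMPLE_EBS = json.loads("""{"Volumes": [
  {"VolumeId": "vol-0a1b2c3d4e5f67890", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"VolumeId": "vol-0fedcba9876543210", "Encrypted": false}]}""")
SAMPLE_S3 = {
    "customer-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "static-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}

def rds_findings(doc):
    # One finding per RDS instance: is storage encrypted, and with a KMS key?
    return [{"resource": "rds:" + db["DBInstanceIdentifier"],
             "encrypted": bool(db.get("StorageEncrypted")),
             "kms": bool(db.get("KmsKeyId"))} for db in doc["DBInstances"]]

def ebs_findings(doc):
    # One finding per EBS volume; an unencrypted volume carries no KmsKeyId.
    return [{"resource": "ebs:" + v["VolumeId"],
             "encrypted": bool(v.get("Encrypted")),
             "kms": bool(v.get("KmsKeyId"))} for v in doc["Volumes"]]

def s3_findings(buckets):
    # SSE-S3 ("AES256") counts as encrypted but not KMS-managed, which is
    # the distinction the "KMS-managed keys" wording commits you to.
    out = []
    for name, cfg in buckets.items():
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algo = rules[0]["ApplyServerSideEncryptionByDefault"].get("SSEAlgorithm") if rules else None
        out.append({"resource": "s3:" + name, "encrypted": algo is not None,
                    "kms": algo == "aws:kms"})
    return out

def gaps(findings):
    # Resources that block a truthful "yes" to KMS-managed encryption at rest;
    # fix them, or disclose them in the answer, before you write "yes".
    return sorted(f["resource"] for f in findings
                  if not (f["encrypted"] and f["kms"]))

def evidence_summary(rds=SAMPLE_RDS, ebs=SAMPLE_EBS, s3=SAMPLE_S3):
    findings = rds_findings(rds) + ebs_findings(ebs) + s3_findings(s3)
    return {"checked": len(findings), "gaps": gaps(findings)}

if __name__ == "__main__":
    print(json.dumps(evidence_summary(), indent=2))
```

Keep the exported JSON next to the screenshots; it is the evidence a reviewer or the attestation firm can re-check later.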

Step Five

The Seven-Day Crash Plan

Figure 3 (The Seven-Day Crash Plan): day by day from "we got the questionnaire" to "we hit submit".

  1. Triage: read end to end, identify owners, engage external firm.
  2. Stabilize: enforce MFA, encryption baseline, scanner first run.
  3. Document: info-sec policy, IR runbook, AUP signed.
  4. Inventory: asset list, subprocessors, data flow map.
  5. Draft answers: three flagship items, trust portal page, cross-team review.
  6. Polish: legal review, evidence attached, CEO sign-off.
  7. Submit: trust portal live, letter on letterhead, follow-up plan.

Critical path: engage the external attestation firm on Day 1. Two-week delivery means the letter is in your hand on Day 14 - past the original deadline, but the most credible artifact in the package. Submit the questionnaire on Day 7 with a note: "Independent third-party attestation expected by [Day 14]; we will share the signed letter immediately."

Figure 3. A realistic seven-day crash plan from "questionnaire received" to "submit." The attestation letter delivery is the only item that extends past Day 7.
Step Six

The Seven Documents That Belong in Your Trust Portal

A trust portal is a single page on your domain (typically /trust or trust.yourdomain.com) where prospects and existing customers can find security documentation without emailing your sales rep. The page can be public or gated behind a simple email form. Every document should have a "last reviewed" date.

  1. Information Security Policy - 6 to 8 pages, mapped to NIST CSF or ISO 27002 categories. Approved and signed by your CEO.
  2. Acceptable Use Policy - one page, signed by every employee on hire and annually. Procurement reviewers love this.
  3. Incident Response Plan - one to two pages. Who, when, how, and the breach notification clock you commit to.
  4. Subprocessor List - which third-party services touch customer data. Hosted publicly is best; updates are easier and customer trust is higher.
  5. Data Processing Addendum - GDPR DPA template, with EU SCCs ready to sign. If you cannot offer a DPA in 24 hours, you will lose EU deals.
  6. Most Recent Security Assessment Letter - the third-party attestation, redacted as needed. Single biggest credibility item on the page.
  7. Vulnerability Disclosure Policy - one paragraph. Tells security researchers how to report issues. Signals maturity.

When a procurement reviewer can answer 70 percent of their questions by clicking through your trust portal, you save them time and you save yourself an entire pass of the questionnaire. The first time you build it takes a week. After that it is a quarterly maintenance task that takes about an hour.

Step Seven

When Does SOC 2 Actually Become Worth Pursuing?

SOC 2 is real work. A first Type 1 typically costs $30,000 to $80,000 all-in (auditor plus implementation help) and takes three to six months. Type 2 adds a 6 to 12 month observation period. It is not a question of whether the standard is good - it is a question of when the cost makes sense.

Figure 4 (Decision tree: When Does SOC 2 Become Worth Pursuing?):

  • Are 3+ enterprise prospects asking for SOC 2 in one cycle? No: use a Third-Party Attestation Letter for now. Yes: ask the next question.
  • Will the deals close before SOC 2 can be delivered? Yes: bridge with attestation, start SOC 2 in parallel. No: start SOC 2 Type 1 now, target 12-week delivery.

Rule of thumb: SOC 2 pays for itself when the next 12 months of deal flow contains $500K+ in committed pipeline that lists SOC 2 as a procurement requirement.

Figure 4. A simple decision tree for the "should we just sprint to SOC 2" question. The answer is usually "not yet."

Most early-stage companies fail this decision because they make it once, in panic, after one prospect demands SOC 2. They commit to the spend, and then no other prospect asks for it for nine months. Wait for the pattern. The pattern is usually three or more enterprise asks in a single quarter.

How Atlant Security Helps

Two-Week Third-Party Security Attestation

When a deal is on the line and SOC 2 is months away, our IT Security Audit gives you a credible independent assessment in two weeks. We review your environment against a 20-domain framework, document the evidence, and issue a signed attestation letter on Atlant Security letterhead suitable for sharing with enterprise procurement.

  • Fixed pricing from $5,000
  • Two-week delivery from kickoff
  • Pay after you receive and review the report
  • Senior consultant on every engagement, never juniors
  • Letter and full technical report - one for procurement, one for your engineers

Frequently Asked

Questions We Hear Every Week

How long does a Third-Party Security Attestation Letter actually take?

Two weeks from kickoff to signed letter for a typical SaaS environment with under 50 employees. Larger environments or multi-region cloud setups can take three weeks. We have not had an engagement run longer than that since 2022.

Will an attestation letter actually satisfy a Fortune 500 procurement team?

In our experience, yes - in roughly 80 percent of cases. The letter answers the underlying question ("has anyone independent looked at this company's security?") even when it is not a SOC 2. The remaining 20 percent are companies whose internal procurement policy hard-codes SOC 2 as a requirement. For those, you bridge with the attestation while you start SOC 2.

Can you help us actually answer a 200-question questionnaire, not just give us a letter?

Yes. As part of the audit engagement, we provide draft answers to common SIG and CAIQ questions based on what we observed during the assessment. This is usually a multi-day exercise on its own and clients tell us it is one of the more valuable parts of the report.

Does Vanta or Drata replace this?

Vanta and Drata are excellent compliance automation platforms. They are not security assessments and they do not produce attestation letters. They monitor controls; an external firm validates that the controls are real and effective. The two are complementary - we work alongside Vanta and Drata regularly.

What happens if the assessment turns up a critical finding mid-engagement?

We tell you immediately, recommend remediation, and either help you remediate before issuing the letter or note the open finding in the letter with the remediation plan and target date. We will not issue a clean letter when there is something material that customers should know about.

We are not a SaaS company. Can you still help?

Yes. The same engagement works for fintech, healthtech, manufacturing, professional services, and non-profits. The control framework adjusts to the environment. We have done attestation work for an EdTech, an asset manager, a five-person dev shop, and a global manufacturer in the same quarter.

If you are reading this on a Wednesday with a Friday deadline, the most important thing you can do in the next sixty minutes is decide which of the eight items in Section 4 you are going to ship by tomorrow. The next most important thing is whether you want an external firm in the loop for the attestation. Both decisions get easier the moment you stop treating the questionnaire as a final exam and start treating it as a sales artifact.

Your prospect is not trying to fail you. They are trying to give their procurement team a story they can defend. Give them that story.

Need help by Friday? Book a 30-minute consultation or email alexander@atlantsecurity.com directly.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.