Cloud Sentry

The Questionnaire That Killed a $2M Deal: What Enterprise Buyers Actually Check

A 200-question security questionnaire arrives on day 45 of the enterprise sales cycle. Most mid-market sellers treat it as a checkbox. Enterprise buyers use it as a gate. Here is what they are really checking.

A $2M deal is 45 days in. The technical evaluation is clean. Legal terms are close. Then a 200-question security questionnaire lands, due in two weeks, and the sales cycle stalls.

By day 60, the questionnaire is three-quarters complete. The buyer asks about SOC 2. You reply that it is in progress. By day 75, the buyer has moved to a vendor that had SOC 2 Type 2 and could answer the questionnaire in three days.

The deal was not lost on the product. It was lost on a set of patterns enterprise buyers check that mid-market sellers usually underestimate.

The Questionnaire Behind the Questionnaire

The visible document has 200 specific questions. The questions behind it are five:

  • Do they have a security program, or are they just running IT?
  • Is there a named security owner we can hold accountable?
  • Can they prove their claims with evidence we can show an auditor?
  • Will they respond to an incident in a way that protects us, or just themselves?
  • Are they actually doing this every day, or only when someone asks?

The 200 specific questions are the way the buyer triangulates the five. Answer the 200 without internalizing the five and you will still lose.

Four Questions That Auto-Disqualify You

For many enterprise procurement teams, the answers to these four questions are binary gates:

1. "Do you have SOC 2 Type 2, ISO 27001, or an equivalent?"

"In progress" is usually a soft no. If your buyer's procurement team has a policy that requires it, the conversation pauses until you have it. The cost of SOC 2 Type 2 is almost always less than one enterprise deal.

2. "Who is your CISO or security lead, and what are their qualifications?"

"Our CTO handles security" is a flag. Enterprise buyers want a named role with independent accountability. A fractional CISO is a legitimate answer. No named owner is a hard stop for many procurement teams.

3. "Please attach your incident response plan and evidence of the most recent tabletop exercise."

If you do not have both, you are signaling that incidents will be improvised. Buyers at scale have seen that play out badly enough that many of them will not risk it.

4. "Please attach your most recent penetration test report."

Your bug bounty page is not the same thing. Your MSP's vulnerability scan is not the same thing. A current third-party pentest with remediation notes is the expected artifact.

What Ready Looks Like

Being enterprise-ready means you can produce the following in days, not weeks:

  • A current SOC 2 Type 2 report under NDA
  • A current pentest report, less than 12 months old, with remediation notes
  • A security policies document set, approved and dated
  • Your IR plan with tabletop evidence
  • A signed subprocessor list
  • An MFA coverage report
  • A named security lead with title, role, and escalation path

The above fits in a folder. The question is whether that folder is ready to send on day 1 of the security review, or whether you are building it during the review.

Response Time Is a Sales Weapon

A questionnaire returned in three days tells the buyer you have your act together. A questionnaire returned in three weeks tells them you do not. Response time is the single most undervalued sales signal in enterprise procurement.

Short response time requires a living knowledge base of your controls, not a scramble. The company that answers in three days built that knowledge base months ago.

Where Cloud Sentry Fits

We maintain that record of controls and evidence inside your portal, answer questionnaires on your behalf, and compress response time from weeks to days. When the buyer wants proof, we hand it over through the Evidence Vault: watermarked, time-bounded, scoped to the framework they asked about. For companies selling up market, this is frequently the highest-leverage thing we do. We do not close your deals. We stop questionnaires from killing them.
