Tags: Enterprise Security, SaaS, Compliance

What Enterprise Security Reviews Actually Check (and How SaaS Vendors Pass Them)

Learn how to pass an enterprise security review as a SaaS company: real questionnaire items, controls, evidence, and the technical fixes that block most deals.

WebSentry Team · May 22, 2026 · 6 min read

Closing a six-figure enterprise contract often comes down to a single PDF: the security questionnaire. Procurement holds the deal, legal holds the contract, and InfoSec holds the veto. If you're a SaaS founder or engineer who has watched a deal stall for weeks because of a CAIQ spreadsheet, you already know the cost of being unprepared.

Here's what enterprise security teams are actually looking for, the controls you need in place before the review starts, and the technical hygiene that decides whether you get fast-tracked or sent back with 80 follow-up questions.

What an enterprise security review actually covers

Most reviews pull from one of three frameworks: the CSA CAIQ (Consensus Assessments Initiative Questionnaire), SIG (Standardized Information Gathering), or a custom questionnaire derived from ISO 27001 / SOC 2 controls. Expect questions across these domains:

  • Organizational security — background checks, security training, dedicated security personnel
  • Access control — SSO, MFA, least privilege, joiner/mover/leaver process
  • Data protection — encryption at rest and in transit, key management, data residency
  • Application security — SDLC, code review, dependency scanning, pen testing
  • Infrastructure security — network segmentation, hardening, patching cadence
  • Incident response — runbooks, notification SLAs, post-mortem process
  • Vendor management — your subprocessors and how you assess them
  • Business continuity — RTO/RPO, backup testing, DR drills

If you can't answer 80% of these with a documented "yes" plus evidence, you're not ready.

The non-negotiables before you even start

1. Get SOC 2 Type II or ISO 27001

Without one of these, most Fortune 1000 buyers won't even open your questionnaire. SOC 2 Type II is the faster path for US-centric SaaS — budget 6–9 months and roughly $25,000–$60,000 for a first audit including a tool like Vanta, Drata, or Secureframe. ISO 27001 is preferred for European and multinational buyers.

2. Publish a trust center

A public trust page at trust.yourdomain.com with your SOC 2 report (NDA-gated), subprocessor list, security whitepaper, and uptime status answers half the questionnaire before it's asked. Tools like SafeBase, Drata Trust, or even a well-built static page work.

3. Enforce SSO and SCIM on enterprise plans

If SSO is locked behind a custom contract or priced as a premium add-on at a 5x markup, expect pushback. Enterprises want SAML 2.0 with their IdP (Okta, Azure AD, Google) and SCIM for automated user provisioning and deprovisioning.

4. Document your data flows

Maintain a clear data flow diagram showing: what customer data you collect, where it's stored, which subprocessors touch it, and how it's deleted. This single artifact answers dozens of questionnaire rows.

The technical controls that get scrutinized

Encryption

  • TLS 1.2 minimum, TLS 1.3 preferred, on every public endpoint including marketing sites and status pages
  • AES-256 at rest with managed keys (AWS KMS, GCP KMS, or Azure Key Vault)
  • Field-level encryption for sensitive PII where feasible
  • HSTS with a preload-ready policy

Web application security posture

Reviewers will often run their own external scan against your product domains. They'll check for missing headers, weak ciphers, exposed admin paths, and misconfigured CORS. A failing grade here triggers an immediate round of follow-ups even if your SOC 2 is clean.

Before submitting any questionnaire, run your production domains through WebSentry and fix anything below a B grade. The scan flags missing security headers, weak CSP, insecure cookies, certificate issues, and CORS misconfigurations — exactly the surface area enterprise scanners target.

Headers and CSP

At minimum, have:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy with no unsafe-inline on script-src (use nonces or hashes)
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy restricting camera, microphone, geolocation by default
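The checks above are easy to script before a reviewer runs them for you. The following is an added example written for this article, not WebSentry's scanner or any vendor's code: it grades a captured set of response headers against exactly the minimums listed (one-year HSTS with includeSubDomains and preload, no 'unsafe-inline' in the effective script-src, nosniff, a strict Referrer-Policy, and a Permissions-Policy that names camera, microphone and geolocation). The two header sets are constructed samples; the nonce value is a placeholder.

```python
"""Grade an HTTP response header set against the article's minimum header list.

Added example, not WebSentry's scanner. Header names and thresholds come from
the list above; WEAK_HEADERS and HARDENED_HEADERS are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: what a default framework deployment often ships with.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# Constructed sample: the hardened target. The nonce is a placeholder value.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

ONE_YEAR = 31536000
RESTRICTED_FEATURES = ("camera", "microphone", "geolocation")
# Referrer-Policy values at least as strict as the article's minimum.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source expressions]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_hsts(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Strict-Transport-Security missing"]
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if match is None or int(match.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below 31536000")
    lowered = value.lower()
    if "includesubdomains" not in lowered:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in lowered:
        findings.append("HSTS missing preload")
    return findings


def check_csp(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Content-Security-Policy missing"]
    directives = csp_directives(value)
    # script-src falls back to default-src when it is not set explicitly.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP sets neither script-src nor default-src"]
    if any(src.lower() == "'unsafe-inline'" for src in script_src):
        return ["CSP script-src allows 'unsafe-inline'"]
    return []


def check_permissions_policy(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Permissions-Policy missing"]
    declared = {item.split("=", 1)[0].strip().lower() for item in value.split(",")}
    return [f"Permissions-Policy does not restrict {f}" for f in RESTRICTED_FEATURES if f not in declared]


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return every gap against the minimum header set; an empty list is a pass."""
    findings = check_hsts(_get(headers, "Strict-Transport-Security"))
    findings += check_csp(_get(headers, "Content-Security-Policy"))
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if (_get(headers, "Referrer-Policy") or "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy is weaker than strict-origin-when-cross-origin")
    findings += check_permissions_policy(_get(headers, "Permissions-Policy"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {check_headers(hdrs) or 'no findings'}")
```

Feed it the headers from a real response (for example the dictionary a `curl -I` capture parses into) and compare the result with the seven findings the weak sample produces; the CSP check deliberately resolves the script-src fallback, because a policy that only sets `default-src 'unsafe-inline'` is just as weak as one that says it on `script-src`.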

Cookies

Every session cookie must carry Secure, HttpOnly, and an appropriate SameSite attribute. Missing HttpOnly on an auth cookie is a near-automatic rejection.
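The cookie rule is mechanical enough to automate against the Set-Cookie lines a response actually sends. The block below is an added example, not WebSentry's scanner or any framework's code: a minimal Set-Cookie parser plus an audit that reports a missing Secure or HttpOnly flag, a missing SameSite attribute, and the SameSite=None-without-Secure combination that browsers refuse to store. The four sample lines and the cookie names are constructed.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite.

Added example, not WebSentry's scanner. The parser is a minimal one written
for this illustration; SAMPLE_SET_COOKIE_LINES is a constructed sample.
"""
from typing import Dict, List, Tuple

# Constructed sample: three common mistakes and one correct session cookie.
SAMPLE_SET_COOKIE_LINES = [
    "legacy_sid=7a1f9c; Path=/; HttpOnly",                       # no Secure, no SameSite
    "sid=7a1f9c; Path=/; Secure; HttpOnly; SameSite=Lax",        # correct
    "app_sid=7a1f9c; Path=/; Secure; SameSite=Strict",           # no HttpOnly: script can read it
    "sso_sid=7a1f9c; Path=/; HttpOnly; SameSite=None",           # None without Secure
]


def parse_set_cookie(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute-lowercased: value}); flag attributes map to ''."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(line: str) -> List[str]:
    """Findings for one Set-Cookie line; an empty list means the cookie passes."""
    _, attrs = parse_set_cookie(line)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite (set Lax or Strict explicitly)")
    elif same_site == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that are not also marked Secure.
        findings.append("SameSite=None requires Secure")
    elif same_site not in ("lax", "strict", "none"):
        findings.append(f"unrecognised SameSite value {same_site!r}")
    return findings


def audit_response(set_cookie_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of one response, keeping header order."""
    return [(parse_set_cookie(line)[0], audit_set_cookie(line)) for line in set_cookie_lines]


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_SET_COOKIE_LINES):
        print(f"{name}: {findings or 'ok'}")
```

Run it over every Set-Cookie header a login response returns, not just the first; responses frequently set a hardened session cookie and a second, forgotten cookie without HttpOnly on the same domain.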

DNS hygiene

  • SPF, DKIM, and DMARC configured with p=reject or at minimum p=quarantine
  • CAA records limiting who can issue certs for your domain
  • No dangling CNAMEs pointing to deprovisioned services (subdomain takeover risk)
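The three DNS items above can be checked from the records themselves. The following is an added example, not WebSentry's scanner or a vendor tool: it reads an in-memory zone (so it runs offline), parses the DMARC tags, checks that exactly one SPF record exists and does not end in +all, requires a CAA issue record, and flags any CNAME whose target no longer resolves. The zone, the domain names and the `resolves` callback are constructed; to run it against a live domain you would replace the zone lookup and the callback with a real resolver such as dnspython.

```python
"""Audit SPF, DMARC, CAA and CNAME targets for the DNS hygiene items above.

Added example, not WebSentry's scanner. SAMPLE_ZONE, SAMPLE_LIVE_TARGETS and
all domain names are constructed; the resolves() callback stands in for a
real resolver so the example runs offline.
"""
from typing import Callable, Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]  # (name, record type) -> record strings

# Constructed zone with one problem per control: DMARC p=none, no CAA, a dead CNAME.
SAMPLE_ZONE: Zone = {
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailer.test ~all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("example.test", "CAA"): [],
    ("old-docs.example.test", "CNAME"): ["retired-site.hosting.test"],
    ("status.example.test", "CNAME"): ["page.statusvendor.test"],
}
# Targets that still answer in the constructed world; anything else is dangling.
SAMPLE_LIVE_TARGETS = {"page.statusvendor.test"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: List[str]) -> List[str]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 allows exactly one)"]
    if spf[0].split()[-1].lower() == "+all":
        return ["SPF ends in +all, which authorises every sender"]
    return []


def check_dmarc(txt_records: List[str]) -> List[str]:
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    policy = parse_dmarc(dmarc[0]).get("p", "").lower()
    if policy not in ("reject", "quarantine"):
        return [f"DMARC policy is p={policy or 'missing'}; needs reject or at minimum quarantine"]
    return []


def check_caa(caa_records: List[str]) -> List[str]:
    # A CAA record looks like: 0 issue "ca-name.example"; only the issue tag is checked here.
    if not any(" issue " in f" {r} " for r in caa_records):
        return ["no CAA issue record: any public CA may issue for the domain"]
    return []


def check_cnames(zone: Zone, resolves: Callable[[str], bool]) -> List[str]:
    findings = []
    for (name, rtype), targets in zone.items():
        if rtype != "CNAME":
            continue
        for target in targets:
            if not resolves(target):
                findings.append(f"{name} is a CNAME to {target}, which no longer resolves (takeover risk)")
    return findings


def audit_zone(apex: str, zone: Zone, resolves: Callable[[str], bool]) -> List[str]:
    """All DNS findings for one apex domain; an empty list is a pass."""
    findings = check_spf(zone.get((apex, "TXT"), []))
    findings += check_dmarc(zone.get((f"_dmarc.{apex}", "TXT"), []))
    findings += check_caa(zone.get((apex, "CAA"), []))
    findings += check_cnames(zone, resolves)
    return findings


def fixed_zone() -> Zone:
    """The constructed zone after remediation: p=reject, a CAA record, dead CNAME removed."""
    zone = {key: list(values) for key, values in SAMPLE_ZONE.items()}
    zone[("_dmarc.example.test", "TXT")] = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]
    zone[("example.test", "CAA")] = ['0 issue "ca-name.example"']
    del zone[("old-docs.example.test", "CNAME")]
    return zone


if __name__ == "__main__":
    live = SAMPLE_LIVE_TARGETS.__contains__
    print("before:", audit_zone("example.test", SAMPLE_ZONE, live))
    print("after: ", audit_zone("example.test", fixed_zone(), live))
```

The dangling-CNAME check is the one that needs a real resolver to be meaningful: the risk is a CNAME to a hosting provider where the underlying resource has been deleted, so "resolves" should be whatever signal the provider gives for that state, not merely whether the name has an A record.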

Building your evidence library

The fastest way to turn a 4-week review into a 4-day review is having evidence ready. Maintain a shared folder (access-controlled) containing:

  1. Latest SOC 2 Type II report and bridge letter
  2. Pen test executive summary from the last 12 months
  3. Vulnerability management policy and a sample monthly scan report
  4. Incident response plan and a tabletop exercise log
  5. BCP/DR plan with last test date and results
  6. Information security policy, acceptable use policy, and code of conduct
  7. Architecture diagram and data flow diagram
  8. Subprocessor list with links to their compliance pages
  9. Sample DPA (Data Processing Agreement) pre-signed by your DPO
  10. Cyber insurance certificate

The pen test trap

Many SaaS companies treat the annual pen test as a checkbox. Enterprise reviewers don't. They will ask for:

  • The methodology (OWASP, PTES)
  • Scope — and if it excludes your main app, they'll notice
  • Whether it was authenticated and unauthenticated
  • Remediation evidence for any High or Critical findings

Use a reputable firm (NCC Group, Bishop Fox, Cobalt, Doyensec) and budget $15,000–$40,000 annually. A $2,000 automated scan labeled "pen test" gets caught immediately.

How to handle the questionnaire itself

Don't lie, don't pad, don't leave blanks

Reviewers compare your answers to your SOC 2 report and your live infrastructure. If you claim you encrypt all backups but your SOC 2 says "in progress," you've burned credibility for the whole review.

Use "compensating controls" honestly

If you don't have a specific control, describe the compensating control and the roadmap. "We do not currently support customer-managed encryption keys; data is encrypted with AWS KMS using per-tenant data keys. CMEK is on the H2 roadmap." That's an acceptable answer. "Yes" with no detail is not.

Pre-fill with a questionnaire automation tool

Loopio, Responsive (formerly RFPIO), or Vanta Questionnaire Automation can answer 60–80% of repeat questions from a knowledge base. The ROI shows up by the third deal.

Red flags that kill deals fast

  • An SSL Labs grade below A on your production app
  • A trust page with a SOC 2 report older than 14 months
  • Public S3 buckets or open Elasticsearch instances discovered in OSINT
  • Employees with personal Gmail addresses in your GitHub commits
  • A privacy policy that hasn't been updated since 2019
  • No DPA available, or one that excludes GDPR terms
  • Marketing site running on the same origin as the app with weak CSP

Most of these are findable in under an hour by a competent reviewer. They will be found.

Run the external scan before they do

The single highest-leverage action before submitting any enterprise questionnaire: scan your own attack surface the same way the buyer will. Run your app, marketing site, status page, and admin subdomains through WebSentry for a free A–F security grade across SSL, headers, CSP, cookies, DNS, and CORS. Fix anything that grades below a B, then submit with confidence.
