Enterprise deals die on the security questionnaire
Procurement teams at companies over 500 employees now run structured security questionnaires before any contract over $50K ARR. SOC 2 Type II is the baseline. ISO 27001 is required for international accounts. Pentest reports are requested as evidence. Incident response plans, BCP documentation, and vendor risk management policies are audited against the statements you made in the questionnaire.
Valtik works with B2B SaaS companies from seed stage through Series C preparing for this reality. We do the technical security work your compliance automation platform cannot do, in a sequence that supports your sales motion rather than blocking it.
The technology company security stack
Identity and access
SSO to every internal tool, MFA everywhere, privileged access management, and access reviews at least quarterly. Most early-stage companies do this poorly, and it becomes the primary audit exception.
Production security
Secrets management (Vault, AWS Secrets Manager, Doppler), least-privilege IAM, container and Kubernetes security, serverless security, CI/CD security, and supply chain security (SBOM, dependency scanning, artifact signing).
Application security
SAST in CI, DAST against staging, SCA for dependencies, security code review for critical paths, penetration testing annually plus before major releases.
Data security
Encryption at rest (KMS-backed), encryption in transit (TLS 1.2+), key rotation, data classification, customer data isolation, tenant isolation in multi-tenant systems.
Logging, monitoring, detection
Centralized logging with retention, security alerting, anomaly detection, EDR on endpoints, response procedures tested in tabletop exercises.
Vendor risk management
Every vendor handling data gets a risk assessment. High-risk vendors are reviewed annually. BAAs, DPAs, and cyber insurance requirements flow through vendor contracts.
Growth-stage engagements
Seed to Series A
Security baseline assessment, access review, penetration test of the production app, incident response plan. Typical engagement $15K-$40K. Gets you ready for the first enterprise customers who request security evidence.
Series A to B
SOC 2 Type I readiness, then SOC 2 Type II prep. Annual penetration test, quarterly access reviews, formal vendor risk management. Typical first-year spend $50K-$120K including the audit itself.
Series B+
Dual certification path (SOC 2 + ISO 27001), formal security program with dedicated engineering, bug bounty program, continuous penetration testing, threat modeling integrated into product development.
Services for technology companies
- SOC 2 Readiness Assessment
- ISO 27001:2022 readiness and dual-certification strategy
- Annual penetration testing (external + internal + application)
- Cloud security posture review (AWS, GCP, Azure)
- Kubernetes and container security
- API security testing (OWASP API Top 10)
- Incident response program design and tabletop facilitation
- Security questionnaire response support
- Bug bounty program design and triage
Platform-specific expertise
We have done deep security research across the stack modern SaaS runs on: Supabase, Hasura, Clerk, Auth0, Firebase, AWS, Kubernetes, Next.js, Docker, GitHub Actions, Terraform, Vault, Sentry, Elastic, and more. Our engagements apply that research directly to your environment, and our blog documents many of the attack patterns we find.
