Security Review Readiness
8 min read

The Security Questionnaire Evidence B2B SaaS Buyers Actually Accept

Maps the common security-questionnaire questions to the concrete artifacts buyers and auditors actually accept — and the prose answers they quietly reject. With the exact export command for each.


A 90-row security questionnaire just landed in a shared spreadsheet, the buyer's security team is CC'd, and the deal owner wants it back by Friday. A week later the auditor's PBC list (Provided By Client) asks for the same things in slightly different language. You start typing answers. Most of them begin with "We have a policy that..." or "Yes, we enforce...".

Here is what you need to know before you send it: the reviewer on the other end has read a thousand of those sentences. The trap most teams fall into: they answer the questionnaire in prose. Prose is what gets flagged, looped back, and turned into a follow-up call that delays the deal by two weeks. What clears the review on the first pass is a concrete export — a file, a config dump, a query result with real numbers in it.

This article maps the questions you will actually get to the artifacts that actually clear them, and names where to export each one.

Why prose gets rejected

A questionnaire answer is a claim. An auditor's job — and increasingly a buyer's security engineer's job — is to verify the claim, not believe it. "We enforce MFA for all admins" is unfalsifiable as written. An IdP export that lists every admin with their MFA enrollment status is falsifiable: the reviewer can count the rows and see zero exceptions. That is the entire difference.

So the rule for every row below is the same: answer with the artifact, not the adjective. Paste a one-line answer, then attach the file that proves it. The sections that follow give you both halves for each common question.

Access controls: IAM and least privilege

This is where most questionnaires lead, and where most get stuck.

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Do you enforce least-privilege IAM?"Yes, roles are scoped to need."Per-role definition + member list showing no standing admin on prodAWS IAM credential report; GCP gcloud projects get-iam-policy <project>
Who has production access?"Only authorized engineers."Generated list of every principal with a prod-write role, with owner and last-used dateAWS IAM credential report (CSV); GCP IAM policy export
Are there unused / stale privileges?"We review access regularly."Credential report column showing password_last_used / access_key_last_used per userAWS IAM credential report

What gets accepted: the AWS IAM credential report. One call — aws iam generate-credential-report then aws iam get-credential-report — gives you a CSV with every user, their MFA status, key age, and last-used timestamps. On GCP, gcloud projects get-iam-policy <project> --format=json dumps every binding. Reviewers accept these because they are machine-generated and you can't hand-edit them into looking better without it being obvious.

The artifact teams skip: the last-used column. A reviewer who asks about least privilege is really asking "do you have standing admins who never use it?" The credential report answers that in a column you already have.

MFA enforcement

Nearly every questionnaire asks it. Almost nobody answers it correctly.

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Is MFA enforced for all admins?"MFA is enabled in our IdP."IdP enforcement policy export + per-user enrollment report showing zero exempt adminsOkta / Entra / Google Workspace MFA-status report
Is MFA enforced on the cloud root?"Root is locked down."AWS IAM credential report row for <root_account> showing mfa_active = trueAWS IAM credential report
Is MFA enforced on the VCS org?"GitHub requires it."gh api orgs/<org> showing two_factor_requirement_enabled: trueGitHub org settings export

The trap most teams fall into: confusing enabled with enforced. "Enabled" means the option exists. "Enforced" means a user with no second factor cannot sign in. Reviewers reject "enabled" because it permits exceptions. The accepted answer is the per-user enrollment report with no admin showing "not enrolled," plus the policy export proving the gate is mandatory.

Branch protection and change management

SOC 2 CC8.1 lives here. The buyer's concern is blunt: can one engineer push to production with nobody looking?

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Are code reviews required before merge?"All changes are peer-reviewed."Branch-protection export showing required_pull_request_reviews ≥ 1 and enforce_admins: truegh api repos/<org>/<repo>/branches/main/protection
Can admins bypass review?"Admins follow the same process."The enforce_admins.enabled: true field in that same exportSame protection export
Who owns review for sensitive paths?"The relevant team reviews it."CODEOWNERS file + branch protection requiring code-owner reviewRepo CODEOWNERS + protection export

What gets accepted: the raw JSON from gh api repos/<org>/<repo>/branches/main/protection. It contains required_pull_request_reviews, required_status_checks, and the enforce_admins flag. A reviewer reads three fields and moves on. The prose version triggers "please confirm admins cannot bypass" — which is exactly the field you should have attached.

Audit logging

Auditors look for two things here: coverage (every prod account is logged) and proof the logs exist (not just that logging is turned on).

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Do you log all production activity?"CloudTrail is on."Trail/sink config export plus a sample query result returning recent events from each accountaws cloudtrail describe-trails; GCP gcloud logging sinks list
How long are logs retained?"We keep logs for a year."Storage lifecycle policy + a query returning the oldest available log entry's timestampS3 lifecycle rule / GCS bucket lifecycle export + sample query
Are logs tamper-resistant?"Access is restricted."Object-lock / bucket-lock (WORM) configuration exportaws s3api get-object-lock-configuration

The artifact teams skip: the sample query result. Anyone can show that a trail exists. The accepted evidence is the trail config and a query — for example a CloudTrail Lake or Logs Insights query — that returns rows from the last 24 hours for each production account, plus one that returns the oldest entry to prove retention. Config proves intent; the query proves it actually works.

Backup and restore testing

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Are production databases backed up?"Automated backups are enabled."Backup config + last 7 successful backup timestampsRDS / Cloud SQL backup config + backup history listing
Do you test restores?"Backups are tested periodically."A restore-test report: date, source backup, restored row counts, wall-clock runtime, integrity check resultYour own restore-test runbook output
What is your RPO / RTO?"RPO 24h, RTO 4h." (numbers with no basis)The same numbers tied to the restore-test report that demonstrates themRestore-test report

The single highest-leverage artifact in any questionnaire: the restore-test report. Most teams have backups configured and have never restored from them. "Backups are enabled" gets accepted at the config level but rejected the moment the reviewer asks "when did you last restore?" The accepted answer is a one-page report: restored the 2026-06-20 snapshot into a staging target, 4.2M rows in the orders table verified against source, completed in 18m32s, integrity check passed. Row counts and wall-clock time are the signal that it actually happened.

Dependency and secret scanning

Scanning being on is the easy half. The half that gets rejected is the absence of a remediation trail.

QuestionWhat gets rejectedWhat gets acceptedWhere to export it
Do you scan dependencies for CVEs?"Dependabot is enabled."Scanner config + remediation log showing a recent critical CVE opened and closed within SLADependabot/Snyk config + gh api repos/<org>/<repo>/dependabot/alerts
Do you remediate criticals within SLA?"We patch promptly."A specific dated example: alert raised 2026-06-04, PR merged 2026-06-06, well inside a 7-day SLAAlert export + linked PR
Do you scan for committed secrets?"Secret scanning is on."Secret-scanning config + remediation log of any detected hit and its rotationgh api repos/<org>/<repo>/secret-scanning/alerts

The trap most teams fall into: answering "yes, scanning is enabled" to a question that is really about response. A buyer asking "do you remediate critical CVEs within 7 days?" wants one concrete instance proving it. "We have a policy" is not the answer; the dated alert-to-merge trail is. Export the alerts list once a quarter and keep the remediation log next to it.

Map your answers before you send them

Questionnaire topicAccept-on-first-pass artifactOne-line export
IAM / least privilegeAWS IAM credential report / GCP IAM policyaws iam get-credential-report
MFA enforcementIdP enrollment report + org 2FA flaggh api orgs/<org>
Change managementBranch-protection JSONgh api repos/<org>/<repo>/branches/main/protection
Audit loggingTrail/sink config + sample query resultaws cloudtrail describe-trails
Backup / recoveryRestore-test report (rows + wall-clock)your restore-test runbook
Dependency / secretsScanner config + remediation loggh api repos/<org>/<repo>/dependabot/alerts

The pattern is consistent across all six: a machine-generated export plus, where the question is about an outcome, one dated example proving the outcome. Gather these once into a private evidence repo and you answer every future questionnaire by pasting a short line and attaching the matching file.

The kit and the next step

The free Cloud Controls Evidence Kit ships this exact layout — including worked questionnaire-answer examples that pair each common question with the export that clears it and the prose that doesn't. Drop it into your private compliance repo and start filling it in.

If you'd rather have an engineer walk your stack and produce the populated evidence folder — the IAM report, the branch-protection export, the restore-test report, all filled in with your actual data — that is what a Controls Review delivers.

When the next questionnaire lands, you want to be attaching files, not writing sentences. If you want help getting there before your next enterprise deal, book a fit call.

Book fit call