The Security Questionnaire Evidence B2B SaaS Buyers Actually Accept
Maps the common security-questionnaire questions to the concrete artifacts buyers and auditors actually accept — and the prose answers they quietly reject. With the exact export command for each.
A 90-row security questionnaire just landed in a shared spreadsheet, the buyer's security team is CC'd, and the deal owner wants it back by Friday. A week later the auditor's PBC list (Provided By Client) asks for the same things in slightly different language. You start typing answers. Most of them begin with "We have a policy that..." or "Yes, we enforce...".
Here is what you need to know before you send it: the reviewer on the other end has read a thousand of those sentences. The trap most teams fall into: they answer the questionnaire in prose. Prose is what gets flagged, looped back, and turned into a follow-up call that delays the deal by two weeks. What clears the review on the first pass is a concrete export — a file, a config dump, a query result with real numbers in it.
This article maps the questions you will actually get to the artifacts that actually clear them, and names where to export each one.
Why prose gets rejected
A questionnaire answer is a claim. An auditor's job — and increasingly a buyer's security engineer's job — is to verify the claim, not believe it. "We enforce MFA for all admins" is unfalsifiable as written. An IdP export that lists every admin with their MFA enrollment status is falsifiable: the reviewer can count the rows and see zero exceptions. That is the entire difference.
So the rule for every row below is the same: answer with the artifact, not the adjective. Paste a one-line answer, then attach the file that proves it. The sections that follow give you both halves for each common question.
Access controls: IAM and least privilege
This is where most questionnaires lead, and where most get stuck.
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Do you enforce least-privilege IAM? | "Yes, roles are scoped to need." | Per-role definition + member list showing no standing admin on prod | AWS IAM credential report; GCP gcloud projects get-iam-policy <project> |
| Who has production access? | "Only authorized engineers." | Generated list of every principal with a prod-write role, with owner and last-used date | AWS IAM credential report (CSV); GCP IAM policy export |
| Are there unused / stale privileges? | "We review access regularly." | Credential report column showing password_last_used / access_key_last_used per user | AWS IAM credential report |
What gets accepted: the AWS IAM credential report. One call —
aws iam generate-credential-report then aws iam get-credential-report — gives
you a CSV with every user, their MFA status, key age, and last-used timestamps.
On GCP, gcloud projects get-iam-policy <project> --format=json dumps every
binding. Reviewers accept these because they are machine-generated and you can't
hand-edit them into looking better without it being obvious.
The artifact teams skip: the last-used column. A reviewer who asks about least privilege is really asking "do you have standing admins who never use it?" The credential report answers that in a column you already have.
MFA enforcement
Nearly every questionnaire asks it. Almost nobody answers it correctly.
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Is MFA enforced for all admins? | "MFA is enabled in our IdP." | IdP enforcement policy export + per-user enrollment report showing zero exempt admins | Okta / Entra / Google Workspace MFA-status report |
| Is MFA enforced on the cloud root? | "Root is locked down." | AWS IAM credential report row for <root_account> showing mfa_active = true | AWS IAM credential report |
| Is MFA enforced on the VCS org? | "GitHub requires it." | gh api orgs/<org> showing two_factor_requirement_enabled: true | GitHub org settings export |
The trap most teams fall into: confusing enabled with enforced. "Enabled" means the option exists. "Enforced" means a user with no second factor cannot sign in. Reviewers reject "enabled" because it permits exceptions. The accepted answer is the per-user enrollment report with no admin showing "not enrolled," plus the policy export proving the gate is mandatory.
Branch protection and change management
SOC 2 CC8.1 lives here. The buyer's concern is blunt: can one engineer push to production with nobody looking?
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Are code reviews required before merge? | "All changes are peer-reviewed." | Branch-protection export showing required_pull_request_reviews ≥ 1 and enforce_admins: true | gh api repos/<org>/<repo>/branches/main/protection |
| Can admins bypass review? | "Admins follow the same process." | The enforce_admins.enabled: true field in that same export | Same protection export |
| Who owns review for sensitive paths? | "The relevant team reviews it." | CODEOWNERS file + branch protection requiring code-owner review | Repo CODEOWNERS + protection export |
What gets accepted: the raw JSON from
gh api repos/<org>/<repo>/branches/main/protection. It contains
required_pull_request_reviews, required_status_checks, and the
enforce_admins flag. A reviewer reads three fields and moves on. The prose
version triggers "please confirm admins cannot bypass" — which is exactly the
field you should have attached.
Audit logging
Auditors look for two things here: coverage (every prod account is logged) and proof the logs exist (not just that logging is turned on).
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Do you log all production activity? | "CloudTrail is on." | Trail/sink config export plus a sample query result returning recent events from each account | aws cloudtrail describe-trails; GCP gcloud logging sinks list |
| How long are logs retained? | "We keep logs for a year." | Storage lifecycle policy + a query returning the oldest available log entry's timestamp | S3 lifecycle rule / GCS bucket lifecycle export + sample query |
| Are logs tamper-resistant? | "Access is restricted." | Object-lock / bucket-lock (WORM) configuration export | aws s3api get-object-lock-configuration |
The artifact teams skip: the sample query result. Anyone can show that a trail exists. The accepted evidence is the trail config and a query — for example a CloudTrail Lake or Logs Insights query — that returns rows from the last 24 hours for each production account, plus one that returns the oldest entry to prove retention. Config proves intent; the query proves it actually works.
Backup and restore testing
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Are production databases backed up? | "Automated backups are enabled." | Backup config + last 7 successful backup timestamps | RDS / Cloud SQL backup config + backup history listing |
| Do you test restores? | "Backups are tested periodically." | A restore-test report: date, source backup, restored row counts, wall-clock runtime, integrity check result | Your own restore-test runbook output |
| What is your RPO / RTO? | "RPO 24h, RTO 4h." (numbers with no basis) | The same numbers tied to the restore-test report that demonstrates them | Restore-test report |
The single highest-leverage artifact in any questionnaire: the restore-test report. Most teams have backups configured and have never restored from them. "Backups are enabled" gets accepted at the config level but rejected the moment the reviewer asks "when did you last restore?" The accepted answer is a one-page report: restored the 2026-06-20 snapshot into a staging target, 4.2M rows in the orders table verified against source, completed in 18m32s, integrity check passed. Row counts and wall-clock time are the signal that it actually happened.
Dependency and secret scanning
Scanning being on is the easy half. The half that gets rejected is the absence of a remediation trail.
| Question | What gets rejected | What gets accepted | Where to export it |
|---|---|---|---|
| Do you scan dependencies for CVEs? | "Dependabot is enabled." | Scanner config + remediation log showing a recent critical CVE opened and closed within SLA | Dependabot/Snyk config + gh api repos/<org>/<repo>/dependabot/alerts |
| Do you remediate criticals within SLA? | "We patch promptly." | A specific dated example: alert raised 2026-06-04, PR merged 2026-06-06, well inside a 7-day SLA | Alert export + linked PR |
| Do you scan for committed secrets? | "Secret scanning is on." | Secret-scanning config + remediation log of any detected hit and its rotation | gh api repos/<org>/<repo>/secret-scanning/alerts |
The trap most teams fall into: answering "yes, scanning is enabled" to a question that is really about response. A buyer asking "do you remediate critical CVEs within 7 days?" wants one concrete instance proving it. "We have a policy" is not the answer; the dated alert-to-merge trail is. Export the alerts list once a quarter and keep the remediation log next to it.
Map your answers before you send them
| Questionnaire topic | Accept-on-first-pass artifact | One-line export |
|---|---|---|
| IAM / least privilege | AWS IAM credential report / GCP IAM policy | aws iam get-credential-report |
| MFA enforcement | IdP enrollment report + org 2FA flag | gh api orgs/<org> |
| Change management | Branch-protection JSON | gh api repos/<org>/<repo>/branches/main/protection |
| Audit logging | Trail/sink config + sample query result | aws cloudtrail describe-trails |
| Backup / recovery | Restore-test report (rows + wall-clock) | your restore-test runbook |
| Dependency / secrets | Scanner config + remediation log | gh api repos/<org>/<repo>/dependabot/alerts |
The pattern is consistent across all six: a machine-generated export plus, where the question is about an outcome, one dated example proving the outcome. Gather these once into a private evidence repo and you answer every future questionnaire by pasting a short line and attaching the matching file.
The kit and the next step
The free Cloud Controls Evidence Kit ships this exact layout — including worked questionnaire-answer examples that pair each common question with the export that clears it and the prose that doesn't. Drop it into your private compliance repo and start filling it in.
If you'd rather have an engineer walk your stack and produce the populated evidence folder — the IAM report, the branch-protection export, the restore-test report, all filled in with your actual data — that is what a Controls Review delivers.
When the next questionnaire lands, you want to be attaching files, not writing sentences. If you want help getting there before your next enterprise deal, book a fit call.