
The Stalled Enterprise Deal Playbook: How to Unblock Security Reviews in 14 Days

Your enterprise deal is stuck in security review. The 14-day diagnostic-to-unblock sequence: pinpoint the actual blocker, generate the missing artifacts, restart procurement momentum. For US SaaS with India GCC operations.

There’s a specific moment every founder dreads. You’ve been working a deal for months. The product fit is strong. The economic buyer is signed on. You’re past the verbal commitment stage. And then procurement arrives — and the deal stops moving.

The questions start coming. “Where’s your SOC 2 Type 2?” “Please complete our 387-question Standardized Information Gathering questionnaire by Friday.” “We need details on how your India engineering team accesses production data.” “What’s your AI governance posture?” Each question is answerable, but the buyer’s tempo is slow and your responses keep generating follow-ups.

Three weeks pass. Then four. Your sales rep is increasingly anxious. The buyer’s procurement contact is responsive but non-committal. The deal is, in industry euphemism, “in security review.”

I’ve worked enough of these situations to know they follow predictable patterns. Some are recoverable in 2 weeks with the right sequence. Some are recoverable but take 6–8 weeks. A few are unrecoverable and you need to know that early enough to redirect resources. This article walks through how to diagnose which situation you’re in, what the 14-day unblock sequence looks like, and how to prevent the next one.

The first 48 hours: diagnosis

Before doing anything else, get clarity on what’s actually blocking the deal. Three distinct failure modes look superficially similar but require different responses.

Failure mode 1: Missing artifact. The buyer needs a specific document or attestation you don’t have. Most common version: “We need your SOC 2 Type 2 report” when you don’t have one. This is the most common stall and often the most recoverable, because you have leverage to negotiate alternatives.

Failure mode 2: Questionnaire bottleneck. You have most artifacts but the buyer’s questionnaire is generating endless cycles. They ask 400 questions, you answer, they have follow-ups, you answer, they have more follow-ups. This is often a process problem more than an artifact problem.

Failure mode 3: Genuine control gap. The buyer has identified a specific control deficiency that they consider a deal-blocker. Examples: “your India contractors use personal devices without MDM,” “you store customer data in regions we don’t permit,” “your incident response SLA doesn’t meet our regulatory floor.” This is harder to recover from in 14 days.

Diagnosing which mode you’re in requires direct communication with the buyer’s security or procurement contact. Email is okay; a 30-minute call is better. The questions to ask:

  1. “Specifically, what’s currently blocking forward progress?” (Don’t accept generic answers like “we’re still reviewing.”)
  2. “Is there a particular artifact, response, or remediation that would unblock the next step?”
  3. “What’s your team’s bandwidth and timeline for the review?”
  4. “Are there alternatives to the artifact you’ve requested that you’d accept?”

If the buyer answers these honestly, you know your situation. If they’re vague, the deal may already be deprioritized on their side and you have a different problem (sales/relationship rather than security).

The 14-day unblock sequence

This is the sequence I use for stalled deals where the diagnosis points to recoverable situations. Adjust the timeline based on your starting position.

Days 1–2: Confirm the blocker and scope the response

Confirm via direct conversation what specifically is needed. Get it in writing where possible. The worst version of this is solving the wrong problem: spending 14 days kicking off a SOC 2 Type 1 engagement when what the buyer actually needed was a completed CAIQ.

Outputs for days 1–2:

  • Documented blocker (specific artifact, questionnaire, or control)
  • Acceptance criteria (what “good enough” looks like to the buyer)
  • Buyer’s internal timeline (do they need the artifact in 1 week, 4 weeks, or “whenever”)
  • List of acceptable alternatives if the primary ask is infeasible

Days 3–5: Inventory existing evidence

Before generating new artifacts, find what you already have. Most companies have more compliance evidence than they realize — it’s just disorganized.

Inventory check:

  • Existing SOC 2 (Type 1 or 2), ISO 27001, HIPAA, PCI artifacts
  • Penetration test reports (recent, ideally within 12 months)
  • Vulnerability scan reports
  • Security policies (information security, access control, incident response, business continuity, data classification)
  • Privacy policy
  • DPAs with sub-processors
  • Insurance certificates (cyber liability)
  • Trust center / public assurance page
  • Architecture diagrams
  • Data flow diagrams
  • Vendor risk assessments
  • Employee security training records
  • Background check evidence
  • Access review records (last quarter)
  • Incident response runbook

For each item: do you have it, is it current, can you produce evidence? "Current" is judged by the buyer's reviewer, not by you: a penetration test older than 12 months, an access review older than a quarter, or a SOC 2 report whose audit period ended more than a year ago will draw questions. For an aging SOC 2 report, expect to supply a bridge letter covering the months since the report's period end.

In a typical stalled-deal situation, this inventory reveals 60–80% of what the buyer needs is already in place. The work is locating it, packaging it, and making it accessible.
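The inventory above is easier to keep honest as a small evidence register that answers the three questions (have it, current, can show it) mechanically, and that also tells you which artifact goes stale next. The script below is an added example, not tooling from the original article: the register contents are constructed sample data, the date is pinned so the result is reproducible, and the maximum ages are assumed reviewer expectations rather than any standard's requirement.

```python
"""Evidence register freshness check for the days 3-5 inventory.

Added example, not the article's own tooling. The register below is constructed
sample data and TODAY is pinned so the result is reproducible; the maximum ages
are assumed reviewer expectations, not a standard's requirement.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed maximum age in days before a buyer's reviewer treats the artifact as stale.
MAX_AGE_DAYS = {
    "soc2_type2": 365,     # older period ends usually need a bridge letter
    "pentest": 365,
    "vuln_scan": 30,
    "policy": 365,         # annual policy review cadence
    "access_review": 90,   # quarterly
    "insurance": 365,
}

TODAY = date(2026, 2, 1)  # pinned for the example


@dataclass
class Artifact:
    name: str
    kind: str
    issued: Optional[date]          # None: we do not have it
    evidence: Optional[str] = None  # None: we have it but cannot hand it over


@dataclass
class Finding:
    name: str
    status: str    # "ok" | "stale" | "missing" | "no_evidence"
    detail: str


# Constructed sample register (not a real company's artifacts).
SAMPLE_REGISTER = [
    Artifact("SOC 2 Type 2 report", "soc2_type2", date(2025, 6, 30), "trust/soc2-2025.pdf"),
    Artifact("Penetration test report", "pentest", date(2024, 11, 10), "trust/pentest-2024.pdf"),
    Artifact("Q4 access review", "access_review", None),
    Artifact("Information security policy", "policy", date(2025, 9, 1), None),
    Artifact("Vulnerability scan", "vuln_scan", date(2026, 1, 20), "scans/2026-01-20.csv"),
    Artifact("Cyber liability certificate", "insurance", date(2025, 4, 1), "legal/coi-2025.pdf"),
]


def assess(register, today=TODAY):
    """Classify each artifact: missing, no evidence to show, stale, or ok."""
    findings = []
    for a in register:
        if a.issued is None:
            findings.append(Finding(a.name, "missing", "no artifact on file"))
        elif a.evidence is None:
            findings.append(Finding(a.name, "no_evidence", "claimed but nothing to send the buyer"))
        else:
            age = (today - a.issued).days
            limit = MAX_AGE_DAYS[a.kind]
            if age > limit:
                findings.append(Finding(a.name, "stale", f"{age} days old, limit {limit}"))
            else:
                findings.append(Finding(a.name, "ok", f"{limit - age} days until stale"))
    return findings


def summarize(findings):
    """Group names by status and compute the share of items that are ready to send."""
    groups = {"ok": [], "stale": [], "missing": [], "no_evidence": []}
    for f in findings:
        groups[f.status].append(f.name)
    coverage = len(groups["ok"]) / len(findings) if findings else 0.0
    return {"groups": groups, "coverage": coverage}


def next_to_expire(register, today=TODAY):
    """Earliest date at which a currently-ok artifact goes stale (input for the quarterly review)."""
    upcoming = [
        (a.issued + timedelta(days=MAX_AGE_DAYS[a.kind]), a.name)
        for a in register
        if a.issued is not None and a.evidence is not None
        and (today - a.issued).days <= MAX_AGE_DAYS[a.kind]
    ]
    return min(upcoming) if upcoming else None


if __name__ == "__main__":
    results = assess(SAMPLE_REGISTER)
    for f in results:
        print(f"{f.status:12} {f.name}: {f.detail}")
    print(summarize(results)["coverage"], next_to_expire(SAMPLE_REGISTER))
```

On the constructed register, three of six items are ready to send, the penetration test is a year past its limit, one policy exists only as a claim, and the vulnerability scan is the first thing to re-run. Replace the sample rows with your real artifacts and re-run the script at each quarterly review.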

Days 6–8: Build or update the trust center

A trust center is a single public (or gated) page that consolidates your compliance artifacts. If you don’t have one, build one this week. If you have one but it’s outdated, update it.

Minimum viable trust center:

  • Current compliance attestations (with download or NDA-gated access)
  • Penetration test summary (full report under NDA)
  • Security policies (or summaries)
  • Sub-processor list
  • Privacy policy and DPA template
  • Security and privacy points of contact
  • Status page or uptime history
  • Last-updated date prominently displayed

Hosted at /trust or /security on your main site. Tools like Vanta Trust Center, Drata Trust Center, Sprinto Trust, SafeBase, or a simple custom-built page all work.

A solid trust center deflects roughly half of generic security review work. The buyer can review the trust center, decide what specific follow-up they need, and skip questions already answered.

Days 9–11: Generate the missing artifacts or responses

Now you address the specific gap.

If the gap is a complete SOC 2 Type 2: You can't generate this in 11 days. A Type 2 report covers an observation period (typically three to twelve months), so no auditor can compress it into a fortnight. The alternatives:

  • Type 1 (point-in-time), which an auditor willing to move fast can issue in 8–12 weeks if your controls are already largely in place; from a standing start, plan on longer
  • Independent audit letter or attestation from a vCISO/auditor confirming your control posture
  • ISO 27001 Statement of Applicability with control descriptions
  • Customer reference letter from another enterprise customer who completed your security review
  • Detailed self-attestation with auditor-style evidence (gap analysis report, control narrative, evidence samples)

Sell the alternative with the timeline: “We don’t have SOC 2 Type 2 yet. We have [Y, Z, etc.] and we’re committed to Type 2 by [date]. Would [alternative] satisfy your interim need?”

If the gap is questionnaire completion: Pre-populate the standard frameworks. The investment of 12–20 hours building a SIG Lite response, a CAIQ response, and a generic security questionnaire response (300–400 standardized answers) pays back in every subsequent deal. Tools like Vanta Questionnaire Automation, Drata Questionnaire Automation, ResponseHub, or even Notion + a tagging system work.

If the gap is a specific control: Implement the compensating control or commit to remediation with dates. Examples:

  • BYOD India contractors → put production access behind VDI or conditional access that requires a managed, compliant device; document the controls
  • Encryption gap → enable encryption at rest with KMS-managed keys; document the architecture, including who owns the keys and how they are rotated
  • Logging gap → enable centralized log aggregation; document retention and who can read or delete logs

Days 12–13: Assemble the response

Now compile the response back to the buyer.

A well-structured response includes:

  • Executive summary (1 page): your current security posture, recent achievements, in-flight initiatives
  • Specific answer to the buyer’s blocking question
  • Supporting artifacts (trust center URL, redacted SOC 2 if applicable, completed questionnaire)
  • Remediation commitments with dates for any genuine gaps
  • Proactive offers (security architecture review call, customer reference, technical deep-dive)

The tone matters. Confident, transparent, specific. Not defensive, not apologetic, not vague.

Day 14: Re-engage with momentum

Send the response. Schedule a follow-up call within 5 business days. Ask the buyer’s security team if a 30-minute walkthrough would help them assess. Many security teams welcome the offer — they’d rather hear the vendor explain than re-read documents.

If you’ve done the work in days 1–13, the response document plus the offer to walk through it is enough to restart momentum in most cases.

What if it doesn’t work?

Some deals don’t recover from security stalls regardless of what you do. Indicators:

  • The buyer’s security team has explicitly recommended against approval
  • Procurement is non-responsive to specific scheduling requests for 2+ weeks after your full response
  • The deal has been “in security review” for 12+ weeks with no concrete next step
  • The buyer’s economic buyer is no longer engaged

When you see these signals, the right call is often to deprioritize the deal explicitly: “We understand the security review is taking longer than expected on your side. We’re happy to circle back when timing is better for you.” This frees your team to focus on closable deals and signals to the buyer that you’re not desperate.

Surprisingly often, this re-prioritization shakes the deal loose. Buyers who see the vendor stop chasing them sometimes accelerate their own decision. Sometimes not — but you’ve at least controlled your own resources.

Preventing the next one

Once you’ve unblocked a deal, the work isn’t done. The patterns you’ve just navigated — missing artifacts, questionnaire bottlenecks, control gaps — will recur on the next deal unless you turn the response into a system.

Build the security questionnaire response library. Every question you’ve answered for one buyer should be saved, tagged, and linked to the evidence that backs it, so reused answers stay true as your controls change. By the time you’ve done 10 enterprise deals, you should have 80%+ of any incoming questionnaire pre-answered.
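What a tagged, reusable library looks like in practice, serving both the pre-populated SIG/CAIQ response described under days 9–11 and the library built here: a canonical answer per control, synonyms as tags, explicit mappings to the question IDs of standard questionnaires, and a matcher that drafts answers for a new questionnaire and flags what a human still has to write. The code below is an added example, not the article's or any vendor tool's code. The library entries, the framework IDs (for example "Q-IAM-7") and the incoming rows are constructed sample data; real SIG and CAIQ question IDs and wording differ.

```python
"""Questionnaire response library with cross-framework mapping.

Added example, not the article's or any vendor tool's code. The library entries,
the framework IDs (for example "Q-IAM-7") and the incoming questionnaire rows
are constructed sample data; real SIG and CAIQ question IDs and wording differ.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

STOPWORDS = {"a", "an", "the", "is", "are", "do", "does", "you", "your", "of", "to",
             "for", "and", "or", "in", "on", "at", "with", "how", "what", "please",
             "describe", "any", "using", "that", "be", "by"}


def tokens(text):
    """Lowercased content words of a question, used for lexical matching."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


@dataclass
class Answer:
    id: str
    question: str           # canonical wording of the question this answers
    answer: str
    tags: set               # synonyms a reviewer might use instead of our wording
    framework_ids: set = field(default_factory=set)  # equivalent question IDs in standard questionnaires
    evidence: Optional[str] = None


# Constructed sample library.
LIBRARY = [
    Answer("ENC-01", "Is customer data encrypted at rest and in transit?",
           "Yes. At rest with AES-256 via KMS-managed keys; in transit with TLS 1.2+.",
           {"encryption", "rest", "transit", "kms", "tls"}, {"Q-ENC-1"}, "trust/architecture.pdf"),
    Answer("IAM-02", "Do you perform periodic user access reviews for production systems?",
           "Yes, quarterly, with sign-off recorded per system owner.",
           {"access", "review", "quarterly", "production"}, {"Q-IAM-7"}, "evidence/access-review-q4.pdf"),
    Answer("IR-03", "Do you have a documented incident response plan that is tested at least annually?",
           "Yes. The plan is reviewed annually and exercised via tabletop.",
           {"incident", "response", "plan", "tabletop"}),
    Answer("PEN-04", "Is an independent penetration test performed at least annually?",
           "Yes, annually by an external firm; summary on the trust center, full report under NDA.",
           {"penetration", "test", "testing", "pentest", "annual"}, evidence="trust/pentest-summary.pdf"),
]

# Constructed incoming questionnaire rows: (question id as the buyer labels it, text).
INCOMING = [
    ("Q-IAM-7", "Are user entitlements reviewed on a regular basis?"),
    ("B-12", "Is data encrypted at rest using customer or provider managed keys?"),
    ("B-40", "Do you maintain a documented business continuity and disaster recovery plan?"),
    ("B-55", "How often is penetration testing performed by an independent third party?"),
]


def match(incoming_id, text, library, threshold=0.5):
    """Map one incoming question to a library answer.

    First by explicit framework-ID mapping, then by the fraction of the incoming
    question's content words covered by an entry's wording plus its tags.
    Returns (answer_or_None, score, how)."""
    for a in library:
        if incoming_id in a.framework_ids:
            return a, 1.0, "framework_id"
    q = tokens(text)
    best, best_score = None, 0.0
    for a in library:
        ref = tokens(a.question) | a.tags
        score = len(q & ref) / len(q) if q else 0.0
        if score > best_score:
            best, best_score = a, score
    if best_score >= threshold:
        return best, best_score, "similarity"
    return None, best_score, "unmatched"


def respond(incoming, library):
    """Draft a response: pre-filled rows plus the ones that need a human answer."""
    rows = []
    for qid, text in incoming:
        a, score, how = match(qid, text, library)
        rows.append({
            "incoming_id": qid,
            "question": text,
            "library_id": a.id if a else None,
            "answer": a.answer if a else None,
            "evidence": a.evidence if a else None,
            "how": how,
            "score": round(score, 2),
            # lexical matches are drafts: a human confirms before anything is sent
            "needs_review": how != "framework_id",
        })
    answered = sum(1 for r in rows if r["library_id"] is not None)
    return {"rows": rows, "answered": answered, "total": len(rows)}


if __name__ == "__main__":
    result = respond(INCOMING, LIBRARY)
    for r in result["rows"]:
        print(f'{r["incoming_id"]:8} -> {r["library_id"] or "NEEDS HUMAN":12} ({r["how"]}, {r["score"]})')
    print(f'{result["answered"]}/{result["total"]} pre-answered')
```

Two design points matter more than the matching arithmetic. The "testing" tag on PEN-04 is what lets a question phrased as "penetration testing" find an answer written for "penetration test"; tags are where you record the reviewer's vocabulary, not yours. And every lexical match is marked for human review: the library speeds up drafting, but an answer sent without a person confirming it still describes the current control is how questionnaire responses drift away from reality. The business continuity row is left unanswered on purpose, because that is the work the library cannot do for you.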

Maintain the trust center as a living artifact. Update monthly. Refresh artifacts as they renew. Add new attestations as they’re issued.

Tier your sales pipeline by security maturity. Some deals will be easy (mid-market buyers, simpler questionnaires). Some will be hard (regulated industries, custom requirements). Plan resources accordingly.

Get SOC 2 Type 2 done. If you’ve been working enterprise deals for 12+ months without SOC 2 Type 2, the trajectory is clear: you’ll keep losing deals or stalling them. The investment ($60K–$150K all-in for first audit) recovers itself in 2–4 deals.

Establish quarterly compliance reviews. Once a quarter, walk through your trust center, your questionnaire library, your control posture, your in-flight initiatives. Update everything. Fix what’s stale.

Plan for the next wave of questions. AI/ML governance is the 2026 wave; identity sprawl, non-human identities and shadow AI are close behind. Build evidence and controls ahead of buyers asking, not in response.

Where Attri Edge fits

A diagnostic engagement ($999, 48-hour deliverable) maps your full compliance gaps and includes a stalled-deal recovery plan if you have one in-flight. Active Retainer ($7,500–$9,000/month) covers ongoing security questionnaire response, trust center maintenance, and gap remediation. We handle the unblock work so your engineering team stays focused on building.

If you have a deal stuck right now, the diagnostic is the right starting point. We’ll identify whether it’s recoverable in 14 days, 60 days, or only in the next budget cycle, and what the specific path looks like. Book the diagnostic →



Frequently asked questions

How long does a typical enterprise security review take?
For vendors with mature compliance posture (SOC 2 Type 2, complete trust center, pre-populated SIG/CAIQ responses), 2–4 weeks is typical. For vendors with gaps, 6–16 weeks is common, with some deals stalling indefinitely. The gap-driven cases are usually solvable in 2–4 weeks if approached correctly — which is what this playbook covers.
Should we tell the buyer we don't have SOC 2 yet?
Yes, with a credible alternative. Buyers respect transparency more than they respect evasion. The message that works: 'We're in the middle of our SOC 2 Type 2 engagement, with Type 1 due [specific date]. In the interim, here's our trust center with [specific artifacts] and we're happy to walk your security team through our control set in detail.' Specific dates and specific artifacts. Vague timelines kill deals.
What's the difference between SIG and CAIQ?
SIG (Standardized Information Gathering) questionnaire from Shared Assessments has a Lite version (~100 questions) and Core version (~800–1,200 questions). It's the most common enterprise-grade questionnaire. CAIQ (Consensus Assessments Initiative Questionnaire) from Cloud Security Alliance has 261 questions specifically for cloud services. Most enterprise buyers use a variant of SIG; some sectors prefer CAIQ. If you've pre-populated both, you can respond to 80% of incoming questionnaires by mapping.
Can we deflect the security questionnaire by sending our SOC 2 report?
Sometimes, depending on the buyer. The 'reverse questionnaire' strategy, building a trust center robust enough that buyers waive their custom SIG, works for some buyers, particularly those whose vendor risk program leans on rating services like UpGuard, BitSight, SecurityScorecard. For others, particularly large financial services or government, the custom questionnaire is mandatory. The right move: offer the deflect first ('Here's our SOC 2, trust center, and pre-populated SIG Lite. Would these satisfy your review?') and respond to the custom questionnaire if pushed.
What if the buyer is asking for things we genuinely don't have?
Acknowledge honestly, provide compensating evidence, commit to remediation with dates. 'We don't currently have [thing X]. We have [related control Y] which addresses [Z risk]. We're implementing [thing X] by [date] and will provide evidence on completion.' This is how mature vendors handle gaps. Buyers know perfect vendors are rare; they're looking for vendors who are honest, capable, and improving.
Does an India team make security reviews harder?
Yes, but solvable. Reviewers will ask additional questions: how India staff access data, background check standards, BYOD vs MDM, India-specific privacy compliance, cross-border data flows. If you have answers ready (with specific evidence), India operations stop being a friction point. If you don't, expect 3–6 weeks of additional back-and-forth. Build an India operations evidence pack as part of your trust center.
How much does it cost to unblock a stalled deal?
Depends on the gaps. Pre-populating a security questionnaire response library: $5K–$15K consulting work. Type 1 SOC 2 from a standing start: $25K–$60K and 3–5 months. Trust center build: $3K–$10K consulting plus internal time. For a stalled deal worth $50K+ ARR, the math works overwhelmingly in favor of investment. The harder question is timing — can you do the work fast enough to keep the deal alive?