// Posted 2026-07-05

Your Security Questionnaire Sat in the AE Inbox for Nine Days

Your AE forwards a 214-question security review Monday, opens it Tuesday, the buyer goes cold on day nine. Security review is a function you never staffed.

Stacked translucent questionnaire panels in dark space with one amber panel frozen mid-answer and pink unanswered rows branching to a separate control matrix

It is Tuesday, 3:41 PM. Your AE opens the vendor security questionnaire the prospect sent Monday morning. 214 questions across access control, data handling, sub-processors, incident response, and business continuity. The Excel file has six tabs. Three tabs are copies of the same control set the buyer's parent company ships to every vendor.

The AE opens the shared drive. The last completed questionnaire lives in a folder named Acme Corp Response Final v3. It shipped seven months ago. The buyer this week is a $220M revenue insurance carrier with a Q3 close date and a legal team that reads every answer. The AE reads the first tab, closes the file, and forwards it to engineering with a note that reads any chance you can look at this by Friday.

The head of engineering opens the file Wednesday at 5:12 PM between two on-calls. She copies 47 rows to a Slack channel with a message asking who owns access reviews now. The DPO answers on Thursday. The head of infrastructure answers Friday morning. The AE sends the buyer a status note on Monday that reads working through it, should have something by end of week. Friday hits with 68 rows still blank. The buyer forwards the thread to a second vendor.

Security review is a function. Most companies past their first enterprise deal have not staffed it because the last questionnaire got answered in a Zoom room with the CTO, the DPO, and a Google Doc. The function lives in the gap between the AE who owns the deal, the sales engineer who owns the demo, the head of infrastructure who owns the controls, the head of engineering who owns the SDLC answers, the DPO who owns the data map, the compliance operator who owns the SOC 2 report, and the legal review that lands after the questionnaire clears. On the org chart it sits under Security or Compliance. In practice it sits inside an Excel file the AE forwards on a Monday.

The nine days that lost the deal

Pull the last four enterprise security questionnaires from your shared drive. Count the calendar days from receipt to ship. Most Series B and C companies find seven to twenty-one day turnarounds with two of the four sitting past day fourteen. Two out of four lose the deal or trigger a legal escalation that pushes the close into the following quarter.

Walk the nine-day gap. Day one is the AE receiving the file at 9:04 AM Monday, day two is the forward to engineering at 4:47 PM Tuesday, day three is the head of engineering opening the file at 5:12 PM Wednesday. Day four is the Slack question landing without an owner, day five is the DPO responding on one tab, day six is Friday with three tabs partially complete and the AE sending a status note. Days seven and eight are the weekend, day nine is Monday morning with the buyer asking for an update and the AE not having one.

The team that should own this knows it is broken. The head of engineering cannot answer 214 questions between two on-calls. The DPO answers the same data-handling questions every quarter and cannot find the last shipped copy. The head of infrastructure rebuilds the access-review answer from memory because the SOC 2 evidence folder sits three clicks deep in a drive nobody organized. The AE writes the same email to the same three internal owners on every enterprise deal. The function sits unstaffed while a $340K ACV deal drifts into the next quarter.

Hiring a security operations lead is the slow answer

The textbook fix is a security operations lead or a GRC analyst. Loaded comp in the US runs $140K to $210K a year for a GRC lead, $160K to $230K for a security operations manager. Months one through two go to mapping the current control set, reading the last four completed questionnaires, and building a control library that ties to the SOC 2 report. Months three through six are when questionnaire turnaround moves from twelve days to seven days as the lead catches the recurring questions and drafts a library of canonical answers.

The fractional version is faster to start and stops at the same wall. Seven to twelve thousand a month buys eight to twelve hours a week of senior GRC time. The first month builds a control library and clears the queued questionnaire. Two months in, the fractional operator gets pulled into a customer's audit or a SOC 2 renewal, and the next questionnaire sits for eleven days before anybody opens it.

Both versions assume the work is a person answering a spreadsheet. The work itself is parsing every incoming questionnaire against a canonical control library within an hour of receipt, mapping every question to the SOC 2 report, the data flow diagram, the sub-processor list, and the access-review evidence. Drafting an answer with the specific evidence attached, routing the seven to twelve rows that need a human review to the right owner with the dollar impact of the deal on the line, watching the buyer's legal team for a follow-up question, and shipping the completed file inside 72 hours. On four enterprise deals a quarter that is 40 to 60 hours a month of senior security operations time, done on a calendar somebody defends.

What a fractional AI security review function does

Hand the SOC 2 report, the data flow diagram, the sub-processor list, the access-review evidence, and the last four completed questionnaires to a fractional AI agent that runs on a per-questionnaire cadence with a nightly refresh on the control library. Add the incident response runbook, the business continuity plan, and the AE inbox. The agent does the work a GRC analyst, a security operations lead, and a technical writer would do together. The cadence is per-questionnaire on drafts, weekly on control-library updates, monthly on the evidence refresh, and quarterly on the SOC 2 gap review.

Questionnaires parsed inside an hour of receipt, not forwarded at 4:47 PM. The Excel, Word, or portal questionnaire drops into a shared inbox at 9:04 AM Monday. The agent parses 214 questions into a canonical control map by 10:00 AM, ships a first-pass draft with 170 rows answered and evidence attached by 11:30 AM, and routes the remaining 44 to the four internal owners with a specific evidence request on each. The AE gets a status line on the deal by lunch.

Answers tied to live SOC 2 evidence, not seven-month-old copy. The agent reads the current SOC 2 Type II report, the access-review log, the sub-processor list, and the DPIA library and pulls the exact clause and screenshot for each answer. The access-review answer names the last review date and the tool that ran it. The sub-processor answer names the eleven live vendors and their SOC 2 status. The buyer's legal team reads a version that ties to evidence, not a version that reads good.

Recurring questions cleared against a canonical library. The same 90 to 130 questions land on every enterprise questionnaire. Encryption in transit, encryption at rest, MFA enforcement, employee background checks, incident response tabletop cadence, sub-processor list, data residency, deletion timelines. The agent maintains one canonical answer per control, versioned against the SOC 2 report, so the AE ships the same answer across four deals without four re-drafts. Same shape as the case study library on the marketing side, run on the security side.

Novel questions escalated to the right owner with the deal on the line. The 44 rows that need a human answer route to the head of infrastructure, the DPO, or the head of engineering with the question, the two closest canonical answers, a draft response, and the deal size and close date. The head of infrastructure spends four minutes confirming a draft instead of thirty minutes writing one from scratch. The escalation shape borrows from the routing pattern already running on the sales side, so the AE watches one status line, not four Slack threads.

Every questionnaire tracked against a 72-hour clock. The agent watches the questionnaire against a target ship date 72 hours from receipt. Any deal sitting past 48 hours triggers a Monday brief for the AE and the head of security with the specific rows blocking, the owner assigned, and the buyer's most recent inbound. The nine-day silent gap becomes an escalation on hour 49, not a status email on day five.

Glowing indigo control-mapping nodes flowing through translucent pipeline stages with one amber node stalled at a review gate and pink evidence threads branching to a separate audit shelf

The unit economics of a stalled security review

A Series B company at $14M ARR working four enterprise deals a quarter is burning three specific things when security review sits at nine days. The head of engineering, the head of infrastructure, and the DPO spend a combined 30 to 55 hours a month on questionnaires against a fully loaded hour of $250 to $420. That is $7,500 to $23,000 a month of senior technical time on work a canonical library covers, before the questionnaire ships. The controller sees the same dollars land as G&A leakage across four quarters.

The deal-slip line is the second one. A questionnaire that ships on day nine instead of day three costs six calendar days on the buyer's close cycle. On four deals a quarter at $180K to $420K ACV, one deal slipping a quarter costs $180K to $420K in pulled-forward revenue and pushes the next quarter's plan below the board number. Two deals slipping compounds into the following fundraise conversation.

The competitive-loss line is the third. When the buyer's legal team gets a partial answer on day five, the buyer's procurement team forwards the RFP to a second vendor. The second vendor ships in four days, your deal goes to the second round of diligence, and the incumbent wins the renewal. A security operations hire runs $150K to $210K loaded with a three-month ramp, and two of those months are the same nine-day turnaround the AE watches on the next four deals.

A 14-day sprint to stand up the agent runs in the low to mid five figures. Ongoing cost lands closer to one contractor than a GRC hire. The first questionnaire ships in week two of the sprint at 72 hours from receipt. The canonical library covers 90 to 130 recurring questions before the sprint closes.

What changes after the sprint

Picture the same Tuesday, 3:41 PM moment, thirty days after the sprint ships. The Monday questionnaire from the insurance carrier landed at 9:04 AM. The first-pass draft shipped to the AE at 11:14 AM the same day with 172 rows answered and evidence attached. The head of infrastructure confirmed 22 rows on Monday afternoon. The DPO cleared 14 rows Tuesday morning. The AE shipped the completed questionnaire to the buyer at 4:22 PM Tuesday, 55 hours from receipt.

By Thursday the buyer's legal team came back with seven follow-up questions on data residency and deletion timelines. The agent drafted the answers overnight against the DPIA and the sub-processor list. The AE shipped the follow-ups Friday morning, the buyer scheduled a legal review call for the following Wednesday, and the deal closed the Friday after at $340K ACV, inside the Q3 forecast, on the original close date. The head of engineering never opened the file.

If your security questionnaire currently lives in an Excel forward the AE sends to engineering on a Monday, the version where the first-pass draft ships in ninety minutes and the completed file goes out inside 72 hours is fourteen days away. Security review is a function. You can hire a GRC lead for it, you can retain a fractional security operator for it, or you can scope a sprint and have it running this month. The work is the same. The math is not.

// Related notes