The Revenue Architect

The Revenue Architect

How to close enterprise deals while your SOC 2 is still in progress

Keep it boring and procedural

Arnie Gullov-Singh's avatar
Arnie Gullov-Singh
Mar 05, 2026
∙ Paid

Early-stage founders are often taken by surprise when a prospective enterprise customer asks for their SOC 2 report, having assumed it wasn’t required this early and underestimated how long it takes to complete.

While this can seem like an immediate deal-killer the reality is you can still close the deal while your SOC 2 is still in progress. What actually wins enterprise deals is confidence, documentation, transparency, a predictable roadmap and no surprises. Basically make it boring and procedural.

Here’s how:

  • Control the narrative early

  • Build a SOC 2-in-progress security packet

  • Anchor on risk, not on checking the box

  • Offer compensating controls

  • Use social proof and exec pressure strategically

  • Separate security review from legal review

Control the narrative early (pre-questionnaire)

Don’t wait for procurement to escalate your lack of SOC 2 Type II. As soon as the deal starts moving, bring it up proactively:

“We’re currently in the final stages of SOC 2 Type I, with Type II following. I’m happy to share our control matrix, policies, and timeline.”

This signals maturity, prevents surprise objections and keeps you in control.

Build a SOC 2-in-progress security packet

Buyers mainly want proof you know your risk surface. Create a reusable folder that includes your:

  • SOC 2 timeline: date the auditor was engaged, audit period dates, expected issuance date and Type I vs Type II clarity

  • Control matrix: covering security, availability, processing integrity, confidentiality and privacy.

  • Core policies: for access control, incident response, data retention, secure SDLC and vendor management.

  • Subprocessor list: include vendors like AWS, Stripe, Open AI

  • Pen test executive summary

Anchor on risk, not on checking the box

Security teams ultimately care about risk transfer. Your controls matter more than the Type II certificate itself.

Frame your response as:

This post is for paid subscribers

Already a paid subscriber? Sign in
© 2026 Arnie Gullov-Singh · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture