Vendor security questionnaire

Pass the vendor questionnaire with evidence, not assertion.

CREST-accredited researchers run targeted pentest plus security-questionnaire response support: SIG, CAIQ, VSA, custom enterprise questionnaires. Independent pentest evidence backs the answers your enterprise buyer's InfoSec team will verify.

GET YOUR SCOPING CALL

Talk to a security expert

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Vendor security questionnaires are won on evidence, lost on assertion.

  • Self-attested answers to SIG / CAIQ / VSA / enterprise questionnaires get bounced when the buyer's InfoSec asks for evidence.

  • Without pentest evidence backing answers on access control, vulnerability management, incident response, and data protection, the deal cycle stalls.

  • Enterprise InfoSec reviewers want CREST + reproducer + re-test status, not a tickbox grid.

Here is what we ship.

Why teams pick us

Independent evidence, not self-attestation.

  • Pentest evidence per question

    Findings tagged to questionnaire questions: access control, vulnerability management, incident response, data protection.

  • SIG / CAIQ / VSA mapped

    Standard questionnaire formats covered. Custom enterprise questionnaire mapping available.

  • Re-test verified answers

    Once fixed, re-test confirms the answer the buyer's InfoSec will verify.

How it works

From questionnaire receipt to verified answers in two to three weeks.

  1. Scope on the call

    Questionnaire format, buyer's InfoSec scope, and timeline confirmed on the call.

  2. Researchers test for the questions

    Findings tagged to questionnaire questions so each answer has independent pentest evidence.

  3. Verified questionnaire response

    Answers backed by pentest evidence, re-test status, and the CREST attestation the buyer's InfoSec accepts.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.

Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Which questionnaires?

SIG, SIG Lite, CAIQ, VSA, custom enterprise security questionnaires. Healthcare and finance variants covered.

Will the buyer's InfoSec accept the evidence?

Yes. CREST + reproducer + re-test status is the standard enterprise security-review artefact.

Self-attestation OK?

Self-attestation rarely survives enterprise InfoSec. Independent pentest evidence is what closes the questionnaire.

Fixed-price?

Yes. Fixed-price, fixed-scope, scope confirmed on the first call.

Re-test included?

Yes. Criticals re-tested so the answer to the buyer's InfoSec is verifiable.

Ready to answer the vendor questionnaire with evidence?

20-minute scoping call with the lead pentester. Pentest plus questionnaire-mapping in one engagement.

CREST · CERT-In · SOC 2 · ISO 27001