Ideal customer profile

Who to send. Who to skip.

The self-service flow only converts when the right organization arrives at the right moment. Each ICP below has a full deep-dive: market context, firmographics, personas, trigger events, messaging, objection handling, copy/paste AI prompts, and curated external references.

See the self-service journeys these ICPs walk through (PDF) →

CMMC L1

Sub-tier DIB suppliers handling FCI only

Small DoD subcontractors who need a self-attested SPRS score, fast.

Top trigger: Prime contractor sends a flow-down letter or DFARS 252.204-7021 clause appears in a new subcontract
Tested angle: "Get to an SPRS-ready Level 1 score in a single working day, not a quarter."

Open deep dive

CMMC L2

Mid-market DIB suppliers handling CUI

Mid-size defense suppliers who have to face a C3PAO and need an honest baseline first.

Top trigger: DFARS 252.204-7021 inserted into a new contract or modification
Tested angle: "Know your real 110-control posture before a C3PAO walks in the door."

Open deep dive

SOC 2

Series A–C B2B SaaS selling into mid-market and enterprise

Growth-stage SaaS teams losing deals at security review who need their first SOC 2.

Top trigger: Job posting for first 'Head of Security,' 'GRC Manager,' or 'Security Engineer'
Tested angle: "Stop losing deals at security review."

Open deep dive

HIPAA

Digital health, RCM, health-tech & HIPAA business associates

Health-tech vendors who handle PHI and need to walk into a BAA conversation with documented readiness.

Top trigger: New BAA request from a hospital, payer, or large BA
Tested angle: "Walk into your next BAA conversation with documented readiness."

Open deep dive

Shared playbook

Trigger-event detection sources.

Free, public, and fast. Bookmark these and you'll catch buying windows before anyone else in the conversation.

SAM.gov — federal contract opportunities →USAspending.gov — every federal award →HHS OCR Breach Portal — HIPAA breaches ≥500 →Cyber AB Marketplace — C3PAOs, RPOs →Federal Register — track new rules →LinkedIn Sales Navigator — job-change alerts →Crunchbase — funding signals →Google Alerts — keyword triggers →

How to get the most out of the AI prompts

Always replace every {{placeholder}} before running. Half-filled prompts produce generic output.
Pair research prompts with browsing. Use ChatGPT-4o with browsing, Claude with web tools, Gemini 2.5 Pro, or Perplexity for anything that needs current public data.
Cite, don't trust. Verify every contract amount, regulation cite, and exec name before putting it in an email.
Personalize after generation. Treat AI output as a 70% draft. The last 30% is what earns the reply.
Save your best variants. Once a prompt produces a great pattern for your voice, save it as your reusable template.

Do NOT pursue

These targets won't convert through self-service and will cost you cycles without payouts.

×Fortune 500 enterprises with existing GRC teams and tooling
×Federal agencies (we sell to their suppliers, not them)
×Orgs not currently in a compliance buying window
×Consultancies looking to white-label our assessment

Read partner requirements →