Series A–C B2B SaaS selling into mid-market and enterprise
Growth-stage SaaS teams losing deals at security review who need their first SOC 2.
"Map your current state to the AICPA Trust Services Criteria in an afternoon — before the audit firm clock starts."
Tens of thousands of B2B SaaS companies, with new entrants hitting the SOC 2 wall every quarter as they move upmarket.
SOC 2 is a private-sector attestation governed by the AICPA, performed under SSAE 18 (now SSAE 21 for direct exam engagements), and built on the Trust Services Criteria (TSC) — 2017 version with the 2022 Points of Focus refresh. Reports come in two flavors: Type I (design of controls at a point in time) and Type II (operating effectiveness over a 3–12 month observation window).
Because SOC 2 is voluntary, the buyer-side pressure is what creates the market: enterprise procurement, security questionnaires, and InfoSec reviews now make a SOC 2 Type II effectively mandatory for any B2B SaaS selling into regulated or mid-market buyers. Vendor-risk platforms (Whistic, OneTrust, UpGuard) have made it easy for buyers to ask, and impossible to fake the answer.
The compliance automation category — Drata, Vanta, Secureframe, Sprinto, Thoropass — has trained the market to expect a tool-led path. But those platforms optimize for evidence collection during the audit window; they assume you already know your gap. The pre-readiness step (which of the 5 TSC categories apply, which controls are realistically in scope, where the biggest gaps are) is still where most teams burn 6–10 weeks.
Audits typically cost $15k–$50k for Type I and $25k–$100k+ for Type II. A messy readiness step extends both. Founders are looking for an honest, fast diagnostic that doesn't require committing to a 12-month platform contract before they even know what they're committing to.
How to filter your list.
- Employee count: 20–500 (sweet spot 40–200)
- Funding stage: Seed-extended through Series C; pre-IPO outliers
- Revenue: $1M–$50M ARR
- Tech stack signals: AWS/GCP/Azure, GitHub, Okta/Auth0, Datadog, Snowflake/RDS
- Buyer profile: Sells to mid-market/enterprise — financial services, healthcare, govtech, retail
- Geography: Primarily US, also UK/EU SaaS selling into US enterprises
- Industry: B2B SaaS, fintech, healthtech, devtools, AI infra, vertical SaaS
Who's actually in the room.
CTO / Co-founder
- Owns: Engineering org, security posture, and ultimately the audit relationship.
- Fears: Engineering velocity tax. A failed audit blowing the next enterprise deal.
- Measured on: Audit pass; engineering NPS; runway extended via larger deals.
- Where to find them: Hacker News, Lenny's, technical founder Slacks, Latent Space, devtool conferences.
Head of Security / first security hire
- Owns: GRC program, vendor reviews, security questionnaires, the SOC 2 project.
- Fears: Being the bottleneck. Being asked for evidence they don't have. CEO blaming them for a lost deal.
- Measured on: Time to clean security review; reduced engineering toil; closed audit findings.
- Where to find them: Latio, Clint Gibler's tl;dr sec, SecOps Slack groups, BSides, Vanta/Drata user communities.
Head of Sales / RevOps
- Owns: Closing deals that stall at security. Tracks lost-to-security.
- Fears: Q-end slipping because a security review is open. Losing a logo to a competitor with a Type II.
- Measured on: Win rate at enterprise stage; security-review cycle time; ACV.
- Where to find them: Pavilion, RevGenius, sales leadership Slacks.
When the buying window opens.
For each trigger, here's how to detect it for free. Set Google Alerts, RSS, or LinkedIn Sales Navigator job-change alerts and you'll see them before competitors do.
What they're losing sleep over.
- Lost a 6-figure deal because security review stalled
- RFP requires SOC 2 Type II and the prospect just asked
- Founder/CTO is the de facto security owner and is drowning
- Drata/Vanta trial is open but no one has time to actually drive it
- They have GitHub, AWS, Okta, Datadog — and no idea which controls map where
- Engineering doesn't want to add 'compliance toil' to sprint planning
- Auditor was hired but the team hasn't done the readiness step
- Annual renewal: their last Type II had findings and they want a cleaner story
What converts.
"Stop losing deals at security review."
Map your current AWS + GitHub + Okta + Datadog posture to the Trust Services Criteria in one afternoon — get a ranked gap list before the auditor's clock starts.
"Know what you're buying before you sign a 12-month Vanta/Drata contract."
Run the readiness diagnostic first; bring the gap report to a platform demo and negotiate from knowledge, not panic.
"An honest readiness check that doesn't pretend to be an audit."
Mapped to AICPA TSC 2017 + 2022 Points of Focus; pinpoints the 8–15 controls that actually fail at first audits.
What you'll hear, and what to say.
"We already pay for Vanta / Drata / Secureframe."
→ Those platforms are excellent at evidence collection during the audit window. The readiness step — scope, applicable TSC categories, realistic gap ranking — is where teams still burn 6–10 weeks. Use the platform after you know what you're walking into.
"Our auditor will tell us the gaps."
→ Audit findings are billed at audit-firm rates and bracketed by the audit window. Pre-audit readiness compresses the window AND keeps remediation off the official report.
"We're too early — we'll do this next year."
→ Next year usually means after losing a deal that would have funded next year. If you're being asked for a SOC 2 in security reviews today, that's the signal.
"Type I or Type II?"
→ Type I in 4–8 weeks proves design and unlocks most enterprise pilots. Type II requires a 3–12 month observation window and is what large enterprise procurement insists on. Most teams ship Type I first, then start the Type II window the day it lands.
"Our infra is too unique for a templated assessment."
→ TSC is principle-based, not technology-prescriptive. The point is mapping your actual environment to criteria — modern infra (containers, ephemeral compute, IaC) maps cleanly when you start from the criteria, not from a checklist.
Copy. Paste. Replace the placeholders.
Six prompts tuned for this ICP. Replace {{placeholders}} with your real inputs. Each prompt names the AI engines it works best with.
Research {{company}} and produce a SOC 2 readiness brief.
Inputs:
- Website: {{website}}
- Recent funding (if known): {{funding}}
- Target buyer segment (if known): {{buyer_segment}}
Find and synthesize from public sources:
1. Stage signals
- Funding rounds, headcount range, hiring pace (LinkedIn).
- Customer segments named on their site — call out any regulated buyers (banks, payers, federal, education).
2. Existing trust posture
- Is there a /trust, /security, or /legal page? Does it mention SOC 2, ISO 27001, HIPAA, PCI?
- Public penetration test summaries or bug-bounty programs.
3. Tech stack inference
- Cloud (AWS, GCP, Azure) — guess from job postings.
- Identity (Okta, Auth0, Workforce, custom).
- Source control & CI (GitHub, GitLab, CircleCI, Buildkite).
- Observability (Datadog, Honeycomb, New Relic, Grafana).
- Data stores (Snowflake, BigQuery, RDS, Mongo, ClickHouse).
4. Security org
- Is there a Head of Security yet? VP Security? GRC manager? CISO?
- Recent hires in security or compliance roles in the last 6 months.
5. Trigger surface
- Recent enterprise customer wins (case studies, logos page).
- Job postings mentioning "SOC 2," "compliance," "security questionnaires."
- Public mentions of lost deals or RFP pain.
6. Outreach hook
- One sentence connecting a specific trigger to the Opsfolio SOC 2 readiness assessment.
Return as markdown. Cite every external claim with the source URL.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
Build a list of 25 B2B SaaS companies that are likely 90–180 days from needing a SOC 2 Type II.
Filters:
- HQ: US (or UK selling US)
- Funding: Series A or B in the last 18 months
- Headcount: 25–250
- Sells to mid-market or enterprise (signal: case studies featuring buyers ≥1,000 employees, or buyers in fintech / healthtech / govtech)
- NO existing SOC 2 Type II on their /trust or /security page
- AT LEAST one of:
- Posted a "Head of Security," "GRC," or "Security Engineer" role in last 90 days
- Hired a VP Sales targeting enterprise in last 90 days
- Public mention of moving upmarket
Return as a table:
| Company | Funding stage | Last raise | Headcount | Sells to | Existing SOC 2? | Recent security hire? | CTO / Founder LinkedIn | Best opening hook |
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
Write a 3-touch outbound sequence to {{first_name}} ({{title}} at {{company}}).
Context:
- {{company}} is a {{stage}} B2B SaaS selling into {{buyer_segment}}.
- Trigger: {{trigger_event}} (e.g. "just raised a $20M Series B," "posted a Head of Security role last week," "case study with [enterprise customer] dropped Monday").
- They likely do NOT have a current SOC 2 Type II.
- Sender: {{partner_name}}, {{partner_company}}.
Constraints:
- Touch 1: ≤100 words. Lead with the trigger. Bridge to "the deal where security review eats six weeks." Soft CTA = quick reply.
- Touch 2 (day 4): ≤70 words. Reference a specific failure pattern (e.g. CC6.1 logical access for first-time audits).
- Touch 3 (day 9): ≤40 words. Break-up.
- No "I hope this finds you well." No "circling back."
- CTA: {{affiliate_link}} for a self-service readiness check.
Return three labeled blocks: SUBJECT + BODY each.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
Draft a LinkedIn outbound cadence to {{first_name}} ({{title}} at {{company}}).
1. Connection note (≤300 chars). Reference a specific public artifact: a post they wrote, a podcast they were on, a hire they made, or a customer they landed. Zero pitch.
2. Day-2 DM (≤500 chars): one specific observation about their security posture or their buyer base + a single open question.
3. Day-6 DM (≤300 chars): share {{affiliate_link}} framed as "a 1-hour TSC mapping, not a sales call."
4. Day-13 DM (≤200 chars): polite break-up, leave the door open.
Voice: peer founder / security leader. Reference TSC categories (Security/CC, Availability/A, Confidentiality/C, Processing Integrity/PI, Privacy/P) where natural. No buzzwords.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
Build a 20-minute discovery call script for {{first_name}} ({{title}} at {{company}}).
Sections:
1. Open (90 sec): confirm time, restate hypothesis ("you're being asked for SOC 2 in security reviews and the existing tooling assumes you know your gap"), ask permission for 6 questions.
2. Six qualifying questions:
- How many open security questionnaires are sitting in your sales pipeline right now?
- What's the largest deal currently blocked by 'we need a SOC 2'?
- Type I, Type II, or both — what's the buyer-side request?
- Have you scoped which TSC categories apply yet, or is it still 'all of them'?
- Are you running Vanta / Drata / Secureframe today, or evaluating?
- Do you have an audit firm selected, and is there an observation window committed?
3. Bridge (2 min): map their answers to the self-service readiness assessment.
4. Close: book a working session OR send the {{affiliate_link}}.
Include branching: if they already have a Type II in progress with <2 months to report date, downgrade to "renewal prep" framing.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
You are a former SOC 2 audit partner responding to {{first_name}} ({{title}} at {{company}}).
They said:
"{{objection}}"
Reply in 3–5 sentences. Rules:
- Mirror their language first.
- Cite AICPA Trust Services Criteria categories (CC, A, C, PI, P) or specific criteria (e.g. CC6.1, CC7.2) when relevant.
- Reference SSAE 18 / SSAE 21 only when accurate.
- End with a forward-moving question, not a pitch.
- Never sound defensive. Never say "actually."
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.
Go deeper.
Authoritative public sources. Bookmark these — they're the source of truth your prospects' own teams are reading.
AICPA Trust Services Criteria (2017, 2022 Points of Focus)
The criteria SOC 2 reports are written against. The actual source of truth.
AICPA SOC 2 Description Criteria (DC-200)
The framework for the management description in a SOC 2 report.
AICPA SSAE 18 / SSAE 21 attestation standards
The professional standards your auditor operates under.
BARR Advisory — SOC 2 blog
Practical, plain-English coverage of SOC 2 from a working audit firm.
Schellman — Compliance insights
Top-5 SOC 2 audit firm. Their blog explains how auditors actually think.
Latio — Security platform analysis
James Berthoty's coverage of GRC / SOC 2 tooling. Helps you speak the buyer's language.
tl;dr sec — Clint Gibler
Weekly security newsletter heavily read by Heads of Security at SaaS startups.
ISACA — IS Audit & Assurance
Background on the auditing standards SOC 2 inherits.
Vanta / Drata / Secureframe public help docs
Know what your prospect's tooling can and can't do during readiness.
When NOT to pursue
These prospects won't convert through the self-service flow.
- Already has a clean SOC 2 Type II report less than 12 months old
- Pure B2C with no enterprise pipeline
- Pre-revenue with no security questionnaires yet
- Already 80%+ of the way through an existing audit engagement