The starting point
A Series B fintech with 80 engineers, 40 enterprise prospects, and a security team of one. Their largest open deal, a Brazilian retail bank, was waiting on SOC 2 to sign. The internal estimate to ship SOC 2: six months. The deal had a sixty-day window.
What we did
Week one: a dedicated Slack channel went live with two Trust Architects and one AI GRC engineer. Vanta tenant configured by Friday. Baseline integrations to AWS, Okta, GitHub, and Notion connected within 48 hours.
Weeks two and three: AI-drafted policies tailored to their stack, 22 documents reviewed and signed off. Risk register populated from real systems. Vendor inventory imported from procurement records. Mock audit run by week four.
Week five: external SOC 2 Type I audit kicked off with a Big 4 firm. Closed clean by day 21 of the audit period. Customer's signature on the enterprise contract: three weeks ahead of the original deadline.
The next 60 days
With the SOC 2 letter in hand, we ran ISO 27001 readiness in parallel. Stage-1 audit completed on day 75. Stage-2 followed at day 90. Both audits drew from the same evidence pipeline, with no rework.
"They run our security program like an engineering team. Daily Slack, weekly review, quarterly board prep. We touch it for sign-off."
Outcomes
- SOC 2 Type I in 21 days, Type II window opened.
- ISO 27001 stage-2 closed in 90 days.
- Enterprise deal closed three weeks ahead of plan.
- Series C data-room ready with a customer-facing Trust Center.