Security due diligence has become a standard component of Series A fundraising for B2B SaaS, fintech, healthtech, and infrastructure companies. Tier-1 VCs now routinely assign technical advisors to evaluate security posture during the diligence process. A weak security posture doesn't necessarily kill a round — but it does introduce risk pricing, requests for pre-closing remediation, or post-close conditions that create ongoing friction. Understanding exactly what investors and their technical advisors look for allows you to prepare proactively rather than scramble when the diligence questionnaire arrives.
TL;DR: The eight areas that matter most in Series A security diligence are: documentation/policy, access controls, penetration testing evidence, compliance status, vulnerability management, vendor risk, incident history, and security ownership. For each: what investors ask, what good looks like, and what raises red flags.
1. Documentation and Policy
The first thing a technical advisor reviews is whether your security program is intentional and documented — or ad hoc and undocumented. Required documentation at Series A:
- Information security policy. A written policy documenting your security principles, responsibilities, and program scope. This does not need to be 50 pages — a well-written 5-page policy demonstrates intent.
- Incident response plan. A documented process for detecting, responding to, and recovering from security incidents. Investors want to know there is a plan before there is an incident.
- Data classification policy. What data do you hold? How is it classified (public/internal/confidential/restricted)? Who can access each classification?
- SDLC security requirements. Is security part of your development process? Do engineers follow secure coding guidelines? Is there code review? Dependency scanning?
What raises red flags: no written security policy at all; an incident response plan that references tools or people no longer at the company; a data classification policy that classifies everything as "internal" with no differentiation.
2. Access Controls
Access control hygiene is one of the most operationally visible signals of security maturity. Investors' technical advisors check:
- MFA adoption rate and enforcement. Is MFA required for all employees, or just recommended? What percentage are enrolled? Is there a policy for contractors and vendors?
- SSO implementation. Are business applications managed through a central SSO provider (Okta, Google Workspace, Azure AD)? SSO means access can be revoked from a single point when employees leave.
- Offboarding procedure. Is there a documented, consistent process for revoking all access when an employee or contractor leaves? Evidence of recently offboarded employees with active accounts is a major red flag.
- Privileged access management. Who has production environment access? Is it logged and audited? Is there separation between development and production access?
What good looks like: 100% MFA enrollment enforced (not just recommended), SSO for all business applications, automated offboarding checklist with documented completion evidence, production access limited to named individuals with documented justification.
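The access control audit described above (MFA enrollment rate, active accounts without MFA, and accounts still active after offboarding) is easy to run from an identity-provider user export joined against the HR roster. The following is an added example, not code from the original article or from Lorikeet Security; the user records, roster and `AS_OF` date are constructed sample data, and the field names are assumptions standing in for whatever your SSO provider's export actually contains.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data standing in for an identity-provider user export
# and an HR roster. Names, addresses and dates are invented for illustration.

@dataclass(frozen=True)
class IdpUser:
    email: str
    active: bool          # account enabled in the identity provider
    mfa_enrolled: bool    # at least one second factor registered
    user_type: str        # "employee", "contractor" or "service"

@dataclass(frozen=True)
class HrRecord:
    email: str
    termination_date: Optional[date]  # None while still employed or engaged

IDP_EXPORT = [
    IdpUser("ana@example.com", True, True, "employee"),
    IdpUser("ben@example.com", True, False, "employee"),        # no MFA
    IdpUser("cy@example.com", True, True, "contractor"),
    IdpUser("dee@example.com", True, True, "employee"),         # left, still active
    IdpUser("eli@example.com", False, False, "employee"),       # properly deactivated
    IdpUser("svc-legacy@example.com", True, False, "service"),  # not in HR at all
]

HR_ROSTER = [
    HrRecord("ana@example.com", None),
    HrRecord("ben@example.com", None),
    HrRecord("cy@example.com", None),
    HrRecord("dee@example.com", date(2024, 5, 31)),
    HrRecord("eli@example.com", date(2024, 3, 15)),
]

AS_OF = date(2024, 6, 30)  # constructed audit date


def mfa_enrollment_rate(users):
    """Share of *active* accounts with MFA enrolled, as a float in [0, 1].
    Deactivated accounts are excluded so they neither inflate nor dilute the rate."""
    active = [u for u in users if u.active]
    if not active:
        return 0.0
    return sum(1 for u in active if u.mfa_enrolled) / len(active)


def active_without_mfa(users):
    """Active accounts that fail an 'MFA required for everyone' policy."""
    return sorted(u.email for u in users if u.active and not u.mfa_enrolled)


def offboarded_but_active(users, roster, as_of):
    """Accounts still enabled in the IdP although HR records a termination
    date on or before as_of: the offboarding red flag the text describes."""
    terminated = {
        r.email for r in roster
        if r.termination_date is not None and r.termination_date <= as_of
    }
    return sorted(u.email for u in users if u.active and u.email in terminated)


def not_in_hr(users, roster):
    """Active IdP accounts with no HR record (orphaned or unowned identities)."""
    known = {r.email for r in roster}
    return sorted(u.email for u in users if u.active and u.email not in known)


def audit_report(users=IDP_EXPORT, roster=HR_ROSTER, as_of=AS_OF):
    """Collect the four checks into one dict suitable for a diligence evidence pack."""
    return {
        "as_of": as_of.isoformat(),
        "mfa_enrollment_rate": mfa_enrollment_rate(users),
        "active_without_mfa": active_without_mfa(users),
        "offboarded_but_active": offboarded_but_active(users, roster, as_of),
        "not_in_hr": not_in_hr(users, roster),
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

On the sample data the report shows 60% MFA enrollment, two active accounts without MFA, one account (`dee@`) still enabled a month after its termination date, and one service identity with no HR owner. Each of those is exactly the kind of gap a technical advisor will ask about, and the script gives you a dated artifact showing you found and closed it before they did.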
3. Penetration Testing
This is the single most discussed security item in Series A diligence and the one where the quality of evidence varies most dramatically between companies. What investors want to see:
- A pentest was done — and recently. Within the past 12-18 months, against production or production-equivalent systems. A pentest from 2022 on a system that has since been replaced is not useful evidence.
- The scope was meaningful. The test covered the application your enterprise customers use, the API, authentication mechanisms, and admin interfaces — not just an external IP range scan.
- Real findings were identified. A report with only informational and low findings from a comprehensive scope is suspicious. Investors' technical advisors know that most applications have medium or higher issues. A clean report signals either narrow scope or a firm that avoids findings to keep clients happy.
- Critical and high findings were remediated. Evidence that findings were tracked, fixed, and (ideally) retested. This signals a functional security process, not just a compliance event.
What moves the deal forward: "We ran a comprehensive pentest in Q3, found three high and two medium findings, remediated all of them within 60 days, and have a scheduled annual test for next quarter." This narrative signals maturity, accountability, and a functioning security program.
4. Compliance Status
Compliance certification is not required at Series A — investors understand the timeline — but it signals direction and seriousness:
- SOC 2 Type 2 (ideal). Clean report signals a mature, audited security program. Even with exceptions, a SOC 2 Type 2 shows you've been through a formal audit cycle.
- SOC 2 Type 1 or In-Progress (good). Shows commitment and a timeline. Credible if you can describe the gap between your current state and completion.
- No compliance but credible roadmap (acceptable). "We're targeting SOC 2 Type 2 by Q4, have engaged an audit firm, and are using this funding round to accelerate the controls work" is a credible answer at Series A for a company that has been focused on product-market fit.
5. Vulnerability Management
How you handle known vulnerabilities between pentests signals operational security maturity:
- Dependency scanning. Are you running automated dependency vulnerability scanning (Dependabot, Snyk, or equivalent) in CI/CD? What is the process when critical CVEs are flagged?
- Patch SLAs. Is there a written policy for how quickly critical/high/medium findings must be patched? Is there evidence of compliance with that SLA?
- Infrastructure patching. How quickly are critical OS and infrastructure CVEs patched? Is there a documented process?
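Evidence of compliance with a patch SLA is easiest to produce from the findings tracker itself: each finding has a severity, a date found and (if closed) a date fixed, and the SLA policy maps severity to a maximum number of days. The following is an added example, not code from the original article or from Lorikeet Security; the SLA thresholds, the findings and the `AS_OF` date are constructed and illustrative, not a recommended standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed SLA policy: maximum days from discovery to remediation, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    found: date
    fixed: Optional[date]  # None while the finding is still open

# Constructed sample findings (e.g. from a pentest report or dependency scanner).
FINDINGS = [
    Finding("F-1", "critical", date(2024, 4, 1), date(2024, 4, 5)),   # 4 days: met
    Finding("F-2", "high", date(2024, 4, 1), date(2024, 5, 20)),      # 49 days: breached
    Finding("F-3", "medium", date(2024, 5, 15), None),                # open 46 days: within SLA
    Finding("F-4", "critical", date(2024, 6, 10), None),              # open 20 days: overdue
    Finding("F-5", "low", date(2024, 1, 1), date(2024, 6, 1)),        # 152 days: met
]

AS_OF = date(2024, 6, 30)  # constructed reporting date


def classify(f, as_of):
    """Return (status, age_in_days) for one finding.
    Closed findings are 'met' or 'breached'; open ones are measured against
    as_of and reported as 'open_within_sla' or 'open_overdue'."""
    sla = SLA_DAYS[f.severity.lower()]
    end = f.fixed if f.fixed is not None else as_of
    age = (end - f.found).days
    if f.fixed is not None:
        return ("met" if age <= sla else "breached"), age
    return ("open_within_sla" if age <= sla else "open_overdue"), age


def sla_report(findings=FINDINGS, as_of=AS_OF):
    """Bucket finding ids by status and compute the closed-finding compliance rate,
    which is the number an advisor will ask for as SLA evidence."""
    buckets = {"met": [], "breached": [], "open_within_sla": [], "open_overdue": []}
    for f in findings:
        status, _ = classify(f, as_of)
        buckets[status].append(f.id)
    closed = len(buckets["met"]) + len(buckets["breached"])
    buckets["closed_compliance_rate"] = (
        len(buckets["met"]) / closed if closed else 1.0
    )
    buckets["as_of"] = as_of.isoformat()
    return buckets


if __name__ == "__main__":
    report = sla_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    for f in FINDINGS:
        status, age = classify(f, AS_OF)
        print(f"{f.id} [{f.severity}] {status} after {age} days")
```

Run against the tracker export on a schedule and keep the dated output: a history of "closed_compliance_rate" over time, plus the list of overdue items and what was done about them, is far stronger evidence than a policy document that states the SLA without showing it was ever measured.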
6-8. Vendor Risk, Incident History, and Security Ownership
| Area | What Investors Ask | Good Answer | Red Flag |
|---|---|---|---|
| Vendor Risk | What critical third parties have access to customer data? How are they vetted? | Vendor inventory with data classification, DPAs in place, annual questionnaire for critical vendors | No vendor inventory; DPAs not in place; "we trust all our vendors" |
| Incident History | Have you had any security incidents? How were they handled? | Transparent disclosure with timeline, root cause, and what changed as a result | Minimizing or hiding incidents; undisclosed breaches discovered by investors |
| Security Ownership | Who owns security? What is their background? Is security part of the roadmap? | Named DRI with security responsibility; post-funding plan to grow security function | "We all own security" with no named individual; no post-funding security investment plan |
Preparing for Diligence: What to Do Now
If you're planning a Series A within the next 12 months, these are the actions that will most directly improve your diligence outcome, in order of priority:
- Get a comprehensive penetration test. This is the highest-signal item. Book a test that covers your production application, API, and authentication mechanisms — not a narrow compliance-only scan.
- Enforce MFA company-wide. Run the access control audit and find the gaps. 100% MFA enrollment with SSO is achievable in weeks.
- Assign a named security DRI. Even if it's your CTO or an engineer with a security interest, having a named person responsible is far better than "the whole team."
- Write a two-page incident response plan. It doesn't need to be complex. It needs to exist and be current.
- Start the SOC 2 process. Even if you won't have Type 2 before the round closes, being able to say "we've engaged [firm] and have a target date of [Q]" demonstrates intent.
Lorikeet Security works with pre-Series A companies on exactly this preparation — providing the penetration test evidence, access control review, and security posture documentation that investors' technical advisors ask for.
Preparing for Series A security diligence?
Lorikeet Security helps growth-stage companies build the security posture and evidence packages that investors want to see — starting with a comprehensive penetration test and working through the full diligence checklist.