From GTM Skills
Guides through security assessment workflows for B2B SaaS: penetration testing, vulnerability scanning, bug bounty programs, security questionnaires (VSAQ/SIG/CAIQ), incident response planning, and enterprise vendor risk reviews.
How this skill is triggered — by the user, by Claude, or both
Slash command
/gtm-skills:security-assessmentsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Every enterprise customer will ask: "Are you secure? Prove it." Your answer
Every enterprise customer will ask: "Are you secure? Prove it." Your answer cannot be "trust us." It must be: penetration test reports, security questionnaires, incident response plans, and compliance certifications. The mistake: waiting for the first enterprise deal to start thinking about security. By then, it's too late — the security review takes 4-8 weeks and the deal stalls. This skill covers the complete security assessment playbook: penetration testing, vulnerability management, bug bounties, security questionnaires, and incident response.
Trigger phrases: "security assessment", "penetration test for SaaS", "bug bounty program", "security questionnaire", "VSAQ response", "enterprise security review", "incident response plan", "vulnerability scanning", "vendor security assessment", "pass security review"
What it is: Third-party security experts attempt to hack your application and report vulnerabilities. Not the same as a vulnerability scan. Pen testers think like attackers, chain multiple vulnerabilities, and demonstrate business impact.
When to get one:
Types of pen tests:
| Type | What's Tested | When | Cost |
|---|---|---|---|
| Web Application | Your SaaS app — injection, auth, XSS, CSRF, logic flaws | Always — this is the minimum | $5-15K |
| API | REST/GraphQL APIs — auth, rate limiting, data exposure | If you have APIs (you do) | $3-10K |
| Infrastructure | Cloud config, network security, server hardening | Annually | $5-15K |
| Mobile | iOS/Android apps | If you have mobile apps | $5-10K |
| Social Engineering | Phishing, pretexting against your team | Annually | $3-8K |
How to hire a pen test firm:
What to expect in a pen test report:
What to do with findings:
Continuous scanning (not one-time). Unlike pen tests, vulnerability scans are automated and run regularly.
Tools:
Cadence:
Bug bounties are NOT a replacement for pen testing. They're a supplement. Pen tests are thorough, methodical, and time-boxed. Bug bounties are crowdsourced, ongoing, and unpredictable.
When to start a bug bounty:
Platforms:
Public vs Private:
Bounty ranges (guidelines):
The enterprise gauntlet. Every enterprise customer will send you a security questionnaire — usually a 200-400 question spreadsheet. Your job is to answer it truthfully and route it through your team efficiently.
Common questionnaire formats:
Strategy:
Tools for security reviews:
Every SaaS company needs one. If you don't have an incident response plan when a breach happens, you're making it up in real-time while regulators, customers, and lawyers demand answers.
Incident Response Plan template:
INCIDENT RESPONSE PLAN — [Company]
INCIDENT CLASSIFICATION:
- Sev 1 (Critical): Data breach, system compromise, active attack
- Sev 2 (High): Vulnerability with known exploit, suspicious activity
- Sev 3 (Medium): Policy violation, minor security concern
- Sev 4 (Low): Informational event, false positive
RESPONSE TEAM:
- Incident Commander: [name] — coordinates response
- Technical Lead: [name] — investigates and remediates
- Communications Lead: [name] — internal + external comms
- Legal: [name] — regulatory obligations
- Executive Sponsor: [CEO/CTO]
SEV 1 RESPONSE PLAYBOOK:
T+0-15 min: Detect. Acknowledge alert. Declare incident.
T+15-30 min: Incident Commander assembles response team.
T+30-60 min: Technical Lead begins investigation. Isolate affected systems.
T+1-2 hrs: Determine scope. What data/systems affected? Is attack ongoing?
T+2-4 hrs: Contain. Block attacker access. Preserve evidence.
T+4-24 hrs: Eradicate. Remove attacker presence. Patch vulnerability.
T+24-72 hrs: Recover. Restore systems. Monitor for re-entry.
T+72 hrs: Post-mortem. What happened? What failed? What changes prevent recurrence?
NOTIFICATION OBLIGATIONS:
- GDPR: Supervisory authority within 72 hours
- Customers: "Without undue delay" if high risk
- Cyber insurance: As soon as practical (they provide legal + forensic support)
- Law enforcement: If criminal activity (FBI, local police)
COMMUNICATION TEMPLATES:
- Customer notification: [template — what happened, what data, what we're doing,
what they should do, contact for questions]
- Internal notification: [template — incident declared, response team activated,
updates on [Slack channel / email thread], do not discuss externally]
What it is: A public page documenting your security posture for customers and prospects. Shows you take security seriously without requiring an NDA.
What to include:
Tools for trust centers: SafeBase, Conveyor, or custom page.
SECURITY PROGRAM — [Company]
PENETRATION TESTING:
- Last test: [date / pending]
- Provider: [firm]
- Next test: [date — annually]
- Findings: [X Critical, Y High, Z Medium, N Low]
- Remediation status: [X% fixed]
VULNERABILITY MANAGEMENT:
- SAST: [tool, cadence]
- DAST: [tool, cadence]
- Dependency: [tool, cadence]
SECURITY QUESTIONNAIRES:
- Knowledge base: [doc link]
- Response tool: [SafeBase / SecurityPal / manual]
- Average response time: [X days]
INCIDENT RESPONSE:
- Plan: [documented / needed]
- Team: [assigned / needed]
- Last tested: [date of last tabletop exercise]
TRUST CENTER: [URL / planned]
Before delivering, verify:
No pen test before enterprise deal. Customer asks for pen test report. You don't have one. Deal stalls for 4-6 weeks while you schedule and complete one. Fix: Pen test annually starting from your first mid-market deal.
Pen test findings not fixed. You have the report. You never fixed the findings. Next year's pen test finds the same issues. Customer's security team asks why. Fix: Track findings. Fix them. Get retest confirmation.
Answering security questionnaires without engineering. "Yes, we encrypt all data at rest" — but your engineering team knows you don't. You just committed to something in a contract. Fix: Route technical questions to the people who know the answers.
No incident response plan. Breach happens. Chaos. Everyone's emailing each other. Legal isn't looped in. Customer notification is delayed. Regulatory deadline missed. Fix: Document the plan. Assign the team. Test it with a tabletop exercise.
Relying on bug bounties instead of pen tests. Bug bounties catch the obvious stuff and miss the chained vulnerabilities that a methodical pen tester finds. Fix: Pen test annually. Bug bounty as supplement.
This skill provides general informational guidance based on publicly available frameworks and operator experience. It is NOT legal advice, accounting advice, tax advice, financial advice, insurance advice, or professional services advice.
Consult qualified professionals for your specific situation — attorneys for legal/equity matters, CPAs for tax and accounting, licensed brokers for insurance, and certified security assessors for compliance. This skill does not create a professional-client relationship. Use it as a starting point for research and preparation.
references/framework-notes.md — Named frameworks and reference tablestemplates/output-template.md — Deliverable shell for agent outputscripts/check-output.py — Lightweight deliverable validatorsoc2-compliance — SOC2 Type II certificationdata-privacy-compliance — GDPR, CCPA, privacy programslegal-for-founders — Legal foundationsvendor-contracts — DPAs, vendor security agreementsbusiness-insurance — Cyber insurance (requires security program)npx claudepluginhub leadmagic/gtm-skills --plugin gtm-skillsGuides security professionals in implementing defense-in-depth architectures, achieving compliance (SOC2, ISO27001, GDPR, HIPAA), threat modeling, risk assessment, incident response, and embedding security throughout the SDLC.
Conducts vendor security assessments evaluating posture, risks, and generating reports with recommendations. Supports onboarding, periodic reviews, incident response, and due diligence.
Routes security requests to specialists for secure coding, auditing, compliance, or penetration testing. Covers OWASP, SOC2, GDPR, authentication, encryption, and vulnerability management.