AI-Driven Research Company Establishes Security Program Ahead of Series B
How a 75-person AI-driven research company turned security from an investor concern into a maturity signal before closing their Series B.
A 75-person computational biology company was raising a Series B. Lead investors sent over a security questionnaire. The CEO forwarded it to IT with: "Can you handle this?"
IT's answer was mostly "I don't know" and "we should probably have that."
The investors flagged security program maturity as a concern. The CEO was fielding questions in partner meetings that he couldn't answer. One investor asked about their incident response plan, they didn't have one.
We did a gap analysis against what institutional investors typically ask about. The list wasn't long, but almost nothing was documented.
They had SSO through Entra ID, but 8 apps weren't connected to it. MFA was on for some people, not others. EDR was installed on laptops but not on the AWS instances running their models. No written policies, just "we do the right thing."
We connected the remaining apps to Entra (two of them required workarounds because they didn't support SAML properly). Enforced MFA everywhere. Extended EDR to cloud instances. Wrote actual policies based on what they were already doing, not aspirational nonsense.
The investor summary was the hard part, translating technical controls into language a VC partner would understand without their eyes glazing over.
I was getting questions in partner meetings I couldn't answer. Now I can actually talk about our security posture without sounding like I'm making it up.