This questionnaire is intended for founders and management teams of Series A and Series B companies to complete and deliver to venture deal teams as they perform their due diligence. It is designed to capture the full cybersecurity picture, including core security controls and newer risks tied to AI-assisted development, autonomous agents, SaaS identity, and AI-driven software supply chain threats.
1. Company, product, and data overview
1. Briefly describe the company’s main product(s), delivery model, and customer segments.
2. What categories of data does the company collect, process, store, or generate, including customer data, employee data, operational logs, source code, model inputs, and model outputs?
3. In which geographies are the company’s customers or users located?
4. Which regulations, contractual requirements, or industry rules are relevant to the business, such as GDPR, CCPA, HIPAA, PCI DSS, or sector-specific requirements?
5. What security and privacy commitments does the company commonly make in customer agreements?
2. Security ownership, governance, and training
6. Who is primarily responsible for cybersecurity and privacy, and what is that person’s role?
7. How often do leadership and the board review cybersecurity or privacy matters?
8. What written policies exist today for access control, acceptable use, incident response, vendor management, data handling, and privacy?
9. Does the company maintain a written policy or guidance for employee use of AI tools and LLMs? If yes, please describe or attach it.
10. What security awareness training do employees receive at onboarding and on an ongoing basis?
3. Identity, access, and devices
11. What systems are used for corporate identity, email, SSO, and device management?
12. For which systems is MFA required today, including email, cloud consoles, code repositories, CI/CD, SaaS platforms, and administrative tools?
13. Does the company use phishing-resistant authentication such as passkeys, hardware keys, or FIDO2-based methods for privileged users where supported? If not, is there a plan to adopt them?
14. How is access to production systems and sensitive data requested, approved, reviewed, and removed?
15. How quickly are departing employees or contractors deprovisioned?
16. Are laptops and workstations centrally managed, encrypted, patched, and protected with endpoint security?
17. Does the company permit BYOD access to sensitive systems? If yes, what controls are applied?
18. How does the company manage browser, session, token, or extension risk for privileged users, especially for administrative SaaS systems?
4. Cloud, infrastructure, secrets, and backup
19. Which cloud providers, hosting services, or major infrastructure platforms are in use?
20. How are production, staging, and development environments separated?
21. Are any databases, storage services, or internal administration interfaces exposed directly to the internet? If yes, please explain why and how they are protected.
22. How are secrets such as API keys, credentials, certificates, and tokens stored and rotated?
23. What backups exist for critical systems and data, how often are they taken, and where are they stored?
24. When was the last restore test performed and what were the results?
5. Software development and application security
25. Please describe the software development lifecycle from planning through production deployment.
26. Are pull requests or equivalent peer review required for changes to critical systems?
27. What security tooling is used in the development pipeline, such as dependency scanning, SAST, container scanning, or infrastructure-as-code scanning?
28. How are critical and high vulnerabilities tracked, prioritized, and remediated?
29. Has the company completed any third-party security assessment, penetration test, or application review in the last 24 months? If yes, please summarize the scope and status of remediation.
6. Data protection and privacy
30. Does the company maintain a data inventory or data map for important categories of personal, confidential, or regulated information?
31. Is sensitive data encrypted at rest and in transit?
32. What data retention periods exist for customer data, logs, backups, analytics, and other major data classes?
33. How does the company respond to deletion, access, export, or correction requests from customers or users?
34. Please provide the public privacy policy and summarize any internal privacy procedures.
7. Vendor, SaaS, and third-party risk
35. Please list the most important vendors, especially for identity, cloud, payments, communications, analytics, customer support, code hosting, and developer tooling.
36. What diligence is performed on critical vendors, such as reviewing SOC 2, ISO 27001, privacy terms, or security documentation?
37. Are security and privacy obligations, including breach notification and data handling terms, included in vendor agreements where relevant?
38. Have any key vendors had incidents that affected the company’s systems, customers, or operations?
8. Logging, monitoring, incidents, and insurance
39. What logs and monitoring exist for identity, cloud, endpoints, and production systems?
40. How does the company detect suspicious access, misuse of privileged systems, or possible data exposure?
41. Does the company maintain an incident response plan? If yes, please describe roles, escalation paths, communications, and containment steps.
42. Has the company experienced any notable cybersecurity incidents, near misses, or data breaches in the last three to five years? If yes, please summarize root cause, impact, and remediation.
43. Does the company maintain cyber insurance? If yes, please provide the main coverage details.
9. AI use and AI-assisted development
44. Where does the company use AI or LLMs today, including in the product, internal operations, support workflows, engineering, security operations, or analytics?
45. Which AI tools, model providers, coding assistants, and development agents are currently approved or commonly used?
46. What categories of company or customer data are employees permitted to share with approved AI tools, and what categories are prohibited?
47. Does the company use AI-generated code, tests, infrastructure definitions, or configuration in production workflows? If yes, please describe the main use cases.
48. Is all AI-generated code or configuration reviewed by a human before deployment, especially in security-sensitive areas such as authentication, authorization, cryptography, IAM, logging, and networking?
49. What testing or scanning is applied to AI-generated code and configuration before release?
50. How does the company reduce the risk of hallucinated, malicious, or typosquatted dependencies in AI-assisted development workflows?
10. AI agents, automation, and high-risk actions
51. Does the company use autonomous or semi-autonomous agents that can call APIs, access business systems, execute commands, or modify production-related settings? If yes, please describe each major agent and its purpose.
52. What credentials, permissions, or roles do these agents use, and how are those privileges scoped?
53. Are any agents permitted to take high-risk actions such as production changes, IAM changes, customer-impacting actions, or financial actions? If yes, what approval controls apply?
54. How are agent activities logged, reviewed, and investigated if behavior appears abnormal?
55. Does the company use agent plugins, MCP-style servers, public skills, or marketplace integrations? If yes, how are those third-party components vetted before use?
11. Prompt injection, AI logs, and AI vendor governance
56. Do any AI features or agents consume untrusted inputs such as user prompts, uploaded documents, web content, tickets, or emails that could influence their behavior?
57. What controls are in place to reduce prompt injection or unsafe agent behavior, such as tool restrictions, allow-listed actions, output checks, or human confirmation for risky tasks?
58. How are prompt logs, AI chat histories, agent traces, or model interaction logs retained, protected, and access-controlled when they may contain sensitive information?
59. Are AI vendors, model providers, coding assistants, and agent platforms included in the formal vendor inventory and risk review process?
60. Have contract terms with AI vendors been reviewed for data retention, model training on customer data, and incident notification obligations?
12. Roadmap and support needs
61. What are the company’s top three cybersecurity priorities for the next 12 months?
62. What are the top three priorities specifically for improving AI-related security, governance, or controls over the next 12 months?
63. Where does management believe the company is most exposed today?
64. What outside help would be most useful, such as introductions to security vendors, fractional security leadership, AI security testing, identity hardening, or application security support?
- Founder and Management Cybersecurity Questionnaire (Series A and B) - July 6, 2026
- Minimum Cybersecurity Expectations for Series A/B Companies - May 12, 2026
- What You Want in a Non-executive Chair - December 20, 2024
- Exit Advice from “Exits – Traps and Triumphs” CEOs - June 21, 2018
- Buying In – Cybersecurity Risk and Due Diligence - April 17, 2018
- A Panel of CEOs Speaking About Exits to CEOs and Business Owners - March 28, 2018
- What Worries CEOs When They Exit - January 1, 2018
- Cyber Security Problems in M&A – Real, Not Imagined, and Hitting Hard - July 17, 2017
- Cyber Security Summits – Great Content; Deep Learning; Excellent Connections - May 26, 2017
- The CEO at Exit: Prepare; Talk; Listen; Empathize - May 5, 2017
