June 11, 2026

From “We Have Security” to “Prove It”: How a Mid-Market Manufacturer Secured a $600K Contract in 90 Days

By Principle Security

A mid-market manufacturer had security controls but no documentation. A Fortune 500 prospect’s questionnaire and a 90-day vCISO engagement changed everything — including their revenue.

Apex Precision Components had security tools. What they didn’t have was anything to show for it.

The mid-market precision manufacturer had grown steadily over five years without formalizing its security program. Security decisions landed with the IT Director, who ran a two-person IT team. They had EDR on some endpoints, MFA on the VPN, and a decent firewall. What they didn’t have: written policies, a documented risk assessment, evidence of controls, or anyone who could speak to any of it in business terms.

Then a Fortune 500 prospect sent a 47-question vendor security questionnaire, and the contract decision was six months out.


The Problem Wasn’t Controls. It Was Documentation.

This is the distinction that trips up most mid-market organizations. Apex wasn’t exposed because they lacked security tools. They were exposed because they had no way to demonstrate what they had — and enterprise procurement processes don’t accept “trust us” as an answer.

The questionnaire wasn’t asking about intentions. It was asking for evidence: policies on file, last risk assessment date, MFA enforcement screenshots, backup testing logs, incident response plan documentation. Apex couldn’t produce any of it.

The stakes were real. The prospect represented $600,000 in annual revenue — roughly 17% of Apex’s total. Losing the contract wasn’t an abstract risk. It was a business continuity problem.

Compounding the pressure: Apex’s cyber insurance carrier had also sent a 40-question underwriting audit with a 60-day response deadline.


The Engagement: Three Phases, 90 Days

Apex engaged Principle Security on a vCISO Standard Tier retainer, structured in three phases.

Phase 1 (Days 1–30): Assessment and immediate gap closure

We started by doing what most security programs skip: actually looking at what was in place and comparing it to what was claimed. The assessment revealed the gap between tools and evidence.

Findings from the first 30 days:

  • Three former employees with active domain accounts — two had left 14 months prior
  • MFA enforced on the VPN but not on the Microsoft 365 admin portal or Azure console
  • File backups running to a NAS device on the same domain as production — and the last restore test was 22 months old
  • 17 active IT vendors with some level of network access; none had been assessed; no contracts included security incident notification clauses

We closed the most critical gaps immediately: disabled the orphaned accounts, enforced MFA on the admin portals, and built a documentation package for the cyber insurance audit. The questionnaire was submitted 14 days ahead of the deadline.
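The two access findings above (active accounts of departed staff, and admin roles without MFA) are the kind of check a two-person IT team can script rather than rediscover on the next questionnaire. The following is an added illustration, not Principle Security's or Apex's code; the directory export and HR roster it reads are constructed sample data standing in for a real AD / Entra ID export and an HR separation list.

```python
"""Reconcile a directory export against HR separations and flag two of the
Phase 1 findings: orphaned accounts of former employees, and accounts that
hold an admin role without MFA enforced. All data below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    user: str
    enabled: bool
    roles: tuple        # assigned admin roles, empty for ordinary users
    mfa_enforced: bool


# Constructed HR roster: user -> last working day (None = still employed)
HR_ROSTER = {
    "jdoe": None, "asmith": date(2024, 4, 1), "bwong": date(2025, 1, 15),
    "ckhan": None, "dlee": date(2025, 5, 30),
}

# Constructed directory export
ACCOUNTS = [
    Account("jdoe", True, ("Global Administrator",), False),
    Account("asmith", True, (), False),
    Account("bwong", True, (), True),
    Account("ckhan", True, ("Exchange Administrator",), True),
    Account("dlee", False, (), False),   # already disabled: not a finding
]


def orphaned_accounts(accounts, roster, today):
    """Enabled accounts whose owner has left, as (user, days since departure),
    longest-standing first."""
    found = []
    for acct in accounts:
        left = roster.get(acct.user)
        if acct.enabled and left is not None:
            found.append((acct.user, (today - left).days))
    return sorted(found, key=lambda row: -row[1])


def privileged_without_mfa(accounts):
    """Enabled accounts holding any admin role but not MFA-enforced."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.roles and not a.mfa_enforced)


if __name__ == "__main__":
    for user, days in orphaned_accounts(ACCOUNTS, HR_ROSTER, date(2026, 6, 1)):
        print(f"ORPHANED  {user:8} still enabled {days} days after departure")
    for user in privileged_without_mfa(ACCOUNTS):
        print(f"NO-MFA    {user:8} holds an admin role without MFA enforcement")
```

Run against real exports, the output is the evidence a questionnaire asks for: which accounts were disabled, when, and which admin roles now have MFA enforced.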

Phase 2 (Days 31–60): Building the actual program

With the urgent gaps closed and the insurance audit handled, we moved to implementation:

  • EDR deployed across all endpoints — replacing passive antivirus with active behavioral detection
  • Security awareness program launched, including first phishing simulation (baseline click rate: 28%)
  • Incident response plan documented and tested via tabletop exercise with the leadership team
  • Pre-contracted digital forensics relationship established
  • Network segmentation assessment initiated between the corporate LAN and the OT/production environment

Phase 3 (Days 61–90): Documentation, evidence, and board-ready reporting

When a prospect or regulator asks, controls without documentation are indistinguishable from controls that don’t exist.

Deliverables from the final phase:

  • Formal information security policy, acceptable use policy, and data classification policy
  • 12 documented security procedures (access management, backup operations, patch management, incident response, vendor access, change management)
  • Vendor risk program: all 17 vendors inventoried, tiered, security questionnaires sent, contract clauses updated
  • First board-ready quarterly security report — translating risk posture into revenue exposure, contract risk, and regulatory exposure terms

The SOC 2 readiness documentation package was completed on day 87.


The Results: 90 Days of Measurable Change

Metric                            Before                           After
NIST CSF maturity score           42%                              68%
MFA on privileged accounts        Partial                          Fully enforced
EDR coverage                      Passive AV on some endpoints     Active EDR on 100% of endpoints
Backup restore testing            Last tested 22 months prior      Monthly procedure established
Vendor risk program               None                             17 vendors documented, tiered, assessed
Time to detect simulated alert    Unknown                          4.2 hours

Business outcomes:

  • $600,000 enterprise contract signed. Fortune 500 prospect reviewed the SOC 2 evidence package and approved the contract.
  • Cyber insurance renewed at existing coverage level. No premium increase. Insurance carrier accepted the completed audit documentation without follow-up questions.
  • Board reporting cadence established. Quarterly security report now goes to the board with measurable risk indicators.
  • First measurable security baseline established. First phishing simulation: 28% click rate. Training deployed.

Before we started, we had answers to security questionnaires and nothing to back them up. Now we can show a prospect, an insurer, or a regulator exactly where we stand — and we can prove it. The board report alone changed how our leadership team thinks about this.

— Apex’s CTO


What This Means for Your Organization

The gap is usually documentation, not controls. Most mid-market organizations have the right tools at least partially in place; what they lack is the documentation, the evidence, and a program that can survive scrutiny.

External deadlines create urgency that internal motivation rarely does. Apex started because a contract was at stake. Organizations that wait for internal readiness typically start later, with more accumulated risk.

Board reporting changes security from an IT problem to a business priority. Before the first quarterly board report, security was the IT Director’s responsibility. After it, it had a budget, accountability, and executive attention.


The Engagement Economics

Apex’s initial 90-day engagement was delivered as part of the vCISO Standard Tier retainer. The contract they secured was worth $600,000 in annual revenue. Their cyber insurance renewal avoided a premium increase estimated at $18,000–$24,000. The program continues on a monthly retainer basis.

Ready to assess where your organization stands?

If your organization faces similar pressures — a vendor due diligence questionnaire you can’t answer, a cyber insurance audit that’s coming, or a board asking about security risk you can’t quantify — the path forward starts with a 90-day security readiness assessment.

Schedule a 30-minute consultation

Case study prepared by Principle Security LLC — 2026-06-11
Apex Precision Components is a fictional client representing a realistic mid-market archetype. All metrics and outcomes are modeled from comparable engagements and used with permission for illustrative purposes.
