TRUST CENTER THESIS · #1

The Security Tax

Every B2B startup pays an invisible $48,000/year tax on security reviews. Here's the math nobody puts on a spreadsheet.

There's a line item that never appears on any startup's P&L. Not under engineering. Not under sales. Not under compliance. It doesn't have a budget code because nobody tracks it.

It's the security tax — the cumulative cost of responding to security questionnaires, assembling evidence for vendor evaluations, and fielding the same 47 questions from every prospect's procurement team.

The companies paying it know the feeling. The 11 PM questionnaire. The "can you also send your pen test report?" follow-up. The deal that stalls for three weeks because legal wants to see your incident response plan and your CTO is the only person who can write the answer.

The Math

The Annual Security Review Tax

  Security questionnaires received per year      200
  × Average hours per questionnaire response     4 hrs
  = Total engineering hours consumed             800 hrs
  × Blended cost per engineering hour            $60/hr
  = Annual Security Tax                          $48,000

That's a conservative estimate. The blended $60/hour rate assumes junior and senior time is mixed. In practice, it's often the CTO, the VP of Engineering, or the one person who "knows where the SOC 2 report is" doing most of the work. Their effective rate is $100-$150/hour.

At those rates, the real number is $80,000-$120,000/year. For a 20-person startup, that's an entire engineer's salary spent on copy-pasting from previous questionnaire responses.

Where the Time Goes

  1.5 hrs   Locating documents     Searching drives, Slack, email for the right version of the right artifact
  1.0 hrs   Translating answers    Converting internal language into the evaluator's framework and format
  0.5 hrs   Review & approval      Getting sign-off from the right people before sending
  1.0 hrs   Follow-ups             "Can you clarify #14?" "We also need your DPA." "Where's your subprocessor list?"

Four hours per questionnaire. But that's four hours of context-switching — pulled from product development, customer support, or the actual security work that would make the next questionnaire easier to answer.

The Hidden Multiplier: Deal Delay

The $48,000 calculation only counts the direct labor cost. It misses the larger number: revenue delayed or lost because the security review took too long.

Total Cost of a 3-Week Security Review Delay

  Direct labor     $240              Hours spent answering
  Delayed MRR      $750-$3,500       Revenue recognized later
  Lost deal risk   $5,000-$50,000    Prospect chose a vendor who responded faster

A single lost enterprise deal because of a slow security review can exceed the entire annual security tax. The direct labor cost is the small number. The opportunity cost is the real tax.

"We lost a $40K ARR deal because the prospect's procurement team needed a security review completed before quarter-end. We couldn't turn it around in time. They went with a competitor who had a trust center."

— CTO, 35-person B2B SaaS (anonymized)

Why Nobody Budgets for This

The security tax is invisible for three reasons:

  1. It's distributed. The cost is spread across engineering, sales, legal, and the founder's time. No single department "owns" it, so no single department measures it.
  2. It's normalized. Answering security questionnaires has always been manual. It's treated as a cost of doing B2B business, like sales travel or legal review. Nobody questions it.
  3. It scales silently. Going from 50 to 200 questionnaires per year happens gradually. The frog boils. By the time someone notices, it's consuming 800 hours of the team's year.

The Fix Is Not What You Think

The obvious reaction is "automate the questionnaire responses." Several companies have tried this — and some do a good job. But questionnaire automation treats the symptom, not the disease.

The disease is that your security posture is invisible. Evaluators send questionnaires because they have no other way to assess your security. The questionnaire is a workaround for missing infrastructure.

The Reactive Model

Wait for questionnaire. Search for answers. Assemble response. Send. Wait for follow-ups. Repeat 200 times.

$48K/yr

+ 800 engineering hours + deal delays

The Proactive Model

Publish your security posture. Evidence-backed. Continuously current. Evaluators self-serve. Questionnaires drop 60-80%.

$1,800/yr

+ ~10 hours setup + AI maintenance

The proactive model doesn't eliminate questionnaires entirely. Complex enterprise evaluations will still happen. But it reduces the volume by 60-80% because the simple questions — "Do you encrypt data at rest?" "Where's your SOC 2?" "What's your incident response process?" — are already answered, publicly, with evidence.

The Structural Observation

The security tax exists because security transparency is treated as an event (the questionnaire) rather than infrastructure (the trust center). Events scale linearly with headcount and deal volume. Infrastructure scales sublinearly. Every company that reaches 50+ deals per year hits the same wall. The question is whether they recognize the wall or just keep climbing.

Who Pays the Most

The security tax is regressive. It hits the smallest companies hardest, because:

This is the part of the market that nobody has served well. Not because the technology is hard — AI can populate a trust center from a URL scan in minutes. Because the pricing models of incumbent tools assume enterprise procurement, not credit-card purchase.

"The irony is that the companies most burdened by security reviews are the ones least able to afford the tools that would reduce them. The market has a $15K minimum price floor, and the pain starts at $150/month worth of need."

— Analysis

What Changes in 2026

Three things are converging:

  1. AI cost collapse. The same document extraction that cost $50/document two years ago costs $0.50 today. Automated trust center generation is now economically viable at $150/month price points.
  2. Regulatory pressure. SEC cybersecurity disclosure rules, DORA, state privacy laws — every quarter adds a new reason for evaluators to demand more documentation from vendors.
  3. Market consolidation. Three trust center acquisitions in 36 months removed the independent options. The vacuum needs to be filled before incumbents complete their bundling strategy.

The security tax has existed for a decade. What's new is that the economics of fixing it have shifted — and the regulatory environment is making the tax grow faster than ever.

The Thesis

Trust is proven, not claimed. The security tax is the cost of claiming trust manually instead of proving it automatically. Every company that eliminates the tax does it the same way: they make their security posture visible, evidence-backed, and continuously current. The specific tool matters less than the architectural shift from reactive to proactive.

Next in the series: what happens when trust centers die.

By Anton Lissone · Trust Center Thesis #1 · INeedTrust 2026