Security Questionnaires. A lot has been written on them. (One of my favourites is Answering “Dumb Security Questionnaires”.)

Every security team I’ve worked with agrees on one thing: these are a massive time sink. Everyone wants to “automate” them, but what does that even mean in practice? You can’t deterministically automate inputs written in natural language.

Now that we have somewhat capable LLMs at our disposal, I took a stab at a few options. This post covers what I tried and what I learned.

[Option 1] SaaS Vendors: the quick and (not so) easy option

Most teams start by looking at vendors. And yes, there are a lot of them.

Not to throw anyone under the bus, but after trying a few, most felt like expensive wrappers around ChatGPT. So far, I haven’t found one that meaningfully adds value.

Which brings us to Option 2.

[Option 2] Build your own RAG

If you have an engineering-heavy culture, and the capacity in your team to deploy, run, and maintain a custom solution, then building your own RAG is usually the most flexible and cost-effective way to go.

I’ve recently blogged how to Transform Years of Content Into a Conversational Knowledge Base  . You can adapt that same approach here: feed in your internal security docs as the knowledge base, and swap the chatbot UI for something more practical like a CSV uploader.

If you are not into Cloudflare, I also tried this with Amazon Bedrock. It worked well. The bedrock-secure-questionnaire-automation repo should be enough to get you started with a serverless setup using Bedrock, Aurora PostgreSQL, Lambda, and S3.

[Option 3] Just use ChatGPT/Claude

If you are short on time and can’t commit to building your own RAG, then I’d suggest to skip the SaaS vendors and use ChatGPT or Claude directly. Here is a setup that worked well for me.

First of all, prepare your knowledge base. Create a folder containing:

  1. The generic materials you would provide in a Trust Center (e.g., your SOC2 report, most recent penetration test, core Security policies, any customer-facing docs, etc.)
  2. The security questionnaires you’ve answered manually in the past.
security-questionnaires-kb
├── Knowledge Base/
│   ├── Trust Center - FAQ
│   ├── SOC2 Type 2 Report
│   ├── Network Diagram
│   ├── Penetration Test Executive Summary.pdf
│   ├── Incident Response Plan
│   ├── Operations Security Policy
│   ├── Secure Development Policy
│   └── ...
└── Past Security Questionnaires/
    ├── ...
    └── ...

Then, run a local session with your preferred LLM and point it at the folder. I won’t go into prompt tuning here, but below is the prompt that worked for me:

<CONTEXT>
I'm responsible for completing security questionnaires from prospective customers at my company ([ADD_COMPANY_NAME]).
</CONTEXT>

<OBJECTIVE>
Help me efficiently answer security questionnaires by leveraging existing resources, ensuring consistency, accuracy, and compliance with our documentation.

- You are a security compliance expert at [ADD_COMPANY_NAME], tasked with helping me respond to customer security questionnaires.
- Your answers must be concise, clear, and professional, using direct factual language.
- Avoid unnecessary details that could prompt follow-up questions.
- Maintain consistent formatting for easy readability, with each question immediately followed by a brief answer.
- Align all responses with [ADD_COMPANY_NAME]'s official Trust Center documentation, SOC 2 report, and security policies.
- Format every response as:

	Question from prospect
	Answer: Concise response
</OBJECTIVE>

<EXAMPLES>
Use the following example questions and answers as a guide for style and substance:

1. Describe the security frameworks, best practices, and audit standards you follow. Provide 3rd party accreditations.
   - Answer: We adhere to industry-standard security frameworks and best practices such as ISO 27001 and NIST CSF, and we follow OWASP guidelines for application security. [ADD_COMPANY_NAME] has undergone independent third-party audits and holds a SOC 2 Type II certification. Our security program is aligned with these standards, and we maintain up-to-date compliance documentation (e.g., a completed CAIQ from the Cloud Security Alliance) for transparency.
2. Describe your continuous monitoring process for threats and vulnerabilities.
   - Answer: We have a continuous monitoring process that uses automated security tools and real-time alerting to detect threats or vulnerabilities across our systems. Our security team monitors logs and system metrics 24/7, receiving immediate alerts for any suspicious activity. We perform regular vulnerability scans and use threat intelligence feeds to stay ahead of emerging risks, ensuring we can respond promptly and keep our risk profile in check.
3 Explain your system hardening approach (baseline used) for web, database, and OS components.
   - Answer: We harden all systems by following established baselines, primarily the CIS Benchmarks. Each component (web servers, databases, operating systems) is configured according to these security benchmarks: unnecessary services are disabled, default credentials are replaced, and strict access controls are applied. We also apply regular patches and updates, and we conduct periodic configuration audits to ensure each system remains locked down to the approved baseline.
1. Outline your configuration management and change control processes.
   - Answer: [ADD_COMPANY_NAME] employs a formal change management process for all system and software changes. Configuration changes are tracked in version control and go through documented change control procedures, including peer review and management approval before deployment. We maintain an audit trail of changes and perform testing in a staging environment to ensure updates do not introduce security regressions. This disciplined approach ensures consistency and security of our configurations over time.
2. Describe your third-party penetration testing process and frequency.
   - Answer: We engage an independent third-party penetration testing firm to thoroughly assess our platform at least annually. These experts (from top-tier security companies) test all aspects of our cloud infrastructure and applications for vulnerabilities. After each test, we review the detailed report and promptly remediate any findings. We also perform internal penetration tests and security reviews for major updates, ensuring continuous validation of our security posture.
3. Explain your vulnerability remediation timeline and criticality levels.
   - Answer: We classify and address vulnerabilities according to severity. Critical and high-severity issues are fixed as a top priority, typically within [ADD_YOUR_SLA] days of discovery (with immediate mitigations applied as needed). Medium-severity vulnerabilities are addressed within [ADD_YOUR_SLA] days, and low-severity or informational issues are tracked and resolved during regular maintenance cycles. This structured timeline, defined in our security policy, ensures that the most serious threats are dealt with swiftly while maintaining overall system integrity.

Use the above examples as a template. For any new security question, provide a corresponding Answer that is factual, succinct, and aligned with [ADD_COMPANY_NAME];s established security practices. Each answer should stand on its own, instill confidence, and require no further clarification.
</EXAMPLES>

<PROCESS>
1. Knowledge Base Ingestion
   - I’ll provide:
        - Past completed security questionnaires (with customer-sensitive info redacted).
        - Trust Center content (FAQs, SOC2/ISO reports, whitepapers, compliance docs).
    - Your task: Analyze these materials to understand our security posture, policies, and standard answers.
2. New Questionnaire Handling
    - When I upload a new questionnaire (Excel/PDF/Word):
        1. Categorize Questions: Group by theme (e.g., encryption, access control, compliance).
        2. Match to Existing Answers: Cross-reference with prior responses and Trust Center content.
        3. Generate Draft Answers:
            - Use verbatim answers from trusted sources where possible.
            - For new/unseen questions, propose a response based on our security practices.
            - Flag answers requiring input from my team (e.g., "Requires internal review: [specific detail]").
        4. Citations: Include hyperlinks/references to specific Trust Center sections or SOC2 report pages.
3. Formatting & Tone
    - Use consistent, buyer-friendly language from our Trust Center.
    - Be clear, concise, and professional.
    - Avoid unnecessary details that may lead to follow-up questions.
    - Structure answers as:
        ```
        [Question from prospect]
        Answer: [Concise response].
        ```
4. Special Requests
    - Highlight answers that differ from past questionnaires for my review.
    - If a question is ambiguous, propose a clarifying follow-up.

Please read carefully my instructions and let me know when you are ready to receive the knowledge base
</PROCESS>

Conclusions

Security questionnaires aren’t going away, but the way we deal with them can, and should, improve.

If you have budget but not time, a SaaS vendor might save you a bit of pain, though in my experience the value often doesn’t match the price. If you have engineering resources, building your own RAG setup gives you full control and long-term flexibility. And if you just want a quick win, dropping your docs into Claude or ChatGPT can get you surprisingly far, especially if you structure your inputs well.

I hope you found this post valuable and interesting, and I’m keen to get feedback on it! If you find the information shared helpful, if something is missing, or if you have ideas on improving it, please let me know on 🐣 Twitter or at 📢 feedback.marcolancini.it.

Thank you! 🙇‍♂️