The Consensus Assessments Initiative Questionnaire (CAIQ) is 261 yes-or-no questions about a vendor's security posture. The SIG questionnaire is 800+ questions. Many enterprise buyers send both. The vendor's security team spends two weeks filling them out. The buyer's security team spends two weeks reviewing them. At the end, neither side has proof of anything - just two PDFs of yes/no answers and "compensating controls" footnotes.
This process exists because of a coordination failure. Buyers cannot verify vendor claims, vendors cannot prove their own claims at scale, and questionnaires are the lowest-common-denominator workaround. Both sides hate it.
What buyers actually want
We have asked. Buyers want:
- Evidence the vendor actually ran the scan, not just answered "yes" to a question.
- A way to verify the evidence was not tampered with.
- A mapping from the evidence to controls the buyer cares about (ISO 27001, SOC 2, OWASP).
- Continuous evidence, not point-in-time. A scan from 6 months ago is not evidence about today.
A questionnaire delivers exactly none of these.
What a signed scan attestation delivers
A NANOTESTING scan attestation delivers all four. Every scan produces a PDF with:
- The exact scan job id, queryable at /verify/scan/<id>.
- A SHA-256 fingerprint of the inputs. Recomputable. Any byte that changes the report breaks the hash.
- A per-finding mapping to OWASP A0X / ISO 27001 Annex A / SOC 2 TSC controls.
- A timestamp, with the option to run the scan again on demand for the buyer.
The buyer can stop trusting the vendor's word and start verifying the data. The vendor can stop spending two engineering weeks on a CAIQ and send a 12-page PDF instead. Both sides end up with the evidence the questionnaire was only ever trying to approximate.
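The buyer-side check this implies, as an added example rather than NANOTESTING's own code: recompute the SHA-256 fingerprint over the scan inputs, reject the report if any byte differs, reject it if it is stale, and pull out the control mapping. The attestation layout, field names and the 30-day freshness window are assumptions, since the page does not show the real report schema.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed attestation in an assumed layout; NANOTESTING's real report
# schema is not shown on the page, so these field names are hypothetical.
ATTESTATION = {
    "scan_id": "scan-0001-example",
    "timestamp": "2024-05-01T12:00:00+00:00",
    "findings": [
        {"id": "F1", "title": "Missing security headers",
         "controls": {"owasp": "A05", "iso27001": "A.8.9", "soc2": "CC6.1"}},
        {"id": "F2", "title": "Outdated TLS configuration",
         "controls": {"owasp": "A02", "iso27001": "A.8.24", "soc2": "CC6.7"}},
    ],
}

def fingerprint(inputs: dict) -> str:
    """SHA-256 over a canonical JSON encoding: anyone holding the same inputs
    gets the same hash, and changing any byte of the inputs changes it."""
    canonical = json.dumps(inputs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def verify(attestation: dict, claimed_hash: str, now_iso: str,
           max_age_days: int = 30) -> tuple[bool, str]:
    """Buyer-side check: the fingerprint must recompute, and the scan must be
    recent enough to say something about today (window is an assumption)."""
    if fingerprint(attestation) != claimed_hash:
        return False, "fingerprint mismatch: report or inputs were altered"
    scanned_at = datetime.fromisoformat(attestation["timestamp"])
    now = datetime.fromisoformat(now_iso)
    if now - scanned_at > timedelta(days=max_age_days):
        return False, f"stale: scan is older than {max_age_days} days"
    return True, "ok"

def controls_covered(attestation: dict, framework: str) -> set[str]:
    """Controls touched by the findings, for the framework the buyer cares about."""
    return {f["controls"][framework] for f in attestation["findings"]}

if __name__ == "__main__":
    h = fingerprint(ATTESTATION)
    print(verify(ATTESTATION, h, "2024-05-10T00:00:00+00:00"))
    # A copy with one finding quietly dropped no longer matches the hash.
    tampered = dict(ATTESTATION, findings=ATTESTATION["findings"][:1])
    print(verify(tampered, h, "2024-05-10T00:00:00+00:00"))
    print(verify(ATTESTATION, h, "2024-12-01T00:00:00+00:00"))
    print(sorted(controls_covered(ATTESTATION, "iso27001")))
```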
What this does NOT replace
Real procurement still needs DPAs, sub-processor lists, audit reports (SOC 2 Type 2 if you have it), and the legal stack. NANOTESTING does not replace the contract. It replaces the questionnaire.
In the next twelve months we expect to see large buyers (above 1,000 employees) start accepting a signed scan attestation as the security-questionnaire equivalent. The CAIQ will not disappear - it will be reserved for vendors that cannot produce verifiable scan evidence. Both will coexist.
If you are a vendor and want to stop filling out questionnaires, run a scan on the dashboard and share the PDF on your next deal.