B2B SaaS vendor — emergency Sentinel XDR deployment for an enterprise audit

« Our enterprise customer demanded an independent security audit within 4 weeks, or no contract. We had nothing in place. Hexceos deployed Sentinel in 3 weeks, the auditor cleared us, we signed. »

Context

A French 120-staff B2B SaaS vendor, fast-growing product adopted by SMBs and mid-market firms, in pipeline with a first CAC 40 enterprise customer — a 1.4 M€ ARR reference contract on a 3-year term, decisive for the Series B fundraising six months later.

After commercial negotiations, the enterprise customer required an independent security audit conducted by a third party of their choice within 4 weeks, gating the contract signing. The vendor had no SOC, no EDR deployed in production, a one-person internal security engineering team, and a heterogeneous fleet (135 Mac/Windows/Linux workstations, 22 cloud servers, coexisting Entra ID and Google Workspace).

The vendor called Hexceos on a Friday evening. First meeting Monday morning. Operational kick-off Tuesday.

Scope delivered

Express 3-week mission to reach an acceptable cyber maturity level against an independent audit, including deployment of Hexceos Sentinel and activation of the 24/7 SOC.

Week 1 — Mapping and endpoint deployment

• Exhaustive fleet inventory (135 workstations, 22 cloud servers, 4 production-critical SaaS providers).
• Sentinel deployment on the full workstation fleet in 4 days via existing MDMs (Jamf Pro for Mac, Intune for Windows).
• Cloud server onboarding (AWS, Azure) — Sentinel agents + API connectors.
• First wave of trivial remediations (OS updates, baseline hardening).

Week 2 — Identity integration and hardening

• Sentinel connection to Entra ID and Google Workspace for identity correlation.
• Activation of behavioural detection rules (MITRE ATT&CK mapping).
• Conditional Access rollout (phishing-resistant MFA for admins, standard MFA elsewhere, device posture required).
• Hardening of cloud services — rotation of exposed API keys, removal of dormant accesses, environment segmentation (prod / staging / dev).
• Documentation for the auditor — security architecture diagram, access management policy, incident response process.

Week 3 — SOC activation and audit preparation

• Official cutover to 24/7 SOC with contractual MTTR under 30 minutes for critical incidents.
• Incident response procedures drafted and tested (table-top exercise with internal team).
• Documentation package for the auditor — password policy, logging, business continuity, third-party management.
• Auditor defence session preparation (3 hours of documentation defence).

Week 4 — Independent audit and defence

• Independent audit conducted by the third party chosen by the enterprise customer (international firm, SOC 2 Type I-derived approach).
• Hexceos engineer present at the defence session to answer technical questions.

Results

• Full deployment in 3 weeks between kick-off and end of integration phase (4th week dedicated to the audit and its defence).
• 100% of the fleet under telemetry (workstations, servers, identities, main cloud workloads) by end of week 2.
• 12 critical vulnerabilities found during deployment (exposed API keys, dormant administrator accounts, misconfigured cloud services, unintentional public file shares).
• Independent audit cleared with no major reservation, 4 minor points to fix within 90 days (all handled within 6 weeks).
• 1.4 M€ ARR contract signed three days after favourable audit report.

What changed

The Series B planned 6 months later went well — the signed enterprise contract served as commercial proof in due diligence. Six months later, the vendor converted two more enterprise customers using the same audit playbook, including a healthcare customer who appreciated the consistency of the Hexceos setup with HDS certification on other parts.

The internal security engineer, who was about to leave before the mission (burnout from carrying security alone), stayed — they became the customer-side technical reference, with Hexceos handling 24/7 operations. The internal organisation restructured around a monthly mixed security committee (customer + Hexceos).

Anonymised at the customer’s request. Figures presented reflect real measurements on a single customer in 2025.