The sales-side director who lost a deal because the security questionnaire asked for egress-control evidence he didn't have

The director had been running this deal for four months. Procurement was happy, legal had the redlines down to two clauses, and the buyer's security team sent over a SIG Lite as the final gate. He treated it as paperwork. His company ran a next-gen firewall and tight security groups in front of the production VPC, so when the questionnaire asked about network controls he wrote "perimeter firewall, deny-by-default" and moved on.

That answer described the data center. The buyer was asking about the laptops. The reviewer wanted to know what stops an employee endpoint from resolving a malware command-and-control domain when the laptop is in a hotel or on a home network, nowhere near the firewall.

What modern vendor security questionnaires now ask about egress

Standardized questionnaires like the SIG and the CSA CAIQ have widened over the past few cycles, and inside the network-security family "we filter inbound" no longer closes the question. Reviewers ask specifically about outbound control: which destinations endpoints may reach, how that is enforced when the device is off the corporate network, and whether you can produce the decision log. Supply-chain risk has become its own line of inquiry, so the buyer's auditors are pushing them to ask how their vendors contain a compromised workstation.

Why "we have a firewall" fails the DNS-control question

A perimeter firewall only sees traffic that crosses the perimeter. Most attacker movement starts with a name lookup, and an endpoint that resolves a phishing or C2 domain over public 1.1.1.1 never touches your appliance. The reviewer knows this. Asked to describe DNS-layer enforcement on endpoints, answering with the firewall SKU signals that egress is uncontrolled once the laptop leaves the building. That answer moves a deal from "approved" to "remediation required," and a remediation flag on a quarter-end close means the deal slips a quarter.

The evidence a buyer's security team actually wants to see

Reviewers have stopped trusting prose. They want artifacts they can attach to their own risk file. In practice that is a short, specific set.

Hand over those four things in an afternoon and the security review becomes a formality. Schedule a call to explain why you can't, and you have already lost tempo.

Turning DNS enforcement and audit logs into a sales asset

The firms closing these deals flipped the script. They treat the egress evidence pack the way they treat a SOC 2 report: the sales engineer attaches it before the buyer asks. An export that says "here are two weeks of endpoint DNS decisions, here is the policy that produced them, here is the blocked-domain count" builds more trust than any slide. It moves you from claiming a control to demonstrating one, which is what ISO 27001 and NIS2 surveillance auditors reward.

Pre-building the security-review evidence pack

Do not assemble this under deadline pressure with a deal on the line. Stand up endpoint DNS filtering now, let it run for a few weeks so the logs have substance, and write down the policy decisions as you make them. When the questionnaire lands, the egress answer is a link and an attachment, not a meeting.

ClearScreen enforces DNS-layer egress at the endpoint and keeps it on whether the device is in the office or a coffee shop, so the BLOCKED log is real and exportable per policy group. Assign one policy group per buyer-facing fleet, pull the audit log when security review asks, and attach it. The director closed the rematch the next quarter because that evidence already existed. See how the enforcement and audit export works.