DEV Community

GrimLabs
GrimLabs

Posted on

Our Biggest Enterprise Deal Almost Died Because We Didn

#enterprise #auditlogging #sales #saas

We were 8 weeks into a sales cycle with a Fortune 500 company. $240K ACV deal. Our biggest ever. The champion loved our product. The technical evaluation went great. The pilot was successful.

Then it hit the security review.

Their CISO's team sent us a security questionnaire. 187 questions. And question 43 asked: "Describe your audit logging capabilities including what events are logged, retention period, integrity controls, and access to audit log data."

Our answer was basically: "We log errors to Datadog."

The deal went silent for two weeks. When our champion got back to us, he said the security team had flagged us as "does not meet minimum audit trail requirements" and recommended against the purchase.

We almost lost a quarter million dollar deal because we didnt have audit logs.

The Security Review Wall

If your selling B2B SaaS, you will hit this wall eventually. And its getting worse. Every year, enterprise security teams get more rigorous about vendor evaluations.

Here's what they typically want to see:

  1. Comprehensive event logging for user actions, authentication, data access, and configuration changes
  2. Immutable logs that cannot be modified or deleted
  3. Retention policies that meet their compliance requirements (often 12+ months)
  4. Access controls on the logs themselves (who can view audit data?)
  5. Export capability so their security team can ingest your logs into their SIEM
  6. Tenant isolation proving that one customer's audit data can't leak to another

And they want evidence. Not a checkbox that says "yes we do audit logging." They want screenshots, architecture diagrams, sample log entries, and sometimes a live demo.

Why Application Logs Don't Cut It

Our initial response to the security team was "we have comprehensive logging in Datadog." Thats application logging. Error logs, request logs, performance metrics. And the security team saw right through it.

Application logs and audit logs serve completely different purposes:

// This is an APPLICATION log - useful for debugging
console.log(`[INFO] User ${userId} accessed /api/invoices`);

// This is an AUDIT log - useful for compliance
const auditEvent = {
  eventType: 'data.accessed',
  actor: {
    id: userId,
    email: 'jane@company.com',
    role: 'billing_admin',
    ipAddress: '203.0.113.42',
    sessionId: 'sess_abc123',
  },
  resource: {
    type: 'invoice',
    id: 'inv_789',
    owner: 'tenant_456',
  },
  action: 'read',
  result: 'success',
  timestamp: '2026-03-15T14:23:01.000Z',
  context: {
    tenantId: 'tenant_456',
    requestId: 'req_xyz',
    source: 'web_app',
  },
};
Enter fullscreen mode Exit fullscreen mode

The difference isnt just the amount of detail. Its the purpose, the guarantees, and the lifecycle. Application logs get rotated and deleted. Audit logs must be retained. Application logs can be modified. Audit logs must be immutable. Application logs are for developers. Audit logs are for compliance teams, legal teams, and auditors.

What We Scrambled to Build

When we realized the deal was dying, we went into crisis mode. Two senior engineers dropped everything for 3 weeks to build a basic audit logging system.

Here's what we built in those 3 weeks:

// Emergency audit logging middleware
// Built in 3 weeks under deal pressure
// Would not recommend this approach

import { Request, Response, NextFunction } from 'express';

interface AuditConfig {
  eventType: string;
  captureRequestBody?: boolean;
  captureResponseBody?: boolean;
  sensitiveFields?: string[];
}

const AUDIT_ROUTES: Record<string, AuditConfig> = {
  'POST /api/users': {
    eventType: 'user.created',
    captureRequestBody: true,
    sensitiveFields: ['password', 'ssn'],
  },
  'DELETE /api/users/:id': {
    eventType: 'user.deleted',
  },
  'PUT /api/settings': {
    eventType: 'settings.modified',
    captureRequestBody: true,
  },
  'POST /api/auth/login': {
    eventType: 'auth.login',
    sensitiveFields: ['password'],
  },
  // ... 40 more routes
};

function auditMiddleware(req: Request, res: Response, next: NextFunction) {
  const routeKey = `${req.method} ${req.route?.path}`;
  const config = AUDIT_ROUTES[routeKey];

  if (!config) return next();

  const startTime = Date.now();

  // Capture the original json method to intercept response
  const originalJson = res.json.bind(res);
  res.json = (body: any) => {
    recordAuditEvent({
      eventType: config.eventType,
      actor: extractActor(req),
      request: config.captureRequestBody
        ? redactSensitive(req.body, config.sensitiveFields)
        : undefined,
      response: config.captureResponseBody ? body : undefined,
      statusCode: res.statusCode,
      duration: Date.now() - startTime,
      timestamp: new Date(),
    });

    return originalJson(body);
  };

  next();
}
Enter fullscreen mode Exit fullscreen mode

It worked. Barely. We got enough logging in place to satisfy the security team's minimum requirements and the deal closed. But the implementation was fragile, incomplete, and created performance issues we spent the next two months fixing.

The Numbers That Should Scare You

Our experience isnt unique. I've talked to other SaaS founders who've hit the same wall. Some numbers:

  • The average enterprise security review takes 4-8 weeks
  • 70% of enterprise deals require some form of security questionnaire
  • According to Vanta's State of Trust report, 76% of organizations have delayed or abandoned a purchase due to security concerns about the vendor
  • Deals that fail security review rarely come back. The trust deficit is hard to overcome.

For context, research from Gartner shows that security and compliance requirements are now involved in over 60% of B2B software purchase decisions. Its not a nice-to-have anymore. Its table stakes.

What We Should Have Done

Looking back, we should have built audit logging as a core feature from the start, not as an emergency response to a dying deal. Heres why:

1. Its easier to build early than to retrofit

Adding audit logging to an existing codebase means touching every endpoint, every service, every data access layer. If you design for it from the beginning, its just part of the architecture.

2. Your customers need it too

Enterprise customers dont just want YOU to have audit logs. They want access to audit logs for their own users. "Show me everyone who accessed this report in the last 30 days" is a standard admin feature request. If you dont have audit logging, you cant build this.

3. It compounds over time

The longer your audit logs exist, the more valuable they become. An auditor wants to see 12 months of logs. If you just built audit logging, you have 0 months of data.

The Fix

This exact scenario is why I built AuditKit. Migrating to it takes about a week, which is way less than the 3 weeks most teams spend building a custom system (plus the inevitable months of bug fixes after).

But the real lesson isnt about which tool to use. Its about when to start. If your building B2B SaaS and you think enterprise deals are in your future, build audit logging now. Not when a deal is dying. Not when a security questionnaire lands on your desk. Now.

Because when that $240K deal hits security review, you want to be the vendor that sends over comprehensive audit logs in 10 minutes. Not the vendor that scrambles for 3 weeks and almost loses it.

We were lucky. We saved the deal. But it cost us 3 weeks of engineering time, 2 months of stabilization work, and a lot of stress. All because we thought audit logging could wait.

It cant.

Top comments (0)