Field notes.
Page 15 of 31. Browse the archive of RFP workflows, grounded-AI architecture, and proposal operations notes.
Three exec summaries I rewrote this week, part 7
The November installment of the rewrite series. A defense bid, a commercial RFP, and a security-questionnaire cover letter. Three before-and-afters and what each rewrite was actually doing.
Confidence-threshold tuning for DDQ auto-answer
Where we set the confidence bar for auto-answering a DDQ question. The precision/recall trade-off, explained with our own data and the number we actually use for security questionnaires.
DDQ answer voice: why consistency beats polish
Buyers forgive plain writing. They do not forgive a questionnaire that reads like it was stitched from eight different people. How to keep 300 DDQ answers sounding like one voice.
Turning a SOC 2 PDF into 140 KB blocks
The ingest, the extraction, the linking. A worked trace of how a SOC 2 Type II report becomes the set of KB blocks that DDQ answers cite — with the real pgvector row shape at the end.
The SOC 2 attestation is not the end of the questionnaire
A newly attested SOC 2 Type II does not stop the questionnaires. Why buyers still ask the same 200 questions, and what that tells us about how enterprise trust is actually built.
The annual security-questionnaire cycle, four industries
SaaS, healthcare, defense, finance. How the timing, volume, and question distribution differ across four regulated B2B industries, and why the cycle shape matters for staffing.
In preview: auto-attachment of evidence on DDQ answers
Auto-attachment of evidence PDFs — SOC 2, pentest, policy documents — to DDQ answers that cite them. In preview for design-partner tenants while DDQ workflows mature toward general availability.
The recycled-DDQ-answers audit
A one-afternoon audit that finds the 40 recycled answers in last year's questionnaires that are silently wrong now. What to look for, what to rewrite, what to retire.
Security questionnaires: the 80% that's really retrieval
The canonical Engineering pillar on DDQ automation. A 300-question security questionnaire is not 300 unique questions — it's mostly retrieval against a corpus that's already written, plus a small tail that isn't.
The security-questionnaire response team that actually ships
Three roles, one DRI, a 48-hour SLA. How regulated vendors staff the Q4 questionnaire wave without shipping stale answers or missing deadlines.
The evidence vault: where SOC 2 PDFs live and how they cite
How a DDQ answer citing 'SOC 2 report, section CC6.1' actually finds the right PDF, serves it to the right buyer, and keeps the audit trail. The storage, access, and audit layer underneath.
DDQ fatigue is a security risk, not a productivity problem
Opinion. Rushing a 300-question security questionnaire at 11pm on a Thursday does not just cost time. It degrades real security posture, and the industry keeps framing it as a staffing issue.