How to handle security questions in a demo

How does this hold up in a security review?

One vague answer ends this.

Be specific or be scheduled. Answer what you know precisely, and park the rest with a named follow-up and a date. The only wrong answer is vague reassurance, because that's the answer they came to catch.

The read

Why they say it

For the person asking, this isn't a detail. A vendor that fails review burns the internal capital they spent sponsoring you, so the question is a tripwire: they're listening for whether you actually know, or whether you reassure.

Vague confidence is the worst answer in the room. Security people are professionally trained to treat smoothness as a flag; a precise partial answer beats a polished complete-sounding one.

The move

Be specific or be scheduled, in practice

Answer what you know with specifics: named certifications, named practices, where data lives, who can see it. Specificity is the credential.

Park what you don't know with a commitment, not a shrug: a named document, a named person, a date. “I'll have our security overview and an answer on data residency to you tomorrow” keeps trust intact.

Never improvise a compliance claim. One invented yes, discovered later, retroactively poisons every other claim you made in the room.

Same exit, other doors

Variations you'll hear

Where does the data live? Answer in one sentence with the region and provider. Hesitation here reads as not knowing your own product.

Has this been pen-tested? Yes or no, with the date, or a parked follow-up. Nothing in between.

We'd need this on-prem. A requirement, not a question. Confirm whether it's hard or habit; plenty of on-prem demands are openers.

Hear this objection handled

A sample call against an AI buyer who leads with it, scored and broken down

Charles Whitaker
9

Sarah successfully scheduled a technical demo with Charles by adhering to the 'be specific or be scheduled' rule, countering his security objections with precise compliance standards.

Your turn against the same buyer

Same persona, same objection, same scorecard

Charles Whitaker

Outbound Call to Apex Logistics

Your objective is to secure a 15-minute technical demo with Charles and his Lead Security Architect. When Charles asks about how FleetLock holds up in a security review, you must follow the 'be specific or be scheduled' rule: answer exactly what you know with precision (such as SOC2 compliance, end-to-end AES-256 encryption, or firmware signing), and park any deeper technical details with a commitment to follow up with a specific resource on an exact date. Avoid vague, hand-waving reassurances, as Charles will view them as a red flag and end the call.
