B2B SaaS credit pools skew higher than B2C SaaS for a structural reason: enterprise sales cycles and dual-compliance work (SOC 2 + ISO 27001) consume more partner labor, so partner-filed credit applications land in the $50K–$150K range rather than the $25K–$100K range. This page covers every credit track a B2B SaaS qualifies for in 2026, how multi-tenancy architecture changes the burn rate, when enterprise customers force a silo, and how the credit timing aligns with the SOC 2 deadline most founders are working against.
AWS Activate reviewers approve partner-filed credit applications based on documented work packages. B2B SaaS work packages tend to be larger than B2C SaaS work packages for three reasons: dual-compliance scope (SOC 2 plus ISO 27001 plus often a third framework), longer enterprise sales cycles that demand security and contractual artifacts, and the periodic dedicated-tenant ask from large customers. The result is a credit pool that typically lands at $50K–$150K rather than the $25K–$100K B2C SaaS range.
A reviewer reading "B2B SaaS for HR operations, ECS Fargate behind ALB, Aurora PostgreSQL pool model for tenant data, Cognito with SAML 2.0 federation, KMS per-tenant keys, SOC 2 Type II audit booked for Q3, ISO 27001 certification underway in parallel, three enterprise deals in late-stage procurement requesting evidence of audit logging and per-tenant encryption" has a fully scoped work package in front of them. The compliance scope is dual-framework, the enterprise context is concrete, the architecture is specific. Approval moves to the top of the partner-filed range.
Compare that to a B2C SaaS application that reads "consumer photo-editing app, ECS Fargate, Aurora, S3, $3K/month projected spend." The use case is legible — but the work package is thinner because there is no SOC 2 driver, no enterprise security questionnaire to answer, no dual-compliance overhead. The same partner-filed track caps lower because the engagement scope is genuinely smaller.
The corollary: B2B SaaS founders who under-describe their enterprise sales motion and compliance roadmap leave $15K–$40K of credit allocation on the table. A B2B SaaS that writes "we are working toward SOC 2" lands at the floor. The same B2B SaaS that writes "SOC 2 Type II audit booked for Q3 with auditor X, ISO 27001 certification timeline aligned with the European GDPR enterprise pipeline, two pilot enterprise customers requesting dedicated KMS keys and audit-log exports, projected partner-labor scope across CloudTrail data events, Config conformance packs, Security Hub findings aggregation, Inspector for the ECR registry, and IAM Identity Center for centralized SSO" lands at the ceiling.
CloudRoute partners filing for B2B SaaS applicants use an itemized template that pre-fills the dual-compliance scope, the enterprise security artifacts, and the per-tenant architecture decisions. The framing matters more than the wording.
B2B SaaS has access to the same Activate tiers as any other workload type, but the partner-filed tiers approve at the upper bound because the work package is structurally larger. These are the four pools worth applying for, and how the dollar amounts shift when the application reads as B2B SaaS rather than generic SaaS.
Pool 1 — Activate Founders self-serve ($5K). The bridge tier while the partner-filed tracks process. Worth submitting in parallel to land a working credit balance within 3–7 days. Does not stack with itself across multiple submissions.
Pool 2 — Partner-filed Build for Startups ($5K–$25K, weighted toward $25K for B2B SaaS). The pool that absorbs the SOC 2 plus ISO 27001 dual-compliance work, the enterprise audit-log exports, and the per-tenant KMS key scaffolding. Reviewers approve B2B SaaS Build for Startups submissions at the ceiling ~70% of the time when the dual-compliance scope is documented, compared to ~40% for B2C SaaS where compliance is usually single-framework.
Pool 3 — Activate Portfolio ($50K–$100K). Requires institutional vouch (VC submission or partner attestation via the Portfolio Sub-Program). Series-A B2B SaaS typically lands $100K. Seed-stage B2B SaaS with a tier-1 accelerator lands $50K–$75K. The B2B SaaS premium does not apply at this tier — Portfolio caps are stage-driven, not workload-driven.
Pool 4 — Bedrock POC ($10K–$50K, weighted toward $25K–$50K for B2B SaaS). The most under-claimed pool in B2B SaaS in 2026. In-app copilots, customer-support deflection layers, and sales-research agents approve at the top of the Bedrock POC range because the commercial outcome — deflection rate, copilot adoption, lead-conversion lift — is measurable in seat revenue. B2B SaaS Bedrock POC applications approve at $30K–$50K more often than B2C SaaS applications, which tend to land at $15K–$25K because consumer engagement metrics are less procurement-defensible.
Stacked maximum for a Series-A B2B SaaS adding an AI feature: ~$175K (Portfolio $100K + Build for Startups $25K + Bedrock POC $50K). For a bootstrapped B2B SaaS without VC vouch: ~$80K (Build for Startups $25K + Bedrock POC $50K + self-serve $5K). For a pre-revenue B2B SaaS without an AI angle: ~$30K (Build for Startups $25K + self-serve $5K).
Most B2B SaaS chasing enterprise deals in 2026 are not pursuing a single compliance framework — they are pursuing two in parallel. SOC 2 Type II for North American enterprise procurement; ISO 27001 for European enterprise procurement, regulated industries, and any prospect with a security questionnaire that lists ISO 27001 as a hard requirement. The dual-compliance scope is the single largest driver of B2B SaaS partner-filed credit allocation at the ceiling of Build for Startups.
SOC 2 Type II requires demonstrated controls across logging, access management, change management, encryption, vulnerability scanning, and incident response. ISO 27001 covers the same control families plus formal risk-management documentation, a defined Information Security Management System (ISMS), and a documented Statement of Applicability across 93 Annex A controls. The overlap is ~70%; the unique ISO 27001 work is ~30%.
The AWS-side scaffolding that satisfies both frameworks simultaneously is well-defined and reads cleanly as a partner-filed Build for Startups work package. CloudTrail with management events plus selective data events for S3 prefix isolation; AWS Config with conformance packs for SOC 2 and ISO 27001; GuardDuty for threat detection across all regions; IAM Identity Center for centralized access with attribute-based access control; KMS with per-tenant customer-managed keys; AWS Backup with retention policies aligned to the ISO 27001 retention schedule; Security Hub for findings aggregation against both standards; Inspector for ECR image scanning; CloudWatch Logs with 12-month retention for the SOC 2 audit window and 36-month archival in S3 Glacier for the ISO 27001 retention requirement.
When a partner files Build for Startups describing this exact scope — "dual-framework SOC 2 Type II plus ISO 27001 control scaffolding across CloudTrail data events, Config conformance packs for both standards, KMS per-tenant customer-managed keys, IAM Identity Center with ABAC, AWS Backup with ISO-27001-aligned retention, Security Hub dual-standard findings, Inspector for the ECR registry, and CloudWatch Logs with tiered retention to S3 Glacier" — the AWS reviewer sees a 6–10 week engagement with quantifiable AWS service consumption across both audit windows. Approval at the $25K ceiling is procedural.
A second-order effect: the dual-compliance scaffolding generates evidence that both auditors consume directly. The SOC 2 auditor reviews CloudTrail and Config feeds; the ISO 27001 auditor reviews the same feeds plus the ISMS documentation and Statement of Applicability. Drata, Vanta, Secureframe, and Sprinto all ingest the same AWS evidence and map it against both standards. The credit allocation paid for the cloud spend during the engagement; the engagement closed the audit evidence gap across two frameworks at once.
CloudTrail data events for S3 prefix isolation: ~$400–$1,200/month at B2B SaaS scale (more expensive than SOC-only data events because per-tenant prefix monitoring multiplies the event volume). Config conformance packs across both standards: ~$200–$500/month. GuardDuty multi-region: ~$150–$400/month. Security Hub dual-standard subscriptions: ~$80–$200/month. CloudWatch Logs retention across the SOC 2 12-month window: $500–$2,500/month. S3 Glacier archival for the ISO 27001 36-month retention: $100–$400/month. KMS per-tenant customer-managed keys: $1–$3/key/month, often hundreds of keys at enterprise scale. Total dual-compliance telemetry cost: ~$1,500–$5,000/month — typically 4–6 months of which fits inside a $25K Build for Startups allocation, with the Activate Portfolio pool covering the rest.
B2B SaaS founders making the architecture decision at the same time as the credit application face a different trade than B2C SaaS founders. B2B enterprise customers contractually require silo or bridge architecture more often than B2C customers do. The credit pool will still arrive, but it will burn 30–50% faster under silo architecture, and the architecture decision is often forced by the largest customer in the pipeline rather than a clean engineering preference.
Pool model. All tenants share a single application instance, a single Aurora cluster with a tenant_id column on every table, a single set of background workers, S3 buckets with per-tenant prefix isolation. AWS bill scales roughly linearly with total request volume across tenants, not customer count. Aurora Serverless v2 pools idle capacity across the tenant set; ECS Fargate scales the API tier against aggregate concurrency. $100K of credits at this architecture typically lasts a Series-A B2B SaaS 14–20 months. Compliance defensibility is the trade — the pool model requires per-row tenant filtering in every query, which is harder to argue in a SOC 2 review than physically isolated infrastructure.
Silo model. Each tenant gets a dedicated Aurora instance, a dedicated ECS service, a dedicated S3 bucket with its own bucket policy, a dedicated KMS customer-managed key, and often a dedicated VPC. AWS bill scales roughly linearly with customer count. A B2B SaaS with 25 enterprise customers running silo on dedicated Aurora instances pays at minimum 25 × (db.r6g.large baseline ≈ $250/month) = $6,250/month just for idle databases, plus the per-tenant ECS service overhead. $100K of credits at silo architecture typically lasts 7–10 months. Compliance defensibility is the upside — auditors and security questionnaires accept silo isolation immediately.
Bridge model. Pool by default; silo for enterprise tenants who require it contractually. The bridge is the dominant architecture for B2B SaaS in 2026 because it satisfies the enterprise procurement ask without burning credits on every SMB tenant. Credit burn lands between the pool and silo models — typically 11–15 months for $100K of credits, depending on what fraction of customers sit in the silo tier.
For B2B SaaS founders choosing architecture in parallel with the credit application: the partner-filed tracks do not care which model is selected. AWS reviewers approve all three. But the credit pool will last 30–50% longer under pool architecture, and the dual-compliance scaffolding work is identical regardless of which model is in production. The decision belongs to the sales motion, not the credit application.
B2B SaaS founders are sometimes surprised by which customers force the silo. The pattern in 2026: healthcare and life-sciences customers contractually require silo or bridge for HIPAA-aligned isolation; financial-services customers require silo for SOC 2 plus their own internal control attestation; large public-sector adjacent customers (defense suppliers, regulated infrastructure operators) require silo plus FedRAMP Moderate equivalence; European enterprise customers under DORA or NIS2 increasingly require silo for operational-resilience attestation.
Partners filing for B2B SaaS startups with these customer profiles often add a separate Build for Startups line item describing the per-tenant Aurora plus KMS rollout — which AWS reviewers sometimes treat as an additional itemization that nudges the credit allocation upward, though the marginal lift is not guaranteed beyond the $25K Build for Startups ceiling.
A specific moment B2B SaaS founders should plan for: a six-figure enterprise contract conditioned on the SaaS deploying a dedicated AWS environment for that customer. The dedicated-tenant ask is one of the most common reasons B2B SaaS founders engage a partner-filed credit track mid-sales-cycle. The credit pool and the partner-labor subsidy can both fund the architecture build-out the contract requires.
The dedicated-tenant ask typically lands in late-stage enterprise procurement, after the technical evaluation has passed and the security questionnaire has been returned. The customer requests one of three variants: a dedicated AWS account under the SaaS organization with cross-account IAM federation; a dedicated VPC and KMS key set within the SaaS production account; or a fully separate AWS organization the SaaS operates on the customer behalf.
Each variant has a defined architecture cost. The dedicated account variant requires Control Tower or AWS Organizations governance, a landing-zone setup, cross-account audit-log aggregation, and a per-account billing reconciliation pipeline. The dedicated VPC variant requires per-tenant network ACLs, VPC peering or Transit Gateway routing, per-tenant KMS keys with customer-managed rotation, and a dedicated CI/CD pipeline that promotes builds into the tenant-isolated environment. The separate-organization variant is the largest scope — a full Control Tower deployment for the customer that the SaaS administers but does not own.
Partner-filed Build for Startups commonly funds the cloud spend during the build-out. The partner-labor subsidy (often filed under Build for AWS, a separate $10K–$75K partner-labor allocation) commonly funds the actual engineering work the partner performs on the customer behalf. Stacked together with Activate Portfolio covering the production AWS spend, the dedicated-tenant engagement can be delivered without the SaaS founder paying out-of-pocket for the architecture work the enterprise contract demanded.
The timing reality: the dedicated-tenant ask usually arrives 60–90 days before the contract signature deadline. The partner-filed credit application takes 11–18 days to land credits. The build-out itself takes 3–6 weeks. The math works only if the credit application starts the week the dedicated-tenant ask appears — not after the contract is signed. CloudRoute routes B2B SaaS founders in this scenario within 24 hours specifically because the contract-signature window is the binding constraint.
A typical Series-A B2B SaaS at $7K/month AWS spend has a distribution across services that differs from B2C SaaS in two ways: the auth and identity-federation tier is heavier (enterprise SSO with SAML, OIDC, and SCIM provisioning), and the encryption and audit-log tiers are heavier (per-tenant KMS keys and CloudTrail data events). Knowing the distribution in advance helps both the credit application and the post-credit cost forecast.
The distribution shifts as the B2B SaaS scales. At $1K/month, the Cognito and KMS lines are minimal because the customer count is small. At $50K/month with 200+ enterprise customers, Cognito and KMS together can reach 12–18% of the bill, and the CloudTrail data-event line item alone can reach 8–10% when per-tenant S3 prefix monitoring is enabled across all enterprise tenants.
Partner-filed applications that itemize this distribution — even approximately — perform 20–30% better in approved credit allocation than applications that lump everything as "AWS compute, database, storage." The itemization signals reviewer-recognizable B2B SaaS workload shape and pushes the approval toward the ceiling of the partner-filed range.
Enterprise B2B SaaS deals run on 6–12 month sales cycles. The SOC 2 deadline that gates the deal often arrives 90–150 days into the cycle. The credit application timing has to align with both — landing credits early enough to fund the compliance scaffolding before the auditor field work begins, and early enough to fund any dedicated-tenant architecture before the contract signature.
The pattern most B2B SaaS founders converge on: file the credit application at month 1–2 of the enterprise sales cycle, when the security questionnaire arrives and SOC 2 readiness becomes a contractual line item. Credits land at week 2–3. The SOC 2 scaffolding work begins at week 3 with credits absorbing the cloud spend. Drata, Vanta, Secureframe, or Sprinto onboards by week 4 with the CloudTrail and Config feeds flowing. The auditor begins field work at month 4. SOC 2 Type II completes at month 6. The enterprise contract closes at month 8–10. Credits cover the AWS spend through approximately month 14.
The variant for B2B SaaS pursuing ISO 27001 in parallel: the auditor for ISO 27001 typically begins at month 5–6 (one month after the SOC 2 auditor) because the ISMS documentation and Statement of Applicability take longer to scope than the SOC 2 controls. The credit application is identical; the partner-filed Build for Startups scope explicitly includes both audit windows. ISO 27001 completes at month 9–10. The combined audit deliverable strengthens the enterprise procurement file and often pulls forward the contract signature by 30–60 days.
The variant for B2B SaaS facing a hard contract-signature deadline: when an enterprise customer commits to a signature contingent on specific technical artifacts (dedicated KMS keys, audit-log exports, per-tenant VPC isolation, SAML SSO with attribute mapping) and the deadline is 8–12 weeks out, the credit application has to start the week the contract terms land. CloudRoute routes within 24 hours; the partner files within day 5; credits land at day 11–18; the architecture work begins at day 19. An 8-week deadline is achievable. A 6-week deadline is achievable but tight. A 4-week deadline requires self-serve credits to bridge the partner-filed timeline.
A failure mode B2B SaaS founders sometimes hit: filing the credit application after the SOC 2 audit has already begun. The credits still arrive, but the field work is already paying out-of-pocket for the CloudTrail ingest, Config recording, and Security Hub subscriptions. Credits cover the second half of the audit window rather than the full window. The dollar value of credits secured is identical; the founder cash-flow impact is materially worse.
Bedrock POC funding is partner-filed and Bedrock-earmarked. For B2B SaaS specifically, the patterns that approve at the upper $25K–$50K end of the range share a common trait: the commercial outcome is denominated in seat revenue, deflection rate, or enterprise contract value rather than consumer engagement. B2B SaaS POC plans are easier to write defensibly than B2C SaaS POC plans, which is why B2B SaaS Bedrock applications land at the ceiling more often.
Pattern 1 — In-app copilot for tenant-scoped data. A chat sidebar that answers questions about the customer organization data inside the SaaS. Retrieval-augmented generation against tenant-scoped Aurora and S3 data, Claude Sonnet for response generation, OpenSearch Serverless for the vector store, per-tenant retrieval boundaries enforced via IAM tags. The commercial outcome — copilot adoption translating to seat expansion within enterprise accounts — is observable in the SaaS billing data. Approves at $30K–$50K.
Pattern 2 — Customer-support deflection with audit-log integration. An AI layer in the support workflow that drafts responses to common tickets, escalates ambiguous ones, references the customer audit-log history for incident context, and learns from agent edits. Bedrock for generation, S3 for ticket archives, Lambda for the workflow orchestration, CloudTrail integration for incident lookup. Deflection rate is directly measurable in support headcount cost. Approves at $30K–$45K because the headcount-cost outcome is defensible.
Pattern 3 — Sales-research agent for outbound and account expansion. A workflow that enriches inbound leads with public web data, drafts personalized outreach for the sales team, identifies expansion signals within existing accounts, and writes follow-ups. Bedrock for generation, Step Functions for orchestration, DynamoDB for state, EventBridge for signal triggers. The eval methodology is sharper than in copilot patterns because lead-to-meeting conversion and account expansion are observable in CRM data. Approves at $35K–$50K when the eval plan against an N=500 lead corpus is concrete.
Pattern 4 — Compliance-aware document summarization for security questionnaires. A nightly job that ingests inbound enterprise security questionnaires, summarizes the relevant control posture, drafts responses against the SaaS audit-log evidence, and routes the draft to the compliance owner for review. Lower visibility than copilots but lower POC risk and a measurable outcome (security-questionnaire response time). Approves at $20K–$35K.
Patterns that approve at the floor or get rejected for B2B SaaS: "we want to add AI to the product" (no defined surface), "we will let users chat with their data" without a retrieval architecture or tenant-isolation boundary, "AI everywhere across the product" (unscoped), "we will figure out the eval methodology after the credits arrive" (AWS reviewers treat absent eval plans as a downgrade signal regardless of workload type). B2B SaaS POC applications are held to a slightly higher bar than B2C SaaS POC applications because the upper end of the range is closer to $50K and reviewers want to see the commercial defensibility before approving the ceiling.
| Track | Ceiling | Filed by | Time-to-balance | Best fit for B2B SaaS | Stackable? |
|---|---|---|---|---|---|
| Activate Founders (self-serve) | $5K | You | 3–7 days | Bridge while partner-filed track processes | Yes, with Build + Portfolio |
| Build for Startups (partner-filed) | $5K–$25K | Partner via ACE | 10–18 days | SOC 2 + ISO 27001 dual-compliance work; dedicated-tenant scaffolding | Yes — adds on top of Portfolio |
| Activate Portfolio — VC submits | $50K–$100K | Your VC | 10–28 days | Institutionally-funded B2B SaaS (Seed strong / Series-A) | Yes, with Build + Bedrock |
| Activate Portfolio — Partner submits | $50K–$100K | Partner via ACE | 11–18 days | Same — when VC is slow to file | Yes, with Build + Bedrock |
| Bedrock POC funding | $10K–$50K | Partner via ACE | 14–28 days | B2B SaaS adding in-app copilot, support deflection, sales-research agent | Yes — Bedrock-earmarked |
| Build for AWS (partner-labor) | $10K–$75K of partner work | Partner files | 21–42 days | B2B SaaS needing partner-delivered dedicated-tenant architecture | Yes — labor subsidy, not credits |
Mistake 1: Filing a B2B SaaS application as a generic "SaaS" application. Reviewers approve at the partner-filed ceiling when the application reads as B2B SaaS with documented enterprise sales motion and dual-compliance scope. A B2B SaaS that files as generic SaaS loses the $5K–$15K premium that the B2B framing unlocks. Fix: name the enterprise customers in the pipeline (without identifying details if NDA-sensitive), name the compliance frameworks in scope, and itemize the dedicated-tenant ask if any enterprise contract conditions it.
Mistake 2: Filing Build for Startups with SOC 2 in scope but not ISO 27001. Single-framework compliance scope lands at $15K–$20K. Dual-framework SOC 2 plus ISO 27001 scope reliably lands at $25K because the work package is larger. If ISO 27001 is on the 12-month roadmap, include it. The credit application validity window covers both audits even when ISO 27001 lags SOC 2 by 3–6 months.
Mistake 3: Filing the credit application after the enterprise security questionnaire has already been returned. Founders sometimes return the security questionnaire claiming SOC 2 progress, then file for credits afterward to fund the work. The credits still arrive, but the founder has already paid out-of-pocket for the CloudTrail ingest, Config recording, and Security Hub subscriptions that the credits would have covered. Fix: file the credit application the week the security questionnaire arrives, not the week the SOC 2 work begins.
Mistake 4: Treating Bedrock POC funding as optional because the SaaS already uses OpenAI. Bedrock POC funding does not require the SaaS to switch off OpenAI. It requires a parallel Bedrock POC of meaningful scope — typically a defined evaluation of Claude or Llama against the existing OpenAI baseline for a specific feature. Many B2B SaaS founders skip this because the production AI is on OpenAI; they leave $25K–$50K of credit allocation unclaimed. Fix: run the Bedrock POC as a defensible A/B evaluation; the credits land regardless of which model wins the production decision.
Mistake 5: Underestimating per-tenant KMS and CloudTrail data-event costs in the projected-spend section. B2B SaaS bills compound disproportionately in the per-tenant encryption and audit-log tiers as the customer count scales. Founders frequently project against the current customer count rather than the projected 12-month customer count, leading to an understated AWS spend forecast and a smaller credit allocation. AWS reviewers calibrate credit pools to projected consumption; understating the projection costs $5K–$15K of allocation. Fix: project against the 12-month customer count, not the current customer count.
The three realistic outcomes for a B2B SaaS startup applying for credits in 2026.
| Variable | Self-serve only | Partner-filed B2B SaaS stack | Full B2B SaaS + AI stack (Portfolio + Build + Bedrock) |
|---|---|---|---|
| Credit ceiling | $5K | $25K (non-AI) or $75K (with Bedrock POC) | $175K (Series-A with AI feature) |
| Time-to-balance | 3–7 days | 10–18 days | 14–21 days |
| Founder hours | ~30 min | ~50 min | ~80 min |
| Validity window | 12 months | 12–18 months | 24 months (Portfolio dominates) |
| Reviewer queue | self-attested (low ceiling) | partner-attested (high ceiling) | partner-attested + Bedrock track |
| SOC 2 + ISO 27001 coverage | Not in scope | Partial (Build for Startups dual-framework) | Full + audit-ready scaffolding for both |
| Bedrock workload covered | No | Optional (with Bedrock POC) | Yes (up to $50K Bedrock-earmarked) |
| Dedicated-tenant architecture funded | No | Partial | Yes — partner reviews and builds per-tenant scope |
| Multi-tenancy decision scoped in | No | Partial | Yes — pool vs silo vs bridge trade reviewed by partner |
| Cost to founder | $0 | $0 | $0 |
Situation: B2B SaaS for HR operations teams selling into mid-market and enterprise. SOC 2 Type II audit booked for Q3 with auditor onboarded. ISO 27001 certification timeline starting Q4 for the European pipeline. Two late-stage enterprise deals requesting dedicated KMS keys, audit-log exports, and SAML SSO with SCIM provisioning. One of the two enterprise deals contractually conditioned on a dedicated VPC tenant within 10 weeks. CTO was already paying $7K/month AWS out-of-pocket and wanted credits to absorb the next 12 months of spend plus the dedicated-tenant build-out.
What CloudRoute did: Routed within 20 hours to a US partner with B2B SaaS dual-compliance experience and prior Cognito SAML federation engagements. Partner filed Activate Portfolio ($100K) on day 5, Build for Startups ($25K, scoped against SOC 2 plus ISO 27001 dual-compliance scaffolding plus the dedicated-tenant Aurora and KMS rollout) on day 6, and Bedrock POC ($45K, in-app copilot for tenant-scoped HR data with eval plan against N=600 query corpus and per-tenant retrieval boundary tagging) on day 7. Dedicated-tenant architecture build-out started week 3.
Outcome: All three credit tracks approved within day 17. Total credits applied: $170K. Dedicated VPC tenant for the enterprise customer live by week 6, ahead of the 10-week contract deadline. SOC 2 telemetry (CloudTrail data events, Config conformance packs, Security Hub dual-standard subscription, KMS per-tenant customer-managed keys) operational by week 5 with the auditor consuming the feeds. ISO 27001 ISMS documentation and Statement of Applicability scoped by week 8 ahead of the Q4 audit kickoff. Bedrock POC for the in-app copilot shipped to 12% of customer base in week 9. Total founder time across the engagement: ~8 hours. AWS spend in the first 7 months: fully credited.
engagement window: 11 weeks · founder time: ~8 hours · credits secured: $170K
No discovery theater. We route within 24 hours to a partner familiar with dual-compliance scaffolding (SOC 2 + ISO 27001), dedicated-tenant architecture, Cognito SAML federation, and Bedrock POC patterns for B2B SaaS specifically. Credits land in 11–18 days.