Jordan: You should not be selling SSO implementation as part of your retainer.
I know. You just spent the last month getting your Trust Center up, mapping your answers to CAIQ-Lite, building the autofill flow — all the stuff we covered in episode nine. And now your enterprise prospect says "great, we also need SSO." And your instinct is to say "sure, I'll include that."
Don't. Because the moment you bundle SSO into your existing engagement, you've done two things wrong. You've hidden a high-value deliverable inside a line item the client will never appreciate. And you've created scope that has no boundary — because "set up SSO" without a defined number of apps, a specific identity provider, and a clear protocol is not a deliverable. It's a blank check.
What you should do instead is name it. Price it. Put it on a one-pager next to your Trust Center and your questionnaire turnaround and your SLA tiers. Call the whole thing your Enterprise Solo Pack. Hand it to the buyer during a ten-minute demo. And let them see — in one page — that you are procurement-ready without a team behind you.
That's what I did. And the last three enterprise deals I closed, the buyer's procurement team approved me faster than the four-person agency they were also evaluating. Not because I had more credentials. Because I had a security portal template they could actually read, answers they could verify, and a price sheet with no surprises.
Jordan: So here's what you're walking away with today. A named, priceable add-on — the Enterprise Solo Pack — with four components: your public Trust Center, a questionnaire autofill flow backed by a CAIQ-Lite answer library, an SSO configuration add-on with hard scope boundaries, and tiered SLAs. Plus the exact ten-minute demo sequence I run on calls that gets procurement teams to yes without them ever asking "how big is your team." I'm Jordan. This is Headcount Zero.
Jordan: Okay, quick context for anyone who missed episode nine. That episode was about building the foundation — the Trust Center page, the CAIQ-Lite answer library, the Make flow that autofills questionnaires and routes them for your approval. If you haven't built that yet, go back and do it first. Today is about what comes after. You've got the security posture. Now you need to package it, price it, and sell it in a way that makes procurement teams move fast.
Because here's what I learned the hard way. Having a Trust Center is necessary. But it's not sufficient. The buyer's procurement team doesn't just want to see that you take security seriously. They want to see a defined scope of work, a price, SLA commitments, and — increasingly — SSO. And they want to see all of that in one place, in a format they can forward to their legal team without a phone call.
The deal that taught me this was a mid-market fintech company. Sixty-five employees. They loved the automation proposal. They'd already seen the Trust Center. Their IT director had even run through my CAIQ-Lite answers and said — and I'm paraphrasing — "this is cleaner than what we got from the last three vendors." Great. And then procurement sent back a list of four items they needed before the contract could move. SSO integration with their Okta instance. A defined SLA with response times and credit terms. A questionnaire turnaround commitment. And a single pricing document that covered all of it.
I didn't have that document. I had pieces. The Trust Center was live. The answer library was mapped. But the SSO scope was buried in an email thread, the SLA was a paragraph in my master services agreement that nobody had read, and the pricing was... verbal. I'd quoted it on a call.
So I spent a weekend building the one-pager. And that one-pager — the Enterprise Solo Pack pricing sheet — has closed more enterprise deals for me than any case study, any testimonial, any demo I've ever done. Because it answers the question procurement is actually asking, which is not "are you good at automation." It's "can we buy from you without creating risk for ourselves."
Jordan: Let me walk through the backbone first, because this is what makes the whole pack credible. In January of this year, the Cloud Security Alliance released the CCM-Lite and CAIQ-Lite version four bundle. If you're not familiar — CCM is the Cloud Controls Matrix. It's the framework that maps security controls. The full version four point one has two hundred and seven controls across seventeen domains. CAIQ is the Consensus Assessments Initiative Questionnaire — the question set that maps to those controls. Full CAIQ version four point one has two hundred and eighty-three questions.
Those are big numbers. And for a solo operator, answering two hundred and eighty-three questions is a week of work the first time through. But CCM-Lite trims that to ninety-six controls. And CAIQ-Lite trims the question set to a hundred and thirty-eight questions across the same seventeen domains. Same structure. Same domain coverage. Roughly half the surface area.
And here's the part that matters for your pack — as of October twenty twenty-four, CCM-Lite submissions are accepted into the CSA STAR Registry. So you're not using some off-brand shortcut. You're using the official streamlined artifact that CSA designed specifically for small and medium enterprises as a stepping stone toward full Level One self-assessment.
Your answer library maps to those hundred and thirty-eight CAIQ-Lite questions. Each answer in your Notion database or CSV has the question ID, the CCM domain, your approved answer, a link to gated evidence, and an autofill alias that your Make or n8n flow uses for fuzzy matching when a buyer sends their own questionnaire. We built all of this in episode nine. Today, that library becomes a line item in your pack — "CAIQ-Lite mapped answer library, initial load, with autofill and human approval for questionnaire turnaround in twenty-four to forty-eight hours."
Jordan: Now — SSO. This is where most solo operators either give it away or avoid it entirely. Both are wrong.
I looked at how boutique firms actually price identity work. And the range is wild. EPC Group — an identity consulting practice — publishes fixed-fee Entra ID implementations starting at twenty-five thousand dollars and going up to three hundred thousand. Volobyte, a boutique IAM consultancy in the UK, cites twelve to thirty thousand pounds for a typical SMB SSO and MFA project. Those are team-sized scopes. Multiple apps, lifecycle automation, the whole identity stack.
You are not doing that. You are connecting one to three applications to a client's existing identity provider — Okta, Entra ID, Google Workspace — using SAML two point oh or OIDC. You're mapping a handful of groups and claims. You're running a test plan with their test users. And you're handing them a runbook and rollback notes.
That is a bounded, fixed-fee deliverable. And the market signals say it's priceable as a standalone line item. Adelante — a public sector supplier in the UK — lists "SSO implementation cost" as a separate add-on in their government cloud catalogue. Advanced AI Partners in Japan publishes fixed-price packages that include SSO and JIT configuration as an explicit deliverable. This is not unusual. This is how procurement expects to see it.
So on your one-pager, SSO is an optional add-on. You list the supported identity providers. You list the protocols — SAML, OIDC, SCIM if you offer provisioning. You define the scope — up to three apps, one identity provider, a set number of test users. And you define what's out of scope — new IdP procurement, custom SSO for legacy apps without standard protocols, mobile SDK changes. That boundary is everything. It's what keeps a three-day project from becoming a three-month project.
Jordan: SLA tiers are the third piece. And honestly, this is the easiest part to set up and the part that signals maturity the loudest. You offer three tiers. Standard — included with the pack — gives business-hours response times and a reasonable fix window. Priority bumps the response time and the fix window for an additional monthly fee. Premium is your fastest tier.
The key is that these are on the one-pager. The buyer sees them. They pick one. There's no negotiation about "well, what if something breaks at midnight" because you've already defined what happens at midnight for each tier. And if you built the SLA automation pipeline from episode ten, you've already got the credit math and the status page integration running. The SLA tier on your one-pager is just the client-facing label for infrastructure you've already built.
So the one-pager has four sections. Core deliverables — Trust Center setup, questionnaire intake workflow, CAIQ-Lite answer library, one autofill-plus-approval cycle. SSO add-on — optional, fixed fee, scoped. SLA tiers — pick one. And proof chips — your actual ninety-day uptime, your p95 latency, your questionnaire turnaround time. Real numbers from your own systems.
One page. That's it. No twelve-page proposal. No "let's schedule a follow-up to discuss pricing." One page that procurement can forward to legal in thirty seconds.
Jordan: Now — the demo. This is where the pack becomes a deal-closer instead of a PDF that sits in someone's inbox.
Ten minutes. Not thirty. Not an hour. Ten. And the structure matters because you're not selling features. You're selling speed and trust.
First minute — outcome first. You open with your proof chips. "In the last ninety days, here's my uptime. Here's my p95 latency. Here's my average questionnaire turnaround." You're leading with evidence, not promises. And you're showing the live Trust Center — the public page — while you say it.
Minutes one through three — Trust Center tour. Live status, SLA targets, data flow, subprocessor list, evidence index. The buyer sees that this is not a marketing page. It's an operational artifact with links to gated evidence behind an NDA.
Minutes three through five — answer library and autofill. This is where most buyers lean in. You show the CAIQ-Lite mapped table in Notion. You run a quick demo — drop a sample questionnaire into the intake, show the fuzzy match pulling answers, show the draft landing in your approval queue. The buyer sees that their hundred-and-thirty-eight-question form is going to come back in hours, not weeks. And every answer has been human-approved.
Minutes five through seven — SSO scope. You show a past runbook — redacted — so they can see what the deliverable actually looks like. You confirm which identity providers and protocols you support. You walk through the scope boundaries on the one-pager. This is where you prevent scope creep before it starts, because the buyer sees exactly what's included and what triggers a scope change.
Minutes seven through nine — the pricing one-pager itself. Core pack, SSO add-on, SLA tiers. You pause here. You let them ask questions. This is the only part of the demo where you stop talking and listen.
Last minute — next steps. You send the NDA, the data-sharing link, target delivery dates, and a decision checklist. The buyer leaves the call with everything they need to move internally. No "I'll send that over later." It's already sent.
Jordan: Now — I'd be lying if I said this works for every buyer. It doesn't.
Some buyers — especially in regulated industries, financial services, healthcare — are going to look at your CAIQ-Lite answers and say "we need the full CAIQ version four point one." Or they'll want a SIG questionnaire. Or they'll want SOC two evidence you don't have. And some buyers treat SSO as table stakes — they expect it included, not priced as an add-on.
This is real. And the way you handle it is not by pretending it won't happen. It's by having an escalation path on the one-pager itself. A single line that says — "Full CAIQ version four point one and STAR Level One registry submission available on request within five business days." Because CSA's STAR Level One uses the CAIQ version four spreadsheet as the formal submission artifact. Your CAIQ-Lite library maps cleanly to it — you maintain a crosswalk table from Lite question IDs to full CAIQ question IDs, so expanding your answers is a lookup, not a rewrite.
For SSO pushback — if a buyer expects SSO included, that's a pricing conversation, not a scope conversation. You can fold the SSO fee into the core pack price for that specific deal. But you keep it visible on the one-pager for every other deal, because most buyers respect transparent pricing more than they resist add-on fees. The boundary protects you. And honestly, it protects them too — because a scoped SSO deliverable with a runbook and rollback notes is better than "yeah, we'll figure out SSO as we go."
The pack is not a universal answer. It's a default path that handles eighty percent of enterprise procurement conversations in a format that makes you look like you've done this a hundred times. The other twenty percent gets the escalation track. And having both paths documented — on one page — is what separates you from the solo operator who's scrambling to answer "do you support SAML" in a Slack thread at eleven PM.
Jordan: So let me bring this back to where we started. You should not be selling SSO as part of your retainer. You should not be quoting SLA terms verbally on a call. And you should not be walking into enterprise deals with your security posture scattered across a Trust Center here, an email thread there, and a pricing conversation you half-remember from last Tuesday.
Name the pack. Price the pack. Put it on one page. Rehearse the ten-minute demo until you can run it without thinking about what comes next. Because the buyer's procurement team is not evaluating your technical skills. They're evaluating whether buying from you is going to create a problem for them. The Enterprise Solo Pack is your answer to that question — and it fits on a single sheet.
If you want the templates — the Trust Center page, the CAIQ-Lite answer library with the autofill schema, and the pricing one-pager with SSO scope boundaries and SLA tiers already laid out — grab the Enterprise Solo Pack from the Resources page. Fill in the brackets, publish the Trust Center, and price it this afternoon.
One thing to do this week. Pick your next enterprise prospect. Run the ten-minute demo on them. Not a practice run — a real call. You'll find out in ten minutes whether your pack holds up or whether something needs to change. Either way, you'll know.
I'm Jordan. This is Headcount Zero. Go ship it.