Y5 — Discovery Call Script + Qualification Questionnaire

Asset: Y5  |  Workstream: [GTM]  |  Ownership: [SH]  |  Owners: Sagar (lead) · Nidhi (compliance depth)  |  Status: drafted  |  Feeds: A5 (discovery trigger) · the G-series audit framing

Purpose: The human counterpart to the G-tool audit. A compliance-focused MEDDIC/BANT-lite script for the discovery + findings-review call that qualifies hard and maps every captured pain to a claude.md §4 remediation asset — the same discipline G2 enforces with remediation_asset_id.


0. When this runs

Two moments, same script:
  1. Discovery call — after a positive reply to Y4 outreach, before/while the free audit runs. Goal: qualify + scope the audit + set up the findings review.
  2. Findings review — walking the prospect through their G3 report. Goal: convert findings into a Y6 proposal.

Use Y1 for all framing, reframes, and objection handling.

1. Call flow (30–40 min)

Phase | Min | Goal
1. Frame | 2 | Set the agenda; this is a fit conversation, not a pitch.
2. Context | 5 | Their stack, stage, team.
3. The driver | 8 | Why now — the compliance/deal/funding trigger. The heart of qualification.
4. Current state | 8 | Cloud/CI maturity, controls, gaps (the audit quantifies this).
5. Decision + economics | 6 | Who decides, budget reality, timeline.
6. Next step | 5 | Book the audit (call 1) or send the proposal (findings review).

2. The questionnaire (MEDDIC/BANT-lite, compliance-flavored)

Ask conversationally — don't read it like a form. Capture answers into HubSpot (Y13 properties).

M — Metrics / impact (what does solving this unlock?)

  • "What happens for the business when this is solved — a deal closes, a round clears, a customer signs?"
  • "Roughly how big is the deal/round that's gated on this?" (sizes the urgency + justifies price.)

E — Economic buyer

  • "Who signs off on a project like this — you, the CEO, the board?"
  • "Is there a budget line for security/compliance/platform this year, or does this get created?"

D — Decision criteria

  • "If you brought in help here, what would make it a clear yes? What would kill it?"
  • "Build it in-house, hire for it, or bring in a partner — where's your head at?" (surfaces the Y1 §6 alternative to position against.)

D — Decision process

  • "Walk me through how a decision like this actually gets made and by when."
  • "Anyone else who needs to be in the room — security, eng leadership, legal?"

I — Identify pain (the compliance core — map each to a §4 asset)

  • "What's driving the compliance conversation — a customer, an auditor, a regulator, the board?"
  • "Which framework: SOC 2, ISO 27001, HIPAA, PCI? Where are you in it — exploring, mid-audit, deadline?"
  • "How's the cloud built today — IaC or click-ops? GitOps or manual deploys?"
  • "How do humans get access to prod? Long-lived secrets, shared accounts, or scoped/just-in-time?"
  • "What's your evidence story today — could you answer an auditor's request in an afternoon, or is it a scramble?"

C — Champion

  • "Who internally feels this pain most acutely?" (That person is the champion — arm them with Y8.)

B — Budget / A — Authority / T — Timeline (BANT closeout)

  • "Ballpark budget range you're working with?" (Anchor with Y2 ranges if asked.)
  • "Hard deadline driving this?" (Audit date / deal date / board date.)

3. Pain → remediation-asset map (say this in the findings review)

When a pain surfaces, name the SnowOps asset that fixes it. This is what makes the call land as engineering, not advice. (Aligns with the G2 rule pack's remediation_asset_id.)

Pain you hear | Maps to §4 asset(s) | One-liner
"We deploy by hand / click-ops" | C1–C3, F0–F8 | "GitOps pipeline — every change via PR → plan → policy gate → apply."
"No SOC 2 / failing the questionnaire" | D3, E0, the Y7 matrix | "Policy-as-code gates + evidence emitted on every deploy."
"Long-lived cloud secrets / shared admin" | B2 (OIDC), H1–H3 (MFA/CA/PIM), H5 (rotation), H7 (break-glass) | "Identity over secrets — zero long-lived creds, least-privilege, just-in-time."
"No network isolation / public PaaS" | F2, F5, N5, N6 | "Hub-spoke + private endpoints + default-deny."
"No audit logs / can't prove what changed" | J1, J6, G6 | "Immutable logging + WORM forwarding."
"Containers unsigned / unscanned" | C2, D4, F4 | "Build → sign → scan → admission-gate. Unsigned images can't run."
"No drift detection / config rots" | S1, S2 (retainer) | "Scheduled plan + issue-per-drift — caught before the auditor finds it."
"Encryption gaps / weak TLS" | M1, M2, M3, D3 | "Encryption-deny policy + CMK + TLS floor."
"No budget controls / cost surprises" | U1, U2 | "Budget + tag enforcement as policy."

Assets not yet shipped (E0/S1/S2/M-series/N-series, etc.) → present as the roadmap the engagement delivers, not as something live today. Never imply they are shipped.
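As an added example (not code from this page, from SnowOps, or from the S1/S2 retainer it describes), the "scheduled plan + issue-per-drift" one-liner above made concrete. The script takes the JSON that `terraform show -json tfplan` emits after a scheduled plan and turns every resource whose live state no longer matches the committed config into one issue record, keyed by a stable fingerprint so the next nightly run can find the already-open issue instead of filing a duplicate. Assumptions: the plan JSON shape used here (`resource_changes[].change.actions`, plus `resource_drift` on Terraform 1.1+) follows HashiCorp's documented JSON output format; the embedded sample plan and its Azure resource names are constructed; actually filing the issue is left to the caller.

```python
"""Issue-per-drift from a Terraform JSON plan (added example; see lead-in)."""
import hashlib
import json
import sys

# Constructed sample of `terraform show -json tfplan` output (not real data):
# someone flipped an NSG rule to Allow in the portal, and a storage account
# that the config declares was deleted by hand.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "azurerm_network_security_rule.deny_all_inbound",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["update"],
                    "before": {"access": "Deny", "priority": 4096},
                    "after": {"access": "Allow", "priority": 4096}}},
    ],
    "resource_changes": [
        {"address": "azurerm_resource_group.core",
         "type": "azurerm_resource_group",
         "change": {"actions": ["no-op"],
                    "before": {"name": "rg-core"}, "after": {"name": "rg-core"}}},
        {"address": "azurerm_network_security_rule.deny_all_inbound",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["update"],
                    "before": {"access": "Allow", "priority": 4096},
                    "after": {"access": "Deny", "priority": 4096}}},
        {"address": "azurerm_storage_account.evidence",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "stevidenceworm", "account_tier": "Standard"}}},
    ],
})


def _is_drift(change: dict) -> bool:
    """no-op and read actions are not drift; anything else means live != config."""
    actions = change.get("actions", [])
    return bool(actions) and actions not in (["no-op"], ["read"])


def _attr_diff(change: dict) -> list[tuple[str, object, object]]:
    """Attributes whose planned 'after' value differs from 'before'."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return [(k, before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)]


def drift_fingerprint(address: str, actions: list[str]) -> str:
    """Stable key for dedup: put it in the issue body, search for it next run."""
    return hashlib.sha256(f"{address}|{'+'.join(actions)}".encode()).hexdigest()[:12]


def drift_issues(plan_json: str) -> list[dict]:
    """One issue record per drifted resource address, in plan order."""
    plan = json.loads(plan_json)
    issues: dict[str, dict] = {}
    # resource_drift: what refresh found changed outside Terraform (state vs live);
    # resource_changes: what apply would do to bring live back to the config.
    for source in ("resource_drift", "resource_changes"):
        for rc in plan.get(source, []):
            change = rc.get("change", {})
            if not _is_drift(change):
                continue
            actions = change["actions"]
            kind = "replace" if len(actions) == 2 else actions[0]   # ["delete","create"]
            addr = rc["address"]
            entry = issues.setdefault(addr, {
                "title": f"[drift] {kind}: {addr}",
                "labels": ["drift", f"tf:{rc.get('type', 'unknown')}"],
                "fingerprint": drift_fingerprint(addr, actions),
                "body_lines": [],
            })
            entry["body_lines"].append(f"{source}: {'/'.join(actions)}")
            for k, b, a in _attr_diff(change):
                entry["body_lines"].append(f"  {k}: {b!r} -> {a!r}")
    for e in issues.values():
        e["body"] = "\n".join(e.pop("body_lines") + [f"fingerprint: {e['fingerprint']}"])
    return list(issues.values())


if __name__ == "__main__":
    # Usage: python drift_issues.py plan.json   (defaults to the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for issue in drift_issues(raw):
        print(issue["title"], issue["labels"])
        print(issue["body"])
        print()
```

On a real schedule the records are ready to post with `gh issue create` or `actions/github-script`; search open issues for the fingerprint string first and comment on the existing one rather than opening a second.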

4. Qualification scorecard (fill at end of call)

Criterion | Strong (work now) | Weak (nurture/disqualify)
Driver / "why now" | Deal or audit on the line, dated | "Eventually, no pressure"
Framework clarity | Named framework + deadline | "Not sure what we need"
Cloud fit | Azure + GitHub | AWS-primary (M4) / GitLab (M3)
Economic buyer | Identified + reachable | Unknown
Budget | Range stated or createable | "No budget at all"
  • 3+ strong → ICP, push to proposal. Route per Y3/A2.
  • Mostly weak → nurture (Y10) — the free audit + roadmap, revisit on a trigger.

5. Closing the call

  • Discovery call → "Let's get the free audit running so the next conversation is about your data, not generalities. Takes ~20 min of your time, read-only." → A5 fires the offer email (Y4 §4) + G4 dispatch.
  • Findings review → "I'll turn these findings into a scoped, fixed-price plan — you'll have the proposal in [X days]." → Y6 + A3 render.

Definition of Done (Y5)

  • Run against 2 synthetic personas; every captured pain resolves to a real §4 asset (G2-style discipline). (§3 map covers the common pains; validate on personas.)
  • Questionnaire fields reconciled with Y13 HubSpot properties.
  • Nidhi review for compliance-depth + claim accuracy.

Sign-off

  • Reviewer: _  |  Date: _  |  Result: PASS / FAIL
  • Notes: