In sales, the best time to reach out isn’t after someone fills out a demo form - it’s before they even know they need one.

That’s where intent signals come in.

At Revking, we’ve been studying what kinds of signals really move the needle for B2B sales teams. And we’ve found that some of the strongest early indicators of buying intent are hiding in plain sight - specifically in the compliance and security space.

If a company is announcing SOC 2 certification, starting an ISO 27001 journey, or hiring a CISO, they’re telling you (without telling you) that something big is coming and they’re likely about to spend money on tools, services, and vendors that help them get there.

Why compliance-related signals matter in sales

Security and compliance might not sound exciting unless you sell into those departments but they should be. Because these moves usually mean:

• Budget is already approved

• Leadership is aligned

• Internal urgency is high

And that’s exactly when you want to get in front of a buyer.

1. SOC 2 announcements mean they’re already spending

When a company starts working on SOC 2, they’re not dabbling, they’re committing to a process that can take months and cost tens (or hundreds) of thousands of dollars.

According to Secureframe, 72% of companies spend over $50,000 preparing for SOC 2. That budget often goes to things like:

• Audit automation tools

• Logging and monitoring solutions

• Identity and access management

• Compliance consulting

These aren’t nice-to-haves, they’re must-haves to pass the audit.

Example outreach ideas:

“Hey [First Name], congrats on starting your SOC 2 process! We’ve helped a few teams at this stage automate their evidence collection ahead of Type II - happy to share some tips.”

“Noticed your security team is going after SOC 2. That’s a big lift. If it helps, I can send over a quick audit checklist that others in your space have found useful.”

2. ISO 27001 is a sign of scale and enterprise readiness

Companies don’t just wake up one day and decide to get ISO 27001 certified. It usually means one of a few things:

• They’re expanding into new markets

• They’re targeting enterprise or government clients

• They’re preparing for M&A

All of these are moments when new vendors, tools, and workflows come into play.

Gartner reports that companies pursuing ISO 27001 are 58% more likely to invest in risk and compliance platforms within 12 months of certification.

Example outreach ideas:

“Saw you’re working toward ISO 27001 - exciting move. We’ve worked with a few similar teams to streamline third-party risk workflows as part of that process. Let me know if a quick walkthrough would be helpful.”

“Congrats on the ISO 27001 certification! A lot of our customers made that move before scaling into EU markets - happy to share a few tools they leaned on along the way.”

3. Hiring a CISO usually means big change (and big spend)

Bringing in a CISO or any senior security leader is a major signal that a company is maturing its security function. It often means the organization is:

• Getting serious about data protection

• Rethinking its tech stack

• Preparing for certifications like SOC 2, ISO 27001, or HIPAA

And these leaders often come in with a mandate (and a budget) to act fast.

IDC estimates that new CISOs typically influence $200K to $2M in purchases within their first year.

Example outreach ideas:

“Noticed you're hiring your first CISO - huge milestone. A lot of teams we talk to start evaluating vendors around this time. Happy to share what others have prioritized in the first 90 days.”

“Saw you brought on a new CISO - congrats! We’ve helped a few orgs at that exact stage get aligned quickly on their compliance roadmap. Let me know if it’s worth a chat.”

How to put this into action

If you're in sales, here’s how you can start using these intent signals:

1. Track the right signals. Tools like Revking can help you monitor SOC 2 mentions, ISO certifications, and CISO job postings across your ICP.

2. Segment your outreach. Are they pre-certification, mid-certification, or post-cert? Tailor your message to where they are.

3. Keep it helpful, not salesy. Focus on sharing insights, checklists, frameworks - things that align with what they’re likely tackling right now.

Final thoughts

Sales is no longer about waiting for inbound. It’s about showing up early with relevance.

Security and compliance moves like SOC 2, ISO 27001, and CISO hiring are some of the clearest signs that a company is about to invest. The sooner you catch those signals, the better your chances of starting a real conversation.

If you want to track these signals automatically, that’s exactly what we built Revking for.

Let us know if you want a personalized list of companies that are showing signs like these right now.