How to write a solid pentest RFP: A guide for procurement

Pentest RFP for procurement professionals

SHARE

Loading the Elevenlabs Text to Speech AudioNative Player...

A strong pentest RFP is the foundation for finding the right cybersecurity partner. For procurement specialists, writing a Request for Proposal that’s clear, focused, and aligned with both security and budget requirements can make the difference between a successful engagement and a poor fit.

Written for procurement specialists, this guide aims to equip them with the necessary knowledge to craft a detailed RFP that attracts top-tier penetration testing service providers. By focusing on the essentials and understanding what to prioritize, you’ll be on the right path to bolstering your organization’s cyber defenses.

Setting clear objectives for your penetration testing RFP

As cyber-attacks become more prevalent, having a set of trusted partners to assess critical vulnerabilities and uncover your organization’s cyber risks is increasingly important.

To attract the right penetration testing providers, clarity is essential when outlining the security testing objectives. Without precise goals, there’s potential for misalignment between what you seek and what the vendors provide. Here’s how to refine your objectives:

  • Define the purpose: Begin by articulating the primary reason for seeking penetration testing services. Are you aiming for compliance with industry-specific regulations? Or are you more focused on security assurance for your stakeholders?
  • Desired outcomes: What do you expect at the end of the service? While identifying vulnerabilities is a given, perhaps you’re also seeking mitigation recommendations, remediation testing after fixing vulnerabilities, or a comprehensive presentation to senior management.
  • Scope of testing: In addition to stating the type of pentest (black box, white box, or gray box), clearly outline what needs to be tested, like web applications, internal networks, internal systems, or a combination of these. A clear scope helps vendors provide more accurate proposals.
  • Engagement timeline: If you have a project timeline in mind, specify when you’d like the testing to commence and the expected duration. If there are specific windows (such as off-peak hours) when testing should occur, mention them.

Detailing the scope of the security assessment

Clearly defining the scope of the security assessment helps vendors understand the breadth and depth of testing required, enabling them to submit accurate and relevant proposals. At the same time, it is important not to disclose sensitive information unnecessarily.

Already know your scope?

Skip the RFP and get a quote directly from our team.

In your RFP, describe the general systems, networks, applications, or devices you want tested, such as web applications, mobile applications, internal networks, or cloud environments. It can also help to include brief examples of the type of assessment your security team needs, such as external testing of a SaaS web application or internal network testing from the perspective of a compromised employee.

Just as importantly, make clear what is out of scope, whether that includes live production environments or attack scenarios considered too risky.

Important note for procurement professionals and pentest RFP writers

Sourcing potential bidders for your pentest RFP

Identifying and attracting the right penetration testing vendors is as crucial as the RFP process itself. A well-crafted RFP is only effective when it reaches qualified service providers. Here’s a step-by-step guide to sourcing potential bidders:

Start by researching cybersecurity companies that specialize in penetration testing. Useful sources include industry publications, provider directories such as CREST, AWS Marketplace, and Bosch Cybercompare, as well as specialist analyst firms such as Gartner.

Your professional networks can also be a good resource. Recommendations from colleagues, LinkedIn groups, and industry associations can provide valuable insight based on real experience. Trade shows and conferences such as Black Hat, InfoSecurity Europe, and IT-SA are also useful for discovering providers and meeting security vendors directly.

Once you have a shortlist, ask for references from previous clients. And while pricing will always matter, be cautious about choosing the lowest bidder. The cheapest proposal might not always be the best. Penetration testing is a specialized skill, and quality often comes at a price. An incomplete test can end up costing more in the long run if critical findings go unnoticed.

Evaluating potential companies: Qualifications, reputation and expertise

Choosing the right penetration testing service provider means partnering with a team you can trust to handle your organization’s most sensitive data and systems. Here’s how to evaluate the qualifications, reputation, and expertise of potential bidders:

  • Relevant industry certifications: Look for providers with recognized industry certifications, such as CREST, whose technical members hold OffSec certifications (OSCP, OSCE, OSWE, OSEP, etc.) or other certifications relevant to your needs. Suppliers with strong compliance and processes are more likely to meet your requirements, and can actually get your own company to be certified for SOC 2, ISO 27001 and ISO 9001, for instance.
  • Company experience: How long has the company been offering penetration testing services? A long history might indicate stability and expertise, but don’t dismiss newer firms outright, as they may bring innovative approaches or specialized skills.
  • Reputation in the market: Seek out testimonials and reviews. Industry forums or peer recommendations can provide invaluable insights into a company’s reliability and quality of service.
  • Track record and past projects: Request detailed case studies of their past projects. This can provide insight into their testing methodologies, the depth of their assessments, and the types of vulnerabilities they’ve uncovered in the past.
  • Profiles of the team: Dive deep into the profiles of the actual pentesters conducting the tests. What are their qualifications? How much experience do they have?
  • Insurance and liability: Ensure the company has appropriate insurance in place. In the rare event that their testing leads to data loss or other damages, you would want assurance that they’re covered. Frequently, we see companies requiring a minimum of $1,000,000 in insurance coverage, whereas those in the financial sector sometimes require over US$ 10,000,000.
  • Price vs. value: Understand what you’re getting for the price quoted. Are they offering in-depth security testing, thorough reports, and post-test consultations? Try to understand how automated and manual testing are balanced, since automated scans should complement, not replace, manual testing.

By thoroughly evaluating potential vendors’ qualifications, reputation, and expertise, you’ll be well-placed to make an informed decision.

Pricing, deliverables, and timelines

The core of most RFPs is often pricing, deliverables, and timelines. While price is undeniably a significant factor, it should be weighed alongside the scope of deliverables and the proposed timelines to ensure you get genuine value for your investment. Here’s a detailed breakdown of these crucial components:

Understanding pricing structures

  • Fixed price: A set fee for the entire penetration testing project regardless of the time taken. Suitable for well-defined scopes.
  • Daily/hourly rates: Charges based on the time spent. This might offer flexibility, but it can vary depending on the assessment’s duration.
  • Retainer-based: Suitable for ongoing engagements where vendors conduct periodic tests over a defined period, or even for the Pentest as a Service model.

If you’re still unfamiliar with how these work, we have a detailed article on our corporate blog regarding penetration testing costs, their different pricing structures, and how to decode a pentest quote.

Evaluating cost

Cost should be assessed in terms of value, not just price. The cheapest proposal may lack the depth required, while the most expensive may include unnecessary services. Your RFP should also make room to identify any hidden costs, such as retesting, travel, consultations, or tool fees. Ultimately, the best option is the one that provides the right level of security assurance for your organization.

Defining deliverables

Clearly defining deliverables in your Request for Proposal helps ensure both parties are aligned from the start. Common deliverables include an initial assessment report, a detailed pentest report, and a debriefing session to review findings and answer questions. Some organizations may also require remediation assistance and retesting as part of the engagement.

Setting clear timelines

Clear timelines help keep a pentest engagement on track and aligned with expectations. In your RFP, outline the proposed start date, the expected duration of testing, and the deadlines for report delivery. You should also include time for review and follow-up discussions, while allowing some flexibility in case the assessment uncovers unexpected complexities.

Balancing costs, the thoroughness of deliverables, and reasonable timelines is essential for an effective penetration testing RFP. By being clear on expectations and ensuring alignment with potential vendors, you set the stage for a successful and beneficial engagement.

Confidentiality and data handling

The handling of sensitive information is of paramount importance. Ensuring the confidentiality, integrity, and proper handling of data can mitigate potential risks and liabilities. Here’s what to consider:

  • Non-Disclosure Agreements (NDAs):
    • Ensure any cybersecurity firm you engage with is willing and ready to sign an NDA. This legally binding document ensures that any data they access or insights they gain remain confidential.
  • Data handling protocols:
    • Storage: Determine how the vendor will store any data they collect during the assessment, even if temporary. Opt for encrypted storage solutions and understand the storage duration.
    • Transmission: If data must be transmitted, ensure it’s done securely using encrypted channels.
    • Disposal: After the assessment, understand the firm’s measures for securely deleting data and its data retention policy.
  • Scope and data access:
    • Clearly define the scope of data the pentesters can access. Restrict access to especially sensitive or personal information unless necessary for the assessment.
    • Ensure there are mechanisms to log and audit the data accessed during the test.
  • Other regulatory considerations:
    • Depending on your industry, specific regulations might govern data handling (e.g., GDPR, HIPAA, CCPA). Ensure the vendor is compliant with these regulations and understands their implications.

Questions to include in a penetration test RFP

A solid Request for Proposal elicits comprehensive, actionable responses. To achieve this, the questions you include are vital. Here are some must-ask questions that can help you evaluate a pentest company:

10 questions to ask your pentest provider

Evaluating responses and making a decision

The journey from issuing an RFP to selecting a penetration testing provider requires meticulous analysis of all responses to ensure your choice aligns with your immediate testing needs and strengthens your cybersecurity posture over the long term.

Initial screening & technical evaluation

Begin by filtering out responses that fall short of basic compliance or include major gaps. From there, evaluate each vendor’s methodology, tools, and technical capabilities against your specific requirements to assess how well they align with your expected outcomes.

Team and cost evaluation

Assess both the expertise of the proposed team and the value behind the cost. Review the qualifications and experience of the consultants assigned to your project, and weigh the price against factors such as the depth of testing, post-test support, and any additional services offered.

Past performance & communication

Assess past performance by reviewing case studies, sample reports, and client testimonials to understand the vendor’s reliability and consistency. At the same time, evaluate their communication style through conversations or interviews to assess how clearly they answer questions and how effectively they are likely to collaborate with your team.

Decision-making framework

A structured decision-making framework helps you evaluate vendors consistently and objectively. Using a scoring system or matrix, you can compare providers across areas such as expertise, methodology, cost, past performance, and communication, and select the one that best aligns with your needs.

Red flags: What to watch out for

Identifying potential red flags during the evaluation process is imperative to avoid pitfalls and ensure a robust cybersecurity partnership:

Pentest Request for Proposal red flags

Conclusion

Creating a well-crafted pentest RFP is an important step in cybersecurity procurement. The selection process balances quality with cost-effectiveness, ensuring that the value derived from a third-party provider isn’t measured solely by price but by the depth and applicability of the test results, associated services, and deliverables.

Ultimately, the goal is to create a cybersecurity environment where regular assessments, proactive threat detection, and swift response mechanisms are the norm. It’s about making strategic choices that center on who you typically select as your security partner and how you integrate penetration test insights into a broader cybersecurity program.

This guide serves as a roadmap for procurement professionals to navigate these critical decisions, ensuring that your cybersecurity efforts yield tangible, enduring benefits for your organization.

About the author

Picture of Julio Fort

Julio Fort

Julio has been professionally in the field of cybersecurity for over 15 years. With extensive international experience, he worked as a security consultant for London Olympics 2012, and served as a senior application security advisor at a global investment bank. Julio holds a master’s degree from Royal Holloway, University of London, in application security and fuzzing.

RELATED POSTS

Ready to take your security
to the next level?

We are! Let’s discuss how we can work together to create strong defenses against real-life cyber threats.

Stay informed, stay secure

Subscribe to our monthly newsletter

Get notified about new articles, industry insights and cybersecurity news