As cyber-attacks become more prevalent, sophisticated and frequent, internal audit teams, executive members of the board, C-suite, and other figures involved in the senior leadership of any mature organization are increasingly concerned about cybersecurity threats. Having a set of trusted partners to advise on cybersecurity matters, assess critical vulnerabilities and uncover your organization’s cyber risks is crucial. But how do you make sure you have chosen the right cybersecurity partner?
One of the answers lies in crafting a solid Request for Proposal (RFP). This guide aims to equip procurement professionals with the necessary knowledge to craft a pentest RFP that attracts top-tier penetration testing service providers. By focusing on the essentials and understanding what to prioritize, you’ll be on the right path to bolstering your organization’s cyber defenses.
This article was written for procurement specialists to educate this audience on the nuances of creating an effective penetration testing RFP that serves your organization’s security and budgetary needs.
Although this blog post’s main objective is to help pentest procurement, the article is a useful overview that serves as a blueprint for procuring other cybersecurity services.
Understanding the very basics of penetration testing
Penetration testing, often referred to as “pentesting,” is a form of ethical hacking and a proactive approach where cybersecurity professionals simulate, in a controlled way, cyberattacks on a system, application, network or entire organization to identify risks and security vulnerabilities before malicious actors can exploit them.
Roughly speaking, there are different types of penetration tests, each catering to specific needs:
- Black box testing: In this method, the pentester receives no prior knowledge of the system they’re assessing. They approach it like an outsider or a potential attacker, using publicly available information to find and exploit vulnerabilities. It provides insights into what a remote attacker might see and do.
- White box testing: Contrary to black box testing, the pentester has full knowledge of the system, including source code, architecture, and more. This method is exhaustive and usually uncovers more vulnerabilities since it lays the system bare for inspection.
- Grey box testing: A middle-ground approach where the pentester has some knowledge about the system, albeit limited. It aims to combine the best of the two methods above, using inside information and external tactics to discover vulnerabilities. It is the most common approach for the majority of assessments, and it emulates an often overlooked type of attacker: a malicious insider with a certain degree of access to the systems.
The primary objectives of these tests differ based on organizational needs, but common goals include:
- Vulnerability discovery: Identifying weak points in applications, networks, or processes that attackers could exploit.
- Risk assessment: Evaluating and categorizing vulnerabilities based on their potential impact. This helps organizations prioritize which issues to address first.
- Compliance adherence: Ensuring the organization meets specific cybersecurity standards, regulations or frameworks, such as SOC 2 or ISO 27001. For some sectors, regular pentesting is a requirement to remain compliant — for example, PCI DSS or GLBA mandate yearly pentests.
- Security awareness: Educating the internal team about potential vulnerabilities and fostering a culture of continuous security improvement.
Understanding these basics offers a foundation for defining your RFP’s purpose and objectives. Remember, the type of pentest and its primary goals should align with your organization’s specific security concerns and compliance requirements.
Setting clear objectives for your penetration test RFP
To attract the right penetration testing providers and ensure your organization’s needs are met, clarity is essential when outlining the objectives for the RFP. Without precise goals, there’s potential for misalignment between what you seek and what the vendors provide. Here’s how to refine your objectives:
- Define the purpose: Begin by articulating the primary reason behind seeking penetration testing services. Are you aiming for compliance with industry-specific regulations? Or are you more focused on security assurance for your stakeholders? Clarifying this will help potential vendors tailor their responses to your priorities.
- Desired outcomes: What do you expect at the end of the service? While identifying vulnerabilities is a given, perhaps you’re also seeking mitigation recommendations, remediation testing after fixing any discovered vulnerabilities, or a comprehensive presentation to senior management on the findings. By stating your organization’s desired outcomes, vendors can better gauge the depth of assessment, associated services, and reporting format they should propose.
- Scope of testing: In tandem with the type of pentest (black box, white box or grey box), provide specifics about which systems or applications need testing. Are you focusing only on external-facing web applications, or do internal networks and systems also need assessing? The clearer you are on this front, the more accurate the proposals you’ll receive.
- Engagement timeline: If you have a project timeline in mind, specify when you’d like the testing to commence and the expected duration. If there are specific windows (like off-peak hours) when testing should occur, mention those.
Setting clear objectives makes the vendors’ job easier and increases the chances of your RFP attracting bids that align closely with your needs. This clarity reduces back-and-forth during the evaluation process and ensures a smoother engagement once a vendor is selected.
Detailing the scope of activities
As we saw in the section above, clearly defining the scope of activities in your RFP helps potential vendors understand the breadth and depth of testing required, ensuring their proposals are comprehensive and tailored. However, it’s a delicate balance, as providing too much detail might inadvertently expose sensitive information. Here’s how to navigate this:
- What to include: Outline the general systems, networks, applications, or devices you want to be tested. This could range from web application and mobile application security assessments to network penetration testing, cloud infrastructures, etc. For instance, you might want to test your e-commerce platform, especially if you’ve integrated new payment gateways recently, or assess the security of a newly developed mobile app before its launch.
- Potential examples: It’s beneficial to provide examples that elucidate the tests your organization’s IT security team envisions. For instance, you could mention: “External penetration testing of our payroll SaaS-based web application to simulate potential attacks from malicious users” or “Internal network testing to identify vulnerabilities within our network from the perspective of a compromised employee.”
- In-scope and out-of-scope: No penetration test should be a free-for-all — make sure to clearly define what’s off the table. For instance, certain live environments might be off-limits, or specific types of simulated attacks might be deemed too risky. Setting these boundaries ensures the security assessment remains controlled and prevents unexpected disruptions.
Sourcing potential bidders for your pentest RFP
Identifying and attracting the right penetration testing vendors is as crucial as the RFP itself. A well-crafted RFP is only effective when it reaches competent and qualified service providers. Here’s a step-by-step guide to sourcing potential bidders:
- Industry research: Begin by researching top cybersecurity companies specializing in penetration testing. Industry publications, cyber provider directories such as the one operated by CREST, AWS Marketplace and Bosch Cybercompare, as well as specialized industry sources such as Gartner, often have a list of pentest service providers. This can give you a solid starting point.
- Professional networks: Tap into your professional networks. Colleagues in similar roles or industries might have recommendations based on their experiences. LinkedIn groups or industry-specific associations can also be a valuable resource for recommendations. Your own security team or a company within the same group may know a provider they can recommend.
- Trade shows and conferences: Cybersecurity trade shows and conferences are excellent platforms to meet potential vendors face-to-face. Engage with them, understand their capabilities, and collect their portfolios. Events such as Black Hat in the United States, InfoSecurity Europe in the United Kingdom or IT-SA in Germany often feature booths of companies offering IT security services that may match your needs.
- Request references: Once you’ve shortlisted potential bidders, ask for references. It’s always beneficial to hear firsthand from their previous or existing clients. This can offer insights into the vendor’s professionalism, quality of services, and timeline adherence.
- Beware of the lowest bidder: While budget considerations are essential, the cheapest proposal might not always be the best. Penetration testing is a specialized skill, and quality often comes at a price. Ensure you’re not compromising expertise for cost. A failed or incomplete test can end up costing more in the long run if vulnerabilities go unnoticed.
By systematically sourcing potential bidders, you increase the chances of finding a partner that aligns with your organization’s requirements and expectations. It’s not just about who can do the job but who can do it best.
Evaluating candidate companies: Qualifications, reputation and expertise
Choosing the right penetration testing service provider is about partnering with a team you can trust with your organization’s most sensitive data and systems. Here’s how to evaluate the qualifications, reputation, and expertise of your potential bidders:
- Relevant industry certifications: Certifications provide a baseline assurance of a vendor’s competence. Look for providers with recognized industry certifications, such as CREST, whose technical members possess OffSec certifications (OSCP, OSCE, OSWE, OSEP, etc.) or other certifications deemed technically relevant to your needs. Suppliers with strong compliance and processes are more likely to meet your vendor compliance requirements, making SOC 2, ISO 27001 and ISO 9001 some of the certifications and attestations they should have. These certifications indicate that the company adheres to industry standards and practices.
- Company experience: How long has the company been offering penetration testing services? A longstanding history might indicate stability and expertise. However, don’t dismiss newer firms outright; they might bring innovative approaches or specialized skills or are composed of experienced security engineers who decided to start a venture.
- Reputation in the market: Seek out testimonials, case studies, and reviews. Industry forums or peer recommendations can provide invaluable insights into a company’s reliability and quality of service. Moreover, look out for any negative publicity involving the company.
- Track record and past projects: Request detailed case studies of their past projects. This can provide insight into their testing methodologies, the depth of their assessments, and the types of vulnerabilities they’ve uncovered in the past.
- Profiles of the team: Dive deep into the profiles of the actual individuals conducting the tests. What are their qualifications? How much experience do they have? Often, the expertise of individual pentesters can make a significant difference in the outcomes. Make sure the bidding company has people with the skillset your project requires.
- Insurance and liability: Ensure the company has appropriate insurance in place. In the rare event that their testing leads to data loss or other damages, you would want assurance that they’re covered. The minimum amount of insurance is up to your organization to decide. Frequently, we see companies requiring a minimum of US$1,000,000 in insurance coverage, whereas those in the financial sector sometimes require over US$10,000,000.
- Value demonstration: Some companies might offer a preliminary test assessment or proof of value. This can provide a glimpse into their capabilities and the potential value they can bring to your organization.
- Price vs. value: While it’s essential to consider your budget, the cheapest option might not always be the best. Understand what you’re getting for the price quoted. Are they offering in-depth security testing, thorough reports, and post-test consultations?
By thoroughly evaluating potential vendors’ qualifications, reputation, and expertise, you’ll be well-placed to make an informed decision. Remember, it’s about building a partnership for security, so trust and confidence in your chosen vendor are paramount.
Demonstrating value with a sample test assessment
Organizations may sometimes request a sample pentest assessment when selecting an appropriate third-party provider for penetration testing. This request isn’t common in most RFPs and is not a standard across the industry. However, some organizations find value in this method to gauge the capabilities of a potential vendor. Here’s what you need to know about sample assessments:
What is a test assessment?
In the context of penetration testing procurement, a test assessment is a limited, often time-boxed, evaluation performed by a potential vendor to showcase their skills, methodologies, and reporting capabilities. It provides a “taste,” or a sample, of what the vendor can offer, albeit on a much smaller scale than a full engagement.
Why request a test assessment?
The primary reason for requesting a test assessment is to witness firsthand the vendor’s capabilities as proof of value. While certifications, testimonials, and reputation provide indicators of competence, a test assessment offers tangible, direct evidence of the vendor’s expertise.
Setting boundaries and scope
If you decide to request a test assessment, it’s essential to set clear boundaries. Define the specific systems or applications to be assessed and ensure both parties are aligned on the depth and breadth of the test. Remember, the goal isn’t a comprehensive evaluation but rather a demonstration of skills and approach.
Evaluating the sample assessment
Beyond the vulnerabilities identified, review the following in conjunction with your cybersecurity technical team:
- Methodology: How systematic and thorough is the vendor in their approach?
- Reporting: Is their report detailed, clear, and actionable?
- Communication: How effectively do they convey findings, especially potential risks?
- The cost implication: It’s crucial to recognize that a test assessment, even if limited, requires time and resources from the vendor. While some may offer it as a goodwill gesture or an investment in a potential partnership, others might charge a fee. It’s also worth noting that some top-tier providers might decline such a request, given their established reputation and demand.
- Alternative approaches: If a test assessment isn’t feasible or if vendors are hesitant, consider alternative ways to gauge their value. Detailed case studies, walkthroughs of past assessments, or deep dives into their methodologies can also offer insights into their capabilities.
In conclusion, while a test assessment can be a valuable tool in the procurement process, it’s essential to approach it with clarity and respect for the vendor’s time and expertise. It’s not a common request and should be used judiciously, ensuring it brings tangible benefits to the RFP process.
Pricing, deliverables, and timelines
The core of any RFP is often centered around pricing, deliverables, and timelines. While price is undeniably a significant factor, it should be weighed alongside the scope of deliverables and the proposed timelines to ensure you get genuine value for your investment. Here’s a detailed breakdown of these crucial components:
Understanding pricing structures
- Fixed price: A set fee for the entire project regardless of the time taken. Suitable for well-defined scopes.
- Daily/hourly rates: Charges based on the time spent. This might offer flexibility but can vary depending on the duration of the assessment.
- Retainer-based: Suitable for ongoing engagements where vendors conduct periodic tests over a defined period.
We have written a detailed article on our corporate blog regarding penetration testing costs, their different pricing structures, and how to decode a pentest quote; we recommend reading it if you’re still unfamiliar with how they work.
- Depth vs. price: The cheapest option might not provide the depth of assessment needed. Conversely, the most expensive option might offer services beyond your requirements. Understand what’s included.
- Hidden costs: Ensure all potential costs, including post-test consultations, retests, travel expenses, or additional software/tool costs, are explicitly mentioned and accounted for.
- Cost vs. value: Remember, the primary goal is security assurance. Sometimes, paying a premium might be justified if it ensures comprehensive coverage and detailed reporting.
Defining deliverables
- Initial assessment report: This preliminary report provides an overview of the findings.
- Detailed pentest report: A comprehensive document outlining vulnerabilities, their potential impact, and recommended remediations.
- Debriefing sessions: Interactive sessions where the security consultants discuss their findings, debate risk, answer questions, and provide clarification.
- Remediation assistance: Some vendors might offer guidance on how to address identified vulnerabilities.
- Retesting: After remediation, some vendors retest to confirm that the vulnerabilities have been effectively addressed.
Setting clear timelines
- Project start date: The commencement of the actual testing process.
- Duration of testing: How long is the assessment expected to last? The depth and breadth of the testing scope can influence this.
- Report delivery: Specify when you expect to receive the preliminary and detailed reports.
- Review and feedback: Allocate time for discussions, feedback, and clarifications post-delivery of reports.
- Completion date: A clear end date ensures that both parties are aligned on project closure.
- Flexibility and adjustments: Recognize that cybersecurity assessments might uncover unexpected challenges or complexities. Be prepared for potential adjustments in timelines or slight variations in deliverables.
Balancing costs, the thoroughness of deliverables, and reasonable timelines is essential for an effective and well-managed penetration test RFP. By being clear on expectations and ensuring alignment with potential vendors, you set the stage for a successful and beneficial engagement with the chosen external provider.
Confidentiality and data handling
In the realm of penetration testing, the handling of sensitive information is of paramount importance. Ensuring the confidentiality, integrity, and proper handling of data can mitigate potential risks and liabilities. Here’s what to consider:
- Non-Disclosure Agreements (NDAs):
  - Ensure any cybersecurity firm you engage with is willing and ready to sign an NDA. This legally binding document ensures that any data they access or insights they gain remain confidential.
- Data handling protocols:
  - Storage: Determine how the vendor will store any data they collect during the assessment, even if temporary. Opt for encrypted storage solutions and understand the duration of storage.
  - Transmission: If data must be transmitted, ensure it’s done securely using encrypted channels.
  - Disposal: After the assessment, understand the firm’s measures to delete data securely and its data retention policy.
- Scope and data access:
  - Clearly define the scope of data the pentesters can access. Restrict access to especially sensitive or personal data unless absolutely necessary for the assessment.
  - Ensure there are mechanisms to log and audit the data accessed during the test.
- Other regulatory considerations:
  - Depending on your industry, specific regulations might govern data handling (e.g., GDPR, HIPAA, CCPA). Ensure the vendor is compliant with these regulations and understands their implications.
Questions to include in a penetration test RFP
A well-crafted pentest RFP elicits comprehensive, actionable responses. To achieve this, the questions you include are vital. Here are some must-ask questions whose answers will support your evaluation:
Evaluating responses and making a decision
The journey from issuing an RFP to finally selecting a penetration testing provider is intricate and pivotal. This stage demands a meticulous analysis of all responses to ensure that your selection aligns with your immediate testing needs and fortifies your cybersecurity stance in the longer term.
Initial screening & technical evaluation
- Basic compliance: Immediately exclude responses that neglect to meet essential criteria or exhibit substantial omissions.
- In-depth scrutiny: Evaluate their proposed methodologies, tools, and technological capabilities. Validate these against your specific requirements and projected outcomes.
Team and cost evaluation
- Expertise analysis: Thoroughly examine the credentials and experience of the team members proposed for your project.
- Value vs. cost: Beyond the sheer financial investment, appraise the overall value delivered, including depth of assessment, post-test support, and additional provisions.
Past performance & communication
- Historical analysis: Review provided case studies, past reports, and testimonials to discern their consistency and reliability.
- Interaction assessment: Engage in dialogues or interviews with potential vendors to resolve doubts and gauge how well the two teams would work together.
Scoring and final selection
- Scoring system: Implement a matrix or scoring method to rate each vendor on parameters such as expertise, methodology, cost, historical performance, and quality of communication.
- Final selection: Choose the vendor that best aligns with your requirements, presents solid value, and with whom a productive collaboration is anticipated.
Red flags: What to watch out for
Identifying potential red flags during the evaluation process is imperative to avoid pitfalls and ensure a robust cybersecurity partnership:
Incorporating these red flags into your evaluation criteria ensures a well-rounded, vigilant selection process, facilitating a decision that fortifies your cybersecurity defenses and aligns with your business objectives.
Creating a well-managed RFP stands out as an important step for cybersecurity procurement. The selection process balances quality with cost-effectiveness, ensuring that the value derived from a third-party provider isn’t measured by price alone but by the depth and applicability of the test results and associated services and deliverables.
As we encapsulate the key concepts of this guide, it’s clear that the journey toward robust cybersecurity is complex. Beyond the immediate scope of penetration testing, it encompasses a series of important related activities, including analyzing test results, implementing security enhancements, and maintaining a posture of vigilance against emerging threats. The ability to conduct effective penetration tests is not just about technical acumen; it’s about fostering a culture where security is continuously prioritized and integrated into all aspects of your organization.
Ultimately, the goal is to create a cybersecurity environment where regular assessments, proactive threat detection, and swift response mechanisms are the norm. It’s about making strategic choices regarding who you choose as your security partner and how you integrate the insights from penetration tests into a broader cybersecurity program.
This guide serves as a roadmap for procurement professionals to navigate these critical decisions, ensuring that your efforts in cybersecurity yield tangible, enduring benefits for your organization.