How to Write a Penetration Testing RFP: Template and Evaluation Guide
Even for small engagements, a structured request gets better quotes. Comparing proposals requires standardised questions and consistent evaluation criteria.
RFP Structure: Section by Section
1. Company Overview
Brief description of your organisation, industry, and security posture. Include company size, technology stack overview, and the business context for this engagement.
Example: 'Acme Corp is a Series B SaaS company with 150 employees. We operate a multi-tenant web application on AWS serving 500+ enterprise customers. We are pursuing SOC 2 Type II certification and require an independent penetration test.'
2. Scope Definition
Detailed scope statement including assets, access level (black/grey/white box), in-scope and out-of-scope items, testing environment, and any restrictions.
Reference our scoping guide for templates. Include counts of applications, IP addresses, user roles, API endpoints and cloud accounts, since these drive the vendor's effort estimate. Specify permitted testing hours, no-test zones, and escalation procedures.
3. Compliance Requirements
List all compliance frameworks the pentest must satisfy. Specify required report formats, evidence requirements, and any tester certification mandates.
Example: 'Test must satisfy SOC 2 CC6.1 and PCI DSS v4.0 Requirement 11.4. Report must include CVSS scoring and mapping to relevant controls. Testers must hold OSCP or CREST CRT.'
4. Timeline
Desired start date, maximum engagement duration, report delivery deadline, and retest window. Include any compliance audit deadlines driving the timeline.
Example: 'Testing must commence by 1 May 2026. Maximum duration: 10 business days. Final report due within 5 business days of testing completion. Retest within 60 days of remediation.'
5. Evaluation Criteria
How you will score proposals. Sharing the weighted criteria upfront (see the evaluation scoring framework below) lets vendors tailor their responses and ensures you receive comparable submissions that can be compared on equal terms.
6. Pricing Format
Specify how you want pricing presented: fixed fee, day rate, or both. Request breakdown by phase (testing, reporting, retesting). Ask for multi-year pricing if relevant.
Example: 'Provide pricing as a fixed fee for the defined scope. Include itemised breakdown: testing, report delivery, and one retest. Separately quote a 2-year retainer option with quarterly testing.'
7. Deliverables
What you expect to receive: executive summary, technical report, raw findings data, retest evidence, presentation to stakeholders.
Example: 'Deliverables must include: executive summary (max 3 pages), technical findings report with CVSS scores, remediation guidance per finding, raw evidence archive, and a 30-minute executive debrief call.'
8. Terms and Conditions
Confidentiality/NDA requirements, data handling procedures, professional liability insurance minimums, right to audit testing procedures.
Example: 'Provider must carry minimum $2M professional liability insurance. All testing data must be destroyed within 30 days of engagement completion. Mutual NDA required.'
Evaluation Scoring Framework
Score each proposal on these criteria. The weighting reflects what matters most for quality outcomes:
| Criteria | Weight | What to Evaluate | Score (1-5) |
|---|---|---|---|
| Technical Methodology | 30% | Testing approach, tools, manual vs automated ratio, OWASP/PTES alignment, methodology documentation | 5 = Comprehensive manual methodology. 1 = Scanner-only approach. |
| Team Qualifications | 25% | Individual tester certifications (OSCP, CREST), years of experience, relevant industry experience, sample reports | 5 = OSCP/CREST certified, 10+ years. 1 = No certifications, generic team. |
| Pricing | 20% | Total cost, cost per day, retest inclusion, multi-year pricing, hidden fees, comparison to market benchmarks | 5 = Competitive with retesting included. 1 = Significantly above market. |
| References | 15% | Client references in similar industry/size, case studies, testimonials, verifiable past performance | 5 = Strong references in your industry. 1 = No references available. |
| Reporting Quality | 10% | Sample report structure, CVSS scoring, remediation guidance depth, executive summary quality, compliance mapping | 5 = Comprehensive developer-ready report. 1 = Generic scanner output. |
Total weighted score = (Methodology x 0.3) + (Qualifications x 0.25) + (Pricing x 0.2) + (References x 0.15) + (Reporting x 0.1). Maximum score: 5.0.
Internal Budget Justification Template
Use this structure to get pentest budget approved internally:
Penetration testing is a standard security control that identifies exploitable vulnerabilities before attackers do. The average data breach costs $4.88M (IBM Cost of a Data Breach Report 2024). Our proposed testing investment of [$X-$Y] represents [0.3-0.6]% of that figure.
We process [PII/financial data/health records] for [X] customers. Our attack surface includes [Y] web applications, [Z] cloud accounts, and [W] internal network segments. We have not conducted a formal pentest in [timeframe].
[Framework] requires annual/periodic penetration testing. Our next audit is scheduled for [date]. Without pentest evidence, we risk [non-compliance consequences: fines, lost certification, contract breach].
Based on our scope and company size, the recommended annual testing budget is [$X-$Y]. This covers: penetration testing ($A), remediation support ($B), retesting ($C), and vulnerability scanning ($D).
We have identified [3] qualified providers. Evaluation criteria: technical methodology (30%), team qualifications (25%), pricing (20%), references (15%), reporting quality (10%).
Statement of Work: Key Clauses
Once you have selected a provider, these clauses should appear in your statement of work:
Scope Definition
Exact list of in-scope and out-of-scope assets. Reference the scoping document as an appendix. Because this section also serves as the provider's written authorisation to test, it should name the authorising signatory and the source IP addresses the provider will test from, so your monitoring team can distinguish the engagement from a real attack.
Timeline and Milestones
Start date, testing window, report delivery date, retest window. Include buffer for finding remediation.
Deliverables
Executive summary, technical report, raw data archive, retest report. Specify format (PDF, online portal, both).
Confidentiality
Mutual NDA. All testing data treated as confidential. Data destruction timeline after engagement.
Data Handling
How the provider handles any sensitive data encountered during testing: encryption requirements for evidence at rest and in transit, a prohibition on copying production data off the provider's approved testing systems, and minimisation of captured evidence to what is needed to demonstrate each finding.
Escalation Procedures
Immediate notification for Critical findings and for any unintended impact on production systems. Contact names and phone numbers, on both sides, for emergency escalation during testing.
Retesting Terms
Number of retests included, window for retesting, scope of retest (Critical and High only, or all findings).
Liability and Insurance
Professional liability insurance minimums. Limitation of liability. Indemnification for damage caused during testing.
6 Common RFP Mistakes
Vague Scope
Define exact assets, user roles, and access levels. Vague scope leads to inflated quotes and scope creep.
No Evaluation Criteria
Without shared criteria, you cannot compare proposals objectively. Vendors do not know what to emphasise.
Comparing Fixed-Fee to T&M
Insist all vendors quote in the same format. Fixed-fee and time-and-materials quotes are not comparable.
Ignoring Retest Costs
Always ask for retest pricing upfront. It is cheaper to include in the original contract.
Not Specifying Qualifications
Require named testers with specific certifications, and the right to approve any substitution. Otherwise you may get junior staff.
Unrealistic Timeline
Good pentesting takes time. Rushing the engagement reduces finding depth. Allow 2-4 weeks for scheduling.