Writing an Effective Penetration Testing RFP

In the past, we have explored how to find penetration testing Requests For Proposals (RFPs). Today, we are going to look at how to write an effective one. Government entities and commercial companies are often required to run an RFP process to ensure a fair and objective assessment of vendors for a particular project.

When reading through penetration testing RFPs, it is usually easy to spot the ones authored by a procurement team without a strong technical background or a clear idea of what they are asking for. So let’s discuss the do’s and don’ts of writing an RFP that gets you the greatest number of qualified bids for your project.

The Do’s of Writing an Effective Penetration Testing RFP:

  • Do be very clear about the scope of the project. For example, requesting a “Network Penetration Test” is not sufficient; a network penetration test means different things to different people. Instead, be as descriptive as you can about what you actually need, such as “an external penetration test to assess the security of our network perimeter from the Internet,” and include the sizing details a bidder needs to estimate effort (e.g. 15 external IP addresses, the number of web applications in scope, whether testing is authenticated, and any required testing windows).
  • Do have a period during which questions can be submitted. To ensure bids are scoped to your actual requirements, a question period gives vendors the opportunity to clarify anything that affects the price of the project, and a written answer shared with all bidders keeps the process fair.
  • Do give very clear deadlines for the various milestones, such as when questions are due, when final proposals are due, and when you expect a decision to be made. This helps bidders prioritize and ensure they can meet your deadlines.

The Don’ts of Writing an Effective Penetration Testing RFP:

  • Do not provide information that could undermine your security. Bidders generally do not need to know the specific technologies your organization uses, or details of the current configuration or layout of your network, in order to price the work. If they do need such details, provide them privately and directly (for example under NDA to shortlisted bidders) rather than in the public RFP. RFPs are often posted on the open Internet, and publishing this kind of information hands an attacker free reconnaissance: product names and versions, network layout and hostnames are exactly what an attacker gathers before choosing a target and a technique.
  • Do not be unrealistic about the size and format of the proposal. For example, if you ask for sample reports, sample contracts, and everything else to be included and then state that the total proposal must not exceed 10 pages, that is simply not realistic and you are going to receive some strangely formatted responses. (Yes, we have seen this in the past.)

At the end of the day, RFPs are a great way to solicit bids and engage with various vendors to ensure your requirements are met at the best price. However, an ambiguous or unrealistic RFP may limit the number and quality of responses, or produce proposal prices that are higher than they should be because vendors must price in the uncertainty of an unclear scope. Have questions? Need advice? Please feel free to reach out and we would be happy to assist!