Penetration Testing RFPs – Tips and Tricks

Penetration testing requests for proposals (RFPs) or requests for quotes (RFQs) can be a great way to bid on and potentially win penetration testing projects as a business. Many pen testing vendors rely on capturing business solely, or mostly, through RFP submissions. Most RFPs come from government entities such as local municipalities, state-run schools, and airports; however, some commercial companies also rely on the process. Today, we will explore some tips and tricks for navigating the RFP submission process.

Temper Your Expectations – There are many penetration testing and information security related RFPs out there; however, there are also many companies bidding for the business. Additionally, RFPs are often required by the issuing entity's by-laws even when the organization already has an incumbent or preferred vendor in mind that will most likely win the contract. The odds of winning penetration testing projects may be low in the current market, but it can be done.

Allow Plenty of Preparation Time – Unfortunately, every RFP format is different. While they generally all request the same information, it will be in a different order or with a slightly different spin to it. Allow plenty of time to ensure you have checked all of the required boxes for your submission and followed the prescribed format as closely as possible. Many RFPs stipulate that if you do not follow the prescribed format, you are automatically disqualified.

Leverage RFP Search Engines – Standard search engines are difficult to use for finding open RFPs, but there are RFP-specific search engines, such as BidPrime shown below, that offer this service. These deliver a curated list of RFPs to your email inbox on a daily basis and can be a great resource for finding RFPs that are eligible for bid and in your company’s wheelhouse.

[Figure: screenshot of the BidPrime RFP search service]

Take Advantage of the Question and Answer Process – Most RFPs will allow questions to be submitted prior to the final bid submission. This is a great opportunity to clarify the scope of the project or ask general questions that may influence your responses. Unfortunately, some RFPs are prepared by a procurement group rather than the IT or security teams, and therefore the details required to scope a penetration test might be lacking. Most bids are binding, and you do not want to submit a low bid based on an assumed scope that turns out to be much larger.

As cities and various other government entities continue to improve and bolster their security programs, the number of information security related RFPs should continue to increase from their current levels. This offers an exceptional opportunity for you to bid and potentially win some contracts. Have any questions? Want to chat further? Reach out to Triaxiom today!