Pentest RFP Template.
Procure a VAPT without surprises.
A working RFP a security lead can copy into procurement on Monday morning. Twelve sections covering scope, methodology, deliverables, retest, insurance, and a weighted vendor evaluation matrix — including the five questions a weak vendor will never answer well.
Twelve sections. Drop-in ready.
- Cover letter, asset inventory, and out-of-scope tables, pre-formatted for vendor consumption
- Methodology requirements aligned to OWASP ASVS, MITRE ATT&CK, and CREST/CHECK
- Deliverable spec including executive summary, retest letter, and machine-readable export
- Weighted vendor evaluation matrix with three-evaluator scoring sheet
- Five shortlist-gate questions plus model answers from operator-grade vendors
Preview of all twelve sections.
- 01. Cover letter & background: one-page framing of who is issuing the RFP, why now (compliance trigger, M&A, regulator, post-incident), the immovable deadline, and the budget envelope band.
- 02. In-scope assets inventory: structured tables for web apps, REST/GraphQL APIs, mobile apps, cloud accounts, AD forests, and network ranges, with a severity weight per line item.
- 03. Out-of-scope & no-touch list: what the tester must not touch, such as production DBs, third-party SaaS, partner integrations, DoS-sensitive endpoints, and regulated systems with separate sign-off chains.
- 04. Methodology requirements: OWASP ASVS level expectation, MITRE ATT&CK coverage, CREST/CHECK alignment, evidence chain-of-custody expectations, screenshot and PoC requirements.
- 05. Deliverable specification: executive summary, technical findings, severity rubric (CVSS v4 / OWASP Risk Rating), retest letter, raw artefact pack, machine-readable export (JSON / SARIF).
- 06. Retest expectations: retest window (typically 30 days), included severity classes (critical + high as the baseline), retest letter format, partial-fix handling, regression scope.
- 07. Vendor evaluation matrix: weighted scoring rubric across methodology, team CVs, sample report quality, references, insurance, jurisdiction fit, retest discipline, and price.
- 08. Pricing structure ask: day-rate vs. fixed-fee per surface, retest inclusion, scope-change rate card, expense pass-through policy, payment milestones tied to deliverables.
- 09. Insurance, NDA & legal: professional indemnity floor, cyber liability floor, mutual NDA template, jurisdiction and governing law, data residency, sub-contractor disclosure.
- 10. Timeline & milestones: RFP issue / Q&A window / proposal due / shortlist / oral defence / award / kickoff / fieldwork / draft report / final report / retest, laid out as a Gantt chart.
- 11. Five-question shortlist gate: the five questions we have never seen a weak vendor answer well, covering methodology depth, retest discipline, finding triage, evidence quality, and post-engagement support.
- 12. Sample evaluation scorecard: a pre-filled scoring sheet you can hand to three evaluators (security, engineering, procurement) so the final decision is defensible to your audit committee.
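The scoring procedure behind sections 07, 11 and 12, as an added worked example that is not part of the template itself: vendors that fail any of the five gate questions are excluded before scoring, each remaining vendor is scored 1 to 5 per criterion by the three evaluators, evaluator scores are averaged, weighted by the section 07 criteria, and normalised to 100, and any criterion where the three evaluators disagree widely is flagged as something to probe at oral defence. The criteria names come from the page; the weights, the 1-to-5 scale, the disagreement threshold, the vendor names and all scores are illustrative assumptions, not data from the template.

```python
"""Weighted vendor evaluation for a pentest RFP: gate first, then score.

Constructed example. Criteria follow the template's section 07; the
weights, scale, threshold, vendors and scores are hypothetical.
"""
from statistics import mean

# Section 07 criteria with hypothetical weights that sum to 100.
WEIGHTS = {
    "methodology": 20,
    "team_cvs": 10,
    "sample_report": 15,
    "references": 10,
    "insurance": 5,
    "jurisdiction_fit": 5,
    "retest_discipline": 15,
    "price": 20,
}
EVALUATORS = ("security", "engineering", "procurement")   # section 12
SCALE_MAX = 5                 # assumed 1..5 scoring scale
DISAGREEMENT_THRESHOLD = 2    # assumed: spread >= 2 points gets an oral-defence question

# Section 11 gate questions, keyed by the themes the template lists.
GATE_QUESTIONS = ("methodology_depth", "retest_discipline", "finding_triage",
                  "evidence_quality", "post_engagement_support")

assert sum(WEIGHTS.values()) == 100


def passes_gate(gate_answers):
    """A vendor must give an acceptable answer to every one of the five gate questions."""
    return (set(gate_answers) == set(GATE_QUESTIONS)
            and all(gate_answers[q] for q in GATE_QUESTIONS))


def score_vendor(scores):
    """scores: {evaluator: {criterion: 1..SCALE_MAX}} from the three-evaluator sheet.

    Returns (weighted total out of 100, list of criteria where evaluators disagree).
    """
    total = 0.0
    disagreements = []
    for criterion, weight in WEIGHTS.items():
        per_eval = [scores[e][criterion] for e in EVALUATORS]
        if any(not 1 <= s <= SCALE_MAX for s in per_eval):
            raise ValueError(f"{criterion}: scores must be between 1 and {SCALE_MAX}")
        if max(per_eval) - min(per_eval) >= DISAGREEMENT_THRESHOLD:
            disagreements.append(criterion)
        total += weight * mean(per_eval) / SCALE_MAX
    return round(total, 1), disagreements


def rank_vendors(vendors):
    """vendors: {name: {"gate": {...}, "scores": {...}}}.

    Gate failures are excluded before any score is computed, so a cheap or
    polished proposal cannot outscore a vendor that actually answered the gate.
    Returns (ranked list of (name, total, disagreements), excluded names).
    """
    ranked, excluded = [], []
    for name, data in vendors.items():
        if not passes_gate(data["gate"]):
            excluded.append(name)
            continue
        total, disagreements = score_vendor(data["scores"])
        ranked.append((name, total, disagreements))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked, excluded


def _sheet(security, engineering, procurement):
    """Build one scoring sheet from three score lists ordered as WEIGHTS."""
    crit = list(WEIGHTS)
    return {"security": dict(zip(crit, security)),
            "engineering": dict(zip(crit, engineering)),
            "procurement": dict(zip(crit, procurement))}


def _gate(*answers):
    return dict(zip(GATE_QUESTIONS, answers))


# Constructed sample: three hypothetical vendors.
SAMPLE_VENDORS = {
    "Vendor A": {"gate": _gate(True, True, True, True, True),
                 "scores": _sheet([5, 4, 5, 4, 4, 5, 5, 3],
                                  [4, 4, 5, 4, 4, 5, 4, 3],
                                  [4, 4, 4, 4, 5, 5, 4, 3])},
    "Vendor B": {"gate": _gate(True, True, True, True, True),
                 "scores": _sheet([3, 3, 3, 4, 5, 5, 3, 5],
                                  [3, 3, 2, 4, 5, 5, 3, 5],
                                  [4, 4, 4, 4, 5, 5, 4, 5])},
    # Perfect scores but a weak retest-discipline answer: excluded at the gate.
    "Vendor C": {"gate": _gate(True, False, True, True, True),
                 "scores": _sheet([5] * 8, [5] * 8, [5] * 8)},
}

if __name__ == "__main__":
    ranked, excluded = rank_vendors(SAMPLE_VENDORS)
    for name, total, disagreements in ranked:
        print(f"{name}: {total}/100  discuss at oral defence: {disagreements or 'none'}")
    print("excluded at gate:", excluded)
```

In the sample, Vendor A wins on methodology, report quality and retest discipline despite the weakest price score, Vendor B's sample report is flagged because the security and engineering evaluators scored it two points apart, and Vendor C never reaches the matrix at all. If you change the weights, keep them summing to 100 so totals stay comparable across RFPs.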
Use this RFP alongside.
- Service: VAPT. How a CREST-aligned VAPT engagement actually runs, end to end.
- Service: Compliance Testing. SOC 2, ISO 27001, PCI DSS, DPDP: pentest evidence aligned to audit windows.
- Blog: VAPT Cost in India (2026). Day-rate vs. fixed-fee, surface-by-surface budget bands, what drives RFP cost variance.
- Blog: Choosing a VAPT Vendor, an RBI checklist. The vendor-side questions that map cleanly to the RFP evaluation matrix in this template.
Skip the RFP, talk to an operator?
If you would rather walk through the scoping problem live, a 30-minute call costs nothing and you leave with a written summary either way.