Components of an Effective Penetration Testing RFP

You are unhappy with your current pentesting provider; automated testing isn’t providing the results you need; you are required to rotate your pentesting vendor annually; a budget request was approved for your organization’s first penetration testing program.  

Whatever the reason, most security leaders will find themselves taking part in the pentesting vendor selection process at some point in their career. 

Embarking on the search for a new vendor is no easy task. Especially in today’s marketplace with hundreds of partners that have varying methodologies and expertise. To effectively choose a penetration testing company that will be the best fit for your organization you must be careful in the questions you ask.

A penetration testing Request for Proposal (RFP) communicates essential information about the project and services you need – including the logistics of the project, such as objectives and timeline. A detailed and focused RFP questionnaire can set the trajectory for the success of your program.  

So, what exactly makes an effective penetration testing RFP? Let’s take a look at a few core components.  

Security Testing Objectives 

When writing an effective RFP, be sure to answer these questions:  

1. How will we use the test results?
2. What do you hope to achieve with these services? 

Clearly defining your test objectives at the start will help vendors better understand how your organization views pentesting, what services to recommend, and what methodology to use to achieve those objectives.  

Business Overview 

You can’t expect a vendor to recommend services without a baseline understanding of your business. What does your organization do? What types of data do you store or process? What’s at risk if you were to experience a security incident? 

Selection Criteria 

Establish clear criteria to weed out the outliers and create a pool of qualified partners. Define what you are looking for in your vendor partner and, if applicable, explain what was lacking in your past partner(s). 

Recommended Services  

Additional emphasis on “recommended.” Leave the services recommendations section open-ended to allow vendors to provide strategic suggestions that extend beyond your initial proposal if they see the need for it. 

Pricing Summary 

Pricing is one of the more foundational components of an RFP, or as some call it, a Request for Quote (RFQ). Beyond asking for a general quote estimate, ask vendors to break down how they price their services, how change orders are processed, how they handle out-of-scope adjustments, vulnerability retesting costs, and any other logistical information. This extra information will help you avoid hidden costs in the future. 

Penetration Testing Methodology 

The section digs into how the pentest will be performed. It is arguably one of the most important pieces of an RFP for penetration testing.  

Some questions to consider: How do they ensure consistency? What is their vulnerability validation process? How do they escalate the discovery of high and critical vulnerabilities? 

At a very high level, there are three core pentesting methodologies to keep an eye out for: 

• Automated, technology-driven testing. Similar to a SaaS delivery model. 
• Manual testing using available resources. 
• Hybrid testing approach that leverages a combination of automated and manual testing. See: NetSPI’s Penetration Testing as a Service (PTaaS) approach. 

The methodology you ultimately choose should depend on your organizational objectives and needs.  

Vendor Risk Management Questionnaire 

Vendor risk management, third party risk management, supply chain security… regardless of what you call it, it’s crucial that you ask vendors what security practices they have in place to protect the integrity of your data. Here are five core initiatives to inquire about: 

• Company policy for performing screening and background checks on employees to ensure that none of the people hired pose an information security threat. 
• Training processes to inform employees on the privacy, security policies, and procedures necessary to meet the obligations of this project. 
• How the vendor will protect and store your data at rest and in transit and how/when the data is purged from their systems. 
• Third party risk management policies and details. 
• Business Continuity Plan. 

References  

Now it’s time to evaluate the vendor’s ability to complete the project. Ask the pentesting vendor to provide 3-4 references for you to review. This is validation that they are familiar with your industry, your objectives, and the type of services requested. 

Download our Penetration Testing RFP Template 

The RFP process may feel administrative and tactical on the surface. But a strong pentesting RFP is foundational to your overall security program success.  

Choosing the wrong pentesting partner can leave organizations in a challenging and expensive situation.  

To help, NetSPI examined the thousands of RFPs we’ve participated in to create a comprehensive template RFP for penetration testing services. In the template, you’ll find prompts and example questionnaires for the above components – and much more. Best of luck with your search!