
VAPT Vendor Evaluation & RFP Template

A structured framework for enterprise procurement and security teams to evaluate VAPT vendors systematically, compare proposals objectively, and select the right partner for your security testing needs.

Section 1

Why you need a structured VAPT RFP

Selecting a VAPT vendor based solely on price or brand recognition leads to inconsistent results, missed vulnerabilities, and compliance gaps. A structured RFP process ensures you evaluate vendors on the criteria that actually matter: technical depth, methodology rigor, team qualifications, and the ability to find what automated scanners miss.

Common Mistakes in Vendor Selection

  • Choosing the lowest bidder without evaluating manual testing depth
  • Not verifying CERT-In empanelment status and validity
  • Accepting automated scanner output disguised as penetration testing
  • Ignoring retesting policy and remediation validation
  • No evaluation of the vendor's own security posture and data handling
  • Failing to define scope precisely, leading to scope creep and cost overruns

What This Template Covers

  • Asset inventory and scope definition template
  • Vendor qualification checklist with essential vs. preferred criteria
  • Technical requirements and methodology expectations
  • Compliance framework mapping for Indian and global regulations
  • Weighted scoring matrix for objective vendor comparison
  • Pricing comparison template and RFP timeline

Section 2

Scope definition template

Complete the table below to define the assets in scope for the VAPT engagement. Accurate scoping ensures comparable vendor proposals and prevents cost surprises.

Asset Category | Count | Environment | Priority
Web Applications | ____ | Production / Staging / UAT | Critical
Mobile Applications (iOS) | ____ | Production | High
Mobile Applications (Android) | ____ | Production | High
APIs (REST / GraphQL / SOAP) | ____ | Production / Staging | Critical
Network Infrastructure (Internal) | ____ | Corporate LAN / Data Center | Critical
Network Infrastructure (External) | ____ | Internet-facing | Critical
Cloud Infrastructure (AWS) | ____ | Production Account | High
Cloud Infrastructure (Azure) | ____ | Production Subscription | High
Cloud Infrastructure (GCP) | ____ | Production Project | Medium
IoT / OT / SCADA | ____ | Operational Technology Network | Critical
Source Code Review | ____ | Repository Access | High

Note: Fill in the "Count" column with the number of assets in each category. Adjust environments and priorities to match your organisation's context.

Section 3

Vendor requirements checklist

Use this checklist to qualify vendors before detailed evaluation. Items marked Essential are mandatory: a vendor that fails any one of them is disqualified before scoring. The remaining items are preferred criteria used to differentiate otherwise qualified vendors.

CERT-In Empanelment

Essential

Vendor must hold current CERT-In empanelment as an information security auditing organisation. Verify the empanelment number and validity period against the list CERT-In publishes rather than relying on a certificate copy supplied by the vendor.

ISO 27001 Certification

Essential

Vendor's own operations must be ISO 27001 certified, demonstrating that they follow information security best practices internally.

Team Certifications

Essential

Minimum required certifications across the testing team: OSCP, OSCE, CRTP, CRTO, CEH, or equivalent. Specify minimum number of certified testers.

Minimum Team Size

Preferred

Vendor should have a minimum dedicated security testing team (e.g., 50+ full-time security professionals). Subcontracting policy must be disclosed, and any subcontractor must be bound by the same NDA and data-handling terms as the vendor.

Platform & Tooling

Preferred

Vendor should demonstrate proprietary or licensed platforms for engagement management, vulnerability tracking, and report generation.

Reference Clients

Essential

Minimum 3 reference clients in the same industry vertical with comparable scope. References must be contactable.

Insurance Coverage

Preferred

Professional indemnity and cyber liability insurance with coverage adequate for the engagement scope. Minimum coverage amount to be specified.

NDA & Data Handling

Essential

Vendor must sign mutual NDA before scoping. All findings, data, and artifacts must be encrypted at rest and in transit. Data destruction policy required post-engagement.

Section 4

Technical requirements

Define the technical standards and expectations for the VAPT engagement. These requirements should be included verbatim in the RFP document.

Methodology

Testing must follow recognised frameworks: the OWASP Web Security Testing Guide (WSTG) v4.2, PTES (Penetration Testing Execution Standard), and MITRE ATT&CK for adversary simulation. Vendor must document how its methodology maps to each framework, test case by test case.

OWASP Web Security Testing Guide (WSTG) v4.2
PTES Framework
MITRE ATT&CK Matrix
OWASP API Security Top 10
OWASP Mobile Application Security Testing Guide (MASTG)

Manual Testing Requirement

Specify the minimum share of effort spent on manual testing versus automated scanning, and how the vendor measures it (tester hours is the usual basis). Recommended: minimum 70% manual testing for critical assets. Vendor must detail their manual testing approach and name the tools used for the automated portion.

Minimum 70% manual testing
Business logic testing included
Authentication & authorization bypass
Custom exploit development
Chained vulnerability demonstration

Retesting Policy

Define the retesting scope, timeline, and cost structure. Recommended: at least one round of retesting included within 30 days of remediation.

At least 1 retest cycle included
Retest within 30 days of remediation
Same tester continuity preferred
Delta report after retest
Final closure certificate

Report Format & Quality

Reports must include executive summary, detailed findings with CVSS scoring, proof-of-concept evidence, remediation guidance with code examples, and compliance mapping.

Executive summary for leadership
CVSS v3.1 / v4.0 scoring with the full vector string for every finding, so scores can be recomputed independently
Proof-of-concept screenshots & payloads
Technology-specific remediation code
Compliance framework mapping

SLA Requirements

Define turnaround times for deliverables, critical vulnerability notification, and communication cadence during the engagement.

Critical findings: notify within 4 hours of confirmation
Draft report: within 5 business days of testing completion
Final report: within 3 business days of receiving feedback on the draft
Daily status updates during testing
Dedicated point of contact

Section 5

Compliance alignment

Map your VAPT requirements to applicable regulatory frameworks. The vendor's reports must satisfy the specific requirements listed for each framework.

Framework | VAPT Requirement | Frequency
RBI Cybersecurity Framework | Mandatory VAPT for banks, NBFCs and payment aggregators; annual assessment by a CERT-In empanelled auditor. | Annual
SEBI CSCRF | Comprehensive security audit for stock exchanges, brokers, depositories and AMCs, including VAPT, secure code review and configuration audit. | Annual
PCI DSS v4.0 | Requirement 11.4: external and internal penetration testing at least every 12 months; segmentation testing every 12 months (every 6 months for service providers). Requirement 11.3.2: quarterly external scans by an ASV. | Annual + Quarterly
ISO 27001:2022 | Annex A 8.8 (Management of technical vulnerabilities): regular vulnerability assessment and penetration testing as part of the ISMS. | Annual
CERT-In Directions 2022 | Mandatory incident reporting within 6 hours; regular security audits by empanelled organisations; log retention for 180 days. | Annual
IRDAI Cybersecurity | Cybersecurity framework for insurers; VAPT mandatory for all internet-facing and critical applications. | Annual
GDPR / DPDP Act | GDPR Article 32: appropriate technical measures including regular testing and assessment of security; Article 35 data protection impact assessments. DPDP Act 2023: reasonable security safeguards to prevent personal data breaches. | Annual
SOC 2 Type II | Trust services criteria CC7.1: detection and monitoring procedures that identify configuration changes introducing new vulnerabilities and susceptibility to newly discovered ones; regular penetration testing validates control effectiveness. | Annual

Section 6

Evaluation scoring matrix

Use this weighted scoring matrix to compare vendor proposals objectively. Score each criterion from 1 to 10, convert the score to points by multiplying it by the criterion's weight and dividing by 10 (a 10 on a 30% criterion is worth 30 points), and sum the points for a total out of 100. The weights must add up to 100%, and a vendor that fails any Essential item in Section 3 is excluded before scoring.

Criterion | Weight | What to Evaluate | Vendor A (1-10) | Vendor B (1-10) | Vendor C (1-10)
Technical Capability | 30% | Depth of testing methodology, manual testing ability, tool coverage, vulnerability detection accuracy, and ability to identify business logic flaws. | ____ | ____ | ____
Methodology & Process | 20% | Adherence to recognised frameworks (OWASP, PTES, MITRE ATT&CK), documentation quality, reproducibility, and engagement workflow. | ____ | ____ | ____
Team Qualifications | 15% | Certifications held (OSCP, OSCE, CRTP), years of experience, published research, CVEs discovered, and subject-matter specialization. | ____ | ____ | ____
Platform & Tooling | 15% | Proprietary platforms for engagement management, real-time dashboards, vulnerability tracking, and integration with client systems (Jira, ServiceNow). | ____ | ____ | ____
Pricing & Commercial | 10% | Competitiveness of pricing, transparency of cost structure, flexibility of engagement models, and value-adds included in the proposal. | ____ | ____ | ____
References & Track Record | 10% | Client references in the same industry, case studies demonstrating impact, client retention rate, and years of operation. | ____ | ____ | ____
Total Weighted Score | 100% | | ____ | ____ | ____

Scoring guide: 1-3 = Does not meet requirements, 4-5 = Partially meets requirements, 6-7 = Meets requirements, 8-9 = Exceeds requirements, 10 = Exceptional. Multiply each score by its weight and divide by 10 to get that criterion's points, then sum the points for the total out of 100.
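The two-stage procedure of Sections 3 and 6 (disqualify on any failed Essential item, then rank the survivors by weighted score) as an added example written for this template, not code from the original page. The weights are the ones in the matrix above; the vendor names, pass/fail flags and scores are constructed. The normalisation in weighted_total is the point of the block: it is what makes a 10 on a 30% criterion worth 30 points and the total land out of 100, and it keeps a vendor that scores highest on paper from winning when it fails a mandatory item.

```python
"""Gate vendors on Essential checklist items, then rank by the weighted matrix.

Added example for this template; the vendor data below is constructed.
"""
from dataclasses import dataclass

# Weights from the evaluation scoring matrix, in points (must sum to 100).
WEIGHTS = {
    "Technical Capability": 30,
    "Methodology & Process": 20,
    "Team Qualifications": 15,
    "Platform & Tooling": 15,
    "Pricing & Commercial": 10,
    "References & Track Record": 10,
}

# Essential items from the vendor requirements checklist (Section 3).
# Failing any one of them disqualifies the vendor before scoring.
ESSENTIAL = (
    "cert_in_empanelled",
    "iso_27001",
    "team_certifications",
    "reference_clients",
    "nda_and_data_handling",
)


@dataclass
class Proposal:
    vendor: str
    essentials: dict   # essential item -> True if satisfied
    scores: dict       # criterion -> integer score 1..10


def validate_weights(weights=WEIGHTS):
    """Reject a matrix whose weights do not add up to 100 points."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def failed_essentials(proposal):
    """Return the Essential items the vendor does not satisfy (empty = qualified)."""
    return [item for item in ESSENTIAL if not proposal.essentials.get(item, False)]


def weighted_total(proposal, weights=WEIGHTS):
    """Total out of 100: each 1-10 score is scaled to its criterion's points.

    points = score * weight / 10, so a 10 on a 30-point criterion contributes
    30.0 and a 6 contributes 18.0. Integer products keep the result exact.
    """
    validate_weights(weights)
    total = 0.0
    for criterion, weight in weights.items():
        score = proposal.scores[criterion]
        if not 1 <= score <= 10:
            raise ValueError(f"{proposal.vendor}: {criterion} score {score} not in 1-10")
        total += score * weight / 10
    return total


def rank(proposals, weights=WEIGHTS):
    """Split proposals into a ranked list of (vendor, total), best first, and a
    disqualified list of (vendor, failed items). Ties break on vendor name."""
    ranked, disqualified = [], []
    for proposal in proposals:
        failed = failed_essentials(proposal)
        if failed:
            disqualified.append((proposal.vendor, failed))
        else:
            ranked.append((proposal.vendor, weighted_total(proposal, weights)))
    ranked.sort(key=lambda entry: (-entry[1], entry[0]))
    return ranked, disqualified


def scores_for(*values):
    """Map six scores onto the matrix criteria in the order listed in WEIGHTS."""
    return dict(zip(WEIGHTS, values))


# Constructed sample proposals. Vendor C scores highest on paper but is not
# CERT-In empanelled, so it never reaches the scoring stage.
SAMPLE_PROPOSALS = [
    Proposal("Vendor A", dict.fromkeys(ESSENTIAL, True), scores_for(8, 7, 7, 6, 5, 8)),
    Proposal("Vendor B", dict.fromkeys(ESSENTIAL, True), scores_for(6, 6, 5, 8, 9, 6)),
    Proposal("Vendor C", {**dict.fromkeys(ESSENTIAL, True), "cert_in_empanelled": False},
             scores_for(10, 10, 10, 10, 10, 10)),
]


def evaluate_sample():
    """Run the gate-then-score procedure over the constructed proposals."""
    return rank(SAMPLE_PROPOSALS)


if __name__ == "__main__":
    ranked, disqualified = evaluate_sample()
    for vendor, total in ranked:
        print(f"{vendor}: {total:.1f} / 100")
    for vendor, failed in disqualified:
        print(f"{vendor}: disqualified ({', '.join(failed)})")
```

Keep the weights and the Essential list in the RFP document itself and have each evaluator score independently before totals are compared; averaging scores after the gate, rather than before, prevents a disqualified vendor from being re-admitted by a high average.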

Section 7

Pricing comparison template

Use this table to compare pricing across shortlisted vendors on a like-for-like basis. Request all vendors to provide pricing in the same format for fair comparison.

Line Item | Unit | Vendor A | Vendor B | Vendor C
Per Web Application (Standard) | Per app | ____ | ____ | ____
Per Web Application (Complex/E-commerce) | Per app | ____ | ____ | ____
Per Mobile Application (iOS + Android) | Per app | ____ | ____ | ____
Per API (up to 50 endpoints) | Per API | ____ | ____ | ____
Per API (50-200 endpoints) | Per API | ____ | ____ | ____
Network PT - External (per IP range) | Per /24 subnet | ____ | ____ | ____
Network PT - Internal (per IP range) | Per /24 subnet | ____ | ____ | ____
Cloud Security Assessment (per account) | Per account | ____ | ____ | ____
Source Code Review (per 100K LOC) | Per 100K LOC | ____ | ____ | ____
Man-day Rate (Senior Tester) | Per day | ____ | ____ | ____
Retesting (per cycle) | Per cycle | ____ | ____ | ____
Report Turnaround Time | Business days | ____ | ____ | ____
Annual Contract Discount | % discount | ____ | ____ | ____
Total Estimated Annual Cost | | ____ | ____ | ____

Note: All pricing should be exclusive of applicable taxes. Request vendors to specify payment terms, milestone-based billing options, and any additional charges for travel, out-of-hours testing, or expedited reporting.

Section 8

RFP timeline template

A typical VAPT vendor selection process takes 5-6 weeks from RFP issuance to engagement kickoff. Adjust the timeline below to match your organisation's procurement cycle.

01

RFP Issuance

Day 1

Publish RFP to shortlisted vendors (minimum 3). Include scope definition, evaluation criteria, submission deadline, and commercial terms. Allow vendors to submit clarification questions.

02

Vendor Q&A Period

Day 1-7

Accept and consolidate vendor questions. Issue clarification responses to all participating vendors simultaneously to ensure fairness.

03

Proposal Submission

Day 14

Deadline for vendor proposals. Proposals must include: technical approach, team composition, tooling details, timeline, pricing, and references.

04

Technical Evaluation

Day 15-21

Score proposals using the evaluation matrix. Shortlist top 2-3 vendors for presentations and proof-of-concept demonstrations.

05

Vendor Presentations & PoC

Day 22-28

Shortlisted vendors present their approach and demonstrate capabilities on a designated test environment. Issue written authorisation with a defined scope for the demonstration, and never run it against production. Evaluate real-world testing quality.

06

Reference Checks

Day 29-32

Contact provided references. Verify vendor claims about team size, certifications, methodology, and past engagement quality.

07

Final Selection & Negotiation

Day 33-37

Select the winning vendor. Negotiate commercial terms, SLAs, data handling clauses, and engagement timeline. Execute MSA and SOW.

08

Engagement Kickoff

Day 38-40

Conduct kickoff meeting with selected vendor. Share access credentials through a secure channel (time-bound, least-privilege test accounts that are revoked at engagement close), define communication channels, confirm testing windows, and align on escalation procedures.

Need help running your VAPT RFP?

Our team has responded to thousands of VAPT RFPs across banking, insurance, fintech, and enterprise verticals. We can help you define scope, set evaluation criteria, or simply respond to your RFP.
