
HOW TO WRITE A PENETRATION TESTING RFP



  1. Do you use an RFP when sourcing a Penetration Test?

  2. Have you scoped a penetration test and not received what you thought you were asking for?

  3. Have you completed your penetration test but still feel vulnerable?


This is for you…


Emagined Security knows your frustration with penetration testing RFPs. We respond to many RFPs ourselves, and we feel your pain. This guide is designed to help you write the best RFP possible.


What Is A Penetration Testing RFP?

A penetration testing RFP is a request for proposal for penetration testing services. It can also be called a request for quotes, or RFQ. Your organization will want to use an RFP or RFQ to engage with a security company before deciding to have them perform penetration testing work. This lets you select the right service provider and ensures all of your needs for the penetration test are met.


Our Use Case


A few months ago, Emagined Security responded to (but did not win) a penetration test RFP. The customer ended up awarding the test to the lowest Respondent ($10,000 – at least 50% lower than any other Respondent) as their procurement process required them to buy from the “lowest bidder.”


The result was a mess.


The RFP requested a penetration test for an Oracle PeopleSoft environment. The following is an abridged, redacted version of the request:


“CUSTOMER has upgraded our Oracle PeopleSoft environment and made significant infrastructure changes to the external facing components. This penetration test is to re-validate that these changes have not resulted in the introduction of vulnerabilities to the system.”


“The selected consultant will conduct external and internal penetration tests against CUSTOMER’s Oracle PeopleSoft systems. The contracted tasks will mainly involve web-application penetration-testing with well-defined scoping rules.”


The customer placed many other statements in the RFP that they thought would ensure they got what they needed, but something still went wrong:


“The consultant shall conduct vulnerability and penetration tests of the infrastructure based on industry-standard methodologies and best practices to primarily validate the confidentiality and integrity of this infrastructure.”


“Prior to conducting the vulnerability and penetration tests, the consultant will provide a set of processes and description of specific activities and tests intended to be conducted during the vulnerability scans and penetration attempts and will obtain approval.”


“The consultant will deve