Facing relentless cyber threats in 2025? Take control with a penetration testing RFP that delivers real protection, not just paperwork.
In this definitive guide, you’ll learn exactly what penetration testing is, why it matters for your business, and how to write a winning RFP that attracts top-tier security partners. We’ll break down the differences between RFP, RFI, and RFQ, give you a practical RFP checklist, and show you step by step how to compare vendors, ensure compliance, and secure the best value for your cybersecurity investment.
Don’t leave your defenses to chance: discover how to request, compare, and select the right penetration testing service for 2025 and beyond.
Penetration Testing: What Is It And Why Should You Care?
Penetration testing, often called “pentesting,” is the cybersecurity world’s version of hiring an expert to break into your house before a real thief tries. But instead of checking doors and windows, pentesters probe your company’s digital defenses (networks, cloud apps, websites, and even employee email) for vulnerabilities. The goal? Find and fix those weak spots before a real attack hits.
In a typical pentest, ethical hackers (white hats) are invited to use the same tools and tactics as cybercriminals: scanning for open ports, exploiting outdated software, launching phishing emails, and more. But unlike real attackers, they document every move and show you exactly how they got in so you know where your defenses are solid and where they need work.
A thorough pentest might cover:
- Network Security: Are your firewalls configured correctly? Are there exposed servers or open ports that shouldn’t be?
- Web Apps: Can your customer login, payment forms, or admin pages be hacked using common attack techniques like SQL injection?
- Cloud Environments: Is sensitive data stored securely on AWS, Azure, or Google Cloud?
- Social Engineering: Could someone trick your employees into revealing credentials or clicking a malicious link?
Pentesting isn’t just a checkbox for big companies or regulated sectors. Whether you’re a fast-growing startup or an established brand, penetration testing provides a real-world view of your cyber risks and helps you build a practical roadmap for improvement.
Let’s be clear: if you’re serious about protecting your business, you absolutely need to request a professional penetration testing service. And just as important, you need to understand how to write a strong Penetration Testing RFP. Why? Because getting the right test and the right team starts with a clear, detailed RFP. This isn’t something you want to leave to chance or generic templates. Your company’s security is too important.
What is a Penetration Testing RFP?
A penetration testing RFP (Request for Proposal) is a document organizations use to clearly outline their needs and requirements for a security assessment, so vendors can submit tailored proposals. A good RFP ensures both you and the vendor are aligned on scope, approach, timelines, compliance, and deliverables, reducing misunderstandings and helping you select the best partner for your security needs.
Cyber threats don’t take days off, and as we move into 2025, cybercriminals are becoming more creative and persistent than ever. The headlines are full of breaches, ransomware attacks, and supply chain compromises. Small businesses and global brands alike are in the crosshairs. That’s why a clear, detailed Request for Proposal (RFP) for penetration testing isn’t just a nice-to-have; it’s a strategic necessity.
A well-crafted RFP does more than check a box for compliance. It sets the stage for a successful, efficient, and results-driven security assessment. The better your RFP, the better your chances of hiring true security professionals, not just paper “experts.” The stakes are high: a vague or rushed RFP can leave your business exposed, cost you time and money, and even lead to compliance failures or public embarrassment if a breach occurs after a weak pentest.
This guide will walk you step by step through writing a strong penetration testing RFP in clear, plain language. We’ll skip the jargon and corporate fluff, focusing on the practical moves you need to protect your business, get real value for your budget, and meet the ever-changing expectations of regulators, customers, and your own leadership.
Benefits of Writing a Clear Penetration Testing RFP: Better Results, Fewer Risks
Let’s break it down: If you want actionable, trustworthy results from your penetration test, you need a thoughtful plan from the start. A penetration testing RFP is not just a boring formality. It’s your playbook, your contract, and your roadmap all in one.
What happens when you do it right?
- You get better proposals: Vendors understand your requirements and can tailor their solutions to your business and industry.
- Easy vendor comparisons: Clear RFPs mean you get proposals you can compare side by side, apples to apples, instead of sorting through confusing pitches.
- Fewer misunderstandings: You avoid costly mistakes, wasted time, and “scope creep” because everyone is working from the same playbook.
- Better value for money: The right details up front mean you’re not paying for unnecessary services or missing critical ones.
What happens when you skip it or rush it?
- Vendors might make wild guesses about your needs or focus on the wrong systems.
- You risk picking a partner who’s inexperienced, overpriced, or simply not a good fit.
- The pentest might leave you exposed to the very risks you wanted to fix.
- You can end up paying extra for changes, or missing deadlines for compliance and business needs.
Bottom line: Your RFP is your best chance to set expectations, avoid confusion, and ensure your pentest investment pays off.
Common RFP Mistakes (Don’t Be That Company!)
- Rushing your RFP and forgetting key requirements
- Not defining the scope—or what’s out of scope
- Skipping retesting (and staying vulnerable!)
- Choosing the lowest price over real expertise
- Forgetting legal/data protection must-haves
Pro Tip: Review your RFP with IT, compliance, and legal before sending!
Penetration Testing RFP vs. RFI vs. RFQ: Choosing the Right Approach for Cybersecurity Procurement
Procurement can be confusing, so let’s demystify the three main documents you’ll encounter:
RFP (Request for Proposal)
- Purpose: You want a detailed plan and price for a specific project, like a penetration test.
- When to use: When you have a defined need but want vendors to propose their approach.
- Example: “We want a full penetration test of our e-commerce platform and internal network. Please tell us how you’d approach it, your credentials, timeline, and cost.”
RFI (Request for Information)
- Purpose: You’re just exploring options and want to learn about services, methodologies, and vendor capabilities.
- When to use: When you’re early in the process or researching potential providers.
- Example: “We’re considering future penetration testing. Can you provide information about your service offerings and certifications?”
RFQ (Request for Quotation)
- Purpose: You know exactly what you want (down to the technical requirements) and need a price.
- When to use: When scope is fixed and you’re ready to buy.
- Example: “Please quote for a 5-day external network pentest following the attached scope.”
For penetration testing, an RFP is almost always the way to go. You get the best balance of tailored solutions, competitive pricing, and relevant experience.
Get Your Ducks in a Row: Preparation Steps Before Writing Your RFP
A great RFP starts with internal clarity. Here’s what to work out in advance:
1. Know Your Goals
- Why are you doing this pentest? Common drivers include regulatory compliance (PCI DSS, HIPAA, ISO 27001), recent security incidents, new systems going live, mergers/acquisitions, or just maturing your security posture.
- What outcome do you expect? Is it a compliance report for your auditor? Actionable findings for your IT team? Peace of mind for leadership? Spell it out.
Compliance Tip: If your industry is regulated, state the specific compliance frameworks up front (PCI DSS for retail, GLBA for finance, HIPAA for healthcare, GDPR/ISO 27001 for global data). This ensures vendors propose work that meets those standards.
2. Check Your Security Posture
- What’s your current situation? List the tools and controls you already have: firewalls, intrusion detection, endpoint protection, security awareness training, etc.
- Any known weaknesses? Maybe you’ve had a phishing scare, a ransomware close call, or a system outage. Prioritize areas you know are at risk.
- What’s changed recently? Did you move to the cloud? Launch a new app? Merge with another company? Changes often bring new vulnerabilities.
3. Build a Team
- Who needs to be involved? Bring in IT, DevOps, compliance officers, HR (for social engineering scope), legal (for NDAs and contracts), and business leaders.
- Assign roles: Who is the main contact for vendors? Who signs off on the project? Who handles communications if there’s a major finding?
4. Set a Realistic Budget
- Do your homework: Ask peers or use industry benchmarks to estimate costs. Penetration tests range from a few thousand to tens of thousands of dollars depending on scope.
- Budget for extras: Don’t forget retesting, after-action support, or travel if onsite work is needed.
- Be transparent with vendors: Sharing a budget range helps filter out vendors who are way off base and attracts those who can deliver real value.
Penetration Testing RFP Checklist: Key Components Every Security RFP Needs
The best RFPs are detailed but clear. Here’s a checklist to follow:
- Company intro: Briefly describe your business and why security matters to you. (E.g., “We process online payments for 10,000+ customers.”)
- Project overview: What triggered the pentest: compliance, business changes, incidents, customer requests?
- Scope of work: List the exact systems, applications, networks, and physical locations in scope. Specify what’s off limits (production servers, customer databases, etc.).
- Timeline and milestones: Key dates, testing windows, blackout periods, expected project length, and reporting deadlines.
- Vendor qualifications: Required certifications (OSCP, CREST, CISSP), years of experience, industry expertise, sample reports, and proof of insurance.
- Deliverables: What reports, debriefs, or retests do you need? Should results be mapped to compliance controls (PCI DSS, ISO 27001)?
- Rules of engagement: Testing hours, communication protocols, escalation for critical findings, social engineering limits.
- Confidentiality and legal requirements: NDA expectations, data handling, retention, and destruction.
Pro tip: “Please include an executive summary, detailed technical findings with screenshots, prioritized recommendations, compliance mapping, and a follow-up retest in your deliverables.”
How to Define the Scope of Your Penetration Testing RFP
Real World Example:
A midsize retailer didn’t clearly define “off limits” systems in their RFP. Their pentest vendor ended up scanning a live payment gateway during peak shopping hours, causing temporary outages and lost revenue. If the RFP had specified a testing window and sensitive systems, this could have been avoided.
Be explicit about:
- What to test: Websites, APIs, cloud environments, mobile apps, IoT devices, physical locations.
- What’s out of scope: Anything too sensitive, in production, or that could cause outages without prior approval.
- Known issues or restrictions: E.g., “Do not run DoS tests on our live payment processor.”
- Testing environment: Preferably use a staging environment that closely mimics production.
- Expected attack scenarios: E.g., “Simulate phishing against accounting staff” or “Attempt privilege escalation in our HR portal.”
Compliance Tip: For regulated data (like PCI DSS cardholder environments), describe the boundary clearly and require all findings to be mapped to the relevant compliance controls.
Penetration Testing RFP Scope Checklist
- List all systems, apps, and environments to test
- Clearly state what’s out of scope
- Specify testing environment (production/staging)
- Define testing windows/times
- List any restrictions (e.g., “No DoS attacks on live systems”)
- Outline expected attack scenarios
How to Source and Select the Best Penetration Testing Vendors in 2025
Start here:
- Accredited directories: Look for CREST, OSCP, or other accredited vendors in directories. AWS Marketplace and Gartner are also good sources.
- Industry events and conferences: Black Hat, DEF CON, RSA Conference, Infosec Europe, and regional summits often have vendor expos. Meet them, ask tough questions, and request sample reports.
- Referrals and word of mouth: Ask peer CISOs and security managers, or post in professional communities like ISACA, OWASP, and LinkedIn groups.
- Online communities: Security Slack groups and specialized forums are goldmines for real reviews.
Pro tip: Ask vendors for references from companies similar to yours. A great pentest firm for a bank might not be right for a SaaS startup.
Penetration Testing RFP Timeline: Setting Milestones and Managing Expectations
Open ended pentest projects are a recipe for frustration. Your RFP should spell out the whole schedule:
- Kickoff meeting: Align expectations and set communication channels.
- Testing window: E.g., “Testing must be conducted between 9pm and 6am UTC to minimize business impact.”
- Progress updates: Weekly check-ins or a mid-test review can keep you informed.
- Preliminary findings (optional): Some orgs want urgent findings reported ASAP.
- Final report delivery: Set a specific date for the full report.
- Remediation and retest: Allow time for you to patch issues and schedule a retest for validation.
- Debrief: Require a presentation for stakeholders and a technical Q&A.
Who’s Qualified? What Really Matters
Don’t just settle for a big brand name. Your RFP should require:
- Real-world experience: Ask for detailed bios, CVs, or LinkedIn profiles of the exact testers, not just the company: years in the industry, past clients, and technical specializations.
- Certifications: OSCP is considered a hands-on, practical pentesting cert. CREST and CISSP also have value. Don’t just list acronyms; explain why you care.
- Industry expertise: Has the vendor tested in your field? A healthcare provider should look for HIPAA experience, a fintech for GLBA and SOC 2, etc.
- Methodology: Ask vendors to describe their testing methodologies (e.g., OWASP, NIST SP 800-115) and how they tailor them for different environments.
- Insurance: Require minimum cyber liability insurance, especially if data or uptime is at risk.
Red flag: Vendors who dodge questions about tester experience or want to keep everything “proprietary.”
Penetration Testing Methodologies: White Box, Black Box, and Gray Box Testing Explained
Different pentest approaches simulate different attacker mindsets:
- Black Box Testing: The tester has no prior knowledge of your systems, like an external attacker. This approach shows you what an outsider could exploit, using only publicly available information.
- White Box Testing: The tester is given full access and documentation (source code, network diagrams, credentials). It’s the most thorough method, revealing even subtle or hidden vulnerabilities.
- Gray Box Testing: The tester has partial knowledge: some insider info, but not everything. This simulates a rogue employee or someone who’s already breached your perimeter. It’s the most common real-world approach.
State your preferred approach and why. Example: “We want a gray box pentest to simulate a partially compromised insider.”
Rules of Engagement for Penetration Testing RFPs: Safety, Scope, and Incident Response
Your rules of engagement should be crystal clear:
- Testing hours: Only during agreed windows.
- Emergency contacts: Vendors must call if they discover a critical vulnerability.
- Safe words: Agree on an emergency halt procedure if something goes wrong.
- No go zones: No denial of service, data deletion, or social engineering unless explicitly scoped.
- Incident response coordination: Decide in advance what happens if a live threat is discovered during testing.
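The testing-window and no-go-zone rules above are only useful if you can verify, after the fact, that the vendor stuck to them. The following is an added example, not part of the original article, of how a client-side security team might check the vendor’s activity against the agreed rules of engagement. It assumes a hypothetical window of 21:00 to 06:00 UTC (which wraps past midnight), a source range the vendor declared for its testers, and an in-scope address range; the firewall log lines, IP ranges and the `RulesOfEngagement`/`check_activity` names are all constructed for this illustration.

```python
"""Check vendor activity against agreed rules of engagement (hypothetical example).

Assumed ROE: testing only 21:00-06:00 UTC, from the vendor's declared source
range, and only against in-scope hosts. All log lines and ranges are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2025-03-10T21:15:02Z 203.0.113.10 -> 198.51.100.20:443
2025-03-11T02:40:11Z 203.0.113.10 -> 198.51.100.21:22
2025-03-11T05:59:59Z 203.0.113.11 -> 198.51.100.20:80
2025-03-11T06:00:00Z 203.0.113.10 -> 198.51.100.20:443
2025-03-11T03:12:45Z 203.0.113.10 -> 198.51.100.99:443
2025-03-11T09:30:00Z 203.0.113.10 -> 198.51.100.20:443
"""


@dataclass(frozen=True)
class RulesOfEngagement:
    window_start: time        # UTC; the window may wrap past midnight
    window_end: time          # exclusive
    tester_sources: tuple     # CIDR strings the vendor declared for its testers
    in_scope: tuple           # CIDR strings of the assets in scope


def in_window(ts: datetime, start: time, end: time) -> bool:
    """True if ts (UTC) falls inside [start, end); handles windows that cross midnight."""
    t = ts.astimezone(timezone.utc).time()
    if start <= end:                   # e.g. 09:00-17:00, same day
        return start <= t < end
    return t >= start or t < end       # e.g. 21:00-06:00, wraps midnight


def check_activity(log_text: str, roe: RulesOfEngagement) -> list:
    """Return one finding per log line from the testers that violates the ROE."""
    sources = [ip_network(c) for c in roe.tester_sources]
    scope = [ip_network(c) for c in roe.in_scope]
    findings = []
    for line in log_text.splitlines():
        stamp, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if not any(src_ip in net for net in sources):
            continue  # not the vendor's traffic; outside this check's remit
        reasons = []
        if not in_window(ts, roe.window_start, roe.window_end):
            reasons.append("outside agreed testing window")
        if not any(dst_ip in net for net in scope):
            reasons.append("target not in scope")
        if reasons:
            findings.append({"time": stamp, "src": src, "dst": f"{dst}:{port}", "reasons": reasons})
    return findings


# Constructed ROE: 21:00-06:00 UTC, testers from 203.0.113.0/28, scope 198.51.100.16-31
ROE = RulesOfEngagement(
    window_start=time(21, 0),
    window_end=time(6, 0),
    tester_sources=("203.0.113.0/28",),
    in_scope=("198.51.100.16/28",),
)

if __name__ == "__main__":
    for f in check_activity(SAMPLE_LOG, ROE):
        print(f["time"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

Run against the constructed log, this flags three lines: the 06:00:00 event (the window end is exclusive), the 03:12 probe of a host outside the in-scope range, and the 09:30 daytime event. Traffic that does not come from the vendor’s declared range is deliberately ignored here; anything else hitting your assets is a matter for your normal detection pipeline, not the ROE check.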
Penetration Testing RFP Deliverables: Reports, Remediation, and Retesting
Your RFP should require:
- Executive summary: A one- to two-page overview for non-technical leaders with key findings and business risks.
- Technical report: Detailed vulnerabilities, risk ratings, exploitation steps, and supporting evidence (screenshots, logs).
- Remediation recommendations: Specific, actionable advice, not generic “apply latest patches.”
- Compliance mapping: Each finding mapped to the relevant control (PCI DSS, ISO 27001, SOC 2, HIPAA).
- Retesting and certification: After fixes, the vendor validates remediation and issues a retest report.
- Optional presentation: Ask for a debrief or Q&A session.
Pro tip: Request a sample redacted report before you sign, to see the vendor’s style and clarity.
The Importance of Retesting in Penetration Testing RFPs
Why is retesting crucial?
- Fixes sometimes don’t work as planned, or create new holes.
- Retesting proves to auditors and the board that vulnerabilities are really closed.
- Many regulations require proof of remediation (PCI DSS Section 11.3, etc.).
Make retesting part of the contract, not an optional extra. Ask vendors to spell out timelines, scope, and pricing for retests up front.
Should You Ask for a Sample Assessment?
Yes, if feasible: A small-scale test or a redacted report gives you a preview of the vendor’s skills, thoroughness, and reporting style.
- Sample test: “Can you do a quick assessment of our test website to show your process?”
- Sample report: “Please provide a redacted report from a similar engagement.”
Heads up: The best firms may not do free hands on demos, but should always walk you through their methodology and deliverables.
How to Attract Top Penetration Testing Vendors (and Spot Red Flags Early)
You don’t want just any company poking around your systems. Here’s how to make your RFP stand out to the right folks and weed out the ones who just aren’t up to snuff.
1. Keep It Clear and Direct
Vendors aren’t mind readers. The clearer your RFP, the better their proposals. Use real-world language and lay things out step by step. Don’t hide what’s important behind fancy words or endless paragraphs.
2. Balance Specifics and Open-Ended Questions
Some things should be non-negotiable (like testing your main app or having OSCP-certified testers). For other parts, like how they run certain tests or keep things safe, ask open questions. This helps you see who really knows their stuff.
3. Ask for Proof
Don’t just take their word for it. Ask for:
- Team bios or resumes
- Case studies (even if the client’s name is hidden)
- Sample reports
- References you can actually contact
4. Watch Out for Red Flags
Some warning signs:
- Super low prices (they might be skipping steps)
- Vague answers or lots of “it depends”
- No insurance, no references, or no certifications
- Lots of buzzwords but no real plan
If it feels off, it probably is.
Red Flags Expanded List
Watch out for:
- Super low bids (might mean shortcuts or inexperience)
- Vague answers to direct questions
- No insurance, references, or proof of past results
- Buzzword bingo in their proposal, but no clear plan or process
- No mention of secure data handling or compliance experience
If you spot any of these, ask more questions or keep looking!
Penetration Testing RFP Pricing: What to Expect and How to Avoid Hidden Costs
Not all pentest quotes are the same, so ask vendors to spell out exactly how they charge:
- Fixed price: Great if your project scope is clear.
- Hourly/daily rates: Offers flexibility if your needs might change.
- Retainers: Good for ongoing or repeat tests.
Also, always ask about hidden extras:
- Is there a fee for retesting after fixes?
- Do they charge travel costs if onsite work is needed?
- Are post-test support or Q&A sessions included, or do they cost extra?
Understanding what’s included up front saves you from surprises later.
How to Compare Penetration Testing Proposals: Using a Scoring Matrix
It’s easy to get overwhelmed by lots of vendor proposals. Make it simple:
- Create a quick chart or spreadsheet.
- Score each vendor on things like experience, certifications, price, timeline, and how well they understood your needs.
- Assign more points to what matters most to you (for example, if technical skills are critical, weight those higher).
- Tally it up and you’ll see your best option clearly.
This helps you compare apples to apples and makes your final decision easier to explain to your team.
Legal, Compliance, and Data Protection Requirements for Penetration Testing RFPs
This isn’t just about ticking boxes. These things keep you out of trouble if something goes wrong.
- NDAs Are a Must: Make sure everyone signs. Don’t assume.
- Insurance Coverage: Be clear on the kind of insurance you expect and the amount. You don’t want surprises if a test crashes a server.
- Compliance: Tell them if you need things done a certain way for HIPAA, GDPR, or any other rulebook.
- Sensitive Data: Make sure test results, vulnerabilities, and any data found during testing are kept safe, shared securely, and destroyed when you say so.
Covering this stuff in your RFP saves a ton of headaches later.
Data Handling: Keeping Your Info Safe
Don’t be shy about asking how vendors handle your data:
- Storage: Your info should be stored securely (think encryption, not “saved on someone’s laptop”).
- Transfer: Reports and sensitive data should be shared over secure channels, not plain email.
- Disposal: Make sure they agree to delete data when the project wraps up.
- Regulations: If you’re in a regulated industry (healthcare, finance, etc.), make sure your vendor gets the rules (GDPR, HIPAA, CCPA) and follows them.
Compliance Tip: Some regulations (like GDPR or HIPAA) require strict data handling and breach notification protocols. Make sure your RFP asks about their compliance track record and practices, especially for storing, transferring, and destroying sensitive data.
And yes, always get that NDA signed before you share anything sensitive.
How to Evaluate and Select the Best Penetration Testing Vendor
Once you have all the proposals, it’s time to pick a winner. Don’t just go by gut feeling; give yourself a fair system:
- Score Each Proposal: Use a simple chart or spreadsheet. Rate things like their understanding of your needs, team experience, methods, timeline, and price.
- Weigh What Matters Most: Maybe you care more about technical skills than turnaround time, or vice versa. Assign extra points to the stuff that’s most important to you.
- Ask Follow-Up Questions: If something isn’t clear, reach out and ask. Good vendors are happy to clarify.
- Check Those References: Seriously, don’t skip this step.
When you find a vendor who checks all the boxes, gives you confidence, and fits your budget, go for it.
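The scoring matrix described in “How to Compare Penetration Testing Proposals” and in the selection steps just above is easy to get subtly wrong: weights that don’t add up, a missing score that silently drops a criterion, or a cheap bid that wins on points while failing a hard requirement such as insurance. The following is an added example, not from the original article, of that weighted scoring in code. The criteria, the weights, the 1-to-5 scoring scale, the must-have list and the three sample vendors are all constructed for this illustration; adjust them to your own RFP.

```python
"""Weighted scoring matrix for comparing pentest proposals (hypothetical example).

Criteria, weights, scale, must-haves and vendor scores are constructed here.
"""
from dataclasses import dataclass, field

# Weights express what matters most to you; they must add up to 100 (percent).
CRITERIA_WEIGHTS = {
    "understanding_of_needs": 25,
    "team_experience": 25,
    "methodology": 20,
    "timeline": 10,
    "price": 20,
}

# Hard requirements from the RFP: missing any one disqualifies the bid,
# however well it scores elsewhere (mirrors the red-flag lists above).
MUST_HAVES = ("insurance", "references", "certified_testers")


@dataclass
class Proposal:
    vendor: str
    scores: dict        # criterion -> score on a 1..5 scale
    must_haves: dict    # requirement -> True if the proposal provides it


@dataclass
class Result:
    vendor: str
    weighted_score: float   # 0..100
    disqualified: bool
    missing: list = field(default_factory=list)


def validate_weights(weights: dict) -> None:
    """Reject a matrix whose weights do not sum to 100, before any scoring happens."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must sum to 100, got {total}")


def weighted_score(scores: dict, weights: dict, scale_max: int = 5) -> float:
    """Scale each 1..scale_max score to its weight and sum; the result is 0..100."""
    missing = set(weights) - set(scores)
    if missing:  # a missing score must be an error, not a silent zero
        raise ValueError(f"proposal missing scores for: {sorted(missing)}")
    return round(sum(weights[c] * (scores[c] / scale_max) for c in weights), 1)


def rank_proposals(proposals: list, weights: dict = CRITERIA_WEIGHTS) -> list:
    """Score every proposal, then order qualified bids first, highest score first."""
    validate_weights(weights)
    results = []
    for p in proposals:
        missing = [m for m in MUST_HAVES if not p.must_haves.get(m, False)]
        results.append(Result(p.vendor, weighted_score(p.scores, weights), bool(missing), missing))
    return sorted(results, key=lambda r: (r.disqualified, -r.weighted_score))


# Constructed sample proposals (names and scores are illustrative only)
SAMPLE_PROPOSALS = [
    Proposal("Vendor A",
             {"understanding_of_needs": 5, "team_experience": 4, "methodology": 5, "timeline": 3, "price": 3},
             {"insurance": True, "references": True, "certified_testers": True}),
    Proposal("Vendor B",
             {"understanding_of_needs": 3, "team_experience": 3, "methodology": 3, "timeline": 5, "price": 5},
             {"insurance": True, "references": True, "certified_testers": True}),
    Proposal("Vendor C",
             {"understanding_of_needs": 5, "team_experience": 5, "methodology": 5, "timeline": 5, "price": 5},
             {"insurance": False, "references": True, "certified_testers": True}),
]

if __name__ == "__main__":
    for r in rank_proposals(SAMPLE_PROPOSALS):
        status = f"DISQUALIFIED (missing: {', '.join(r.missing)})" if r.disqualified else "qualified"
        print(f"{r.vendor}: {r.weighted_score:5.1f}  {status}")
```

On the constructed data Vendor A ranks first at 83.0, Vendor B second at 72.0, and Vendor C, despite a perfect 100.0, is listed last as disqualified for lacking insurance. Keeping the must-haves as a separate gate rather than as heavily weighted criteria is the point: a hard requirement should never be something a low enough price can buy back.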
Frequently Asked Questions about Penetration Testing RFPs
What is the primary purpose of a Penetration Testing RFP?
Its main purpose is to clearly communicate your penetration testing needs and expectations to potential vendors. In other words, it spells out what you want done (and how/when), so vendors can craft proposals to meet those requirements. A good RFP makes sure both you and the vendor are on the same page from the start.
What is the difference between a Penetration Testing RFP and an RFI?
A Penetration Testing RFP is asking vendors for a proposal on a specific pentesting project, including how they'd do it and how much they'd charge. An RFI (Request for Information) is more general: you're asking for information about services or capabilities, not for a project plan or price. You might send an RFI to learn about what a pentesting firm offers, then later issue an RFP when you're ready to get actual proposals.
What are the key components of a well crafted Penetration Testing RFP?
It should include: a brief company background, an overview of the project and objectives, a clearly defined scope of work, the timeline and schedule for the project, the qualifications you expect from the vendor, and the deliverables/reporting you expect to receive. Basically, it needs to tell the vendor everything about what you need, when you need it, and what you'll judge them on.
What is the difference between white box, gray box, and black box testing?
These terms describe how much knowledge the tester has before starting:
- White box: The tester has full knowledge of the system (source code, network diagrams, credentials, etc.).
- Gray box: The tester has partial knowledge (maybe some credentials or system info, but not everything).
- Black box: The tester has no prior knowledge (they're testing blind, like a real external attacker).
Why is it a good idea to request OSCP certified testers in a Penetration Testing RFP?
OSCP is a well-respected certification in the pentesting world that shows a person has hands-on hacking skills. If you request an OSCP-certified tester, you're basically ensuring that at least one person on the vendor's team has proven they know how to find and exploit vulnerabilities. It's a way to gauge expertise. It's not the only certification that matters, but it's a strong indicator of practical ability.
What are the typical deliverables expected from a penetration testing project?
Usually, you'll get a few key deliverables:
- An Executive Summary for management that highlights the main findings and what they mean in business terms.
- A Detailed Technical Report that lists all vulnerabilities found, with details, evidence, and severity ratings.
- Recommendations for Remediation for each issue, explaining how to fix or mitigate the vulnerabilities.
- A Retest Report (if you included a follow-up test) confirming whether the fixes for the major issues were successful.
How can organizations ensure they comply with security regulations during a penetration testing project?
The best approach is to build those requirements into the RFP and the engagement. Make sure your RFP asks vendors to follow relevant standards (like OWASP Top 10, NIST guidelines) and to adhere to any compliance frameworks you fall under. For instance, require them to follow HIPAA rules for data if you're in healthcare, or to sign a GDPR data processing agreement if personal data is involved. Also, include requirements for how they handle your data (encryption, secure deletion, etc.). Essentially, be explicit about compliance and data protection in your RFP and contract; that way, any vendor you choose has contractually agreed to meet those requirements.
What are key factors to consider when evaluating and selecting a vendor from the proposals?
Pay attention to several things:
- Does the vendor clearly understand your requirements and address them?
- Do they have the right experience and technical skills (and team size) for your project?
- What do their past clients say (references) or past projects show (case studies)?
- Are their approach and methodologies solid and tailored to your needs?
- And of course, does their price offer good value for what you're getting?
It's a balance: you want a vendor who is technically competent, reliable, and within your budget. Using a scoring system as mentioned can help weigh these factors so you look at the overall picture rather than focusing on just one thing like cost.
Why is it crucial to establish a clear scope of work and rules of engagement in a Penetration Testing RFP?
Because it prevents misunderstandings and accidents. A clear scope of work tells the vendor exactly what to test (and what not to test), so they don't miss anything important or hit something you didn't intend to include. Clear rules of engagement set the boundaries (like when they can test, how far they can go, who to contact in an emergency). Together, scope and rules ensure the pentest is conducted safely, effectively, and without any unintended consequences (like knocking over a critical server or violating a compliance rule). In short, clarity here means a smoother, problem-free engagement.
What is the importance of retesting and verification in a penetration testing project?
Retesting is basically a sanity check after you've fixed the issues. Its importance is high: without it, you have to assume that all the fixes worked and covered the vulnerabilities. By having the pentest team come back to verify, you get confirmation that the holes are truly patched. It's like fixing a leaky roof and then spraying water on it to make sure it no longer leaks. Retesting gives you confidence that the vulnerabilities found in the pentest have been effectively resolved, thereby actually improving your security posture, not just identifying problems.
Penetration Testing RFP Compliance Guide: PCI DSS, HIPAA, ISO 27001, and More
When your business is in a regulated industry, your penetration testing RFP needs to show vendors exactly which rules they must follow. Here’s how to spell out compliance requirements for the most common frameworks and regulations.
PCI DSS (Payment Card Industry Data Security Standard)
Who needs it: Any company that stores, processes, or transmits payment card data.
What to include in your RFP:
- Clearly state that you’re subject to PCI DSS.
- Require annual penetration testing, as well as testing after any significant changes (PCI DSS Section 11.3).
- Specify that the test must cover the Cardholder Data Environment (CDE).
- Ask vendors to map every finding to a specific PCI DSS control.
- Require a post-remediation retest to confirm issues are fixed.
Sample RFP language: “We process cardholder data and require annual penetration testing per PCI DSS 11.3. Please map all findings to PCI DSS controls and include a follow-up retest after remediation.”
ISO 27001 (Information Security Management Standard)
Who needs it: Organizations following or certified under the ISO 27001 framework.
What to include in your RFP:
- Reference your ISMS and ISO 27001 compliance.
- Request that testing supports Annex A.12.6.1 (Technical Vulnerability Management).
- Cover all information systems and assets within your ISMS.
- Ask for findings and recommendations to be mapped to ISO 27001 controls.
- Strongly recommend a follow-up test after remediation.
Sample RFP language: “Our ISMS is certified to ISO 27001. Please conduct penetration testing that supports Annex A.12.6.1, map findings to ISO 27001 controls, and include a retest after remediation.”
SOC 2 (Service Organization Controls 2)
Who needs it: SaaS companies, cloud service providers, and any business handling customer data subject to SOC 2 audits.
What to include in your RFP:
- Confirm your organization is subject to SOC 2 Trust Services Criteria.
- Require testing to support and map to security, availability, confidentiality, and privacy criteria.
- Ensure all systems in scope for your SOC 2 audit are tested.
- Ask vendors to cross-reference findings to SOC 2 controls.
- Request optional retesting before your next audit.
Sample RFP language: “We are subject to SOC 2 Trust Services Criteria. Penetration testing must support these criteria, with all findings mapped to SOC 2 controls. Please offer a retest after remediation.”
HIPAA (Health Insurance Portability and Accountability Act)
Who needs it: Healthcare providers, insurers, or anyone handling protected health information (PHI).
What to include in your RFP:
- Specify HIPAA compliance and the presence of PHI.
- Require testing to address the HIPAA Security Rule (risk analysis and risk management).
- Include all systems that process, store, or transmit PHI.
- Make sure the report includes findings relevant to HIPAA and breach notification procedures.
- Require post-remediation testing for documentation.
Sample RFP language: “We handle PHI and require HIPAA-compliant penetration testing. Please document findings related to the Security Rule, include breach notification steps, and provide retesting after remediation.”
GLBA (Gramm-Leach-Bliley Act)
Who needs it: U.S. financial institutions and affiliates handling customer financial data.
What to include in your RFP:
- State that your business is regulated under GLBA.
- Require assessment to address the GLBA Safeguards Rule.
- Specify that all systems with access to Nonpublic Personal Information (NPI) must be tested.
- Ask vendors to map findings to GLBA controls and your risk management process.
- Require a retest report after remediation.
Sample RFP language: “As a financial institution, we are subject to GLBA. Please test all NPI systems per the Safeguards Rule, map findings to GLBA requirements, and provide a retest report after remediation.”
GDPR (General Data Protection Regulation)
Who needs it: Any organization processing personal data of EU residents.
What to include in your RFP:
- Clearly state that your environment includes GDPR-regulated data.
- Require testing to meet GDPR Article 32 (security of processing).
- Ensure all systems processing or storing EU personal data are in scope.
- Ask for documentation of data handling, breach notification, retention, and deletion procedures.
- Request a retest to confirm GDPR-related vulnerabilities are fixed.
Sample RFP language: “We process EU personal data and require testing that meets GDPR Article 32. Please include documentation for data handling and breach notification, and provide a retest after remediation.”
Tip: Always consult with your compliance and legal teams when drafting your RFP, as regulations can change.
Ready to Protect Your Business?
Need help writing your penetration testing RFP for 2025? Contact our team for a free consultation or request a sample template.