A well-structured VAPT RFP is the single best way to eliminate scope ambiguity when procuring penetration-testing services in India, and scope ambiguity is the largest cause of post-delivery disputes, cost overruns, and regulator rejection. This post walks through the standard RFP structure we recommend to procurement teams in Bangalore and Mumbai. The downloadable DOCX at the end is a pre-structured template you can customise for your organisation, your regulator, and your technology stack.
The article explains each RFP section, what good looks like, and common procurement traps to avoid.
RFP Section 1: Executive summary and context
What to include:
- Organisation name, sector, and regulatory environment (RBI, SEBI, IRDAI, CERT-In)
- Purpose of the engagement (annual audit, pre-certification, post-incident validation)
- Timeline constraints (regulatory deadline, board meeting, customer audit)
- Budget range (optional but recommended for realistic responses)
Common trap: Vague purpose statements like “we need a security test.” Be specific: “Annual VAPT for RBI Cyber Security Framework compliance, with re-test until findings close.”
RFP Section 2: Scope of work
Infrastructure scope
| Item | Detail |
|---|---|
| IP ranges / CIDR blocks | List all in-scope networks |
| Domains and subdomains | Primary and staging environments |
| Cloud accounts | AWS account IDs, Azure subscriptions, GCP projects |
| Wireless networks | SSIDs, locations |
| VPN concentrators | Make/model, IP ranges |
Application scope
| Item | Detail |
|---|---|
| Web applications | URLs, authentication requirements, test accounts |
| Mobile applications | iOS/Android, app store links, IPA/APK files |
| APIs | Swagger/OpenAPI docs, Postman collections, authentication |
| Third-party integrations | Payment gateways, KYC providers, cloud APIs |
Exclusions
Be explicit about what is out of scope:
- Social engineering / phishing
- Physical security testing
- Denial-of-service testing (unless explicitly authorised)
- Production systems during business hours (if applicable)
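The scope tables and exclusions above are only useful if they can be checked mechanically before a tester touches a host. The following is an added example, not code from the original post or its template: a small rules-of-engagement checker that loads CIDR blocks, apex domains and named exclusions, rejects malformed or overlapping entries, and answers whether a proposed target is authorised. The CIDRs, domains and excluded hosts are constructed sample values (RFC 5737 and private ranges plus the reserved example.com).

```python
"""Rules-of-engagement scope check for a VAPT RFP. Added example, not from the
original post: the CIDR blocks, domains and excluded hosts below are constructed
sample values standing in for the RFP's scope tables."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    cidrs: list                                        # "IP ranges / CIDR blocks"
    domains: list                                      # in-scope apex domains; subdomains inherit
    excluded_hosts: set = field(default_factory=set)   # named exclusions, e.g. production DBs

    def __post_init__(self):
        # strict=True rejects entries such as 10.20.1.5/16 (host bits set), a
        # common sign that someone pasted an address where a network belonged
        self.networks = [ipaddress.ip_network(c, strict=True) for c in self.cidrs]
        self.domains = [d.lower().rstrip(".") for d in self.domains]
        self.excluded_hosts = {h.lower().rstrip(".") for h in self.excluded_hosts}
        # overlapping blocks almost always mean a duplicated or mistyped range
        for i, a in enumerate(self.networks):
            for b in self.networks[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"overlapping scope entries: {a} and {b}")

    def in_scope(self, asset: str) -> bool:
        """True only if the asset sits inside an in-scope network or domain
        and is not listed as an exclusion. Exclusions win over inclusions."""
        asset = asset.lower().rstrip(".")
        if asset in self.excluded_hosts:
            return False
        try:
            ip = ipaddress.ip_address(asset)
        except ValueError:
            # not an IP: treat as a hostname and match the apex or any subdomain,
            # but never a lookalike such as example.com.other.test
            return any(asset == d or asset.endswith("." + d) for d in self.domains)
        return any(ip in net for net in self.networks)


def partition(scope: Scope, assets) -> dict:
    """Split a proposed target list into authorised and unauthorised assets."""
    result = {"in_scope": [], "out_of_scope": []}
    for a in assets:
        result["in_scope" if scope.in_scope(a) else "out_of_scope"].append(a)
    return result


# Constructed sample scope, not a real customer's
SAMPLE_SCOPE = Scope(
    cidrs=["10.20.0.0/16", "192.0.2.0/24"],
    domains=["example.com"],
    excluded_hosts={"prod-db.example.com", "10.20.5.5"},
)


def demo() -> dict:
    targets = [
        "10.20.1.7",               # inside 10.20.0.0/16
        "10.20.5.5",               # inside the CIDR but explicitly excluded
        "staging.example.com",     # subdomain of an in-scope domain
        "example.com.other.test",  # lookalike: must not match
        "203.0.113.9",             # not in any listed network
    ]
    return partition(SAMPLE_SCOPE, targets)


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for an RFP. Exclusions override inclusions, so a production database can be named out of scope even though its subnet is in scope, which mirrors the "Exclusions" section above. And the constructor refuses overlapping or host-bit-set CIDR entries rather than silently widening the scope, which is how most "we thought that range was included" disputes begin.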
RFP Section 3: Methodology requirements
Mandatory:
- OWASP Testing Guide v4.2 or later
- OWASP API Security Top 10 2023 (if APIs in scope)
- OWASP ASVS L2 (if web apps in scope)
- MASVS L2 (if mobile apps in scope)
- Manual testing minimum percentage (we recommend ≥ 60%)
Recommended:
- Business-logic flaw testing
- IDOR and privilege-escalation testing
- Code-review sample (if source code available)
- Configuration review of cloud environments
RFP Section 4: Deliverables
| Deliverable | Format | Due date |
|---|---|---|
| Executive summary | | T+5 business days |
| Technical findings report | PDF with CVSS scoring | T+10 business days |
| Remediation guidance | Per-finding with code/config examples | T+10 business days |
| Raw evidence | Screenshots, logs, tool output | T+10 business days |
| Re-test report | PDF after remediation | T+5 business days post-fix |
| Board presentation | PPT, 30 minutes | T+15 business days |
RFP Section 5: Auditor qualifications
Mandatory:
- CERT-In empanelment for “Penetration Testing and Vulnerability Assessment”
- CERT-In empanelment for “Information Security Audit Services” (if infrastructure in scope)
- Minimum 5 years of VAPT experience
- Indian-resident delivery team (data-sovereignty requirement)
Recommended:
- CREST, OSCP, or OSCE certification for lead testers
- Sector-specific experience (BFSI, HealthTech, crypto)
- References from 2+ comparable engagements
RFP Section 6: Commercial terms
Recommended structure:
- Fixed fee in INR, inclusive of taxes
- Re-test until findings close (no additional fee)
- Travel and accommodation (if on-site required) at actuals or capped
- Payment terms: 30% advance, 40% on report delivery, 30% on re-test completion
- Liability cap: 100% of engagement fee
RFP Section 7: Evaluation criteria
| Criterion | Weight | What to score |
|---|---|---|
| Technical approach | 30% | Methodology depth, manual-test percentage, tool stack |
| Team credentials | 25% | Empanelment, certifications, sector experience |
| Price | 20% | Total cost of ownership (including re-test) |
| References | 15% | Quality of past-client feedback |
| Timeline | 10% | Ability to meet regulatory or board deadlines |
Download the template
The DOCX version of this RFP includes:
- All seven sections pre-formatted
- Placeholder tables for scope, deliverables, and evaluation criteria
- Sample language for CERT-In empanelment verification
- Commercial terms template
- Evaluation scorecard
Download VAPT RFP Template (DOCX)
Common RFP mistakes
- Copy-pasting a generic IT RFP. VAPT has specific scope, methodology, and deliverable requirements.
- Forgetting re-test in the scope. Findings without verified closure are worthless for regulator reporting.
- Not specifying the empanelment category. A firm empanelled for ISO 27001 may not be empanelled for VAPT.
- Evaluating on price alone. The lowest bidder often delivers automated scans, not manual penetration tests.
- No timeline for re-test. Remediation takes 2–4 weeks. Budget the calendar, not just the fee.
Sector-specific RFP customisations
The seven-section structure works for general VAPT procurement. Specific industries require additional customisations.
BFSI — RBI-aligned RFP
Add: explicit reference to RBI Cyber Security Framework as the audit benchmark; quarterly testing cadence rather than annual; reporting format aligned to RBI inspection expectations; auditor empanelment for both “Information Security Audit” and “Penetration Testing” categories; on-site kickoff and exit meetings in your operating city; data-residency requirement for forensic artefacts.
SEBI-regulated entities
Add: CSCRF six-domain mapping in the deliverables section; MSOC readiness assessment as part of scope; cyber-resilience drill participation; SEBI-coordinator notification capability; sector-specific surveillance-system test cases.
HealthTech / PHI exposure
Add: DPDP children’s-data control mapping; HIPAA mapping (if US healthcare customers); ABDM data-protection alignment; clinical-data-flow specific test cases; PHI-specific access-control review.
Crypto exchanges
Add: hot/warm/cold wallet specific test cases; smart-contract review (if applicable); key-management ceremony validation; FIU-IND VASP framework alignment; VARA technology-control mapping (if international expansion in progress).
Government and PSU contractors
Add: CERT-In empanelment category-specific verification; on-site testing requirements; specific report templates if mandated by tender; classified-data handling protocols (if applicable); officer-level clearance requirements for tester team.
Common procurement traps in detail
Beyond the high-level traps, several specific procurement failures recur in Bangalore engagements.
Trap 1 — Lowest-bidder selection without scope verification. A vendor quoting ₹40,000 for “VAPT” and a vendor quoting ₹2,50,000 for “VAPT” are not delivering the same service. Without scope verification (manual vs automated split, included re-test, deliverable depth), the comparison is meaningless.
Trap 2 — Vendor selected based on certifications without verifying empanelment validity. A firm advertising CERT-In empanelment but with expired empanelment is operationally useless for tender requirements. Verify empanelment on the live CERT-In list before contracting.
Trap 3 — Variable billing accepted under “optimisation” rationale. Vendors who refuse fixed-fee engagements typically extract billing through scope creep. The procurement team’s leverage is highest before signing.
Trap 4 — Technical evaluation by a procurement-only team. VAPT is a technical service, and evaluating it requires technical evaluators. Procurement-led evaluations consistently produce lower-quality vendor selection than evaluations involving CISO or senior-engineering input.
Trap 5 — No reference checks. References are routinely listed in proposals but not contacted. A 15-minute reference call frequently reveals vendor weaknesses not visible in the proposal.
Trap 6 — Tight timelines that exclude better vendors. Some procurement processes mandate response within 5 business days, which excludes vendors with full pipelines (often the better vendors). Two-week response windows produce better vendor selection.
RFP evaluation scorecard worked example
For a typical Bangalore SaaS company evaluating three VAPT vendors:
| Criterion | Weight | Vendor A (₹2.5L) | Vendor B (₹4.0L) | Vendor C (₹1.2L) |
|---|---|---|---|---|
| Technical approach | 30% | 8/10 (manual-led) | 9/10 (red-team) | 4/10 (scan-led) |
| Team credentials | 25% | 8/10 (CERT-In + OSCP) | 9/10 (CREST + 10y) | 5/10 (CERT-In only) |
| Price | 20% | 8/10 (mid-tier) | 6/10 (premium) | 10/10 (lowest) |
| References | 15% | 8/10 (positive) | 9/10 (excellent) | 6/10 (mixed) |
| Timeline | 10% | 9/10 (4 weeks) | 7/10 (8 weeks) | 9/10 (3 weeks) |
| Weighted total | 100% | 8.05 | 8.05 | 6.30 |
Vendor A and Vendor B tie on weighted score; Vendor B’s premium produces deeper engagement quality. Vendor C’s price advantage is offset by lower technical and credential scores. Most procurement teams would select Vendor A on cost-quality balance, with Vendor B as the alternative if budget permits.
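The scorecard above is the kind of thing that should be computed, not hand-filled. The following is an added example, not code from the original post or the DOCX template: it takes the Section 7 weights and the per-vendor scores from the table, refuses to score a vendor with a blank or out-of-range cell, checks that the weights total 100%, and ranks the vendors. Run on the table's scores it returns 8.10 for Vendor A, 8.20 for Vendor B and 6.25 for Vendor C; the totals printed in the table differ slightly, which is exactly the hand-arithmetic drift a scripted or spreadsheet scorecard removes. "Vendor A/B/C" are the post's placeholder names.

```python
"""Weighted RFP scorecard. Added example, not part of the original post. The
weights are the Section 7 weights and the per-vendor scores are the ones in the
worked-example table; the vendor names are the post's placeholders."""
from typing import Dict, List, Tuple

# Section 7 weights, in percent; if they do not total 100 every total is skewed
WEIGHTS: Dict[str, float] = {
    "Technical approach": 30,
    "Team credentials": 25,
    "Price": 20,
    "References": 15,
    "Timeline": 10,
}

# Scores from the worked example, each on a 0-10 scale
VENDORS: Dict[str, Dict[str, float]] = {
    "Vendor A": {"Technical approach": 8, "Team credentials": 8, "Price": 8,
                 "References": 8, "Timeline": 9},
    "Vendor B": {"Technical approach": 9, "Team credentials": 9, "Price": 6,
                 "References": 9, "Timeline": 7},
    "Vendor C": {"Technical approach": 4, "Team credentials": 5, "Price": 10,
                 "References": 6, "Timeline": 9},
}


def validate_weights(weights: Dict[str, float]) -> None:
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights total {total}%, expected 100%")


def weighted_total(weights: Dict[str, float], scores: Dict[str, float]) -> float:
    """Weighted score on the same 0-10 scale as the inputs, rounded to 2 dp.
    A missing or out-of-range criterion raises instead of counting as zero,
    so a blank scorecard cell cannot silently sink or inflate a vendor."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored criteria: {sorted(missing)}")
    for crit in weights:
        if not 0 <= scores[crit] <= 10:
            raise ValueError(f"{crit}: score {scores[crit]} outside 0-10")
    return round(sum(weights[c] * scores[c] for c in weights) / 100, 2)


def rank(weights: Dict[str, float],
         vendors: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Vendors best-first. Exact ties are broken on technical approach, the
    criterion the post weights most heavily."""
    rows = [(name, weighted_total(weights, s)) for name, s in vendors.items()]
    rows.sort(key=lambda r: (r[1], vendors[r[0]]["Technical approach"]), reverse=True)
    return rows


if __name__ == "__main__":
    for name, total in rank(WEIGHTS, VENDORS):
        print(f"{name}: {total:.2f}")
```

Re-running the ranking with the Price weight raised and the others reduced proportionally is the quickest way to show a finance stakeholder how far price would have to be over-weighted before a scan-led bid like Vendor C overtakes a manual-led one.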
Practical next steps
If you are evaluating VAPT quotes, see our VAPT cost breakdown to understand what each price tier buys. If you need to verify vendor empanelment, see our CERT-In Empanelled Auditor List guide. If you want to scope a specific engagement, our VAPT services page walks through the methodology and pricing.
For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.
VAPT RFP FAQ
Should I share the budget in the RFP? Yes, in a band. Sharing “₹2–4 lakh budget for first-time VAPT” produces realistic responses; not sharing produces wide variance from inappropriate vendors.
How many vendors should I shortlist? 3–5 is typical. Below 3, comparison is weak; above 5, evaluation effort exceeds value. Shortlist for genuine bid-fitness rather than to pad the list.
Should I share the technology stack in the RFP? Yes. Auditors need to scope appropriately and team appropriately. Withholding stack information produces vague proposals.
Do I need a non-disclosure agreement before sharing the RFP? Recommended. A simple mutual NDA covers scope disclosure and does not slow procurement materially.
What’s the typical RFP timeline? 5–10 business days for response. Tight timelines (less than 5 days) exclude better vendors; long timelines (more than 15 days) lose engagement.
How do I evaluate manual-vs-automated split? Ask the vendor to specify: percentage of engagement time on manual analysis vs automated tooling, and which findings would be discovered by manual versus automated approaches.
Should I require references in the RFP? Yes, with explicit permission to contact. Two references from comparable engagements (similar industry, size, scope) is the typical bar.
Can I run a paid pilot before full engagement? Yes — some firms accept a paid pilot at lower scope to demonstrate methodology. Useful for high-value engagements where vendor selection materially affects outcome.
What’s the typical payment-term structure? 30% advance, 40% on report delivery, 30% on re-test completion. Variations include 50/50 or milestone-based; the structure should align payment with deliverable acceptance.
Should I include liability cap clauses? Yes — standard clause is liability limited to engagement fee. Higher liability caps typically increase fee; lower caps may not be acceptable to mature vendors.
Is the template available in English only? The downloadable template is English-only; we recommend procurement teams operate in English for clarity even if internal communications use other languages.
Can I customise the template for non-VAPT engagements? The template is VAPT-specific. Other security engagements (red team, code review, IR retainer) require different RFP structure.
Negotiation tactics that produce better VAPT outcomes
The RFP produces a shortlist; negotiation produces the contract. Specific tactics improve outcomes during the negotiation phase.
Lock the partner
Ask which specific senior auditor will lead the engagement. Get their name in the engagement letter. Without partner-locking, vendors substitute junior staff post-signature; with locking, you get the seniority you bid for.
Cap the variation budget
Even fixed-fee engagements typically allow paid variations for scope changes. Cap the variation budget at 10–15% of the base fee. Without a cap, vendors expand scope through “necessary clarifications” and the final fee exceeds the bid materially.
Specify the deliverable acceptance criteria
Define what makes the report acceptable — page count, finding granularity, evidence depth, executive summary length. Vendors who deliver thin reports often do so because acceptance criteria were vague.
Negotiate retest economics explicitly
The default vendor position is often “two retests within 30 days.” Negotiate “retests until findings close” or “retests within 90 days, no cycle limit” — your engineering team’s remediation timeline is rarely 30 days.
Include termination clauses
Standard clause: termination for cause with 30-day notice if quality issues are documented. Without this clause, vendors can deliver substandard work knowing the procurement cycle has already closed alternatives.
Lock the report-delivery format
Word document (editable for you to comment), PDF (final deliverable), JSON or Excel (for ticketing-system integration). Without format-locking, you receive what’s convenient for the vendor, which may not be what you need for your team.
What good engagement quality actually looks like
Beyond the deliverables list, qualitative signs of good engagement quality emerge during execution.
Daily check-in cadence. Senior auditors check in daily during active testing — not weekly status reports, but real-time discussion of findings as they emerge. Vendors who only surface during weekly meetings typically deliver thinner engagements.
Real-time finding escalation. Critical findings should be flagged immediately, not held for the report. If your auditor finds something serious in week 2 and tells you in week 6, the delay represents a cost.
Reproduction steps that actually reproduce. The litmus test of finding quality: can your engineer follow the steps and reproduce the issue? Many reports include vague reproduction that breaks under scrutiny.
Remediation guidance specific to your stack. Generic OWASP-style guidance is less useful than guidance specific to your framework (Express, Django, Spring, .NET) and your cloud (AWS, Azure, GCP). Vendor depth shows in the specificity.
Re-test verification with evidence. After remediation, the retest should produce evidence that the fix works. “We confirmed the fix” without evidence is insufficient.
After the report — what to do with the findings
The report is the deliverable; remediation is the work. Specific patterns for converting findings into closure:
Triage by exploitability. Fixes for critical findings with demonstrated exploit chains should ship within 7 days; high findings within 30 days; medium within 90 days; low at convenience. Don’t treat all findings equally.
Track in your existing engineering system. Findings should be tracked in Jira, Linear, or your ticketing system — not in a separate “security findings” silo. Engineering teams resolve issues in their primary system.
Code-review the fixes. Security findings often require complex fixes; code review by a security-aware reviewer reduces incomplete remediation.
Document the remediation. Each fix produces evidence — commit hashes, configuration changes, test results. Keep this evidence for the retest cycle and for next year’s audit.
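The four steps above (triage by severity, track in the engineering ticketing system, fix, keep evidence for the re-test) fit together as one small pipeline. The following is an added example, not code from the original post: it reads a machine-readable findings export of the kind the "Lock the report-delivery format" section asks for, derives severity from the CVSS score using the CVSS v3.1 qualitative rating scale, assigns the 7/30/90-day due dates from the triage step, flags open findings that have blown their SLA, and marks a "fixed" finding as not re-testable when no remediation evidence is attached. The JSON layout, field names and findings are constructed assumptions, and the commit hash is a placeholder.

```python
"""Findings triage: converts a VAPT report's JSON findings export into
ticket-ready records with remediation due dates by severity. Added example, not
from the original post. The JSON layout, field names and the findings themselves
are constructed assumptions; the commit hash is a placeholder."""
import json
from datetime import date, timedelta

# Remediation SLAs from the post: critical 7 days, high 30, medium 90, low at convenience
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None, "none": None}
SEVERITY_ORDER = ["critical", "high", "medium", "low", "none"]

# Constructed sample export, the machine-readable companion to the PDF report
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "title": "Authentication bypass on admin API", "cvss": 9.8,
         "status": "open"},
        {"id": "F-002", "title": "IDOR on invoice download", "cvss": 7.5, "status": "fixed",
         "evidence": {"commit": "<commit-hash-placeholder>", "retest": "pending"}},
        {"id": "F-003", "title": "Verbose error pages", "cvss": 5.3, "status": "fixed"},
        {"id": "F-004", "title": "Missing HSTS header", "cvss": 3.1, "status": "open"},
    ]
})


def severity_from_cvss(score: float) -> str:
    """CVSS v3.1 qualitative rating scale: none / low / medium / high / critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def triage(report_json: str, report_date: date, today: date) -> list:
    """Return ticket-ready dicts, worst severity first, then earliest due date."""
    tickets = []
    for f in json.loads(report_json)["findings"]:
        sev = severity_from_cvss(float(f["cvss"]))
        days = SLA_DAYS[sev]
        due = report_date + timedelta(days=days) if days is not None else None
        status = f.get("status", "open")
        tickets.append({
            "id": f["id"],
            "title": f["title"],
            "severity": sev,
            "due": due.isoformat() if due else None,
            "overdue": status == "open" and due is not None and today > due,
            "status": status,
            # a fix with no commit, config change or test result attached
            # cannot be verified in the re-test cycle
            "retest_ready": status == "fixed" and bool(f.get("evidence")),
        })
    tickets.sort(key=lambda t: (SEVERITY_ORDER.index(t["severity"]),
                                t["due"] or "9999-12-31"))
    return tickets


def triage_sample() -> list:
    """Sample run: report delivered 2025-01-06, reviewed ten days later."""
    return triage(SAMPLE_REPORT, report_date=date(2025, 1, 6), today=date(2025, 1, 16))


if __name__ == "__main__":
    for t in triage_sample():
        print(t)
```

The output dicts are flat on purpose so they can be posted straight into Jira or Linear as issue fields rather than living in a separate security-findings spreadsheet. Severity is recomputed from the CVSS score instead of trusted from the vendor's label, which is a cheap way to catch reports whose ratings and scores disagree.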
Building VAPT into your engineering lifecycle
For mature Bangalore engineering organisations, VAPT is one element of a broader application-security programme.
Pre-release security testing
Internal security testing during development reduces the issues external VAPT finds. Common practices: SAST in CI for static analysis, DAST against staging for dynamic testing, dependency scanning for known CVEs, secrets scanning to prevent credential leakage, container-image scanning for infrastructure security.
Bug bounty programmes
External-researcher contributions complement formal VAPT. Bug bounties scale broader coverage than periodic VAPT can achieve. Programmes via Bugcrowd, HackerOne, or Indian-specific platforms provide structured engagement with researchers.
Continuous penetration testing
Some Bangalore SaaS companies move from quarterly to continuous penetration testing — same firm, ongoing engagement, finding-by-finding reporting. Cost is higher than quarterly but produces faster discovery.
Red team and adversary simulation
Beyond VAPT, periodic red-team exercises test detection and response capability. Red team engagements are higher-cost than VAPT but produce different findings — operational gaps in addition to technical vulnerabilities.
Internal security champions
Engineers within product teams trained as security champions extend the security team’s coverage. Champions review designs, advocate for security practices, and identify issues during normal development.
RFP outcomes — what to expect
After running the RFP and selecting a vendor, expectations should be calibrated.
Engagement quality scales with budget. ₹40K engagements deliver scan-output reports; ₹2.5L engagements deliver manual-led findings; ₹15L engagements deliver red-team-style adversary simulation. Outcome quality scales with investment.
Findings count varies by maturity. Mature organisations may have 8–20 findings; immature may have 50+. Higher finding count reflects baseline state, not auditor quality.
Remediation is the longer pole. Engagement takes 4 weeks; remediation takes 6–12 weeks for substantive findings. Plan calendar accordingly.
Re-test outcomes inform next-cycle scope. Findings that close cleanly inform what to test more deeply next cycle; findings that remain open require longer remediation focus.
VAPT vendor relationship management
Beyond the engagement itself, ongoing relationship management with VAPT vendors produces better outcomes over multiple cycles.
Single point of contact. Designate a procurement-side and security-side single point of contact for the vendor relationship. Single contacts produce consistent communication and reduce repeated context-building.
Annual relationship review. Review the vendor relationship annually — quality of engagements, cost trends, scope evolution, alternative vendor consideration. Annual review prevents relationship drift.
Multi-cycle pricing optimisation. Multi-year commitments produce pricing benefits. Negotiate locked renewal pricing for 2–3 year commitments where appropriate.
Capacity coordination. VAPT firms have busy seasons (Q3-Q4 for many India-side firms aligning with audit cycles). Schedule engagements to avoid capacity squeeze; off-peak engagement produces better attention.
Knowledge transfer between cycles. Each engagement builds the vendor’s knowledge of your environment. Switching vendors loses this knowledge unless the transition is planned.
Joint incident response readiness. VAPT vendors often provide incident-response retainer services. Combining the two relationships produces operational efficiency.
Procurement governance considerations
For Bangalore enterprise procurement teams managing VAPT vendor relationships, governance practices matter.
Vendor security due diligence. VAPT vendors handle sensitive information about your environment. Verify the vendor’s own security posture — ISO 27001 certification, data-handling commitments, employee background screening.
Data handling agreements. Specific contract terms covering how VAPT findings, evidence, and reports are handled, with Indian data-residency commitments where applicable.
Liability and insurance. Liability cap aligned with engagement value plus indemnification for vendor errors. Vendor errors-and-omissions insurance that covers the engagement scope.
Code of conduct. Documented expectations for vendor staff conduct, particularly during on-site engagements.
Audit rights. Right to audit vendor’s handling of your information. Most reputable vendors accept this contractually.
RFP outcomes by procurement-team maturity
Mature procurement teams. Receive 4-7 substantive responses; finalist evaluation produces clear vendor selection; engagement quality matches expectations. Mature procurement reflects investment in security-procurement expertise.
Developing procurement teams. Receive responses but variance is high; finalist evaluation requires technical security input; engagement quality varies. Developing procurement benefits from external advisory support.
Inexperienced procurement teams. Receive responses but lack a frame to evaluate them; price-led selection produces poor outcomes; engagement quality often disappoints. Inexperienced teams should engage an external procurement advisor for VAPT vendor selection.
The procurement-team-maturity dimension is often under-recognised but materially affects engagement quality.
Internal stakeholders to engage during RFP
CISO or security lead. Owns the technical scope and engagement quality. Should be primary technical evaluator.
CTO or VP Engineering. Provides architectural context and engineering availability commitments.
Procurement. Manages vendor relationship and contractual terms.
Legal counsel. Reviews engagement letter, liability terms, and data-handling provisions.
Finance. Approves engagement budget and payment-term structure.
Compliance officer (if regulated entity). Ensures regulator-acceptable scope and reporting format.
Cross-functional engagement during RFP produces better vendor selection than single-function-led procurement.