RFP template
A pentest RFP template that filters for research-led firms.
The 20 questions that separate research-led pentest firms from tool operators. Vendor-neutral, ready to copy into your procurement RFP. Plus weighting guidance for evaluation panels.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Why this matters
Pentest RFPs that ask for 'methodology' get the same paragraph from every vendor.
Vendor-neutral RFP questions are hard to write without bias toward your incumbent or the loudest sales call.
Weighting guidance is missing from most templates; evaluation panels disagree on what 'CREST + research-led' should score.
Without RFP questions targeting research output and reproducer quality, the spreadsheet picks the cheapest, not the best.
Here is what we ship.
Why teams pick us
20 questions, weighted for research output.
Vendor-neutral
Questions filter for research-led firms in general, not for SL7 specifically. Any CREST firm with CVE-disclosure track record should score well.
Weighting guidance
Per-question weighting for evaluation panels. Procurement and security pick the same vendor without re-debate.
Sample answers included
Example answers showing what 'good' looks like, so the panel can separate templated firms from research-led ones on the first pass.
How it works
From RFP template to vendor selection without a six-week review cycle.
Drop your email
Template sent to your work email. Editable DOCX plus PDF reference.
Drop into your procurement RFP
Vendor-neutral, ready to paste. Tailor weights to your audit driver.
Run the evaluation
Panel scores by the template. Procurement and security align on first pass.
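The three steps above describe a weighted panel evaluation. The script below is an added illustration of how that scoring works, not the SL7 template itself: the question categories, the two weight profiles, the vendor scores and the panelist scores are all constructed for the example (the template's 20 questions are not reproduced here). It shows the point made under "Why this matters": with price-heavy weights the cheapest vendor wins, and with weights on research output and reproducer quality the ranking flips. It also flags the questions where procurement and security disagree by more than one band, so the panel can resolve those before re-debating the whole sheet.

```python
"""Weighted RFP scoring for a pentest vendor panel.

Added example, not part of the SL7 template. Every category, weight
and score below is constructed for illustration.
"""

# Hypothetical question categories standing in for the template's questions.
QUESTIONS = ["methodology", "research_output", "reproducer_quality",
             "cve_track_record", "price"]

# Hypothetical per-driver weight profiles (0-10 per question).
WEIGHT_PROFILES = {
    "cost_led": {"methodology": 3, "research_output": 1,
                 "reproducer_quality": 1, "cve_track_record": 1, "price": 8},
    "research_led": {"methodology": 2, "research_output": 5,
                     "reproducer_quality": 5, "cve_track_record": 4, "price": 2},
}

# Constructed panel scores (1-5 per question) for three fictional vendors.
VENDOR_SCORES = {
    "VendorA_cheapest": {"methodology": 3, "research_output": 1,
                         "reproducer_quality": 2, "cve_track_record": 1, "price": 5},
    "VendorB_research": {"methodology": 4, "research_output": 5,
                         "reproducer_quality": 5, "cve_track_record": 5, "price": 2},
    "VendorC_midrange": {"methodology": 4, "research_output": 2,
                         "reproducer_quality": 3, "cve_track_record": 2, "price": 4},
}


def weighted_score(scores, weights, max_raw=5):
    """Weighted total normalised to 0-100. An unanswered question scores 0."""
    total_weight = sum(weights.values())
    if total_weight <= 0:
        raise ValueError("weight profile must have positive total weight")
    earned = sum(scores.get(q, 0) * w for q, w in weights.items())
    return 100.0 * earned / (max_raw * total_weight)


def rank_vendors(vendor_scores, weights):
    """Vendor names ordered best-first under the given weight profile."""
    return sorted(vendor_scores,
                  key=lambda v: weighted_score(vendor_scores[v], weights),
                  reverse=True)


def flag_disagreements(panel_scores, threshold=2):
    """Questions where any two panelists differ by >= threshold bands.

    panel_scores maps panelist -> {question: score} for one vendor.
    These are the items worth a short re-debate; the rest stand as scored.
    """
    flagged = []
    for q in QUESTIONS:
        values = [s[q] for s in panel_scores.values() if q in s]
        if len(values) >= 2 and max(values) - min(values) >= threshold:
            flagged.append(q)
    return flagged


# Constructed scores from two panelists for VendorB, disagreeing on research output.
PANEL_FOR_VENDOR_B = {
    "procurement": {"methodology": 4, "research_output": 3,
                    "reproducer_quality": 4, "cve_track_record": 5, "price": 2},
    "security": {"methodology": 4, "research_output": 5,
                 "reproducer_quality": 5, "cve_track_record": 5, "price": 2},
}

if __name__ == "__main__":
    for profile, weights in WEIGHT_PROFILES.items():
        ranking = rank_vendors(VENDOR_SCORES, weights)
        print(profile, [(v, round(weighted_score(VENDOR_SCORES[v], weights), 1))
                        for v in ranking])
    print("re-debate:", flag_disagreements(PANEL_FOR_VENDOR_B))
```

Under the cost-led profile the cheapest vendor ranks first; under the research-led profile the research vendor does, with the same raw scores. The weight profile, not the answers, decides the winner, which is why the weights need agreeing before the answers arrive.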
Research ledger
Coordinated disclosures published by SL7 research.
The same researchers run your engagement.
What founders say
“Thank you for being our pentest partners. Our user base is safer because of y'all.”

Vinay Hiremath
Co-founder, Loom
Common questions
What buyers ask before they sign.
- Is the template biased toward SL7?
- No. It is biased toward research-led firms in general, not specifically SL7. Any CREST firm with CVE disclosure track record should score well.
- Editable format?
- Yes. DOCX with the questions, plus PDF reference.
- Weighting guidance?
- Yes. Each question has a suggested weighting per audit driver (SOC 2, ISO 27001, regulator, DD).
- Will SL7 follow up after I download?
- Only if you opt in. Most buyers run the RFP first and engage vendors after panel scoring.
- Cost?
- Free.
Ready to run an RFP that filters for research output?
Drop your work email. Editable DOCX template arrives in your inbox.
CREST · CERT-In · SOC 2 · ISO 27001