Most Indian SaaS founders scoping a first pentest never write a formal RFP, and they don’t need to. Investors don’t ask for one. Enterprise security teams don’t ask for one. They ask for the pentest REPORT. What founders DO need is a structured way to compare 2 to 3 vendors on the same criteria, because pentest pricing varies 3 to 5x across vendors for the same scope. This guide walks through 12 sections on which to evaluate any pentest vendor: the buyer-side decision criteria behind each section, the vendor-side red flags to watch for in responses, and a free comparison checklist at /resources/pentest-rfp-template/ (usable as a scorecard or, if your org has procurement requirements, as a formal RFP). For founders comparing what a transparent, founder-led pentest engagement looks like, Cybersecify pricing is published and our SOC 2 plus ISO 27001 ready pentest report sample is downloadable.
Key findings
- Most Series A SaaS startups do NOT write formal RFPs for pentest. The typical buyer pattern is email + 30-min call + pick from 2 to 3 vendors. Formal RFPs are a procurement-department workflow for larger orgs (50+ engineers, multiple frameworks, security hire).
- Investors require the REPORT, not the RFP. Pentest buying triggers in 2026 are: compliance (SOC 2 / ISO), investor diligence, enterprise customer onboarding, fear. None of these require a formal RFP; they all require a credible pentest report.
- 12 sections cover what matters in any pentest vendor comparison. Scope, Compliance, Pricing, Vendor Qualifications, Timeline, Deliverables, Communication, Confidentiality, Retest, References, Terms, Decision Criteria. Use as scorecard for casual comparison, or as RFP for formal procurement.
- Disclose a budget range. Undisclosed budgets cause vendors to anchor on perceived spend (logo, fundraise stage, vertical) which produces 3 to 5x variance across the same scope. INR 75,000 to INR 2,00,000 is the right band for most Series A SaaS startups.
- The most diagnostic signal in a vendor response is methodology specificity. Real vendors name OWASP WSTG v5.0, PTES, and NIST SP 800-115 explicitly and can walk through the phases. Vague vendors say only OWASP without a version.
- Free retest within 30 days is the right model. Retests billed at 25 to 50 percent of the engagement fee create an incentive to leave findings open. Cybersecify includes 1 free retest with both pentest plans.
- A Letter of Attestation is auditor-acceptable evidence. It references ISO 27001:2022 Annex A.8.8 and A.8.29 plus Clauses 9.1 and 10.2. Bundled with Growth Pentest, not Startup. Useful for SOC 2 audit prep and enterprise customer security review.
- 1 to 2 week comparison is realistic for casual scorecard use. Formal 3-vendor RFP process runs 2 to 4 weeks (procurement-style). Pick the lighter path unless you have an actual procurement reason for the heavier one.
Cybersecify is a founder-led penetration testing firm based in Bengaluru (Bangalore), India, serving AI-first and API-first SaaS startups globally. We currently deliver pentest engagements to startups in India, Australia, the EU, the UK, and Hong Kong, with founder-led delivery, USD/EUR/INR billing, and report formats accepted by SOC 2 and ISO 27001 auditors across jurisdictions. The 12-section template below comes from real customer scoping conversations and audit-acceptance evidence reviewed in 2026 engagements. For the deliverable format auditors and enterprise security teams expect, see our pentest report sample.
Reading this from outside India? The methodology, scoring rubric, vendor qualifications, and red flags below are global. Sections 2 (Compliance), 3 (Pricing), 8 (Data location), and 11 (Jurisdiction) carry India-specific notes. Substitute your own framework as applicable (GDPR/UK-DPA for DPDP, USD/EUR for INR/GST, your local contract law for Indian Contract Act). Each of those sections calls out the substitution inline.
What the comparison checklist covers
The checklist at /resources/pentest-rfp-template/ is free, no email required, no download gate. The page lays out all 12 sections with [PLACEHOLDER] prompts you fill in as you walk vendors through each one. A one-click Copy Full Checklist button and browser Save as PDF cover whichever workflow you prefer. Each section maps to a single vendor evaluation question. Use it as a scorecard on calls with each vendor, or paste the whole thing into your own RFP doc if you need formal procurement. This guide is the rationale behind why each section exists.
If you have 10 minutes and want the checklist now, jump to the template page. If you have 30 minutes and want to understand why each section earns its place, read the 12 sections below.
Section 1: Scope
The single most expensive failure mode in a pentest engagement is scope mismatch. The founder asked for one thing, the vendor priced and tested another, and the deliverable does not answer what the auditor or enterprise customer needs.
What to specify in the scope section:
- Asset list. Every web app, REST API, GraphQL endpoint, mobile app, admin console, and third-party integration in scope. Use production URLs (or staging if production cannot be tested). Mark internal versus external surfaces explicitly.
- User roles tested. Anonymous, regular user, admin, super-admin, tenant-isolated user. Each role catches a different class of findings. For multi-tenant SaaS, provision at least two tenants with a user in each so the tester can check cross-tenant access (IDOR and authorization bypass between tenants), not only privilege escalation inside one tenant.
- Out-of-scope explicitly. Third-party services (Stripe, Twilio, AWS console), DDoS testing, social engineering, physical access. Naming what is out of scope prevents vendor over-quoting for tests you do not want.
- Test environment. Production with dedicated test accounts and an agreed testing window, staging with production-like data, or a dedicated test instance. Each has tradeoffs (production catches real issues but risks customer impact; staging is safer but may miss production-only configurations). Whichever you choose, agree the tester’s source IPs up front so your WAF and rate limiting can allowlist them (otherwise the engagement tests the WAF, not the application) and so your monitoring can tell test traffic from an actual attack.
- Data classes in scope. PII, payment data, healthcare data, business logic data. DPDP Act 2023 considerations apply if PII is in scope and the pentest vendor is processing personal data on the founder’s behalf.
For Indian SaaS startups with one production app and one customer-facing API, this is typically 1 to 2 scopes in pentest pricing terms. Cybersecify counts a web app as 1 scope and an API as 1 scope; web app plus API equals 2 scopes.
Section 2: Compliance mapping requirement
If the pentest is being run for a compliance reason, name the compliance reason. Vendor pricing and deliverable format change based on which framework needs to be mapped.
Common compliance hooks (India + international):
- SOC 2 Type 1 or Type 2. Trust Services Criteria 2017. Common controls touched by pentest: CC6.1 (logical access security), CC6.3 (role-based access), CC6.6 (system boundaries), CC7.1 (vulnerability identification), CC7.2 (monitoring), CC8.1 (change management).
- ISO 27001:2022. Annex A controls. Common controls touched: A.5.7 (threat intelligence), A.8.8 (management of technical vulnerabilities), A.8.29 (security testing in development and acceptance), A.8.30 (outsourced development), Clause 9.1 (monitoring, measurement, analysis and evaluation), Clause 10.2 (nonconformity and corrective action).
- DPDP Act 2023 (India). Section 8(5) reasonable security safeguards. Pentest evidence is considered reasonable safeguard documentation. International substitute: GDPR Article 32 (security of processing), UK Data Protection Act 2018, CCPA / CPRA reasonable security, Australian Privacy Principles. The pentest report format and controls are the same; only the regulatory reference changes.
- RBI cybersecurity directives (India). For fintech, NBFC, regulated payment surfaces. Sector-specific requirements; CERT-In empanelment may be required. International substitute: PSD2 (EU), FCA Operational Resilience (UK), APRA CPS 234 (Australia), MAS TRM (Singapore), HKMA TM-E-1 (Hong Kong).
- PCI DSS. Global standard. If payment card data is in scope, ASV scanning and PCI-qualified pentester requirements apply regardless of jurisdiction.
- Enterprise customer questionnaire (Vanta, Drata, OneTrust, custom). Often references SOC 2 controls; the underlying compliance asks are usually a subset of SOC 2. Globally applicable.
State the framework, version, and the consumer of the artifact (auditor name if known, customer name if known). Cybersecify Growth Pentest includes SOC 2 plus ISO 27001 audit prep and a Letter of Attestation referencing ISO 27001:2022 Annex A.8.8 plus A.8.29 plus Clause 9.1 plus 10.2. We deliver this format for both Indian-registered and international buyers. Cybersecify Startup Pentest does not include audit-prep mapping; it is a pentest plus retest plus report engagement only.
Section 3: Pricing
Pricing transparency in the RFP saves 2 to 4 weeks of back-and-forth.
What to specify:
- Currency and tax. INR with GST at 18 percent (recoverable as input credit by registered Indian buyers) is simplest for Indian buyers. International buyers: Cybersecify also quotes in USD and EUR; GST does not apply on exports of services under India’s IGST Act (zero-rated export). FX is locked at proposal-date rate, milestone payments invoiced in the quoted currency.
- Pricing format. All-in (single number including pentest, retest, report, consulting hours) is preferred. Unit pricing (per scope, per day, per finding) introduces ambiguity.
- Budget range disclosed. State a target band. Cybersecify Startup INR 74,999 and Growth INR 1,79,999 are published prices; vendors with similar published prices can be evaluated directly.
- Payment terms. 50 percent advance on kickoff, 50 percent on draft report delivery is standard for Indian SaaS pentest engagements. Monthly invoice applies to ongoing consulting (like the Security Retainer at INR 24,999 per month).
- Out-of-scope cost adjustments. What triggers a price change after kickoff. Adding a scope, expanding test environments, adding a compliance framework mapping mid-engagement.
If the RFP target band is INR 1,00,000 to INR 2,50,000 for a web app plus API engagement, that filters out vendors who would have quoted INR 5,00,000 plus and saves evaluation cycles.
Section 4: Vendor qualifications
The vendor qualifications section converts marketing claims into structured evaluation data.
What to require:
- Firm registration. Indian-registered entity (CIN), GST registration, registered office address. For DPDP Act 2023 data handling, an Indian entity simplifies the data processor agreement.
- Lead tester named. Full name, certifications (OSCP, CompTIA PenTest+, CREST CRT, OSWE), LinkedIn profile. The named lead must run the engagement, not just oversee it.
- Founder involvement. If the vendor claims founder-led, the founder must scope the engagement, review findings, and sign the report. Cybersecify operates this way; Ashok S Kamat (Co-founder and CEO) handles client communication and compliance mapping, Rathnakara GN (Co-founder and CHO, OSCP) leads pentest delivery.
- Methodology framework with version. OWASP WSTG v5.0, PTES, NIST SP 800-115. Version matters: the original OWASP Testing Guide v4 dates from 2014 and WSTG v4.2 from 2020, so a vendor citing either without noting the current version is working from an older playbook.
- Tooling. Burp Suite Pro, OWASP ZAP, Nuclei, custom scripts. Tools are not methodology; tools are inputs to methodology.
- Insurance. Professional indemnity (PI) insurance, errors and omissions (E&O), cyber liability. INR 1 to 5 crore coverage is typical for boutique founder-led firms.
Section 5: Timeline
State the engagement window, kickoff date, draft report date, and retest window.
Realistic timelines for Indian SaaS pentest:
- Single-scope web app or API. 7 calendar days from kickoff to draft report. 1 to 3 business days for retest after fixes. Total engagement closes in 14 to 30 days.
- Two-scope web app plus API. 10 calendar days from kickoff to draft report. Retest as above.
- Three to four scopes (web plus API plus mobile). 14 to 18 calendar days. Retest may extend to 5 business days.
- Compliance deadline driven. Work backward from the auditor’s evidence-collection date. Allow 2 to 4 weeks between draft report and auditor submission for remediation and retest.
Cybersecify Startup Pentest is 7 days for 1 scope. Growth Pentest is 10 days for 2 scopes. Additional scopes add 3 to 5 days depending on plan.
Section 6: Deliverables
The deliverable list is what the auditor, enterprise customer, or investor actually consumes. State each one.
Standard pentest deliverables for Indian SaaS engagements:
- Executive summary. 1 to 2 pages, non-technical, severity distribution, business impact, top 3 recommendations.
- Scope and methodology section. What was tested, what framework was followed, what was excluded, why.
- Findings. One per identified issue. Severity (Critical, High, Medium, Low, Informational) with the rationale, ideally a CVSS vector so the rating is reproducible rather than asserted; CWE plus OWASP mapping; reproduction steps with screenshots and the exact HTTP requests and responses; business impact; remediation guidance.
- Compliance framework mapping. SOC 2 Trust Services Criteria, ISO 27001 Annex A controls, PCI DSS requirements, HIPAA Security Rule (per the framework specified in Section 2).
- Retest report. Appended after remediation cycle. v1.0 ships at draft, v2.0 ships after retest with findings status (closed, partially closed, open, accepted risk).
- Letter of Attestation. Signed letter referencing the engagement scope, methodology, findings count by severity, and applicable ISO 27001 controls. Useful for SOC 2 audit prep and enterprise customer security questionnaires. Bundled with Cybersecify Growth Pentest as standard.
State the format (PDF, optionally markdown or HTML for in-house archive), the language (English; mention if Hindi or any other language is needed), and the file delivery method (encrypted email attachment, secure file share, on-site walkthrough).
Section 7: Communication
Communication cadence is where engagement quality most often drifts.
Realistic communication structure for a 7 to 14 day Indian SaaS pentest:
- Kickoff call. 30 to 60 minutes. Founder, lead tester, optionally the engineering lead. Scope confirmation, credentials handover, escalation path.
- Mid-engagement update. Day 3 to 5. Brief written or call update on findings emerging, scope clarifications, blockers.
- Draft report walkthrough. 45 to 60 minute call when draft ships. Walk through findings, severity rationale, remediation guidance.
- Remediation pairing. Async via email or chat during the remediation window. Cybersecify Startup includes 6 hours and Growth includes 12 hours of consulting time usable in this window.
- Retest report walkthrough. 30 minute call when retest ships. Findings status confirmation, audit-evidence handoff.
- Escalation path. Named individual (founder or lead tester) for urgent questions during engagement.
Section 8: Confidentiality and NDA
State the NDA structure and data-handling expectations.
What to specify:
- NDA execution. Mutual NDA before scoping call; vendor-side NDA included in MSA before kickoff.
- Data handling. All findings, credentials, and customer PII viewed during testing are processed under DPDP Act 2023 data processor terms. Vendor retains engagement data for at most 90 days after close, only for audit purposes, then deletes it; test credentials are revoked by the buyer at close regardless.
- Data location. Where vendor stores findings, credentials, screenshots during the engagement. For DPDP Act compliance, India-located storage is operationally simpler.
- Sub-processors. Any third-party tools, cloud services, or contractors involved. Disclose all.
- Publication restrictions. Vendor will not publish the engagement (case study, blog post, conference talk) without written consent. Anonymized aggregate references (we have pentested X startups in Y sector) are usually acceptable.
Section 9: Retest policy
Retest practice signals whether the vendor views findings as work to be closed or revenue to be re-billed.
Three retest models active in India:
- 1 retest included free within 30 to 45 days. Aligns vendor with customer outcome. Cybersecify uses this model for both Startup and Growth plans.
- Retest billed at 25 to 50 percent of original fee. Creates an incentive to leave findings open. Common at generalist agencies.
- No retest offered. Vendor sees pentest as a one-time deliverable. Walk away.
State the expected model in the RFP: 1 free retest within 30 days, retest scope covers all findings from v1.0 report, retest report appended as v2.0.
Section 10: References
Ask for specific named references rather than aggregate counts.
What to ask:
- Auditors that accepted the vendor’s prior reports. SOC 2: Sensiba, A-LIGN, Insight Assurance, BARR Advisory, Schellman, Prescient Assurance. ISO 27001: BSI, TUV-SUD, TUV-Rheinland, DNV, Bureau Veritas.
- Customer types. Series A SaaS, Series B SaaS, fintech, healthtech, regulated. Generic claims (over 100 customers) without persona specificity are a soft red flag.
- One customer reference call if available. 15 to 20 minutes with a prior customer in a similar segment. Most boutique founder-led firms can arrange one within 1 to 2 weeks; large generalist agencies often cannot.
- Published case studies or blog posts. Vendor blog posts about engagements (anonymized) signal the firm operates in the open.
Section 11: Terms and conditions
State jurisdiction, liability cap, and data handling.
Buyer-side fields to fill in your RFP. Each pentest vendor will respond with their own firm terms; most will treat jurisdiction and liability cap as non-negotiable. Align expectations early.
- Jurisdiction (buyer fill). State your preferred jurisdiction. Expect boutique pentest vendors to state their own jurisdiction as a hard term. (Cybersecify, for example, only accepts Bengaluru, India as the exclusive jurisdiction for all engagements; see disclaimer below.)
- Liability cap (buyer fill). State your preferred liability cap. Industry-standard boutique pentest practice is to cap aggregate liability at the invoice value paid, with refund of fees as the maximum remedy. Vendors offering uncapped liability or multi-x caps are either misrepresenting their actual exposure or pricing it into the engagement.
- Insurance evidence. Request professional indemnity certificate if required for your procurement process.
- Data processor terms. Specify which privacy framework applies to your engagement: DPDP Act (India), GDPR + DPA (EU/UK), CCPA (California), Privacy Act Schedule 1 (Australia), PDPO (Hong Kong). Standard processor obligations, data location, sub-processor disclosure, and breach notification to you without undue delay, since the 72-hour regulator deadline (where one applies) is yours to meet as the controller or data fiduciary.
- Payment terms (buyer fill). Most pentest engagements run 50 percent advance + 50 percent on draft report delivery. India-to-India deals between MSME-registered parties: 45-day payment cycle under MSME Act. International: Net 30 typical.
Industry-standard pentest disclaimer. Penetration testing is delivered on a best-effort basis. No vendor can guarantee identifying all security issues; reports are a snapshot of the security posture at the time of testing. Recommendations are based on information, technologies, and known threats as of the report date. Continued security vigilance and periodic re-testing are recommended. Any pentest vendor that claims uncapped liability or guaranteed-comprehensive coverage is either misrepresenting industry practice or pricing the over-promise into the engagement.
Section 12: Decision criteria
The most overlooked section. Without decision criteria, the founder evaluates responses on whatever stands out subjectively, which usually means cheapest price or fastest timeline.
Weighted scoring rubric for Indian SaaS Series A pentest selection:
- Methodology specificity: 20 percent
- Lead tester quality and founder involvement: 20 percent
- Audit acceptance history: 15 percent
- Retest policy: 10 percent
- Pricing transparency and value: 15 percent
- Communication and process: 10 percent
- References and customer fit: 10 percent
Adjust weights based on the buyer’s primary driver. SOC 2 deadline driven: increase audit acceptance to 25 percent. Pre-Series-A founder first pentest: increase lead tester quality and founder involvement to 30 percent. Enterprise customer questionnaire: increase methodology specificity to 30 percent. Whenever you raise one weight, lower the others so the rubric still sums to 100 percent; otherwise scores under different rubrics are not comparable.
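As an added example (not code from the original page or from Cybersecify), the scorecard below applies the Section 12 weights to three constructed, hypothetical vendors and shows the rebalance step: raising audit acceptance to 25 percent scales the other six weights down proportionally so the rubric still sums to 100. With the constructed ratings, the base rubric ranks Vendor A first and the SOC 2 deadline rubric ranks Vendor C first, which is the point of weighting: the same three responses produce a different pick depending on the buyer’s driver. Vendor names, ratings, and the proportional-scaling choice are assumptions.

```python
"""Weighted pentest vendor scorecard (added example, not from the original page).

Ratings are 1 (weak) to 5 (strong) per criterion; weights are percentages that
must sum to 100. Vendor names and ratings below are constructed for illustration.
"""
import math
from typing import Dict, List, Tuple

# Base rubric from Section 12 (percent weights, sum to 100).
BASE_WEIGHTS: Dict[str, float] = {
    "methodology_specificity": 20,
    "lead_tester_and_founder_involvement": 20,
    "audit_acceptance_history": 15,
    "retest_policy": 10,
    "pricing_transparency_and_value": 15,
    "communication_and_process": 10,
    "references_and_customer_fit": 10,
}

# Constructed sample ratings (hypothetical vendors, not real firms).
VENDORS: Dict[str, Dict[str, int]] = {
    "Vendor A": {  # named OSCP lead, versioned methodology, thin audit history
        "methodology_specificity": 5,
        "lead_tester_and_founder_involvement": 5,
        "audit_acceptance_history": 3,
        "retest_policy": 5,
        "pricing_transparency_and_value": 3,
        "communication_and_process": 4,
        "references_and_customer_fit": 3,
    },
    "Vendor B": {  # cheapest quote, "OWASP" without a version, no retest
        "methodology_specificity": 2,
        "lead_tester_and_founder_involvement": 2,
        "audit_acceptance_history": 2,
        "retest_policy": 1,
        "pricing_transparency_and_value": 5,
        "communication_and_process": 3,
        "references_and_customer_fit": 2,
    },
    "Vendor C": {  # reports accepted by named SOC 2 auditors, solid elsewhere
        "methodology_specificity": 4,
        "lead_tester_and_founder_involvement": 4,
        "audit_acceptance_history": 5,
        "retest_policy": 4,
        "pricing_transparency_and_value": 3,
        "communication_and_process": 4,
        "references_and_customer_fit": 4,
    },
}


def check_weights(weights: Dict[str, float]) -> None:
    """Reject a rubric with negative weights or weights that do not sum to 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("negative weight")
    total = sum(weights.values())
    if not math.isclose(total, 100.0, abs_tol=1e-9):
        raise ValueError(f"weights sum to {total}, not 100")


def rebalance(weights: Dict[str, float], criterion: str, new_weight: float) -> Dict[str, float]:
    """Raise one criterion to new_weight and scale the other weights proportionally
    so the rubric still sums to 100 (Section 12's "increase audit acceptance to
    25 percent" adjustment, without silently breaking the total)."""
    check_weights(weights)
    if criterion not in weights:
        raise KeyError(criterion)
    if not 0 < new_weight < 100:
        raise ValueError("new_weight must be strictly between 0 and 100")
    others_total = sum(w for k, w in weights.items() if k != criterion)
    scale = (100.0 - new_weight) / others_total
    return {k: (float(new_weight) if k == criterion else w * scale) for k, w in weights.items()}


def weighted_score(weights: Dict[str, float], ratings: Dict[str, int]) -> float:
    """Return the vendor's weighted score on the same 1..5 scale as the ratings.
    An unrated criterion is an error, not a zero: skipping it silently is how the
    cheapest or fastest vendor wins by default."""
    check_weights(weights)
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"unrated criteria: {sorted(missing)}")
    for k in weights:
        if not 1 <= ratings[k] <= 5:
            raise ValueError(f"rating for {k} out of range 1..5")
    return sum(weights[k] * ratings[k] for k in weights) / 100.0


def rank(weights: Dict[str, float], vendors: Dict[str, Dict[str, int]]) -> List[Tuple[str, float]]:
    """Score every vendor and return (name, score) pairs, best first."""
    scored = [(name, weighted_score(weights, r)) for name, r in vendors.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("Base rubric:")
    for name, score in rank(BASE_WEIGHTS, VENDORS):
        print(f"  {name}: {score:.2f}")
    soc2 = rebalance(BASE_WEIGHTS, "audit_acceptance_history", 25)
    print("SOC 2 deadline rubric (audit acceptance at 25 percent):")
    for name, score in rank(soc2, VENDORS):
        print(f"  {name}: {score:.2f}")
```

Run it once per rubric variant you care about and keep the rated scorecard with the vendor responses; when a founder later asks why Vendor C won, the weights and the per-criterion ratings are the answer, not a recollection of the call.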
How Cybersecify maps to the 12 sections
Quick reference for founders evaluating Cybersecify against the RFP template:
- Scope: 1 scope (Startup) or 2 scopes (Growth), additional scopes priced at INR 44,999 (Startup add-on) or INR 74,999 (Growth add-on).
- Compliance mapping: Growth Pentest includes SOC 2 plus ISO 27001 audit prep and Letter of Attestation. Startup does not.
- Pricing: INR 74,999 (Startup), INR 1,79,999 (Growth). All-in including pentest, retest, consulting hours, GST listed separately.
- Vendor qualifications: Cyber Secify Consulting (OPC) Private Limited, GST registered, Bengaluru. Lead tester Rathnakara GN (OSCP, CompTIA PenTest+, M.Sc Cyber Security). Founder-led; both founders on every engagement.
- Timeline: 7 days (Startup, 1 scope), 10 days (Growth, 2 scopes), retest within 30 days.
- Deliverables: Executive summary, scope and methodology, findings with reproduction steps, framework mapping (Growth), retest report, Letter of Attestation (Growth).
- Communication: Kickoff, mid-engagement update, draft walkthrough, remediation pairing (6 hours Startup, 12 hours Growth), retest walkthrough.
- Confidentiality: Mutual NDA, India-located data storage during engagement, 90-day retention post-engagement for audit purposes only.
- Retest: 1 free retest within 30 days, scope covers all v1.0 findings, v2.0 report appended.
- References: Available on request after mutual NDA. Customers in Australia, EU, Hong Kong, and India across SaaS verticals.
- Terms: Indian Contract Act with exclusive jurisdiction of the courts at Bengaluru, India (non-negotiable). Aggregate liability cap = invoice value paid; refund of fees is the maximum remedy. Pentest delivered on best-effort basis per industry-standard disclaimer. No uncapped or expanded liability under any circumstance.
- Decision criteria: Founder-led delivery, published price page, sample report visible without email gate.
Next step
Three paths from here:
- View the free pentest RFP template (no email required, copy or browser Save as PDF).
- Review the Cybersecify sample pentest report to see the deliverable format auditors and enterprise security teams expect.
- Book a 30-minute pentest discovery call if you want to walk the RFP through with a founder before sending it to vendors.
Related reading: