Pentest Vendor Comparison Checklist
A 12-section structured comparison checklist for evaluating pentest vendors. Use it as a scorecard when comparing 2 to 5 vendors, or paste it into your own RFP doc if you need formal procurement. Built for SaaS founders sizing up vendors for the first time, with India-specific notes called out inline so international buyers can substitute their own framework.
No email required to view. No download gate, no tracking pixel. Use browser Save as PDF if you want a PDF copy.
How buyers use this: Most Series A SaaS startups don't write formal RFPs for pentest. Use this as a lightweight scoring sheet across 2 to 3 vendors you're comparing. Larger orgs with procurement requirements can drop the same 12 sections directly into a formal RFP. Read the full rationale on the blog for why each section matters.
12 Sections to Compare Any Pentest Vendor
A buyer-side scoring framework for SaaS founders evaluating pentest vendors. Use as a lightweight scorecard for 2 to 3 vendor comparisons, or as a formal RFP for larger procurement processes.
This template is the buyer's working document. Sections marked [PLACEHOLDER] are buyer-fill fields. Sections under "Reference: How Cybersecify answers" at the end are illustrative benchmark answers from one published vendor. Use them as a comparison baseline when scoring other vendor responses. Re-validated by Cybersecify every 6 months against active 2026 engagements.
Document Details
| Title | Pentest Vendor Comparison Checklist |
|---|---|
| Version | v1.0 (June 2026) |
| Audience | Series A SaaS founders, security leads, procurement teams evaluating pentest vendors |
| Use modes | (a) Lightweight scoring sheet for 2-3 vendor calls; (b) Formal RFP document for procurement-driven evaluation |
| Sections | 12 vendor-evaluation sections (Sections 2 to 13; Section 1 is buyer-side metadata used only in formal-RFP mode) + Reference table (Cybersecify answers) + Next-step CTA |
| Buyer-fill markers | Square brackets [LIKE THIS] indicate fields the buyer fills before sending to vendors |
| Geography | India-primary with international substitutes called out inline in Sections 2, 3, 8, 11 |
| License | Free to copy, adapt, redistribute. Attribution appreciated but not required. |
| Update cadence | Every 6 months based on Cybersecify engagement learnings + regulatory updates (DPDP Rules, RBI directives, EU/UK changes) |
| Prepared By | Cybersecify (Cyber Secify Consulting (OPC) Private Limited, Bengaluru, India) |
Table of Contents
- Issued-by metadata (formal-RFP mode only)
- Scope
- Compliance mapping requirement
- Pricing
- Vendor qualifications
- Timeline
- Deliverables
- Communication
- Confidentiality and NDA
- Retest policy
- References
- Terms and conditions
- Decision criteria (weighted rubric)
- Reference: How Cybersecify answers each section
- Next step
1. Issued-by Metadata (formal-RFP mode)
Two ways to use this checklist:
- As a lightweight scorecard (Series A and smaller): ask each vendor these questions over a 30-minute call or email exchange, log answers in your own notes, score in Section 13. Skip this issued-by section.
- As a formal RFP (larger orgs with procurement): fill in the buyer-side fields below and send the whole document to 3 to 5 vendors.
| Issued by | [YOUR COMPANY NAME] ([YOUR ENTITY TYPE, e.g., Pvt Ltd / OPC / Inc / GmbH / Ltd]) |
|---|---|
| Issued date | [DD MMM YYYY] |
| Response deadline | [DD MMM YYYY, HH:MM local time] |
| Submit responses to | [security@yourcompany.com] |
| Buyer contact | [Name, Role, Email, Phone] |
2. Scope
The vendor will perform a penetration test on the following assets.
- Asset list: [List every web app, REST API, GraphQL endpoint, mobile app, admin console, third-party integration in scope. Mark production URL or staging.]
- User roles tested: [Anonymous / Regular user / Admin / Super-admin / User in a second tenant for cross-tenant isolation checks. Each role catches a different finding class; untested roles are untested attack surface.]
- Explicitly out of scope: [Third-party services like Stripe / Twilio / AWS console. DDoS testing. Social engineering. Physical access.]
- Test environment: [Production with rate-limited credentials / Staging with prod-like data / Dedicated test instance.]
- Data classes in scope: [PII / Payment data / Healthcare data / Business logic data. Applicable privacy framework: DPDP Act 2023 (India) / GDPR (EU) / CCPA (US) / Privacy Act (Australia) / PDPO (Hong Kong).]
Scope total: [N scopes] (web app = 1, API = 1, mobile = 1, admin console = 1 by Cybersecify convention).
3. Compliance Mapping Requirement
The engagement is being run to satisfy the following compliance or stakeholder requirement.
- Framework and version: [SOC 2 Type 1 / SOC 2 Type 2 / ISO 27001:2022 / DPDP Act 2023 (India) / GDPR + UK-DPA / CCPA + CPRA (US) / APRA CPS 234 (AU) / RBI directives (IN fintech) / PCI DSS / Enterprise customer questionnaire (Vanta, Drata, OneTrust).]
- Consumer of the artifact: [Auditor name if known / Enterprise customer name if known / Investor diligence team.]
- Specific controls expected to be mapped: [List relevant control IDs. e.g., SOC 2 CC6.1, CC6.3, CC6.6, CC7.2, CC8.1. ISO 27001:2022 A.5.7, A.8.8, A.8.29, A.8.30, Clause 9.1, Clause 10.2.]
- Deliverable language: [English / other.]
4. Pricing
Vendor will quote in the following format.
- Currency: INR with GST shown separately at 18 percent for Indian buyers; USD or EUR for international buyers (export of services from India is GST-zero-rated, FX locked at proposal date).
- Pricing format: All-in single number including pentest, retest, report, consulting hours bundled if any. Unit pricing (per scope / per day / per finding) not accepted.
- Budget range: [State a target band. e.g., INR 1,00,000 to INR 2,50,000 / USD 1,500 to 3,500 / EUR 1,400 to 3,200 for web app + API.]
- Payment terms: [50 percent advance on kickoff, 50 percent on draft report delivery is standard. Monthly invoice for ongoing consulting.]
- Out-of-scope cost adjustments: Vendor must list what triggers a price change after kickoff.
5. Vendor Qualifications
Vendor will provide the following with the response.
- Firm registration: Legal entity name, company registration number (CIN for India / Companies House number for UK / state Secretary of State filing for US / equivalent), tax registration (GSTIN / VAT number / EIN), registered office address.
- Lead tester named: Full name, certifications (OSCP, CompTIA PenTest+, CREST CRT, OSWE), LinkedIn profile URL. The named lead must run the engagement, not just oversee.
- Founder involvement: If claiming founder-led, founder must scope, review findings, and sign the report.
- Methodology framework with version: e.g., OWASP WSTG (state the release used), OWASP MASTG for mobile scopes, PTES, NIST SP 800-115. A framework named without its version does not count.
- Tooling: Burp Suite Pro, OWASP ZAP, Nuclei, custom scripts.
- Insurance: Professional indemnity, errors and omissions, cyber liability. State coverage amount in your currency.
6. Timeline
The engagement must complete within the following window.
- Kickoff date: [DD MMM YYYY]
- Draft report date: [DD MMM YYYY] ([N] calendar days from kickoff)
- Retest window: [Days from draft report]
- Final report date: [DD MMM YYYY]
- Audit / customer evidence-collection date: [DD MMM YYYY] (if applicable)
Realistic durations: 1 scope = 7 days, 2 scopes = 10 days, 3 to 4 scopes = 14 to 18 days from kickoff to draft report.
7. Deliverables
Vendor will deliver the following.
- Executive summary (1 to 2 pages, non-technical, severity distribution, business impact, top 3 recommendations).
- Scope and methodology section (what was tested, what framework, what was excluded, why).
- Findings (one per issue: severity, CWE + OWASP mapping, reproduction steps with screenshots and HTTP requests, business impact, remediation).
- Compliance framework mapping (per Section 3 framework).
- Retest report (v2.0 appended after remediation cycle with findings status).
- Letter of Attestation (signed letter referencing scope, methodology, findings count by severity, applicable controls). [REQUIRED / NOT REQUIRED]
- Format: PDF. Optional Markdown or HTML for in-house archive.
- Delivery method: [Encrypted email attachment / Secure file share / On-site walkthrough.]
8. Communication
Engagement communication will follow this structure.
- Kickoff call: 30 to 60 min. Founder, lead tester, optional engineering lead. Scope confirmation, credentials handover, escalation path.
- Mid-engagement update: Day 3 to 5. Written or call update on findings, scope clarifications, blockers.
- Draft report walkthrough: 45 to 60 min call when draft ships.
- Remediation pairing: Async via email or chat during remediation window. [N hours of consulting time bundled.]
- Retest report walkthrough: 30 min call when retest ships.
- Escalation contact: [Named individual for urgent questions during engagement.]
9. Confidentiality and NDA
- NDA execution: Mutual NDA signed before the scoping call; the same confidentiality obligations carried into the MSA before kickoff.
- Data handling: All findings, credentials, and customer PII processed under data processor terms per applicable framework (DPDP Act for India / GDPR Article 28 + DPA for EU and UK / CCPA service-provider terms for US / Privacy Act Schedule 1 APPs for Australia). Vendor retention not to exceed engagement + 90 days, for audit purposes only, with deletion confirmed in writing at the end of that period. Buyer revokes or rotates every test credential issued to the vendor at engagement close.
- Data location: [State your preference. India / EU / US / vendor's choice with disclosure.]
- Sub-processors: Vendor will disclose any third-party tools, cloud services, contractors.
- Publication: Vendor will not publish the engagement (case study, blog, talk) without written consent. Anonymized aggregate references allowed.
10. Retest Policy
- Retest included: 1 free retest within 30 to 45 days of draft report.
- Retest scope: All findings from v1.0 report.
- Retest report: v2.0 appended with findings status (closed, partially closed, open, accepted risk).
- Out-of-policy retest: Vendor will state cost for additional retests beyond the first if requested.
11. References
- Auditors that accepted vendor's prior reports: SOC 2 (Sensiba, A-LIGN, Insight Assurance, BARR Advisory, Schellman, Prescient Assurance). ISO 27001 (BSI, TUV-SUD, TUV-Rheinland, DNV, Bureau Veritas).
- Customer types served: Series A SaaS, Series B SaaS, fintech, healthtech, regulated.
- One customer reference call: 15 to 20 min with a prior customer in similar segment.
- Published case studies or anonymized blog posts: Vendor will share links if available.
12. Terms and Conditions
Buyer-side fields to fill in your RFP. Each vendor will respond with their own firm terms.
- Jurisdiction (buyer fill): [STATE YOUR JURISDICTION PREFERENCE. Most vendors will state their own as non-negotiable; align expectations early.]
- Liability cap (buyer fill): [STATE YOUR PREFERRED CAP. Most boutique pentest firms cap at invoice value; refund is the realistic worst-case remedy.]
- Insurance evidence: [Request professional indemnity certificate if required for your procurement process.]
- Data processor terms: [Specify which privacy framework applies to your data: DPDP Act, GDPR, CCPA, Privacy Act, PDPO, etc.]
- Payment terms (buyer fill): [State your standard payment cycle. Most pentest vendors operate on 50% advance + 50% on draft report.]
13. Decision Criteria (Weighted Rubric)
Responses will be scored using this weighted rubric. Adjust weights for your driver.
| Criterion | Default weight | Adjust if |
|---|---|---|
| Methodology specificity (named framework with version, phase-by-phase walkthrough) | 20% | Enterprise customer questionnaire driving: 30% |
| Lead tester quality and founder involvement | 20% | Pre-Series-A first pentest: 30% |
| Audit acceptance history (specific auditor names) | 15% | SOC 2 deadline driving: 25% |
| Retest policy (free retest, scope match) | 10% | No adjustment |
| Pricing transparency and value (all-in, published price) | 15% | No adjustment |
| Communication and process | 10% | No adjustment |
| References and customer fit | 10% | No adjustment |
Walk away if: vendor refuses to share a sanitized sample report, will not name the lead tester before contract, or quotes significantly below INR 75,000 / USD 900 / EUR 850 for a 7-day single-scope engagement.
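The rubric above leaves one step implicit: when you raise one weight per the "Adjust if" column, the other weights have to shrink so the total stays at 100 percent. The script below is an added example (not part of the checklist and not a Cybersecify tool) that applies the hard walk-away filters first, renormalizes the remaining weights proportionally for a chosen driver, and ranks the vendors. Vendor names, 1-to-5 scores, and quotes are constructed placeholders, not real vendor responses.

```python
"""Weighted scoring for the Section 13 rubric (added example, not a vendor tool).

Scores are 1 (poor) to 5 (excellent) per criterion. A vendor that trips a
walk-away condition is not scored at all and is listed last.
"""
from dataclasses import dataclass

# Default weights from the Section 13 table; they sum to 100.
DEFAULT_WEIGHTS = {
    "methodology": 20,
    "lead_tester": 20,
    "audit_acceptance": 15,
    "retest": 10,
    "pricing": 15,
    "communication": 10,
    "references": 10,
}

# "Adjust if" overrides from the table, keyed by the buyer's driver.
DRIVER_OVERRIDES = {
    "enterprise_questionnaire": {"methodology": 30},
    "first_pentest": {"lead_tester": 30},
    "soc2_deadline": {"audit_acceptance": 25},
}

# Walk-away price floor for a 7-day single-scope engagement (Section 13).
PRICE_FLOOR = {"INR": 75_000, "USD": 900, "EUR": 850}


def adjusted_weights(driver=None):
    """Apply a driver override and scale the untouched weights so the total stays 100."""
    if driver is None:
        return dict(DEFAULT_WEIGHTS)
    overrides = DRIVER_OVERRIDES[driver]
    fixed = sum(overrides.values())
    remaining = sum(w for k, w in DEFAULT_WEIGHTS.items() if k not in overrides)
    scale = (100 - fixed) / remaining
    return {k: overrides.get(k, w * scale) for k, w in DEFAULT_WEIGHTS.items()}


@dataclass
class VendorResponse:
    name: str
    scores: dict            # criterion -> 1..5
    sample_report_shared: bool
    lead_tester_named: bool
    quote: float
    currency: str
    scopes: int = 1


def walk_away_reasons(v):
    """Hard filters from Section 13; any hit disqualifies before scoring."""
    reasons = []
    if not v.sample_report_shared:
        reasons.append("refused to share a sanitized sample report")
    if not v.lead_tester_named:
        reasons.append("will not name the lead tester before contract")
    if v.scopes == 1 and v.quote < PRICE_FLOOR[v.currency]:
        reasons.append(f"quote {v.quote:.0f} {v.currency} is below the single-scope floor")
    return reasons


def weighted_score(v, weights):
    """Return a 0..100 score: sum(weight * score) scaled from the 1..5 range."""
    missing = set(weights) - set(v.scores)
    if missing:
        raise ValueError(f"{v.name}: no score for {sorted(missing)}")
    for criterion, s in v.scores.items():
        if not 1 <= s <= 5:
            raise ValueError(f"{v.name}: {criterion} score {s} outside 1..5")
    return sum(weights[c] * v.scores[c] for c in weights) / 5.0


def rank_vendors(vendors, driver=None):
    """Return [(name, score or None, walk_away_reasons)], best first, disqualified last."""
    weights = adjusted_weights(driver)
    ranked = []
    for v in vendors:
        reasons = walk_away_reasons(v)
        score = None if reasons else weighted_score(v, weights)
        ranked.append((v.name, score, reasons))
    ranked.sort(key=lambda r: (r[1] is None, -(r[1] or 0.0)))
    return ranked


# Constructed placeholder responses for a worked run (hypothetical vendors).
SAMPLE_VENDORS = [
    VendorResponse("Vendor A", {"methodology": 4, "lead_tester": 5, "audit_acceptance": 3,
                                "retest": 5, "pricing": 4, "communication": 4, "references": 3},
                   True, True, 150_000, "INR", scopes=2),
    VendorResponse("Vendor B", {k: 5 for k in DEFAULT_WEIGHTS}, False, True, 120_000, "INR"),
    VendorResponse("Vendor C", {k: 3 for k in DEFAULT_WEIGHTS}, True, True, 50_000, "INR"),
]

if __name__ == "__main__":
    for name, score, reasons in rank_vendors(SAMPLE_VENDORS, driver="first_pentest"):
        print(name, "DISQUALIFIED: " + "; ".join(reasons) if reasons else f"{score:.1f}")
```

With the `first_pentest` driver, lead-tester quality goes to 30 percent and the other six criteria are scaled by 70/80, so a vendor strong on the named tester but weak on audit history moves up the ranking; Vendor B is dropped regardless of its perfect scores because it withheld a sample report, and Vendor C is dropped on price alone.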
Reference: How Cybersecify Answers Each Section
Use this as a benchmark when reading vendor responses. Cybersecify pricing and methodology are published; the sample report is downloadable without an email gate. We currently deliver to startups in India, Australia, EU, UK, and Hong Kong with founder-led delivery and USD / EUR / INR billing.
| Section | Cybersecify response |
|---|---|
| 2. Scope | 1 scope (Startup, INR 74,999 / ~USD 900) or 2 scopes (Growth, INR 1,79,999 / ~USD 2,160). Add-on scopes: INR 44,999 (Startup) or INR 74,999 (Growth). |
| 3. Compliance mapping | SOC 2 + ISO 27001:2022 audit prep bundled with Growth Pentest. Letter of Attestation referencing A.8.8, A.8.29, Clause 9.1, Clause 10.2. International framework substitutes (GDPR, CCPA, APRA) accommodated on request. |
| 4. Pricing | All-in INR, USD, or EUR. India deals: GST 18% shown separately. International deals: zero-rated export, no GST. 50 percent advance on kickoff, 50 percent on draft report. |
| 5. Vendor qualifications | Cyber Secify Consulting (OPC) Private Limited. GST registered. Bengaluru. Lead tester Rathnakara GN (OSCP, CompTIA PenTest+, M.Sc Cyber Security). Founder-led: both founders on every engagement. |
| 6. Timeline | 7 days (Startup, 1 scope), 10 days (Growth, 2 scopes). Retest within 30 days. |
| 7. Deliverables | Executive summary, scope + methodology, findings with reproduction steps, framework mapping (Growth), retest report (v2.0), Letter of Attestation (Growth). |
| 8. Communication | Kickoff, mid-engagement update, draft walkthrough, remediation pairing (6 hrs Startup, 12 hrs Growth), retest walkthrough. Async-first across timezones (IST / CET / AEST / HKT / GMT). |
| 9. Confidentiality | Mutual NDA. India-located storage default; EU-located on request for GDPR-strict buyers. 90-day retention post-engagement for audit only. |
| 10. Retest | 1 free retest within 30 days. Scope covers all v1.0 findings. v2.0 report appended. |
| 11. References | Available on request after mutual NDA. Current customers in Australia, EU, UK, Hong Kong, India across SaaS verticals. |
| 12. Terms | Jurisdiction: Bengaluru, India (non-negotiable). Indian Contract Act applies. Liability cap = invoice value paid; refund of fees is the maximum remedy. Pentest delivered on best-effort basis per industry-standard disclaimer (see below). No uncapped or expanded liability under any circumstance. |
| 13. Decision criteria | Founder-led delivery, published price page, sample report visible without email gate, named lead tester before contract. |
Cybersecify Engagement Disclaimer
This disclaimer applies to every Cybersecify pentest engagement and supersedes any conflicting term in a buyer's RFP or MSA. It reflects industry-standard pentest practice.
Best-effort basis
Penetration testing is inherently limited by the scope, time, and resources allocated to the engagement. No individual or organisation can guarantee identifying all security issues. Testing is conducted on a best-effort basis, and the findings reported are specific to the environment provided for testing. The dynamic nature of technology and the constant evolution of new attack techniques mean that security assessments can only provide a snapshot of the current security posture.
Limitations of testing
Reported findings apply exclusively to the tested environment and configurations during testing. Information systems rely on human factors and can be inherently vulnerable to human error. While we make every reasonable effort to identify significant security vulnerabilities in the in-scope assets, it is impossible to assure that all potential vulnerabilities have been discovered.
Scope of findings
Recommendations are based on information, technologies, and known threats as of the date of the report. As technologies and risks evolve, so will the nature of vulnerabilities and the necessary mitigation measures.
Continued vigilance
Security is an ongoing process. Regular assessments and updates to security measures are essential to maintaining a strong security posture. Periodic penetration testing and continuous monitoring are recommended to adapt to new threats and vulnerabilities.
Jurisdiction and liability
Jurisdiction: All Cybersecify engagements are governed by the Indian Contract Act with exclusive jurisdiction of the courts at Bengaluru, India. This is non-negotiable across all geographies. Liability cap: Cybersecify's maximum aggregate liability under any engagement is limited to the invoice value paid for that engagement. The maximum remedy available to the client is a refund of fees paid. No consequential, indirect, incidental, or special damages will apply.
Acknowledgement
By accepting a Cybersecify engagement or report, the client acknowledges the testing's inherent limitations, agrees to the Bengaluru-jurisdiction + invoice-value liability cap above, and understands the necessity of ongoing security vigilance.
Next Step
Three paths from here.
- Send this checklist to 3 to 5 vendors. Use the rubric in Section 13 to score responses.
- Review the Cybersecify sample pentest report to see the deliverable format auditors and enterprise security teams expect.
- Book a 30-minute discovery call if you want to walk this checklist through with a founder before sending it to vendors.