JUNE 2026 · 9 MIN READ

How to scope a penetration testing RFP in Rwanda (with a tender checklist)

Public tenders for security testing are published in Rwanda every year, and many of them select the wrong vendor before a single bid arrives. The cause is almost always the document itself: a vague scope produces incomparable bids, and incomparable bids collapse the decision to price, where a repackaged vulnerability scan beats a real penetration test every time.

This guide is for the people who write and evaluate those documents: CISOs, heads of IT, procurement teams, and risk officers at banks, MFIs, payment providers, insurers, and public institutions. It covers what to specify, what to require from bidders, how to score the responses, and the calendar to run it on.

Why VAPT tenders select the wrong vendor

Three patterns do most of the damage:

  • Vague scope. "Conduct penetration testing of the bank's systems" invites every bidder to imagine a different engagement. One prices three days of scanning; another prices three weeks of manual testing. The numbers cannot be compared, so the lowest one wins.
  • Company-level requirements instead of tester-level ones. Asking for "a certified company" lets a firm with one certificate-holder in another country bid local work performed by uncertified staff. BNR Regulation N°50/2022 cares about who performs the test; your tender should too.
  • No deliverable standard. If the RFP never defines what the report must contain, an unedited scanner export technically satisfies it. Your examiner will disagree.

The regulatory floor: Article 10 of BNR Regulation N°50/2022 requires an annual penetration test by testers holding a recognised certification (the regulation names CISSP, CISM, CISA, CEH, OSCP, LPT, or similar), an executive summary filed with BNR within 15 days, and a 15 January self-assessment. A tender that does not enforce these requirements procures a compliance failure.

Before you write: inventory and objective

Two pieces of homework determine whether your RFP can be scoped honestly.

Count your assets. Bidders cannot price what you have not counted. List the web applications (and roughly how many screens or user roles each has), the APIs and how many endpoints, the external IP ranges, the mobile apps per platform, and any USSD or mobile-money flows. You do not need to publish sensitive detail in the tender; ranges are enough for comparable bids, and the winning bidder confirms exact scope under NDA.

Name the driver. "BNR Article 10 compliance for the annual test", "SWIFT CSP independent assessment support", and "assurance before a core-banking migration" each produce a different engagement. State the driver in the RFP so bidders propose against the outcome you actually need, and so the report arrives in a format your regulator can file.

What the scope section must specify

  • Testing types (external network, web application, API, mobile, internal, social engineering): include only what you need, but name each explicitly.
  • Asset counts or ranges per testing type, as inventoried above.
  • Environment: production, staging, or both, and any testing windows for critical systems.
  • Location: whether on-site work in Rwanda is required, and for which phases.
  • Retest: require one remediation retest of confirmed findings in the base price, with a deadline.
  • Reporting: an executive summary suitable for board and regulator, technical findings with reproduction steps and evidence, severity ratings with business context, and a remediation plan. For BNR-supervised institutions, state that the report must be ready to support the 15-day executive-summary filing.

Vendor requirements that actually filter

These requirements make the difference between manual penetration testing and repackaged scanning visible before you sign, and they are all verifiable:

  1. Named individuals and credentials. Require the CVs and certification IDs of the testers who will perform the work, not the company's trophy cabinet. Verify at least one holds a hands-on offensive credential; OSCP is among the certifications BNR's regulation names.
  2. Manual methodology. Require the bidder to describe their manual testing approach against a recognised methodology (OWASP, PTES) and to state the split between automated and manual effort.
  3. A redacted sample report. Nothing shows a bidder's real testing depth faster. Look for chained exploitation, business-impact narrative, and evidence, not a list of CVE numbers.
  4. Regulated-sector references. Experience inside banks or regulated environments, even where client names are protected by NDA, described specifically.
  5. Data handling under Rwandan law. Where will your evidence and findings be stored and processed? Law N°058/2021 applies to the engagement artefacts themselves.
  6. NDA, insurance, and authorisation. Signed rules of engagement, professional indemnity cover, and written authorisation procedures before any testing begins.

The evaluation grid

Publish the weights in the tender. A defensible split:

  • Technical capability, 40%: tester credentials (verified per individual), methodology, sample report quality.
  • Relevant experience, 20%: regulated-sector engagements, Rwanda or East Africa presence, on-site capability.
  • Engagement quality, 10%: scoping questions the bidder asks back, retest terms, communication plan.
  • Price, 30%: scored against the median bid, not the lowest.

That third category is underrated: a bidder who asks precise scoping questions before quoting is showing you how they will run the engagement. A bidder who returns a price within hours without a single question has priced a template, and you will receive one.

Red flags that should end a bid: a fixed quote with no scoping questions, a sample report that is an unedited scanner export, refusal to name the individuals who will test, and certifications that cannot be verified. Our buyer's guide covers the full red-flag list.
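The grid and the red-flag rule above, as an added worked example in Python (it is not a tool from the article or from any vendor it describes). The weights are the page's 40/20/10/30; everything else is an assumption: panel scores on the three quality criteria run 0 to 10, price is scored against the median of the qualifying bids only, with full marks at the median, a proportional loss above it and no bonus below it, a bid carrying any red flag is disqualified before price is considered, and the vendor names and prices are constructed.

```python
"""Weighted evaluation of VAPT tender bids (added example, not the article's tool).

Weights follow the grid on the page: technical 40, experience 20,
engagement quality 10, price 30. Assumed: panel scores are 0-10, the
median qualifying bid earns full price marks, bids above it lose marks
in proportion, bids below it gain nothing extra (undercutting buys no
points), and any red flag disqualifies a bid before scoring.
"""
from dataclasses import dataclass
from statistics import median

WEIGHTS = {"technical": 40, "experience": 20, "engagement": 10, "price": 30}


@dataclass(frozen=True)
class Bid:
    vendor: str
    technical: float          # panel score 0-10: credentials, methodology, sample report
    experience: float         # panel score 0-10: regulated-sector work, regional presence
    engagement: float         # panel score 0-10: scoping questions, retest terms, comms plan
    price: float              # total quoted price (constructed values below)
    named_testers: bool       # individual testers named with CVs
    certs_verified: bool      # certification IDs checked with the issuer
    asked_scoping_questions: bool
    sample_is_scanner_export: bool


@dataclass(frozen=True)
class Result:
    vendor: str
    total: float              # 0-100 weighted score; 0.0 when disqualified
    flags: tuple              # red flags that disqualified the bid, if any


def red_flags(bid: Bid) -> list[str]:
    """Return the disqualifying red flags the article lists for this bid."""
    flags = []
    if not bid.named_testers:
        flags.append("refuses to name the individuals who will test")
    if not bid.certs_verified:
        flags.append("certifications could not be verified")
    if not bid.asked_scoping_questions:
        flags.append("fixed quote with no scoping questions")
    if bid.sample_is_scanner_export:
        flags.append("sample report is an unedited scanner export")
    return flags


def price_score(price: float, reference: float) -> float:
    """0-10 price score against the reference (median) bid; assumed formula."""
    if price <= 0 or reference <= 0:
        raise ValueError("prices must be positive")
    return 10.0 * min(1.0, reference / price)


def weighted_total(bid: Bid, reference_price: float) -> float:
    """Combine the four criteria with the published weights into a 0-100 score."""
    parts = {
        "technical": bid.technical,
        "experience": bid.experience,
        "engagement": bid.engagement,
        "price": price_score(bid.price, reference_price),
    }
    for name, value in parts.items():
        if not 0 <= value <= 10:
            raise ValueError(f"{name} score out of range for {bid.vendor}")
    return sum(WEIGHTS[name] * value / 10 for name, value in parts.items())


def rank_bids(bids: list[Bid]) -> list[Result]:
    """Disqualify flagged bids, score the rest against the median qualifying price, rank."""
    qualified = [b for b in bids if not red_flags(b)]
    if not qualified:
        return [Result(b.vendor, 0.0, tuple(red_flags(b))) for b in bids]
    reference = median(b.price for b in qualified)
    results = [Result(b.vendor, weighted_total(b, reference), ()) for b in qualified]
    results += [Result(b.vendor, 0.0, tuple(red_flags(b))) for b in bids if red_flags(b)]
    return sorted(results, key=lambda r: r.total, reverse=True)


# Constructed sample bids; vendor names and prices are illustrative only.
SAMPLE_BIDS = [
    Bid("Vendor A", 3, 3, 2, 5_000_000, True, False, False, True),   # cheapest: scanner resale
    Bid("Vendor B", 9, 8, 9, 12_000_000, True, True, True, False),   # thorough, highest price
    Bid("Vendor C", 7, 6, 6, 9_000_000, True, True, True, False),    # adequate, cheaper

]

if __name__ == "__main__":
    for r in rank_bids(SAMPLE_BIDS):
        status = f"{r.total:6.2f}" if not r.flags else "DISQUALIFIED: " + "; ".join(r.flags)
        print(f"{r.vendor}: {status}")
```

On the constructed bids the scanner reseller is out before its price is ever compared, and the thorough bidder finishes ahead of the cheaper adequate one (87.25 against 76.0) even though it loses price marks for sitting above the median. Swap the price formula for "lowest bid gets full marks" and the cheap bid starts to dominate, which is exactly the collapse to price the article warns about.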

The procurement calendar

A realistic VAPT procurement runs four to six weeks: a week or two for bidder questions and scoping calls, a week for evaluation and award, then scheduling. Two Rwanda-specific constraints shape the calendar:

  • The 15 January self-assessment. BNR-supervised institutions need the year's test completed, the executive summary filed within 15 days of testing, and remediation evidenced before the January filing. Counting backwards, a tender issued later than September is already tight; Q4 testing slots fill first. The 2026 filing calendar maps the full sequence.
  • SWIFT CSP attestation. If the engagement also supports your SWIFT CSP independent assessment, the attestation window runs July to December, and the assessment must precede it.

The copy-paste requirements checklist

Paste this into the requirements section of your RFP and edit the counts:

  • Scope: external network (N IP addresses), web applications (N apps, roles per app), APIs (N endpoints), mobile (Android/iOS), USSD flows (N), internal segment (optional)
  • Manual penetration testing required; automated scanning alone does not satisfy this tender
  • CVs and verifiable certification IDs of the named individuals performing the work; at least one hands-on offensive certification (e.g. OSCP) among the regulation-recognised credentials
  • Methodology statement referencing OWASP or PTES, with the manual/automated effort split
  • Redacted sample report demonstrating manual exploitation and business-impact analysis
  • Executive summary suitable for board and regulator; findings with evidence and reproduction steps; remediation plan with severities
  • Report delivered within 7 business days of testing completion, supporting BNR's 15-day executive-summary filing
  • One remediation retest of confirmed findings included in the base price
  • Statement on storage and processing of engagement data under Law N°058/2021
  • Signed NDA and rules of engagement before testing; professional indemnity insurance
  • References from regulated-sector engagements (NDA-respecting descriptions accepted)
  • Evaluation weights: technical 40, experience 20, engagement quality 10, price 30

Get a bid worth evaluating

We respond to penetration testing RFPs and tenders from banks, MFIs, payment providers, insurers, and public institutions across Rwanda and East Africa, with OSCP-credentialled testing, BNR-fileable reporting, and a scoping call before any number. Send your draft RFP and we will flag scoping gaps before you publish it, no obligation: book a free call or start with a free breach exposure report to see your current exposure before you define scope.

Frequently asked questions

What should a penetration testing RFP in Rwanda include?
A precise asset inventory (applications, APIs, external IPs, mobile apps, USSD flows), the compliance driver (BNR Regulation N°50/2022, SWIFT CSP, ISO 27001), required tester credentials verified per individual, a manual-methodology requirement, a redacted sample report, retest terms, data-handling terms aligned to Law N°058/2021, and an evaluation grid that weights technical capability above price.
How do we stop scanner-only vendors winning our tender?
Require evidence of manual testing in the deliverable: chained exploitation narratives, business-impact write-ups, and proof-of-concept evidence, and ask each bidder to name the individual testers and their certifications. A vendor whose sample report is an unedited scanner export, or who quotes a price without asking scoping questions, is selling a vulnerability scan, which does not satisfy BNR requirements.
How long should a VAPT procurement take?
A realistic calendar is four to six weeks: one to two weeks for bidder questions and scoping calls, one week for evaluation, then scheduling. BNR-supervised institutions should work backwards from the 15 January self-assessment: testing finished, report filed within 15 days, and remediation evidenced before the filing date.
Should price decide a penetration testing tender?
Price should carry at most 30 to 40 percent of the evaluation weight. The cost difference between bids is usually small against the cost of a missed breach path or a report your regulator rejects. Weight named tester credentials, manual methodology, regulated-sector references, and report quality first.

Ready to secure your organisation?

We are a Kigali-based penetration testing firm, and our testing is led by an OSCP-credentialled practitioner. We work with banks, fintechs, and regulated institutions across Africa. Get a scoped quote within 48 hours.
