Greetings SecurityStreet! Writing proposals for Rapid7, I get daily exposure to the requests that customers and industry experts have for vulnerability management products and vendors. Throughout my tenure here, I've noticed many patterns in the way customers ask about vulnerability management. I see broad categories of functionality requests all the time, like Asset Discovery and Compliance Scanning, and in many cases I see requests copied verbatim between different RFPs!

We thought we'd help customers who are looking to purchase a vulnerability management solution but are hung up on the procurement process. By culling a list of the most common requests from customers as well as industry experts like Gartner and Forrester, we've created a set of requirements that can be useful to you when evaluating vulnerability management solutions. Our hope is that this can expedite the process of developing your own set of criteria to put down on paper, and leave you with a more informed decision when all is said and done.

There are a couple of special notes I'd like to point out about the material attached to this post.

  1. I think of us as thought leaders in a burgeoning industry rife with customer challenges. I like to think of my job here as helping to solve a complex puzzle. However, every person's or company's puzzle is a bit different, and yours might not be the same as someone else's on another team, at a company in another vertical. What we've put down here represents a broad aggregate sample that should be a general fit for most anyone. Feel free to strike requirements, and to add other requirements that suit your needs to this list. I like to think of this document as the beginning of the process, giving you a better vantage point from which to craft requirements that are useful to you specifically.
  2. The Excel version of this list gives vendors an explanation of how to fill out the form, and calculates a score for each vendor. You can modify both the weighted importance of each requirement category and the vendor's response score! On the third sheet of the workbook, an overall score is presented along with a breakdown for each section.

If you feel you don't need this scoring analysis, feel free to use the PDF version as a straight list of requirements to incorporate into your own document.

Having noted each of these points, here is the list of categories we included.

  • Architecture, Performance and Scalability
  • Administration
  • Vulnerability Assessment and Coverage
  • Compliance & Configuration Management
  • Reporting
  • Risk & Remediation Management
  • Integration
  • Vendor Viability & Product Strategy

I hope these are of use to you as you establish a cogent set of requirements in your RFI, RFP, or evaluation criteria matrix. This stage of procurement is important, but ultimately seeking out the right solution for your organization is what matters most. Good luck and Godspeed!

Please share your experience with this type of procurement, including any challenges you've overcome to get the best solution. We're eager to hear your comments!