Phishing Simulation RFP Template
Copy-and-paste, free, built by people who run phishing programs
A copy-and-paste RFP template for procurement teams, CISOs and IT leadership evaluating phishing simulation and security awareness training vendors. Nine sections - scope, functional requirements, technical integrations, content library, reporting, compliance evidence, pricing, vendor questions and scoring rubric. Customize the placeholders, distribute to your vendor shortlist, score responses with the included rubric.
Section 1 - Organizational Scope
Issuing organization: [Company Name]
Issuing department: [Information Security / IT / Risk]
Procurement contact: [Name, email, phone]
RFP issued: [Date]
Responses due: [Date, time, time zone]
Anticipated award: [Date]
Contract start: [Date]
1.1 Organization profile
- Industry: [Healthcare / Financial Services / Manufacturing / Education / Government / Legal / Tech / Other]
- Headcount: [#] employees with email accounts; [#] contractors
- Geographic footprint: [US-only / North America / EMEA / APAC / Global]
- Languages required: [List of languages with workforce headcount per language]
- Email environment: [Microsoft 365 / Google Workspace / Other]
- Identity provider: [Entra ID / Okta / Ping / Other]
- HRIS / directory: [Workday / BambooHR / SuccessFactors / AD / Other]
1.2 Compliance scope
The proposed program must explicitly accommodate each of the following frameworks that is in scope for our organization (delete those that do not apply):
- SOC 2 Type II
- HIPAA / HHS 405(d) HICP
- PCI DSS 4.0
- NIST CSF 2.0 / NIST 800-53
- ISO 27001 / ISO 27002
- GDPR / NIS2
- FedRAMP / CMMC
- FFIEC / NYDFS Part 500
- HITRUST CSF
- State-level regulations (CCPA, NY SHIELD, others)
Section 2 - Functional Requirements
Mark each requirement as M (Must-have, disqualifying if not satisfied), N (Nice-to-have), or D (Disqualifying if present).
2.1 Campaign engine
- Email phishing simulation with template library across multiple categories and difficulty tiers
- SMS phishing simulation (smishing) covering the same workforce roster
- Voice phishing simulation (vishing) with optional AI-generated call scripts
- Scheduled, immediate and staggered-delivery campaign modes
- Per-user campaign suppression for medical leave, terminated employees and other exclusions
- Multi-tenant architecture for organizations with subsidiaries or business units
2.2 Training delivery
- Auto-assigned training when a user clicks a simulated phish - module assignment matches lure category
- Training module library covering phishing recognition, password hygiene, data handling, social engineering, incident reporting
- Role-based training paths (general staff, executives, IT admins, finance, customer service)
- Multi-language training content matching the workforce language inventory
- Completion tracking with deadlines and auto-reminders
- Custom-branded training-completion certificates (where required for HR records)
2.3 User management
- CSV bulk-import of users with manager-mapping
- API or SCIM-based ongoing sync from HRIS / directory
- Group/cohort management with arbitrary nesting
- Per-user attribute support (department, location, language, manager, custom fields)
- Bulk operations (group assignment, language tag updates, suppression toggling)
Section 3 - Technical & Integration Requirements
- SSO support (SAML 2.0, OpenID Connect)
- Identity provider integrations: [your IdP]
- Email gateway allow-listing documentation for the platform's sending infrastructure
- SIEM integration (Splunk, Sentinel, others) for click and credential-entry events
- API documentation, rate limits, authentication model
- Webhook support for real-time event push
- Data residency: [US / EU / Other]
- Encryption at rest and in transit
- Audit logging of administrative actions
- SOC 2 Type II / ISO 27001 certifications of the vendor itself
Section 4 - Content & Template Library Requirements
- Number of templates in the standard library: [minimum #]
- Categories covered: financial / shipping / IT / social media / events / [industry-specific]
- Difficulty tiers (easy, regular, hard) with explicit progression
- Industry-specific templates relevant to [your industry]
- Template refresh cadence - how often new templates are added in response to threat intelligence
- Custom template creation - UI, approval workflow, ethical-floor enforcement
- AiTM-styled templates covering the 2025-2026 threat landscape
- Translated / native-localized templates (not machine-translated) for required languages
- Landing-page library matched to template categories
- Image and asset library separate from text templates
Section 5 - Reporting & Analytics Requirements
- Per-campaign report - recipients, open rate, click rate, credential-entry rate, training completion
- Trend reporting across configurable time windows (quarterly, annual, multi-year)
- Per-user, per-group, per-cohort drill-downs
- Manager dashboards (where program is manager-visible)
- Executive dashboards with risk-aligned KPIs
- Board-ready PDF export with quarterly trend, threshold-exceedance documentation, remediation evidence
- API export of campaign data for custom analysis
- Per-language and per-region breakouts (if multi-language program)
- Automated weekly / monthly / quarterly emailed reports to designated stakeholders
Section 6 - Compliance & Evidence Requirements
The platform must produce the evidence required for our compliance scope (Section 1.2). Specifically:
- Per-user training delivery records with completion timestamps, exportable for audit response
- Campaign-by-campaign records covering at minimum the audit cycle (12 months for SOC 2 / ISO 27001 / annual examinations; 24+ months for HITRUST r2 and CMMC)
- Click-rate trend reports with year-over-year comparison
- Threshold-exceedance event log with documented program response
- Role-based training delivery records differentiated for privileged users
- Policy alignment documentation showing how the platform supports the specific control numbers in our compliance frameworks
- Vendor-side SOC 2 Type II / ISO 27001 attestation reports available under NDA
- Sub-processor list and data processing agreement (GDPR Article 28 / CCPA / state-level)
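The per-campaign rates in Section 5 and the click-rate trend and threshold-exceedance log in Section 6 are the numbers an evaluator should be able to reproduce from a vendor's raw export. The following is an added example written for this template, not code from any vendor or from the RFP itself: it assumes a constructed export shape of one record per recipient per campaign with a flag per stage (opened, clicked, credentials submitted, training completed), computes the rates per campaign, per group or per language, and produces exceedance entries with a `response` field the program owner must fill in. The thresholds and sample records are constructed.

```python
"""Campaign metrics and threshold-exceedance log (added example; the record
shape, thresholds and sample data are assumptions, not a vendor's format)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class RecipientRecord:
    campaign: str
    user: str
    group: str       # department / cohort / region
    language: str
    opened: bool
    clicked: bool
    submitted: bool  # entered credentials on the simulated landing page
    trained: bool    # completed the module auto-assigned on click


# Constructed sample export: two campaigns, two groups, two languages.
SAMPLE_EVENTS: List[RecipientRecord] = [
    RecipientRecord("2025-Q1-shipping", "u1", "finance", "en", True,  True,  True,  True),
    RecipientRecord("2025-Q1-shipping", "u2", "finance", "en", True,  True,  False, True),
    RecipientRecord("2025-Q1-shipping", "u3", "finance", "en", False, False, False, False),
    RecipientRecord("2025-Q1-shipping", "u4", "support", "de", True,  False, False, False),
    RecipientRecord("2025-Q1-shipping", "u5", "support", "de", True,  True,  False, False),
    RecipientRecord("2025-Q2-it-reset", "u1", "finance", "en", True,  False, False, False),
    RecipientRecord("2025-Q2-it-reset", "u2", "finance", "en", True,  True,  False, True),
    RecipientRecord("2025-Q2-it-reset", "u3", "finance", "en", False, False, False, False),
    RecipientRecord("2025-Q2-it-reset", "u4", "support", "de", True,  False, False, False),
    RecipientRecord("2025-Q2-it-reset", "u5", "support", "de", False, False, False, False),
]


def campaign_metrics(events: List[RecipientRecord],
                     key: Callable[[RecipientRecord], str] = lambda e: e.campaign
                     ) -> Dict[str, Dict[str, Optional[float]]]:
    """Rates per bucket (default: per campaign; pass a different key for the
    per-group / per-language breakouts). Open, click and credential-entry
    rates are fractions of recipients; training completion is a fraction of
    clickers, because training is assigned on click. It is None when nobody
    clicked, so a clean campaign is not misreported as 100% trained."""
    buckets: Dict[str, List[RecipientRecord]] = {}
    for e in events:
        buckets.setdefault(key(e), []).append(e)
    out = {}
    for k, recs in buckets.items():
        n = len(recs)
        clickers = [r for r in recs if r.clicked]
        out[k] = {
            "recipients": n,
            "open_rate": sum(r.opened for r in recs) / n,
            "click_rate": len(clickers) / n,
            "credential_entry_rate": sum(r.submitted for r in recs) / n,
            "training_completion": (sum(r.trained for r in clickers) / len(clickers))
                                   if clickers else None,
        }
    return out


def threshold_exceedances(metrics: Dict[str, Dict[str, Optional[float]]],
                          click_threshold: float = 0.25,
                          credential_threshold: float = 0.05) -> List[dict]:
    """One log entry per (bucket, metric) strictly above its threshold. The
    'response' field is left empty on purpose: an exceedance without a
    documented program response is the gap an auditor will flag."""
    entries = []
    for bucket, m in metrics.items():
        for metric, limit in (("click_rate", click_threshold),
                              ("credential_entry_rate", credential_threshold)):
            value = m[metric]
            if value is not None and value > limit:
                entries.append({"bucket": bucket, "metric": metric,
                                "value": round(value, 4), "threshold": limit,
                                "response": None})
    return entries


def record_response(entry: dict, response: str) -> dict:
    """Attach the documented program response to an exceedance entry."""
    entry["response"] = response
    return entry


if __name__ == "__main__":
    per_campaign = campaign_metrics(SAMPLE_EVENTS)
    per_group = campaign_metrics(SAMPLE_EVENTS, key=lambda e: e.group)
    for name, m in per_campaign.items():
        print(name, m)
    for name, m in per_group.items():
        print("group", name, m)
    for entry in threshold_exceedances(per_campaign):
        print(record_response(entry, "[program response: targeted retraining for finance]"))
```

With the constructed data, the Q1 campaign exceeds both thresholds (click rate 0.6, credential-entry rate 0.2) and the Q2 campaign exceeds neither; running the same function with `key=lambda e: e.language` gives the per-language breakout Section 5 asks for. Asking a vendor to export the underlying per-recipient records, rather than only the finished dashboard, is what makes these numbers independently checkable.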
Section 7 - Pricing Structure & Contract Terms
Vendors must provide:
- Per-user annual pricing at our headcount tier
- Multi-year discount structure (1-year, 2-year, 3-year)
- Module-based pricing if applicable (separate line items for email / SMS / voice / training)
- Implementation / professional services pricing if separate from license
- Payment terms (annual upfront, quarterly, monthly)
- Auto-renewal terms and notice periods
- Termination rights, data export rights at termination
- Data deletion timeline post-termination
- Pricing escalator clauses (year-over-year price increase caps)
- Free trial availability and trial scope
Section 8 - Vendor Questions
- How long has your phishing simulation product been on market? When was the last major architecture change?
- How many customers in our industry segment? How many in our headcount tier?
- What is your customer churn rate, and what are the most common reasons for non-renewal?
- Describe your incident response process if your platform is used to deliver an unintended real phishing message (e.g., template misconfigured to actually harvest credentials).
- What is your roadmap for AI-generated phishing content (defensive - generating training scenarios, not offensive)?
- How do you enforce a template ethical floor - which categories or framings do you refuse to support?
- Describe your data security posture - encryption, access controls, employee security clearance.
- Provide three customer references at our headcount tier in our industry. We will contact two of them.
- What does first-month ramp typically look like for a customer at our scale?
- Describe a representative escalation case - what's the resolution time and ownership chain?
Section 9 - Scoring Rubric
Each section scored 1-5 (1=weak, 5=strong). Weights customizable to organizational priorities; example weights below.
| Section | Default Weight | Score (1-5) | Weighted |
|---|---|---|---|
| Functional requirements (Section 2) | 25% | - | - |
| Technical & integration (Section 3) | 15% | - | - |
| Content & templates (Section 4) | 15% | - | - |
| Reporting & analytics (Section 5) | 15% | - | - |
| Compliance & evidence (Section 6) | 15% | - | - |
| Pricing & contract (Section 7) | 10% | - | - |
| Vendor profile / references (Section 8) | 5% | - | - |
| Total | 100% | - | - |
Disqualifying-finding policy: Any vendor that fails a Must-have requirement (Section 2 marked M) drops out of consideration regardless of weighted score. Disqualifying findings (Section 2 marked D, or vendor-side concerns surfaced in Section 8) are immediate disqualifiers.
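Because the Must-have and Disqualifying gates override the weighted total, a vendor with the best score can still drop out, and scoring by hand makes that easy to get wrong. The following is an added example, not part of the RFP: it applies the gates first, then computes the weighted total on the 1-5 scale using the table's default weights, and ranks only the vendors that survive. The vendor responses are constructed; the requirement names are illustrative placeholders.

```python
"""Section 9 scoring with the Must-have / Disqualifying gate (added example;
vendor data and requirement names are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default weights from the Section 9 table, as fractions.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "functional": 0.25, "technical": 0.15, "content": 0.15, "reporting": 0.15,
    "compliance": 0.15, "pricing": 0.10, "vendor": 0.05,
}


@dataclass
class Requirement:
    name: str
    tag: str        # "M" (must-have), "N" (nice-to-have) or "D" (disqualifying)
    present: bool   # M/N: vendor satisfies it; D: the disqualifying feature is present


@dataclass
class VendorResponse:
    vendor: str
    section_scores: Dict[str, int]          # section key -> score 1..5
    requirements: List[Requirement]
    section8_concerns: List[str] = field(default_factory=list)


@dataclass
class ScoreResult:
    vendor: str
    disqualified: bool
    reasons: List[str]
    weighted_total: Optional[float]         # None when disqualified


def validate_weights(weights: Dict[str, float]) -> None:
    """Customized weights must still sum to 100%."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def disqualification_reasons(resp: VendorResponse) -> List[str]:
    """Apply the disqualifying-finding policy before any arithmetic."""
    reasons = []
    for r in resp.requirements:
        if r.tag == "M" and not r.present:
            reasons.append(f"Must-have not satisfied: {r.name}")
        elif r.tag == "D" and r.present:
            reasons.append(f"Disqualifying finding present: {r.name}")
    reasons.extend(f"Section 8 concern: {c}" for c in resp.section8_concerns)
    return reasons


def score_vendor(resp: VendorResponse,
                 weights: Dict[str, float] = DEFAULT_WEIGHTS) -> ScoreResult:
    validate_weights(weights)
    reasons = disqualification_reasons(resp)
    if reasons:
        return ScoreResult(resp.vendor, True, reasons, None)
    total = 0.0
    for section, weight in weights.items():
        score = resp.section_scores[section]          # KeyError if a section is unscored
        if not 1 <= score <= 5:
            raise ValueError(f"{resp.vendor}: score for {section} must be 1-5")
        total += weight * score
    return ScoreResult(resp.vendor, False, [], round(total, 2))


def rank(responses: List[VendorResponse],
         weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Surviving vendors ordered by weighted total, best first."""
    results = [score_vendor(r, weights) for r in responses]
    return sorted(((r.vendor, r.weighted_total) for r in results if not r.disqualified),
                  key=lambda t: t[1], reverse=True)


# Constructed shortlist: B scores highest but misses a Must-have.
SHORTLIST: List[VendorResponse] = [
    VendorResponse("Vendor A",
                   {"functional": 4, "technical": 5, "content": 3, "reporting": 4,
                    "compliance": 5, "pricing": 3, "vendor": 4},
                   [Requirement("SCIM sync from HRIS", "M", True),
                    Requirement("Smishing module", "N", False),
                    Requirement("Unremovable real credential capture", "D", False)]),
    VendorResponse("Vendor B",
                   {s: 5 for s in DEFAULT_WEIGHTS},
                   [Requirement("SCIM sync from HRIS", "M", False),
                    Requirement("Unremovable real credential capture", "D", False)]),
    VendorResponse("Vendor C",
                   {s: 3 for s in DEFAULT_WEIGHTS},
                   [Requirement("SCIM sync from HRIS", "M", True),
                    Requirement("Unremovable real credential capture", "D", True)]),
]

if __name__ == "__main__":
    for resp in SHORTLIST:
        print(score_vendor(resp))
    print("ranking:", rank(SHORTLIST))
```

Vendor A totals 4.05 on the 1-5 scale; Vendor B would total 5.0 but is removed by the missed Must-have, and Vendor C by the Disqualifying finding, so the ranking contains only A. Passing a customized weight dictionary (for example, compliance raised and pricing lowered for a regulated industry, as the usage notes suggest) reuses the same gate logic unchanged.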
Submission Instructions
Submit RFP responses as a single PDF document by [date, time, time zone] to [email]. Late submissions are disqualified. Vendor-side questions during the response window: [email] - questions and answers will be distributed to all known respondents by [date].
End of RFP template.
Usage notes
This template is intentionally comprehensive. Most procurement teams will customize / shorten it before sending to vendors - that's expected. The most common customizations:
- Trim Sections 4-6 to the requirements that matter for your specific environment
- Adjust Section 9 weights to your organizational priorities (regulated industries typically weight Compliance higher; SMBs typically weight Pricing higher)
- Add industry-specific requirements not covered above (HIPAA-covered entities should add BAA execution timeline; DoD suppliers should add CMMC-specific evidence requirements)
- Cap responses at a page count if your team is bandwidth-constrained for review
The template is provided free with no warranty. It reflects observed best practices but is not legal or procurement advice - adapt it to your organization's specific procurement process and policies.