Reference

SASE RFP Template: What to Ask Vendors

January 15, 20267 min readUpdated Feb 2026

TL;DR

A ready-to-use SASE RFP template with 80+ evaluation criteria across SSE depth, SD-WAN maturity, management, DEM, and commercial terms. Weight categories based on your deployment priority (SSE-first vs full SASE). Includes scoring rubrics, mandatory vs nice-to-have classification, and red-flag responses that disqualify vendors.

A SASE RFP (Request for Proposal) template is a structured document that organizations use to evaluate SASE vendors against consistent, weighted criteria covering security depth, networking capability, management experience, SLA commitments, and total cost of ownership. The purpose of a well-constructed RFP is not to generate more paperwork but to force vendors to provide specific, verifiable answers to questions that separate mature platforms from marketing-driven feature claims. This template covers the requirements that matter in production, organized by category with priority levels.

Before you write the RFP

The most common RFP mistake is sending a 200-question spreadsheet that vendors answer with marketing boilerplate. A better approach: identify your 15-20 non-negotiable requirements, weight them by priority, and demand proof-of-concept validation for the top 5. The RFP document should be structured to elicit specific, testable answers, not general capability descriptions.

Start by documenting your current state: how many users, how many branch sites, which SaaS applications are business-critical, what compliance frameworks apply, what your current WAN architecture looks like (MPLS, broadband, SD-WAN already in place), and what your legacy security stack includes (on-prem proxies, VPN concentrators, branch firewalls). This context lets vendors propose realistic architectures rather than generic reference designs.

Define your deployment scope: SSE-only, full SASE, or phased approach
Document user populations: office workers, remote workers, contractors, OT/IoT devices
List your top 20 SaaS applications by traffic volume and business criticality
Identify compliance requirements: SOC 2, HIPAA, PCI-DSS, GDPR, NIS2, DORA
Catalog existing infrastructure: SD-WAN vendor, firewall vendor, proxy vendor, VPN vendor, IdP provider
Define your success metrics: latency targets, uptime requirements, deployment timeline

RFP requirements by category

SSE Security Requirements

Requirement	Priority	What to Verify
TLS 1.2 and 1.3 decryption with configurable bypass policies	P1 - Critical	Ask for measured decryption throughput per PoP under production load
SWG URL categorization with GenAI-specific categories	P1 - Critical	Request the URL category list and ask when GenAI categories were added
CASB covering your top 20 SaaS apps in both inline and API mode	P1 - Critical	Verify API integration depth for each app: what data types can it scan
ZTNA with clientless access for contractors and BYOD	P1 - Critical	Test clientless access with a real application during PoC
DLP with pattern matching, ML classification, and OCR	P2 - High	Run your own test data through the DLP engine during PoC
Remote browser isolation for uncategorized or high-risk sites	P2 - High	Test RBI with interactive web apps, not just static pages
DNS-layer security with threat intelligence integration	P2 - High	Ask for DNS threat intelligence source and update frequency
Inline sandboxing with sub-60-second verdicts for unknown files	P2 - High	Test with a custom-compiled benign executable to measure verdict time
IPS with 10,000+ signatures covering OWASP Top 10 and CVEs	P3 - Medium	Request IPS signature count and compare against published CVE coverage
Support for TLS 1.3 Encrypted Client Hello (ECH) handling	P3 - Medium	Ask specifically how ECH traffic is handled when SNI is encrypted

SD-WAN and Networking Requirements

Requirement	Priority	What to Verify
Application-aware routing with 5,000+ application signatures	P1 - Critical	Test with your actual business applications, not just vendor demo apps
Sub-second failover across WAN transport links	P1 - Critical	Measure failover during PoC by physically disconnecting a link
Support for MPLS, broadband, LTE/5G, and satellite transports	P2 - High	Verify which transport types are tested vs. theoretically supported
Zero-touch provisioning for branch appliance deployment	P2 - High	Deploy a test branch appliance using only ZTP during PoC
QoS and traffic shaping with per-application bandwidth policies	P2 - High	Verify QoS works when traffic goes through the SSE inspection pipeline
Branch-to-branch traffic policy enforcement through the PoP	P3 - Medium	Ask if branch-to-branch traffic is inspected or direct

Management and Operations Requirements

Requirement	Priority	What to Verify
Single management console for SSE and SD-WAN policies	P1 - Critical	Ask whether it is truly one console or two branded portals
Role-based access control with granular permission scoping	P1 - Critical	Test creating a read-only role for a specific policy category
API coverage for all configuration and reporting functions	P1 - Critical	Request API documentation and verify coverage of your automation needs
Multi-tenant management for MSP or multi-BU environments	P2 - High	Test tenant isolation: can a tenant admin see other tenants' data
Log export to SIEM via syslog, CEF, or native integration	P2 - High	Verify log format, granularity, and real-time vs. batched export
Change tracking and configuration rollback capabilities	P2 - High	Test rolling back a policy change and verify it takes effect immediately
DEM with hop-by-hop latency decomposition	P2 - High	Verify whether DEM is included in base license or requires add-on
Terraform or infrastructure-as-code provider support	P3 - Medium	Check Terraform provider completeness vs. full API capability

SLA and Support Requirements

Requirement	Priority	What to Verify
99.999% uptime SLA for the SASE cloud platform	P1 - Critical	Read the SLA document: what is excluded? How are credits calculated?
Latency SLA: maximum added latency through the inspection pipeline	P1 - Critical	Get the SLA in writing with specific millisecond commitments per region
24/7 support with less than 15-minute response for P1 incidents	P1 - Critical	Test support responsiveness during the PoC evaluation period
Dedicated customer success manager for enterprise accounts	P2 - High	Ask at what spend level a dedicated CSM is included
Documented incident response process with root cause analysis	P2 - High	Request examples of past incident RCA reports
Planned maintenance windows with advance notification	P3 - Medium	Ask for maintenance history: how often, how long, what impact

Pricing and Licensing Requirements

Requirement	Priority	What to Verify
Clear per-user or per-site pricing with no hidden per-feature charges	P1 - Critical	Ask for a complete SKU list including every add-on and its price
DEM, DLP, and CASB included in base license without add-on costs	P1 - Critical	Verify which features require separate SKUs or higher license tiers
Flexible licensing: ability to mix user-based and site-based models	P2 - High	Ask if you can license remote users per-user and branches per-site
True-up provisions: how overage is handled and billed	P2 - High	Get true-up terms in writing before contract signature
Three-year TCO projection including support, training, and migration	P2 - High	Ask vendor to model TCO for your specific user/site count
Exit terms: data portability, contract termination, and migration support	P3 - Medium	Read the exit clause carefully; some contracts have 12-month notice periods

Proof of concept requirements

The PoC is where marketing claims meet reality. Structure your PoC around 5-7 testable scenarios that map to your highest-priority requirements. Each scenario should have a pass/fail criterion defined before testing begins. Do not let the vendor control the PoC environment; run it with your own users, your own applications, and your own network conditions.

Deploy the endpoint agent to 50-100 users across at least 3 office locations and 20+ remote users
Enable TLS inspection and measure added latency to your top 10 SaaS applications
Configure ZTNA for 3 internal applications and test access from managed and unmanaged devices
Deploy DLP policies for PCI and PII detection and measure false-positive rate over 2 weeks
Run CASB shadow IT discovery for 30 days and validate application detection accuracy
Test SD-WAN failover by physically disconnecting WAN links at a pilot branch
Simulate a security incident and measure detection time, alert quality, and analyst investigation workflow

Scoring and selection

Weight your categories based on your deployment priorities. For SSE-first deployments, weight SSE 40%, management 20%, SLA 20%, pricing 15%, SD-WAN 5%. For full SASE deployments, balance SSE 30%, SD-WAN 25%, management 20%, SLA 15%, pricing 10%. Score each requirement within its category as pass/fail or on a 1-5 scale, then multiply by priority weight. The vendor with the highest weighted score is your technical leader, but the final decision should also factor in vendor financial stability, roadmap alignment, and reference customer feedback from organizations similar to yours in size and industry.

Never select a SASE vendor based solely on the RFP response. The PoC is mandatory. Vendors will answer every RFP question affirmatively; the PoC reveals what actually works, what requires workarounds, and what is quietly on the roadmap rather than in production.

Sources & further reading

Gartner, "How to Write an Effective RFP for Security Service Edge" — gartner.com/reviews/market/security-service-edge
Gartner, "Magic Quadrant for Single-Vendor SASE" — gartner.com/reviews/market/single-vendor-sase
SANS Institute, "Evaluating Network Security Solutions" — sans.org/white-papers/security-evaluation
Cisco, "SASE Buyer's Guide" — cisco.com/c/en/us/solutions/enterprise-networks/sase
Palo Alto Networks, "Prisma SASE Evaluation Checklist" — paloaltonetworks.com/sase/evaluate

Frequently asked questions

Three to four vendors maximum. Include the market leaders (Cisco, Palo Alto) and at least one vendor that aligns with your existing infrastructure (Fortinet if you run FortiGates, Check Point if you have Quantum firewalls). More than four vendors creates evaluation fatigue and delays the selection by months.

If you plan to deploy both, yes. Evaluating them separately risks selecting vendors that do not integrate well. Even if you plan SSE-first, include SD-WAN requirements in the RFP to ensure the vendor can deliver both when you are ready for phase two.

Minimum 30 days with real users and real traffic. Two weeks for deployment and baseline, two weeks for policy tuning and testing. Shorter PoCs miss issues that only surface over time: DLP false-positive rates stabilize after 2 weeks, CASB shadow IT discovery needs 30 days for a complete catalog, and DEM baselines require 2-4 weeks of data.

Related on sase.cloud

SASE PoC Guide →Vendor Reviews →

More references

SASE Glossary: Every Term Defined

A comprehensive SASE glossary with 40+ terms defined for network engineers and security practitioners. Covers SASE, SSE,...

SASE Licensing & Pricing Guide

Honest breakdown of SASE pricing models, hidden costs, and licensing traps. Covers per-user, per-device, and bundled pri...

SASE Vendor Rankings 2026: Independent Scoring

Independent 2026 SASE vendor rankings scoring all 8 major vendors — Cato Networks, Cisco, Fortinet, Palo Alto, Zscaler, ...

Get the next guide in your inbox

One email per publish. Unsubscribe anytime.

ShareLinkedIn X

Was this helpful?

← Previous