This vendor-neutral secure access service edge (SASE) RFP template compiles the top solution requirements gathered from across the industry. Decision Insights collaborated with the vendor community, analysts, and enterprise decision-makers to organize these requirements into a list you can prioritize and customize to your organization’s needs.

RFP template contents

The downloadable template consists of a PDF document titled "SASE RFP—Evaluation Categories" that describes the question categories. The RFP spreadsheet is an editable .xlsx document titled "SASE RFP—Vendor Response Spreadsheet" that lists detailed questions organized by category.The spreadsheet is structured for vendor responses to each question and allows you to score the solutions side-by-side. A percentage of the maximum possible score is in row 3 at the top of the scoring column. So, a perfect score is 100%.

Steps to conduct the RFP

There are three steps to conducting the SASE RFP process.

  1. Determine requirements
    1. Document your SASE requirements, plans and projected timeline.
    2. Review the RFP categories weights and questions and edit them as needed to align with your SASE solution objectives.
    3. Write a business overview and list of solution objectives to include with the RFP.
  2. Prepare and issue the RFP package to the vendors
    1. Select the SASE solution vendors who will respond to the RFP. Brief the participating vendors in advance and conduct vendor meetings as needed.
    2. Prepare a mutual NDA as part of the package.
    3. Issue the RFP package, NDA, expected timeline and instructions to the participant vendors.
    4. Gather the vendor responses and communicate with the vendors as needed to conclude the response phase.
  3. Score the vendor responses and tabulate the results
    1. Issue the RFP and instructions to the vendors. Obtain signatures for the NDA.
    2. Compare the vendor responses side-by-side to determine the response scores on a scale of 0 to 5, with 5 being the best possible response.
    3. Review the total scores and RFP results to determine the finalist solutions.
    4. Conclude the RFP process, notify the responding vendors, and move forward with the finalist vendor(s) to the next steps.

RFP steps - suggestions and details

Document your SASE requirements

Solution evaluation starts with documenting and agreeing with your internal teams and stakeholders. What are your organization’s objectives and timeline? What will the entire solution selection and evaluation process be? Who will participate in the RFP review and response evaluation?

Importantly, you’ll need to determine the solution objectives. Where will SASE be deployed, and what is the rollout process? What are the top requirements? Will the solution involve migrating or replacing an existing solution or vendor? What adjacent solutions is SASE required to support, including security information and event management (SIEM) platforms, ITIM tools, observability tools, and automation practices?

There are three common models for SASE deployment, and you’ll need to decide which ones to consider. Those are:

  1. A single-vendor SASE solution, or a converged SASE solution, is where a single vendor meets both networking and security requirements.
  2. A two-vendor solution where generally one vendor will provide networking and firewall features and another vendor will provide the security features.
  3. An MSP-delivered solution in which the provider packages and supports a SASE service consisting of one or more vendors.

This RFP is structured to help you consider three different deployment scenarios. The "SASE RFP—Evaluation Categories" document provides more details and includes instructions for modifying the RFP for each scenario.

Review and edit the RFP categories and questions

The "Vendor Response Spreadsheet" calculates each vendor's total score as a percentage of the maximum possible score using the category importance and the solution's ability to fulfill specific requirements. Scores range from 1 to 5, with 5 being the best possible response or the most critical category. A perfect score would be 100%.

Start by determining the importance of each category for your organization’s needs. We have suggested category priorities to get you started. The "SASE RFP—Evaluation Categories" document and the second tab of the "Vendor Response Spreadsheet" include our proposed category weights. If you change the category weights, update that information on the second tab, and you will need to manually change those values in column C of the first tab of the spreadsheet.

The "SASE RFP - Evaluation Categories" document includes detailed instructions for optimizing the RFP categories and editing the questions to align with your organization’s requirements.

Write your business overview and SASE objectives

To help the vendors focus their responses on your requirements, you need to create a business overview description for vendors to read before writing their responses to the questions. We suggest the business overview include the following:

  • Business overview

Briefly describe your company’s business, operating parameters and scale (e.g., number of employees, global presence), and top concerns.

  • Key business and technical objectives

Highlight the primary goals driving the SASE initiative (e.g., improved security, optimized network performance, better support for mobile users).

  • Strategic IT context

Summarize related IT projects and strategic initiatives that influence the SASE deployment (e.g., cloud migration and moving to a zero-trust architecture):

  • Project scope and coverage

Define the scope of the SASE implementation:

  • Resources: data center, branches, mobile users, cloud applications.
  • Geographies: regions where coverage is required and challenges to address.

Current IT environment overview

Provide a high-level description of your existing IT systems and architecture:

  • Network topology, including primary data center, regional hubs, and branches.
  • Security technology stack and existing enterprise security capabilities such as SIEMs, automation practices and IT collaboration tools.

Application and workforce context

Outline key applications (purpose and locations) and mobile workforce use cases, highlighting their impact on network and security needs.

Vendor Expectations

State the importance of tailoring responses to address the provided context and aligning solutions with the outlined objectives.

Select the SASE vendors

Most SASE vendors are well known. You can easily create your list through online research. If you are open to a two-vendor solution, consider SD-WAN and security services edge (SSE) providers, as they can sometimes combine their solutions or partner. If you are considering MSPs, research those offering network-on-demand services, business access services or cloud or edge security offers. MSPs may not always advertise their service as SASE, so you will likely need to research possible vendors with services available at your global locations.

Prepare the RFP documents and NDA

When contacting the vendors to participate, you should provide response instructions, including how to populate responses in the spreadsheet, when the RFP response is due, and who to contact for questions. You should also organize a short kick-off meeting with each vendor and likely want them to sign a mutual NDA.

Some vendors may want to create a joint response with a technology partner. You should be sure to ask each and have some instructions in case vendors need to cooperate. The NDA may need to be modified accordingly.

In addition to providing instructions, you must edit the spreadsheet so the vendors can focus on their responses. Remove the category weights and scoring methodology from the vendor response spreadsheet by deleting those columns to avoid confusion or distraction.

Review and score the RFP responses

After the vendors complete their responses, you can combine them into a single spreadsheet to evaluate and score them side-by-side. If correctly edited, this spreadsheet version should include the formulas for weighting the responses by quality and category. The spreadsheet should calculate a score for each vendor (0% to 100%).

Complete the RFP process by selecting the finalists and notifying all participants. You are now ready to move on to the next steps of the solution evaluation process.

Determine next steps

With the RFP process completed and finalist vendors selected, the next step is to move beyond vendor responses and conduct real-world evaluations. Running a proof-of-concept (PoC) in your own network will help validate usability, integration with your existing technology stack, and overall effectiveness in addressing your security and networking needs. However, PoCs alone may not uncover all potential performance and security challenges.

To gain a comprehensive and unbiased view of how each SASE solution performs under stress, enterprises should leverage independent testing organizations. Third-party evaluators, such as Keysight Technologies and CyberRatings, provide objective benchmarking through rigorous performance testing, simulated cyber threats, and security stress testing. These evaluations ensure that solutions meet zero-trust security principles, scale under enterprise traffic loads, and deliver the promised protection against real-world threats.

For a data-driven decision, consider working with Keysight and CyberRatings to independently verify your SASE vendor’s capabilities.

Access the SASE RFP Template here.