NNetify

SASE RFP Template (Free Download) + Run Your RFP Online

A SASE RFP needs to cover your site and user profile, the mandatory capabilities you're testing vendors against, security and compliance evidence, service and SLA terms, commercials, and a scoring method published up front - then every vendor answers into that same structure so you're comparing like with like rather than marketing decks. The Netify SASE RFP Builder puts all of this together in minutes using our 20-pillar procurement framework, publishes it to more than 30 vendors, and scores the responses side by side automatically. Free to use - start your RFP directly, or read the evaluation criteria checklist first if you want the detail before committing.

In UK procurement the same document is often called an ITT or a tender. The structure, scoring and process on this page apply to both, and the builder serves UK and North American businesses with national or global requirements.

What is a SASE RFP?

A SASE RFP (Secure Access Service Edge Request for Proposal) is a structured procurement document that organisations use to evaluate and compare SASE vendors against specific technical, security, and commercial requirements. It covers:

  • Security architecture — zero trust network access (ZTNA), cloud-access security broker (CASB), secure web gateway (SWG), and firewall-as-a-service (FWaaS)
  • Network connectivity — SD-WAN underlay options, global PoP coverage, latency SLAs, and last-mile diversity
  • Management and visibility — single-pane dashboard, policy orchestration, real-time analytics, and API integrations
  • Compliance alignment — mapping to NHS DSPT, PCI DSS, ISO 27001, SOC 2, and sector-specific frameworks
  • Commercial terms — per-user vs per-site licensing, contract flexibility, SLA guarantees, and total cost of ownership

How to Create a SASE RFP in 5 Steps

  1. Define your requirements — Document current network topology, user counts by location, application dependencies, and compliance obligations.
  2. Map evaluation criteria — Weight each pillar (security, networking, management, compliance, commercial) according to organisational priorities.
  3. Select your vendor shortlist — Use market data and independent reviews to identify 3-5 vendors that match your sector, scale, and geography.
  4. Issue and score responses — Send the RFP to shortlisted vendors with clear deadlines, then score responses against your weighted criteria matrix.
  5. Run proof of concept — Validate the top-scoring vendor with a limited deployment before committing to a full rollout.

SASE RFP Evaluation Criteria

Netify's evaluation methodology scores SASE RFP responses against ten criteria, and there's typically a mix of things that are quick to check and things that take a bit more digging to actually get to the bottom of, which is roughly how they're set out below.

Identity & access - whether ZTNA is genuinely native to the platform or bolted on through a partner is the first thing worth establishing, and an architecture diagram showing exactly where identity enforcement actually sits tends to answer that faster than anything else you could ask for.

Threat prevention - inline controls like FWaaS, IPS and sandboxing should, in theory, be native rather than licensed in from somewhere else, though in practice a lot of vendors blur this, so it's worth getting them to name the actual engine sitting behind each control rather than accepting a feature-list description of what it does.

Network & connectivity - how SD-WAN transport and path selection actually behave for latency-sensitive traffic matters considerably more than the marketing claim usually lets on, and a PoP map with measured latency figures for your own regions, as opposed to a general performance statement that could apply to more or less anyone, is what tells you something useful.

Operations & governance - is there a genuine single-pane-of-glass console, and can every policy change actually be traced through an audit log, rather than just claimed to exist somewhere in the platform? Worth asking to see it live rather than in a slide deck, since the two things can look quite different in practice.

Evaluation & selection - how the vendor suggests you weight competing requirements when they're effectively scoring their own response is worth probing, and a sample scoring framework, or better still a completed RFP response from another customer, tends to answer that far more usefully than anything in a pitch deck.

Commercial - the number that actually matters here is the full three-year total cost of ownership rather than the headline per-user figure, so it's worth pushing for an itemised breakdown that includes implementation and whatever tends to sit behind the premium tier, plus asking for two reference customers roughly your size and sector who you can genuinely call rather than just a case study PDF.

Evidence - two reference customers of comparable size and sector, with contact details you'll actually use rather than a name on a slide, are worth asking for directly, alongside independent certifications relevant to your sector and current rather than expired.

Compliance mapping - compliance mapping needs to be explicit against the frameworks you're actually held to, ISO 27001, NHS DSPT, PCI-DSS or whatever applies in your case, rather than a general assurance that the vendor "takes compliance seriously," since a proper mapping document tends to beat a marketing claim every single time.

Deployment model - managed, co-managed and DIY delivery each demand meaningfully different levels of internal resource depending on which one you go for, so a deployment timeline with named milestones is worth asking for rather than accepting a vague estimate of "a few weeks."

Exit terms - exit terms are the one thing that almost nobody reads properly until they actually matter, and by then it's usually too late to negotiate anything, so it's worth finding out early what happens to your data and configuration at contract end and what notice period you're genuinely working with, pulled from the actual contract rather than the sales deck. All told, running through these ten in order tends to surface most of what a vendor would rather you didn't ask about directly.

What is a SASE RFP Template?

A SASE RFP template is a structured procurement document used by enterprise IT teams to evaluate Secure Access Service Edge vendors against standardised technical, security, and commercial criteria. The Netify 20-Pillar SASE Procurement Framework provides a methodology covering architecture, security posture, deployment model, compliance, and commercial terms — used by IT teams across Manufacturing, Retail, Healthcare, and Financial Services.

Why Do Most SASE RFPs Fail to Produce Results?

Most SASE RFP templates and processes produce inconclusive results because the evaluation was compromised before a single vendor responded. The following table identifies the five structural failures observed in traditional SASE procurement and how the Netify 20-Pillar SASE Procurement Framework addresses each.

Failure ModeWhat HappensImpact on EvaluationNetify Framework Response
Vendor-led question biasRFP questions drawn from vendor sales materials or pre-sales documentation rather than business requirementsEvaluation criteria favour the incumbent or preferred vendor; competing providers cannot differentiate on genuine capabilityPre-built requirement modules developed from cross-vendor evaluation experience across 30+ SASE providers
No scoring modelResponses evaluated subjectively by individuals without agreed weighting or criteriaShortlist determined by presentation quality or existing relationships rather than technical merit1–10 per-requirement scoring with cumulative totals and automated vendor ranking
No compliance mappingSecurity requirements written without reference to NHS DSPT, PCI DSS, SOC 2, FCA or sector-specific standardsVendor responses cannot demonstrate regulatory alignment; compliance gaps discovered post-contractCompliance framework mapping built into each module covering UK GDPR, PCI DSS 4.0.1, ISO 27001, DSPT, FCA PS21/3, NIS2, IEC 62443 and HIPAA
No stakeholder alignmentIT, security, procurement and business stakeholders not agreed on evaluation priorities before vendor engagement beginsConflicting scoring, disputed shortlists and procurement delays as teams revisit criteria mid-evaluationModular requirement selection allows stakeholders to agree scope before publication; each module independently activated or deactivated
No structured comparisonVendor responses arrive as PDFs, slide decks and spreadsheets in incompatible formatsEvaluation teams spend weeks normalising responses rather than assessing capability; like-for-like comparison is impossiblePlatform-enforced response structure where providers address each requirement independently within a common format

The Netify 20-Pillar SASE Procurement Framework eliminates these failures structurally. Requirements are standardised, responses are comparable, scoring is quantified and compliance alignment is pre-mapped — before the first vendor receives your RFP.

How Does the SASE RFP Builder Work?

A SASE RFP template through Netify is built through five phases: choosing the right questions for your business, security requirement specification, marketplace publication, response management and scoring.

  1. Introduce your Company & Environment — input your industry, company overview and primary contact details.
  2. Define your Security Posture & Access Patterns — input your existing identity provider, user types, device posture requirements and application access policies.
  3. Specify ZTNA, SWG, CASB, FWaaS and DLP requirements — detail which security components you need vendors to address and your organisation’s specific compliance obligations.
  4. Collect structured submissions in-platform — providers respond to each security requirement with standardised, directly comparable results. Monitor responses, request clarifications and RFP progress in the dashboard.
  5. Evaluate, rank and build shortlists — score vendor responses, assess security capabilities and produce a shortlist highlighting capability differences.

The Netify 20-Pillar SASE Procurement Framework

Developed by Netify for enterprise IT procurement teams, the Netify 20-Pillar SASE Procurement Framework evaluates vendors across standardised pillars spanning identity, threat prevention, network connectivity, operations and commercial terms.

Identity & Access

  • Pillar 1 — Zero Trust Network Access (ZTNA): user authentication, device posture, per-app micro-tunnels, least-privilege enforcement.
  • Pillar 2 — Identity Integration & Authentication: SSO, MFA, Azure AD / Okta / on-prem AD compatibility, conditional access.
  • Pillar 3 — Third-Party Access Management: contractor access, vendor remote sessions, temporary credentials, session recording.

Threat Prevention

  • Pillar 4 — Secure Web Gateway (SWG): URL filtering, TLS inspection, malware scanning, bandwidth controls.
  • Pillar 5 — Cloud Access Security Broker (CASB): shadow IT discovery, inline / API modes, DLP for SaaS, OAuth app control.
  • Pillar 6 — Firewall as a Service (FWaaS): L3–L7 policy enforcement, IPS/IDS, DNS security, micro-segmentation.
  • Pillar 7 — Data Loss Prevention (DLP): content inspection, regex/fingerprint matching, exact data match, OCR.
  • Pillar 8 — Encryption & TLS Inspection: TLS 1.3 decryption, certificate management, bypass policies, performance impact.

Network & Connectivity

  • Pillar 9 — SD-WAN Convergence: path selection, application-aware routing, WAN optimisation, branch connectivity.
  • Pillar 10 — Global Backbone & PoP Distribution: PoP locations, peering arrangements, latency SLAs, regional redundancy.

Operations & Governance

  • Pillar 11 — Logging, Monitoring & SIEM Integration.
  • Pillar 12 — Implementation & Migration Methodology.
  • Pillar 13 — Service Model & Support.
  • Pillar 14 — Resilience & Business Continuity.
  • Pillar 15 — Compliance & Certification Validation.
  • Pillar 16 — Policy Governance & Audit Trail.
  • Pillar 17 — Data Residency & Sovereignty.
  • Pillar 18 — Commercials & Licensing.
  • Pillar 19 — AI-Assisted Custom Requirements (Netify AI Helper).

Evaluation & Selection

  • Pillar 20 — Provider Evaluation & Shortlisting: per-requirement scoring, cumulative ranking, weighted priorities, shortlist generation.

How Does the Netify Framework Compare to a Generic SASE RFP Template?

DimensionGeneric RFP TemplateNetify 20-Pillar Framework
FormatStatic Word document or PDFStructured 20-pillar methodology with modular requirement selection
ScoringNo scoring automation; ad-hoc spreadsheetsBuilt-in 1–10 per-requirement scoring with weighted priorities and automated ranking
ResponsesVendor-written in inconsistent formatsStandardised structured responses within enforced common format
BenchmarkingNo benchmarking capabilityMarketplace comparison built-in across 30+ pre-vetted vendors
ComplianceManual compliance checkingPre-mapped to NHS DSPT, HIPAA, PCI DSS 4.0.1, SOC 2, ISO 27001, FCA PS21/3, NIS2
Vendor accessLimited to known contacts; manual outreach30+ curated SASE vendors and managed service providers matched algorithmically

Major SASE Platforms Evaluated in Enterprise RFPs

Enterprise SASE RFPs typically shortlist a small number of major platforms representing different architecture models. The table below shows commonly evaluated SASE platforms and the security components typically included in enterprise SASE evaluations.

VendorZTNASWGCASBFWaaSDLPGlobal BackboneArchitecture Model
Cato NetworksYesYesPartialYesYesYesSingle-vendor SASE
ZscalerYesYesYesPartialYesYesSSE Platform
NetskopeYesYesYesYesYesYesSSE Platform
Palo Alto PrismaYesYesYesYesYesYesSASE Platform
FortinetYesPartialPartialYesYesLimitedSD-WAN + Security
CiscoYesYesYesYesPartialYesSSE + SD-WAN
CloudflareYesYesPartialYesPartialYesCloud Security Edge

SASE RFI or RFP: Which Should You Run First?

Not every SASE evaluation should start with a formal RFP, and it's worth being honest about that upfront. An RFI is market discovery, shorter and capability-level, meant to tell you which vendors are even worth shortlisting before you've locked down exact requirements. An RFP comes after that: evidence-level, scored against your specific environment, and ultimately the document you actually take to procurement or the board.

Run an RFI first when the market's genuinely unclear to you, when you're not yet sure which platforms actually fit your architecture, or when you're scoping budget before requirements have been finalised. Skip straight to the RFP once you already know your environment well enough and just need comparable, evidenced responses to score against each other. Start with an RFI if you're still scoping the market; go straight to the RFP Builder if requirements are already agreed.

CriteriaSASE RFISASE RFP
PurposeMarket discoveryFormal procurement
DepthCapability-levelEvidence-level
LengthShorter, roughly 12-15 questionsFull requirement set
OutputA shortlistScored, comparable responses
Best used whenRequirements are still formingRequirements are already agreed

Which SASE RFP Approach Is Right for You? Platform vs Traditional vs Consultant

The Netify SASE & SD-WAN RFP Builder is, in effect, a free interactive alternative to filling out a static template on your own. Tell it what you need and it drafts weighted questions against the Netify SASE Methodology v2026.1, publishes the RFP out to 30+ vendors, and scores the structured responses that come back, meaning there's no spreadsheet required on your end at all.

CriteriaNetify RFP BuilderStatic Template DownloadConsultant-led
Time to first draftMinutesHours, starting from a blank documentDays to weeks
Question qualityWeighted, methodology-drivenGeneric, one-size-fits-allTailored, but slow to produce
Vendor distributionAutomatic, to 30+ vendorsManual, one at a timeManual, via the consultant
Comparable responsesStructured by defaultDepends on vendor disciplineDepends on the consultant's format
ScoringBuilt in, weightedYou build your ownThe consultant builds it for you
Kept currentUpdated with the methodologyStatic once downloadedAs current as the consultant's own research

SASE RFP Requirements by Industry

Healthcare

A SASE RFP for healthcare must emphasise clinical application access controls, medical IoT device segmentation, patient data protection within cloud services, and demonstrable compliance with DSPT and Caldicott Principles. Clinical staff require seamless access to EPR and PACS systems whilst maintaining strict data protection standards.

SASE ComponentHealthcare-Specific RequirementCompliance DriverPriority
ZTNAPolicies for managed devices and clinician-owned smartphones accessing EPR and PACSDSPT, Caldicott PrinciplesCritical
CASBCapabilities demonstrated with clinical SaaS platforms and patient data workflowsUK GDPR, DSPTCritical
FWaaSIoMT device segmentation with auditable policy enforcementDSPT, NHS DigitalCritical
DLPPatient data protection across cloud applications and emailUK GDPR, CaldicottHigh
LoggingRetention periods satisfying DSPT evidence requirementsDSPTHigh
Service ModelManaged service capabilities for clinical sites without on-site security specialistsOperationalHigh

Retail

A SASE RFP for retail must prioritise consistent policy enforcement across distributed branches, third-party vendor access controls, payment network segmentation, and rapid deployment capability.

SASE ComponentRetail-Specific RequirementCompliance DriverPriority
ZTNAThird-party contractor access without persistent VPN tunnelsPCI DSS, Least PrivilegeCritical
SWG / FWaaSCentralised policy management scaling across hundreds of endpointsOperationalCritical
FWaaSPCI DSS-compliant payment network segmentation with audit trailsPCI DSS 4.0.1Critical
ResilienceFailover mechanisms with documented RTO for store connectivityOperationalHigh
DeploymentZero-touch provisioning for rapid multi-site rolloutOperationalHigh

Manufacturing

A SASE RFP for manufacturing must prioritise OT/IT network separation, global PoP coverage for plant-to-cloud connectivity, device posture controls for industrial systems, and operational models suited to sites with limited security staff.

SASE ComponentManufacturing-Specific RequirementCompliance DriverPriority
ZTNAOT access with least-privilege enforcement for third-party equipment vendorsIEC 62443, NIS2Critical
FWaaSClear policy boundaries between production OT and corporate IT networksIEC 62443, Purdue ModelCritical
Global PoPDistribution adequate for multinational plant operations with predictable latencyOperationalHigh
Service ModelManaged service offerings reducing burden on plant-level teamsOperationalHigh
ResilienceMaintenance window scheduling aligned to production schedulesOperationalHigh

Financial Services

A SASE RFP for financial services must prioritise comprehensive security stack integration, stringent identity and device controls, complete audit trail generation, and low-latency connectivity for trading platforms.

SASE ComponentFinancial Services-Specific RequirementCompliance DriverPriority
Integrated SASEZTNA, SWG, CASB, FWaaS and DLP within a unified management planeFCA PS21/3, Operational ResilienceCritical
ZTNAStrong authentication and device posture checks for trading systemsFCA, PRACritical
CASB / DLPPrevention of unauthorised data exfiltration from cloud applicationsFCA, UK GDPRCritical
LoggingComprehensive audit trails with retention periods meeting regulatory needsFCA, PCI DSS 4.0.1Critical
EncryptionTLS inspection without introducing unacceptable latency for tradingFCA, PCI DSS 4.0.1High
GovernanceRole-based access, approval workflows and immutable audit logsFCA PS21/3, SOXHigh

SASE RFP Scoring: Vendor Evaluation Methodology

ScoreClassificationEvaluation CriteriaVendor Response Characteristics
9–10Exceeds RequirementsVendor demonstrates capability beyond stated requirement with evidenceDetailed technical response, reference architectures, proven deployments in comparable environments
7–8Fully Meets RequirementsVendor addresses all elements of the requirement with supporting detailClear capability statements, configuration examples, compliance evidence provided
5–6Partially Meets RequirementsVendor addresses core elements but gaps exist in coverage or evidenceGeneral capability confirmed but lacking specificity, roadmap items included, limited evidence
3–4Minimally Meets RequirementsVendor acknowledges requirement but response lacks substance or relies on third partiesVague statements, partner/integration dependencies, no evidence of deployed capability
1–2Does Not Meet RequirementsVendor cannot address the requirement or response is non-substantiveNo capability, future roadmap only, or requirement deflected without addressing core need

SASE RFP Compliance: Regulatory Framework Mapping

Compliance FrameworkZTNASWGCASBFWaaSDLPLogging
UK GDPRYesYesYesYesYesYes
PCI DSS 4.0.1YesYesPartialYesYesYes
ISO 27001:2022YesYesYesYesYesYes
Cyber Essentials PlusYesYesPartialYesPartialPartial
SOC 2 Type IIYesYesYesYesYesYes
DSPT (NHS)YesYesYesYesYesYes
FCA PS21/3YesYesYesYesYesYes
NIS2 DirectiveYesYesYesYesYesYes
IEC 62443 (Industrial)YesPartialPartialYesPartialYes
HIPAA (US Healthcare)YesYesYesYesYesYes

Common SASE RFP Questions

How many vendors should you include in a SASE RFP?

The Netify 20-Pillar SASE Procurement Framework recommends inviting 3–5 vendors to respond to a structured RFP. This allows meaningful comparison without overwhelming evaluation teams. Netify’s platform provides access to 30+ curated vendors, with algorithmic matching to identify the best-fit shortlist based on site count, region and security requirements.

What should a SASE RFP include?

Your site and user profile, mandatory capability requirements, security and compliance evidence, service and SLA terms, commercials, and a published scoring method, all collected from vendors in a comparable structure rather than free-form marketing responses that are difficult to line up against each other.

What evaluation criteria should I use?

Netify's ten-point evaluation checklist covers identity & access, threat prevention, network & connectivity, operations & governance, evaluation & selection, commercial, evidence, compliance mapping, deployment model and exit terms.

How long should a SASE RFP process take?

A structured SASE RFP process typically takes 4-8 weeks from requirements definition to vendor shortlist. The Netify RFP Builder accelerates this by providing pre-built question sets, AI-assisted requirement generation and automated response scoring, reducing the typical timeline to days rather than months.

RFI or RFP first?

Run an RFI first if you're still scoping the market and don't yet know which platforms actually fit your architecture. Go straight to the RFP once requirements are agreed.

How do vendors respond and how is it scored?

Vendors respond inside the platform in a standardised, structured format instead of sending across individual marketing decks that are hard to compare. You then score by feature category, weight the sections that matter most to your organisation, and a ranked shortlist gets generated automatically at the end of it.

Free Sector SASE RFP Templates: Manufacturing, Healthcare & Retail

Three sector-specific SASE RFP templates produced by the Netify research team — covering Manufacturing, Healthcare and Retail. Each template contains expert RFP questions written from both the buyer and supplier perspective, and includes a guide to running your evaluation through the Netify marketplace, giving you access to 30+ curated vendors and managed service providers.

Build Your SASE RFP in Minutes

Select your security requirements using the Netify 20-Pillar SASE Procurement Framework, define access policies, publish to over 30 vetted SASE vendors and managed service providers, then evaluate and rank submissions — all within the Netify platform.

Related Articles from Netify Insights