MSSP RFP Template 2026: 47 Questions, Scoring Rubric, Sample
The MSSP / MDR / SOCaaS procurement template the security industry does not give you for free. 47 questions across 7 categories, weighted scoring rubric, and how to actually evaluate vendor responses.
How to use this template
- Copy the 47 questions into your RFP document. Assign each its weight (totals to 100 percent).
- Send to 4-6 shortlisted vendors. Allow 4-6 weeks for response (this is a real RFP, not a price-shopping exercise).
- Score each response on a 1-5 scale per question. Multiply by the question's weight in percentage points (a 5 on a 5% question contributes 25) and sum the results; the maximum total is 500.
- Use the contract checklist (25 clauses) to convert the winning RFP response into negotiated contract terms.
- Validate the top-2 scored responses with reference customer calls and a live SOC analyst workbench demo.
1. SLA and performance
Weight: 20%
- What is your committed mean time to detect (MTTD) SLA for P1 / P2 / P3 incidents, and how is it measured and reported? [5%]
- What is your committed mean time to contain (MTTC) SLA for P1 / P2 / P3 incidents? Does MTTC mean 'containment started' or 'containment complete'? [5%]
- What is your platform uptime guarantee, and how are maintenance windows excluded from the SLA calculation? [3%]
- What false-positive rate do you commit to, and is detection tuning included in the base contract? [4%]
- What financial penalty applies if SLA targets are missed in a quarter? Provide the last four quarters' SLA attainment evidence. [3%]
2. Scope and coverage
Weight: 15%
- What coverage hours are committed (8x5 / 16x5 / 24x7), including the holiday coverage policy? [4%]
- Enumerate the named platforms you support (our SIEM, EDR, cloud providers). Provide certification or training evidence per platform. [4%]
- What is your process for adding new asset types (SaaS apps, new cloud accounts) to monitoring scope mid-contract? [3%]
- Provide your escalation contact matrix and response time commitments per severity. [4%]
3. Data handling and residency
Weight: 15%
- Where is our log data physically stored (named data centers, regions)? [4%]
- What is your hot and cold log retention policy, and is it included in the base contract? [3%]
- Provide your data portability commitments: format (CEF, JSON, OCSF), volume limits, time to deliver, cost. [4%]
- What is your data deletion timeline and certification process at contract end? [2%]
- Confirm compliance certifications: SOC 2 Type 2, ISO 27001, FedRAMP if required. [2%]
4. Incident response
Weight: 15%
- What containment actions are pre-authorised per severity (isolate host, block IP, disable account)? [4%]
- How many breach response hours are included annually, and at what hourly rate for overages? [4%]
- Describe your digital forensics capability: in-house, named partner, or third-party. What is the SLA for initiating evidence preservation? [3%]
- What is your post-incident review process and timeline for P1 / P2 events? [2%]
- Provide a real (anonymised) breach response timeline from one of your customers in the last 12 months. [2%]
5. Reporting and transparency
Weight: 10%
- What operational reports are provided monthly, and what data do they include (MTTD, MTTC, alert volume, false-positive trends)? [3%]
- What executive / board-ready reports are provided quarterly? [2%]
- Can we get read-only direct access to your SOC analyst workbench (case management, triage queue)? [3%]
- What custom reporting can you build aligned to our compliance frameworks (PCI DSS, SOC 2, HIPAA, ISO 27001)? [2%]
6. Team and operating model
Weight: 10%
- What is your SOC analyst tier structure, and which tier handles initial triage of our alerts? [3%]
- What is your SOC analyst annual turnover rate, and how do you handle continuity during turnover? [3%]
- Where are your SOC analysts physically located (US / EMEA / APAC / offshore)? [2%]
- What certifications do your analysts hold (CompTIA Security+, GCIA, GCIH, OSCP, CISSP)? [2%]
7. Commercial terms
Weight: 15%
- Provide your pricing model (per-device, per-user, per-endpoint, flat-rate, outcome-based) with an itemised rate card. [5%]
- What is the minimum contract term, and what are the termination provisions, including for-cause termination? [3%]
- What annual price escalator applies, and is it capped? [2%]
- What onboarding fees apply, and over what period are they amortised? [2%]
- Provide three reference customer contacts of similar size and industry. [3%]
Scoring rubric
| Score | Meaning | When to assign |
|---|---|---|
| 5 | Exceeds expectation | Vendor answers with specifics, evidence (named SLAs, case studies, named certifications), and commits financially to the answer (penalty clauses, money-back guarantees). |
| 4 | Meets expectation | Vendor answers with specifics and commits to the answer, but without financial backing or money-back guarantees. |
| 3 | Partial answer | Vendor answers in general terms or with caveats ('we typically...', 'in most cases...'); commits only to best effort. |
| 2 | Below expectation | Vendor answers vaguely or deflects to 'discuss in scoping call'; no commitment in the response. |
| 1 | Non-response | Vendor does not answer the question or answers a different question entirely. |
Because the weights total 100 points and each question scores 1-5, the weighted total can range from 100 to 500; in practice responses land between 200 and 450. Anything under 350 is a red flag; anything over 420 is exceptional and worth deep reference checking. Check the category subtotals as well as the total: a strong commercial or reporting score can mask a weak incident response category.
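The scoring arithmetic above, as an added worked example (not part of the original template): the question weights are the ones listed in the seven categories, in template order, and the 350 / 420 bands are the rubric's. The vendor names and their scores are constructed, and the 60 percent per-category floor used to flag weak categories is an assumption of this example, not a threshold the template sets.

```python
"""Weighted scoring sheet for the RFP template above.

Added example with constructed vendor scores; it is not part of the
original template. Question weights are the ones listed in the seven
categories, in the order they appear.
"""

# Weight per question, in percentage points, per category and in template order.
# They must sum to 100 so that a perfect response scores 5 * 100 = 500.
TEMPLATE_WEIGHTS = {
    "SLA and performance":         [5, 5, 3, 4, 3],
    "Scope and coverage":          [4, 4, 3, 4],
    "Data handling and residency": [4, 3, 4, 2, 2],
    "Incident response":           [4, 4, 3, 2, 2],
    "Reporting and transparency":  [3, 2, 3, 2],
    "Team and operating model":    [3, 3, 2, 2],
    "Commercial terms":            [5, 3, 2, 2, 3],
}

RED_FLAG_BELOW = 350      # rubric: anything under 350 is a red flag
EXCEPTIONAL_ABOVE = 420   # rubric: anything over 420 is exceptional
CATEGORY_FLOOR = 0.6      # assumption: flag a category scoring under 60% of its maximum


def validate_weights(weights=TEMPLATE_WEIGHTS):
    """Return the weight total; raise if the sheet does not add up to 100."""
    total = sum(sum(ws) for ws in weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def score_vendor(scores, weights=TEMPLATE_WEIGHTS):
    """Weighted total (max 500) and per-category subtotals for one response.

    scores maps each category to a list of 1-5 scores, one per question,
    in template order.
    """
    validate_weights(weights)
    subtotals = {}
    for category, ws in weights.items():
        ss = scores.get(category)
        if ss is None or len(ss) != len(ws):
            raise ValueError(f"{category}: expected {len(ws)} scores")
        if any(not 1 <= s <= 5 for s in ss):
            raise ValueError(f"{category}: every score must be 1-5")
        subtotals[category] = sum(s * w for s, w in zip(ss, ws))
    return sum(subtotals.values()), subtotals


def classify(total):
    """Map a weighted total to the rubric's bands."""
    if total < RED_FLAG_BELOW:
        return "red flag"
    if total > EXCEPTIONAL_ABOVE:
        return "exceptional"
    return "acceptable"


def weak_categories(subtotals, weights=TEMPLATE_WEIGHTS, floor=CATEGORY_FLOOR):
    """Categories scoring below `floor` of their maximum; a strong total can hide one."""
    return [cat for cat, sub in subtotals.items()
            if sub < floor * 5 * sum(weights[cat])]


def rank_vendors(responses):
    """Rows of (vendor, total, band, weak categories), best total first."""
    ranked = []
    for vendor, scores in responses.items():
        total, subtotals = score_vendor(scores)
        ranked.append((vendor, total, classify(total), weak_categories(subtotals)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def uniform_scores(value, weights=TEMPLATE_WEIGHTS):
    """Constructed helper: the same score on every question."""
    return {cat: [value] * len(ws) for cat, ws in weights.items()}


# Constructed sample responses; the vendor names and scores are invented.
SAMPLE_RESPONSES = {
    "Vendor A": uniform_scores(4),   # specific commitments, no financial backing: 400
    "Vendor B": uniform_scores(3),   # best-effort language everywhere: 300
    "Vendor C": {                    # specifics plus penalty clauses on most answers: 427
        "SLA and performance":         [5, 5, 4, 4, 5],
        "Scope and coverage":          [4, 5, 4, 4],
        "Data handling and residency": [5, 4, 5, 4, 5],
        "Incident response":           [4, 4, 5, 4, 3],
        "Reporting and transparency":  [4, 4, 3, 4],
        "Team and operating model":    [4, 3, 4, 4],
        "Commercial terms":            [4, 4, 5, 4, 5],
    },
}

if __name__ == "__main__":
    for vendor, total, band, weak in rank_vendors(SAMPLE_RESPONSES):
        print(f"{vendor}: {total}/500 ({band}); weak categories: {weak or 'none'}")
```

Running it ranks Vendor C (427, exceptional) over Vendor A (400) and Vendor B (300, red flag). The weight validation matters when the template is adapted: if you add or drop questions, the sheet refuses to score until the weights again total 100, so the 350 and 420 bands keep their meaning.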
Common RFP failure patterns
Pricing-first RFP
Asking for price before asking for SLA, coverage scope, and incident response capability. You get a low price quote that excludes critical work, then renegotiate on the back foot. Always score on operational fit first; pricing comes in commercial terms as 15 percent of total weight.
Missing reference customer requirement
Not requiring three reference customer contacts of similar size and industry. The reference call is where you learn the vendor's actual MTTD attainment, real handover quality during analyst turnover, and how they behave during a P1 incident at 3 AM. Skipping references means buying on the brochure.
Vague containment authority language
Allowing 'we will recommend containment actions' without specifying which actions are pre-authorised on customer pre-agreement. At 3 AM during a ransomware event, 'recommend' means 'wait for approval' means 'lateral movement continues'. Pre-authorise specific actions per severity.
No data portability commitment
Not requiring a named export format (CEF / JSON / OCSF), volume cap, and delivery SLA at contract end. You learn during exit that data export costs $50K and takes 6 months. Negotiate exit terms before signing, not after.
Single-vendor procurement
Inviting one vendor to RFP because 'they came recommended' or 'our consultant uses them'. A single-vendor RFP surfaces no comparable benchmarks and weakens your negotiating position. Invite at least three vendors (four to six is the usual shortlist); beyond six, evaluation becomes operationally heavy.
Ignoring SOC analyst turnover rate
Not asking the analyst-turnover question. Industry average is 20-30 percent annual SOC analyst turnover, which means the senior analyst assigned to your account at month 6 will likely not be there at month 18. Ask about continuity model, knowledge-management practices, and named-shift consistency.
Related cost references
This template is offered as a free reference resource for SOC procurement teams. No vendor lock-in, no email gate, no affiliate links. Adapt freely to your organisation's procurement standards. SecurityOperationsCost.com has no commercial relationship with any MSSP, MDR, or SOC-as-a-Service vendor.