
How to write an RFP for DDoS protection

Requirements, questions, and evaluation criteria specific to DDoS protection procurement


DDoS protection RFPs require careful planning due to the complex technical landscape and the high cost of failure. A well-structured RFP ensures that the selected vendor can effectively mitigate increasingly sophisticated and high-volume attacks.

What makes DDoS protection RFPs different

DDoS protection RFPs are unique due to the need for specialized technical expertise and a deep understanding of network infrastructure. Unlike many software purchases, DDoS protection directly impacts service availability and can result in immediate and significant financial losses if not properly implemented.

The rapid evolution of attack vectors and mitigation techniques also necessitates a focus on vendor innovation and adaptability.

Furthermore, compliance requirements such as DORA in the EU and SEC regulations in the US add another layer of complexity. Buyers must ensure that the vendor can meet these standards and provide the necessary documentation for audits.

The distributed nature of DDoS attacks also requires vendors to have a global presence and robust network infrastructure, making geographical considerations crucial.

  • Global network capacity and distribution of scrubbing centers
  • Real-time threat intelligence and automated mitigation capabilities
  • Integration with existing security infrastructure (WAF, SIEM, etc.)
  • Compliance with relevant industry regulations (DORA, PCI-DSS)

RFP vs RFI vs RFQ

Here's when to use each document type when procuring DDoS protection software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For DDoS protection, an RFI is useful for initial research to understand different mitigation approaches and vendor capabilities. An RFP is essential for a detailed evaluation of technical specifications, service level agreements, and pricing models. An RFQ is generally not suitable due to the complexity and customization required for effective DDoS protection.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Network Mitigation

  • Volumetric attack mitigation (state maximum Tbps capacity)
  • Protocol attack mitigation (SYN flood, UDP flood, etc.)
  • Application-layer (Layer 7) attack mitigation
  • DNS attack mitigation
  • SSL/TLS attack mitigation

Infrastructure & Architecture

  • Anycast network with geographically distributed scrubbing centers
  • Always-on vs. on-demand mitigation options
  • Redundancy and failover capabilities
  • Support for BGP FlowSpec
  • Integration with CDN (Content Delivery Network)

Detection & Response

  • Real-time traffic monitoring and anomaly detection
  • Automated mitigation and response capabilities
  • Customizable alerting and reporting
  • Integration with SIEM/SOAR platforms
  • Threat intelligence feeds

Reporting & Analytics

  • Real-time attack dashboards
  • Detailed attack reports (volume, duration, vectors)
  • Historical traffic analysis
  • Customizable reporting options
  • Compliance reporting

API Protection

  • API discovery and inventory
  • API behavioral analysis
  • Rate limiting and throttling
  • OWASP API Security Top 10 protection
  • API-specific WAF capabilities

Questions to include in your RFP

Architecture & Deployment

  • Describe your network architecture and the location of your scrubbing centers.
    Ensures sufficient capacity and proximity to mitigate attacks effectively.
  • What deployment models do you support (cloud, on-premise, hybrid)?
    Determines flexibility and integration with existing infrastructure.
  • What is your typical time to mitigation (TTM) for volumetric and application-layer attacks?
    Critical for minimizing downtime during an attack.
  • Describe your redundancy and failover mechanisms.
    Ensures continuous protection even if a scrubbing center fails.

Mitigation Capabilities

  • What types of DDoS attacks can you mitigate (volumetric, protocol, application-layer)?
    Verifies comprehensive protection against various attack vectors.
  • Describe your approach to mitigating "carpet bombing" attacks.
    Tests the vendor's ability to handle distributed attacks.
  • How do you differentiate between legitimate traffic and malicious bot traffic?
    Ensures minimal false positives and disruption to legitimate users.
  • Do you support BGP FlowSpec for surgical filtering?
    Enables precise mitigation without blocking legitimate traffic.

Threat Intelligence

  • Describe your threat intelligence sources and how they are integrated into your mitigation strategies.
    Ensures proactive protection against emerging threats.
  • How often is your threat intelligence database updated?
    Reflects the vendor's commitment to staying ahead of attackers.
  • Do you share threat intelligence with your customers?
    Provides valuable insights for improving overall security posture.

Reporting & Analytics

  • What types of reports and analytics do you provide?
    Enables monitoring, analysis, and optimization of DDoS protection.
  • Can you provide real-time attack dashboards?
    Allows for immediate visibility into ongoing attacks.
  • Are your reports customizable?
    Enables tailoring reports to specific needs and compliance requirements.
  • Do you offer forensic analysis capabilities?
    Helps understand attack patterns and improve future defenses.

Service Level Agreement (SLA)

  • What are your guaranteed uptime and performance metrics?
    Sets expectations for service availability and reliability.
  • What is your process for incident response and escalation?
    Ensures timely and effective support during an attack.
  • What are the penalties for failing to meet the SLA?
    Provides accountability and compensation for service disruptions.
  • Do you offer 24/7 support?
    Ensures access to assistance at any time.

Pricing & Licensing

  • Describe your pricing model and licensing options.
    Clarifies cost structure and potential hidden fees.
  • Do you offer flat-rate pricing or usage-based billing?
    Determines cost predictability during high-volume attacks.
  • Are there any overage charges for exceeding traffic limits?
    Avoids unexpected costs during an attack.
  • What are the costs for professional services (implementation, configuration, optimization)?
    Provides a complete picture of total cost of ownership.

Compliance & Security

  • What compliance certifications do you hold (SOC 2, ISO 27001, PCI-DSS)?
    Verifies adherence to industry security standards.
  • How do you protect customer data and maintain confidentiality?
    Ensures data privacy and security.
  • Do you comply with relevant industry regulations (DORA, GDPR)?
    Ensures compliance with legal requirements.
  • Do you perform regular penetration testing and vulnerability assessments?
    Identifies and addresses potential security weaknesses.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

PCI-DSS

Required if handling payment card data. If applicable, request the current PCI-DSS compliance certificate and Attestation of Compliance (AOC).

SOC 2 Type II

Required for demonstrating operational security and data protection. If applicable, request a SOC 2 Type II report.

ISO 27001

Required for information security management. If applicable, request ISO 27001 certification.

DORA (Digital Operational Resilience Act)

Required for financial entities operating in the EU. If applicable, request documentation demonstrating compliance with DORA requirements, including incident response and testing procedures.

Evaluation criteria

Here is the suggested weighting for DDoS protection RFPs.

  • Mitigation Effectiveness (25%): Ability to effectively mitigate various types of DDoS attacks (volumetric, protocol, application-layer).
  • Network Capacity & Architecture (20%): Global network capacity, distribution of scrubbing centers, and redundancy.
  • Threat Intelligence & Automation (15%): Quality of threat intelligence feeds and automation capabilities.
  • Reporting & Analytics (10%): Comprehensive reporting, real-time dashboards, and forensic analysis capabilities.
  • Service Level Agreement (SLA) (10%): Guaranteed uptime, performance metrics, and support response times.
  • Total Cost of Ownership (TCO) (10%): Implementation, licensing, and ongoing operational costs.
  • Vendor Reputation & Stability (10%): Vendor's market position, financial stability, and customer references.

Adjust these weights to match your priorities. For example, increase the Total Cost of Ownership weight if budget is a primary concern.
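The following Python script is an added worked example, not part of the original article: it applies the suggested weighting above, lets an evaluator override individual weights (for instance raising Total Cost of Ownership when budget dominates) while scaling the remaining criteria so the table still totals 100%, and ranks the responses. The vendor names and their 0-5 scores are constructed for illustration; the `adjust_weights`, `score_vendor` and `rank_vendors` functions are assumptions of this example, not any tool's API.

```python
"""Weighted scoring for DDoS protection RFP responses.

Added example: the criteria and percentages are the suggested weighting from
the article; vendor names and their 0-5 scores are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Suggested weighting from the article, in percent (must total 100).
SUGGESTED_WEIGHTS: Dict[str, float] = {
    "Mitigation Effectiveness": 25,
    "Network Capacity & Architecture": 20,
    "Threat Intelligence & Automation": 15,
    "Reporting & Analytics": 10,
    "Service Level Agreement (SLA)": 10,
    "Total Cost of Ownership (TCO)": 10,
    "Vendor Reputation & Stability": 10,
}

# Constructed evaluator scores (0 = no answer, 1 = weak, 5 = excellent).
VENDOR_SCORES: Dict[str, Dict[str, float]] = {
    "Vendor A": {
        "Mitigation Effectiveness": 5,
        "Network Capacity & Architecture": 4,
        "Threat Intelligence & Automation": 4,
        "Reporting & Analytics": 3,
        "Service Level Agreement (SLA)": 4,
        "Total Cost of Ownership (TCO)": 2,
        "Vendor Reputation & Stability": 4,
    },
    "Vendor B": {
        "Mitigation Effectiveness": 4,
        "Network Capacity & Architecture": 3,
        "Threat Intelligence & Automation": 3,
        "Reporting & Analytics": 4,
        "Service Level Agreement (SLA)": 4,
        "Total Cost of Ownership (TCO)": 5,
        "Vendor Reputation & Stability": 3,
    },
}


def adjust_weights(weights: Dict[str, float], overrides: Dict[str, float]) -> Dict[str, float]:
    """Override the weight of selected criteria and scale the remaining
    criteria proportionally so the table still totals 100."""
    unknown = set(overrides) - set(weights)
    if unknown:
        raise KeyError(f"unknown criteria: {sorted(unknown)}")
    fixed_total = float(sum(overrides.values()))
    if not 0 <= fixed_total <= 100:
        raise ValueError("overridden weights must total between 0 and 100")
    remaining_old = sum(w for k, w in weights.items() if k not in overrides)
    remaining_new = 100 - fixed_total
    adjusted: Dict[str, float] = {}
    for name, weight in weights.items():
        if name in overrides:
            adjusted[name] = float(overrides[name])
        elif remaining_old == 0:
            adjusted[name] = 0.0
        else:
            adjusted[name] = weight * remaining_new / remaining_old
    return adjusted


def score_vendor(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average on the same 0-5 scale as the individual scores.
    Refuses to score a response that is missing a criterion or whose weight
    table does not total 100, so incomplete responses are caught rather
    than silently favoured."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"vendor not scored on: {sorted(missing)}")
    if abs(sum(weights.values()) - 100) > 1e-6:
        raise ValueError("weights must total 100")
    for name in weights:
        if not 0 <= scores[name] <= 5:
            raise ValueError(f"score for {name!r} must be between 0 and 5")
    return sum(scores[name] * weight for name, weight in weights.items()) / 100


def rank_vendors(vendor_scores: Dict[str, Dict[str, float]],
                 weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Vendors ordered from highest to lowest weighted score."""
    ranked = [(name, score_vendor(scores, weights)) for name, scores in vendor_scores.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("Suggested weighting:", rank_vendors(VENDOR_SCORES, SUGGESTED_WEIGHTS))
    budget_focused = adjust_weights(SUGGESTED_WEIGHTS, {"Total Cost of Ownership (TCO)": 25})
    print("Budget-focused weighting:", rank_vendors(VENDOR_SCORES, budget_focused))
```

With the constructed scores, Vendor A leads under the suggested weighting (3.95 against 3.65) but drops behind Vendor B (3.625 against 3.875) once TCO is raised to 25%, which is exactly the kind of sensitivity an evaluation panel should see before committing to a weight table.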

Red flags to watch

  • Manual Diversion Only

    Indicates an inability to protect against modern short-duration burst attacks.

  • Blackhole-First Strategy

    Effectively takes the service offline, achieving the attacker's objective.

  • Opaque "Attack Overage" Fees

    Signifies unpredictable pricing and potential for bill shock.

  • Weak API/IoT Expertise

    Leaves a growing digital footprint exposed to attacks.

  • Lack of Forensic Reporting

    Prevents regulatory compliance and improvement of defenses.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Time to Mitigation (TTM)

Indicates the speed at which the vendor can respond to and mitigate an attack.

False Positive Rate

Measures the accuracy of the mitigation and the potential for blocking legitimate traffic.

Mitigation Capacity (Tbps)

Reflects the vendor's ability to handle large-scale volumetric attacks.

Number of Scrubbing Centers

Indicates the global reach and redundancy of the vendor's network.

Customer Satisfaction Score

Provides insight into the vendor's overall service quality and customer support.
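Vendors will usually supply these metrics as single headline numbers. The script below is an added example, not part of the original article, showing how an evaluator can recompute Time to Mitigation and False Positive Rate consistently from per-event data and compare them with the thresholds written into the RFP. The event records, their field names, the thresholds and the definition of false positive rate (share of blocked traffic later confirmed legitimate) are all constructed assumptions of this example and do not describe any vendor's reporting format.

```python
"""Checking vendor-supplied DDoS benchmark data against RFP thresholds.

Added example: the event records, field names and thresholds below are
constructed for illustration and are not any vendor's export format.
"""
import math
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List

# Constructed per-event records as a vendor might supply them in an RFP
# response: when the attack was detected, when mitigation was in effect,
# total blocked requests and how many were later confirmed legitimate.
BENCHMARK_EVENTS: List[Dict] = [
    {"event": "evt-1", "detected_at": "2024-03-01T10:00:00Z", "mitigated_at": "2024-03-01T10:00:25Z",
     "blocked_total": 1_000_000, "blocked_legitimate": 500},
    {"event": "evt-2", "detected_at": "2024-03-04T02:15:00Z", "mitigated_at": "2024-03-04T02:15:40Z",
     "blocked_total": 2_000_000, "blocked_legitimate": 1_000},
    {"event": "evt-3", "detected_at": "2024-03-09T18:30:00Z", "mitigated_at": "2024-03-09T18:30:15Z",
     "blocked_total": 500_000, "blocked_legitimate": 100},
    {"event": "evt-4", "detected_at": "2024-03-12T11:05:00Z", "mitigated_at": "2024-03-12T11:06:30Z",
     "blocked_total": 4_000_000, "blocked_legitimate": 2_400},
    {"event": "evt-5", "detected_at": "2024-03-20T07:45:00Z", "mitigated_at": "2024-03-20T07:45:30Z",
     "blocked_total": 1_500_000, "blocked_legitimate": 600},
]

# Constructed RFP thresholds: 95th-percentile time to mitigation in seconds
# and the maximum acceptable share of blocked traffic that was legitimate.
THRESHOLDS = {"ttm_p95_seconds": 60.0, "max_false_positive_rate": 0.001}


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_to_mitigation(event: Dict) -> float:
    """Seconds from detection to effective mitigation for one event."""
    ttm = (parse_utc(event["mitigated_at"]) - parse_utc(event["detected_at"])).total_seconds()
    if ttm < 0:
        raise ValueError(f"{event['event']}: mitigation timestamp precedes detection")
    return ttm


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile. TTM is best judged at a high percentile:
    an average lets a few fast mitigations hide one slow one."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def false_positive_rate(events: List[Dict]) -> float:
    """Share of blocked traffic later confirmed legitimate (one common
    definition, assumed here; the RFP should state the definition it expects)."""
    blocked = sum(e["blocked_total"] for e in events)
    legitimate = sum(e["blocked_legitimate"] for e in events)
    if legitimate > blocked:
        raise ValueError("legitimate count exceeds blocked total")
    return legitimate / blocked if blocked else 0.0


def evaluate(events: List[Dict], thresholds: Dict[str, float]) -> Dict[str, float]:
    """Recompute the headline metrics and flag whether each meets the RFP threshold."""
    ttms = [time_to_mitigation(e) for e in events]
    fpr = false_positive_rate(events)
    p95 = percentile(ttms, 95)
    return {
        "ttm_median_seconds": median(ttms),
        "ttm_p95_seconds": p95,
        "false_positive_rate": fpr,
        "ttm_within_threshold": p95 <= thresholds["ttm_p95_seconds"],
        "fpr_within_threshold": fpr <= thresholds["max_false_positive_rate"],
    }


if __name__ == "__main__":
    for key, value in evaluate(BENCHMARK_EVENTS, THRESHOLDS).items():
        print(f"{key}: {value}")
```

On the constructed data the median TTM is 30 seconds, which looks comfortably inside a 60-second requirement, but the 95th percentile is 90 seconds because of one slow event, so the TTM check fails while the false positive rate (about 0.05%) passes. Asking for per-event data rather than a single average is what makes this distinction visible.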