SASE RFP Questions: Free Download + Customisation Guide

To assist with procurement, this article provides 87 vendor-neutral questions across 12 different categories, all of which are based on real SASE deployments.

The Netify RFP Question Bank

One of the key issues when evaluating SASE is the complexity of considering one single platform that can handle everything from SD-WAN routing to Zero Trust access controls, all delivered from the cloud.  

When procuring SASE, we’ve found that RFP templates often focus on individual on-premises hardware deployments and don’t capture your SASE requirements. For example, you could end up comparing firewall throughput specifications instead of assessing security service integrations. There’s also often little on PoP density, cloud-native architecture or identity-driven access policies - traditional RFP templates don't cover these aspects because they were written for on-premises hardware deployments, and this disconnect leads to poor vendor selection.

To assist with this, this article provides the Netify SASE RFP question set - including the PDF download for our 87 vendor-neutral questions across 12 different categories, all of which are based on real SASE deployments. More importantly, this article will show you how to adapt these questions for your specific requirements and which ones actually matter for different deployment scenarios.

💡
New to Netify? The questions come directly from Netify's SASE RFP Builder, which wraps these same questions in a guided platform with AI assistance to make RFP creation an easy process that can be filled out in minutes.


Why SASE RFPs Require Different Questions

Your RFP needs to ask about these integrated capabilities rather than treating them as separate functions. Questions must evaluate how components work together - whether security and networking share policies, operate on common infrastructure or whether they're just separate products bundled together under one brand name.

SASE also relies heavily on identity as the new security perimeter. Your RFP should focus on identity provider integration, user and device context and policy enforcement based on that context - not just IP addresses and VLAN assignments. 


The Netify RFP Question Set

Below, we’ve detailed why each of these question sections matters and why you should include it.

Company & Service Model (7 questions)

These questions establish whether you're dealing with a credible, stable vendor who can deliver to your business’s needs. By asking these questions, you're verifying operational scale (not just marketing claims), understanding exactly who's accountable when things go wrong and confirming they can support your industry's specific requirements. For multinational organisations, this section can help to establish whether a vendor truly has global capabilities or just a few regional partnerships.

Network Footprint & Architecture (5 questions)

Our Network Footprint & Architecture questions are designed to reveal whether a vendor has PoPs close enough to your locations to deliver acceptable latency, whether their backbone can handle your traffic reliably and how they actually intend to connect your sites.

SLAs & Change Management (6 questions)

It’s now commonplace to see the words "99.9% uptime" displayed as a commitment by even the smaller vendors, but without exact measurements to back them up, it’s difficult for buyers to determine what’s a meaningful uptime commitment and what isn’t. This set of questions forces vendors to be specific about performance guarantees for the traffic paths and applications you actually use. On top of this, the change management questions tell you how long configuration changes take, what the approval process looks like and whether emergency changes will disrupt your business. For example, is there also a service credit structure to highlight how confident vendors are in their performance?

NOC, Support & Tooling (6 questions)

If you're relying on vendor-managed or co-managed services, it’s important to know the level of support you’ll be receiving. Given how much this can vary from provider to provider, understanding how quickly you can escalate to senior engineers during critical incidents and whether their management tools actually integrate with your existing infrastructure can be extremely important in differentiating them. And with regards to tooling, whilst SASE dashboards are very intuitive, they offer no programmatic access, making them impossible to integrate into DevOps workflows. Through these questions you can ask about this access and gain a better understanding of whether each SASE solution fits with your toolset.

To download our RFP Builder Questions Bank follow the link below to sign up for the Netify SASE & SD-WAN RFP builder.

Sign up and Download

SD-WAN Capabilities (10 questions)

As with any SASE solution, half of it will be the SD-WAN networking capabilities, so it should go without saying that this is an important section. To determine whether the vendor's implementation can actually handle your specific requirements, you’ll want this section to evaluate application-aware routing for your critical apps and performance optimisation/load balancing under realistic conditions. The underlay independence questions reveal whether you're locked into the vendor's connectivity or can use your own circuits, and the configuration management questions determine whether you can scale this architecture across hundreds of sites or whether each deployment becomes a custom project.

SASE / Network Cybersecurity (16 questions)

And following on from the SD-WAN section comes the other half of the offering, the SASE and network security. These questions systematically evaluate every security service the vendor claims to provide, from web filtering to Zero Trust access. More importantly, they assess whether these services are truly integrated or just separate products bundled together – for example checking if identity-driven security is used or if it’s just bolting these capabilities onto legacy firewall rules.

Cloud & Edge Integration (5 questions)

We don’t need to tell you about Cloud’s importance, with the vast majority of businesses now leveraging cloud and SaaS applications to do their daily work. These questions assess whether vendors have direct connectivity to the cloud platforms and regions you actually use. For organisations running significant cloud workloads, the quality of these integrations directly impacts application performance and cloud costs.

Analytics, Reporting & Visibility (5 questions)

Through our analytics, reporting and visibility questions, you’ll be able to ask whether you'll have the data you need to troubleshoot issues, optimise performance and demonstrate compliance. For example, some vendors lock data into their own dashboards whilst others provide full API access, so these questions are worthwhile if you’re interested in leveraging your existing SIEM or observability platforms.

Compliance, Data Residency & Assurance (7 questions)

For regulated industries or organisations with data sovereignty requirements, this section is arguably one of the most important. These questions verify that vendors hold the certifications they claim (with current evidence, not expired certificates), understand where your data is actually processed and stored, and can provide the audit evidence you need for compliance. The data residency questions are particularly important for GDPR compliance - some vendors process all traffic through US-based PoPs regardless of where you're located.

Commercials, Contract Terms & Pricing (10 questions)

Like-for-like vendor comparisons can be difficult because different vendors price their solutions on different variables and metrics. These questions are designed so that vendors break down costs - not just license fees but implementation costs, change fees, professional services and hardware charges - which helps to make the overall cost more transparent and comparable. Following on from this, it’s worth knowing whether you're locked in for three years or can scale services up and down with ease, so we’ve added questions for this and for whether there are any price indexing and benchmarking clauses to protect you from being overcharged relative to other customers.

Customer Evidence & Outcomes (5 questions)

We’d always recommend Proof of Concept demonstrations, but whilst you’re still in the early stages of comparing vendors, references and case studies can be particularly valuable. These questions request proof from customers similar to you - not just any reference but organisations with comparable size, industry and requirements. The before/after metrics questions are designed to ask whether vendors can actually demonstrate the improvements they promise or just provide vague testimonials. They also look for satisfaction metrics (such as churn rates) to indicate whether customers are genuinely happy or just trapped in long-term contracts.

Implementation, Migration & Governance (5 questions)

When implementing something as large-scale as SASE, the last thing you’d want is a botched deployment. These questions establish whether vendors have proven deployment methods, realistic timelines and proper knowledge transfer/training processes. On top of this, decommissioning questions often get overlooked but matter significantly for MPLS migrations, where you need to avoid paying for both old and new infrastructure simultaneously.


How to Customise for Your Project

Here at Netify, we understand the importance of tailoring to your business' specific needs. To customise your RFP, we'd recommend the following tips.

For All Projects

Start with the Company & Service Model questions - these establish vendor credibility regardless of your specific requirements. If you're in a regulated industry, you can add custom questions about relevant certifications and ask for customer references from your sector. If you're multinational, be explicit about which countries you need capabilities in.

For SLAs & Change Management, be specific about metrics that matter for your applications. If you're running VoIP, jitter and packet loss matter more than raw bandwidth - rather than accepting generic 99.9% uptime statements, ask for SLAs specific to the traffic paths you actually use.

SD-WAN-First Approach

If you're primarily focusing on SD-WAN first but like the idea of the added security from SASE, prioritise the SD-WAN Capabilities and Network Footprint sections - focusing questions on network performance and application-aware routing, areas in which SD-WAN offers significant benefits. Then, in security sections, acknowledge interest in the vendor's security roadmap, how security services can be enabled later without rearchitecting the network and request references from customers who took a similar approach.

SSE-First Approach

Alternatively, if you're more focused on security services than SD-WAN capabilities, utilise the SASE / Network Cybersecurity section. Emphasise which SASE security services are of highest importance (ZTNA, CASB, SWG, NGFW) and how these or any existing security services integrate with your current WAN.

Greenfield Deployment

Without legacy constraints, it's arguably even easier to deploy SASE (think of this like starting with a clean slate). Focus on really tailoring to your needs, such as cloud-native design, PoP coverage and the full security stack. We'd also recommend asking about identity-driven models and Zero Trust architecture since you can implement these properly from the start - these tend to be much more difficult once systems are already more rigidly in place.

Key Customisation Tips

Just as the quality of vendor offerings differs, so does the quality of questions. To best get the answers you need, follow these tips on writing your own custom questions.

Be Specific Where It Matters

Generic questions get generic answers. When you ask about "cloud connectivity", vendors will more than likely tell you they support all major clouds. However, if you ask about "AWS connectivity to eu-west-2 with Direct Connect and typical latency measurements", you're more likely to get actionable information.

If you're unsure how to go into more detail, start by listing your specific office locations and ask vendors to confirm PoP locations with typical latency measurements for each. For cloud questions, list the specific platforms and regions you use - this could be for SaaS, PaaS or IaaS services. Finally, for security questions, name your specific regulatory obligations (GDPR, PCI-DSS, specific standards) rather than asking generically about compliance, and ask how the way you're currently handling these will translate to a SASE solution.

Remove What Doesn't Apply

Don't ask about capabilities you're certain you don't need just because they're in the question set. It's more important to focus on what will actually influence your decision, as these will be your success criteria when you get your vendor responses.

Structure Your RFP Clearly

Organise any custom questions into the associated sections so that vendors can respond to them systematically. If you're asking a complex or unique question, provide context for it. Rather than going back and forth in a Q&A after publishing, it can save you time and add clarity if you add a brief paragraph explaining what you're assessing - this helps vendors understand your needs and can often garner better responses.

Next Steps

Download the SASE RFP question set and start creating your custom question set for your business. Remember to remove sets of questions that don't apply and add custom sections for organisation-specific questions where needed.


Remember to involve network, security, cloud and application teams during customisation rather than after issuing the RFP - this collaborative approach ensures you don't overlook critical requirements for vendor selection.

💡
If you need any further assistance, our consultancy services can help you build out your question set.