Cyber Procurement Advisory · The Independent Buyer

I know how vendors build their proposals.
Because I’ve built them.

I’ve run complex security procurements from both sides of the table — as the organisation tendering, and as the vendor responding. I know exactly how proposals are constructed to obscure costs, where scope creep is buried in contract terms, and which concessions vendors will make if you know where to push.

That combination — deep architecture knowledge, procurement experience, and no vendor relationships — is rare. Most advisors have one. Few have all three.

Track record

Paid for itself — many times over.

On a security procurement engagement with a major Australian health insurer, savings identified during the advisory process exceeded the advisory fee by a significant multiple. The engagement also completed ahead of schedule. Speed and rigour are not in tension when you know what you’re looking for.

The Problem

Security procurement goes wrong in predictable ways. Most buyers don’t see it coming.

The vendor writing the proposal has done it hundreds of times. The organisation responding to it does it once every three to five years. That asymmetry is structural — and vendors price it in.

Hidden costs surface post-contract

Professional services, training, integration, and migration costs that were deliberately scoped out of the headline number. By the time they appear, the vendor is already selected and the budget conversation has to go back to the board.

RFPs that favour the incumbent or loudest vendor

Requirements written without knowledge of how vendors will respond produce documentation that can be gamed. Evaluation criteria that sound rigorous but aren’t structured to surface real differentiation reward the best proposal writer, not the best product.

Overprovisioned tiers and shelfware from day one

Vendors default to proposing more than you need — higher tiers, broader licences, additional modules. Without independent architecture review, organisations routinely purchase capabilities they won’t use for years, if ever.

Contract terms that lock you in and limit your exit

Auto-renewal clauses, data portability restrictions, SLA carve-outs, and price escalation provisions are standard in enterprise software contracts. They look like boilerplate. They’re not — they’re negotiating positions that most legal teams lack the domain expertise to challenge.

Cybersecurity procurement specifically

The cybersecurity market is uniquely difficult to buy in. Hundreds of vendors compete across overlapping categories, capabilities are advancing faster than procurement cycles, and the marketing language is deliberately designed to make differentiation hard.

Getting it wrong doesn’t just blow the budget — it can leave you exposed in exactly the areas the investment was meant to address, while the capital that should have gone elsewhere is locked into a contract that underdelivers. And because security spend is increasingly visible at board level, a procurement that misses the mark isn’t just an operational problem. It’s a governance one.

What makes this different

Three things that matter. Most advisors have one.

Both sides

I’ve built the proposals you’re evaluating

Having responded to enterprise tenders on behalf of vendors, I understand the commercial logic behind how proposals are structured — where the margin is hidden, which terms are genuine constraints and which are opening positions, and what the vendor’s walk-away looks like. That knowledge doesn’t exist in a textbook. It comes from having sat in the room on the other side.

Architecture

Technical depth — not just commercial oversight

Most procurement advisors are commercial specialists. They can negotiate price but can’t assess whether the architecture is right, whether the integration assumptions are sound, or whether the proposed solution will deliver what the vendor says it will. The combination of procurement experience and security architecture depth is rare — and it’s the combination that catches hidden costs before they become board conversations.

Independent

No vendor relationships — structurally, not just in policy

Resellers earn margin on the deal. SIs have preferred vendor agreements. Large consultancies have enterprise licensing arrangements with the same vendors they recommend. Vyfority has none of these. The fee is paid entirely by the client. That’s not a policy — it’s a structural arrangement that makes genuinely unconflicted advice possible.

The Engagement

Phase-based — engage the full cycle or specific phases only.

Every phase is scoped and priced in writing before it commences. No variation without written agreement. Phases can be engaged independently or as a full-cycle mandate.

Small (S): procurement under $500K
~$15K full cycle, indicative

Medium (M), most common: $500K–$2M procurement
~$31K full cycle, indicative

Large (L): $2M+ procurement
~$55K full cycle, indicative

All fees are indicative and scoped per engagement. Phases can be engaged independently — full-cycle figures assume all five phases.

01

Market Analysis

Market scanning and vendor identification (Optional)

Scanning the market for potential vendors and products that align with your specific architectural requirements. Produces a vendor-neutral market comparison brief to ensure you are evaluating the right field before issuing an RFP.

Medium tier estimate: ~$2K, scaled to scope

02

RFQ/RFP Design

Requirements definition and market approach

Procurement documentation designed by someone who knows how vendors will respond to it. Evaluation criteria that can’t be gamed, requirements structured to expose the costs vendors prefer to hide, and a competitive process that produces genuine price discovery. Includes issue management and vendor Q&A handling.

Medium tier estimate: ~$10K, scaled to scope

03

Vendor Evaluation

Response assessment, scoring, and shortlist

Independent technical and commercial evaluation of all vendor responses. Scoring is documented and defensible. Shortlist rationale withstands internal and external scrutiny. Includes vendor briefing sessions and clarification management.

Medium tier estimate: ~$8K, scaled to scope

04

Negotiation Support

Commercial negotiation and terms optimisation

Vendors negotiate enterprise security contracts every day. Most buyers do it once every three to five years. I bring benchmark pricing, knowledge of which terms are genuine constraints and which are opening positions, and the specific pressure points that produce movement. The advisory fee typically pays for itself in the first commercial concession.

Medium tier estimate: ~$7K, scaled to scope

05

Contract Review

Final terms review and execution support

Commercial and technical review of final contract terms before execution — not legal review, but the domain-specific review that legal teams can’t do. Auto-renewal clauses, data portability restrictions, SLA carve-outs, price escalation provisions, and exit constraints. The terms that look like boilerplate but aren’t.

Medium tier estimate: ~$4K, scaled to scope

Full-cycle mandate

For procurements above $2M total contract value, a full-cycle mandate is scoped as a single engagement with a fixed ceiling. Contact us to scope — full-cycle engagements typically complete significantly faster than organisations expect when the process is run with precision from day one.

Who engages Vyfority

Large enterprises where the cost of getting it wrong is greater than the cost of independent advice.

CFO

Board mandate to reduce security spend without compromising posture

You need someone who can look at a $5M renewal and tell you which $1.5M is negotiable — with no interest in the outcome other than yours.

CPO

Upcoming renewal or greenfield procurement at scale

Security procurement is technically complex in ways general procurement expertise doesn’t cover. RFP design that doesn’t anticipate vendor tactics produces outcomes that favour the vendor.

CISO

Need a defensible, documented process for internal governance

An independent advisor creates an audit trail that demonstrates rigour and protects the CISO when vendor selection decisions are scrutinised internally or externally.

Board

Previous procurement delivered less than was promised

If the last procurement required a return to the board for additional funding, the problem wasn’t the technology — it was how the procurement was structured. That problem is fixable before the next one starts.

Free Reference Guide

The Vendor Proposal Decoder

16 tactics vendors use in enterprise security proposals — and exactly how to counter them. A working reference to keep open next to your next vendor proposal. Share with procurement, finance, and legal before any contract is signed.

Cost Concealment Preview — 3 of 16 tactics shown

HIGH: Professional services excluded from headline
Tactic: Implementation, migration, and configuration quoted separately — often after selection, when leverage is gone. The total cost of deployment is 1.5–3× higher.
How to spot it: Proposal says “implementation SOW to follow” or “professional services quoted separately.”
Counter: Require a fully loaded TCO in the RFP response. No shortlisting without complete deployment cost.

HIGH: Training costs buried or omitted
Tactic: Enterprise security tools require operator training. Vendors exclude this from proposals. It surfaces post-contract as a mandatory purchase.
How to spot it: No training line item. “Training packages available” listed as an optional add-on.
Counter: Mandate training cost disclosure in the RFP. Ask: “What training is required to deliver stated outcomes?”

MED: Overprovisioned tier to “future-proof”
Tactic: Vendors propose enterprise tiers when mid-tier covers actual requirements. You’re paying for capabilities you won’t use for 2–3 years.
How to spot it: Proposal recommends a tier above your stated requirements. Features listed include out-of-scope capabilities.
Counter: Map each feature to a stated requirement. Require vendors to justify tier selection.

+ 13 more tactics across 4 sections

Get the full guide — free

All 16 tactics. Yours instantly.

Enter your details and we’ll send the complete Vendor Proposal Decoder directly to your inbox.

No spam. One email with the PDF. We may follow up once to ask if you found it useful.

Start the conversation

Tell us what you’re procuring.

Every engagement starts with a scoping call — no cost, no commitment. Bring the procurement brief, the renewal timeline, or just the problem. We’ll tell you whether and how we can help, and give you an honest read on where the risk sits.

Dean Kastelic

Former Enterprise CISO & KPMG Director

Dean acts as an independent proxy for mid-market organisations navigating complex technology purchases. We respond within one business day. A direct conversation with Dean — no sales process.

Prefer email? [email protected]