Optimize your cybersecurity budget
Web3 projects consistently demonstrate a strong commitment to cybersecurity. Many protocols invest heavily in security reviews, engage reputable audit firms, and communicate their efforts transparently to users and investors. This reflects a shared understanding: security matters.
Yet recent high-profile incidents reveal that investment alone is not enough. Audits are more common than ever, but their effectiveness depends on how they are scoped, structured, and executed. The 2025 Balancer exploit offers a clear lesson. Despite multiple audits that deemed the protocol mature and secure, a vulnerability outside the defined audit scope was exploited, leading to significant losses. The auditors were not at fault: they performed the reviews exactly as specified. The key takeaway is that clearly defining the scope of security work is just as important as the quality of its execution.
The problem with cybersecurity RFPs
A Request for Proposals (RFP) is the document a project uses to engage a cybersecurity firm. It specifies:
Which systems or codebases will be reviewed
The depth and methodology of the review
What is included in and excluded from the scope
The expected deliverables
The RFP defines a project's security priorities. What is included signals which risks are considered most critical, while what is excluded reflects assumptions about which threats are acceptable or unlikely.
The problem is that writing a good RFP itself requires expert knowledge. Scoping a review is a security-relevant task, and ideally a third-party expert is involved in it. If the scope is incomplete, even a well-executed audit leaves critical risks uncovered. In practice, RFPs are often unclear, and auditors narrow the scope further to submit competitive bids. This creates a race to the bottom, where security is optimised for cost rather than for real-world risk coverage.
Current audit platforms reinforce this mindset. They are optimised for procuring and conducting audits rather than for scoping them, which encourages projects to treat security as an afterthought. RFPs are typically issued only after development is complete, which runs counter to the shift-left principle of addressing security early in the lifecycle.
Why audits benefit from clearer framing
In many industries, certifications serve as indicators of safety. Web3 often adopts a similar mindset, treating audit reports as proof of security.
Audits are highly valuable, but they are limited to the scope of a specific engagement. Auditors focus on the tasks assigned to them, which can be a strength as long as the scope encompasses all relevant risks. Poorly scoped audits, even if executed flawlessly, can give a false sense of security. Clear, thoughtful framing of security objectives ensures audits deliver real-world protection rather than just a report.
Advancing the RFP process
When used intentionally, RFPs remain one of the most effective tools for commissioning security work, but only if they are drafted by experts and early in the development cycle:
Engage security expertise early
Before soliciting proposals, internal security leads, virtual CISOs, or external advisors can help define the scope.
Separate scoping from execution
A neutral expert can design the RFP and evaluate bids, allowing auditors to focus on delivery while improving coverage.
Evolve audit platforms
Supporting adversarial testing, follow-up reviews, and remediation leads to stronger, longer-lasting outcomes.
Emphasise outcomes over checklists
Outcome-driven security aligns incentives around resilience, risk reduction, and user protection.
Security as a continuous discipline
Web3 does not suffer from a lack of audits. It has an opportunity to better align security investment with security outcomes. By refining how security work is defined and commissioned, the industry can:
Set clearer expectations
Improve collaboration between teams and auditors
Build more resilient systems
In cybersecurity, outcomes are shaped early. When projects ask better questions, they receive better protection.