What to Look for in a Custom Software Vendor — and What Should Disqualify Them Immediately
A structured checklist for evaluating custom software vendors. Six positive criteria, six red flags, and how to run a disciplined vendor evaluation process.
Picking the wrong custom software vendor is one of the most expensive mistakes a VP R&D can make. Not because the project fails outright — though it sometimes does — but because the failure mode is slow. Eighteen months in, with three million shekels spent, the system half-works, the original team has rotated off, and nobody wants to be the one who admits it. The whole disaster could have been avoided in the first two meetings if anyone had known what to look for. Here is the checklist.
Six Things a Serious Vendor Must Have
These are not nice-to-haves. If a vendor cannot demonstrate all six, find another vendor.
- Recognized certifications, specifically ISO 27001 and ISO 9001. ISO 27001 means they have a real information security management system, not a PDF policy in someone's drawer. ISO 9001 means their delivery process is audited, repeatable, and not held together by one heroic project manager. For Israeli enterprises handling sensitive data, this is the floor, not the ceiling.
- Relevant regulatory registrations. If you operate in defense, fintech, or healthcare, your vendor needs to clear the same bar. Israeli Ministry of Defense vendor registration, for example, is not something a company gets casually. It requires years of demonstrated process maturity and security posture.
- Fixed-scope, fixed-price contracts as the default. Time-and-materials has its place, but a vendor whose only business model is T&M has no incentive to scope tightly or finish on time. A vendor willing to commit to a fixed price after a proper discovery phase is a vendor who knows what they are doing.
- A structured discovery process with deliverables. Two to three weeks, ending in a written specification, an architecture sketch, and a fixed-price estimate. Not "let's just start and figure it out." Not a six-month discovery that produces a 200-page document and no code.
- Bilingual delivery — Hebrew and English, fluently. Your internal stakeholders speak Hebrew. Your product documentation, code comments, and probably your end users speak English. A vendor who can only operate in one language will create friction at every handoff.
- Track record with companies that look like yours. Seven years in business minimum. Thirty or more delivered projects. Reference clients in your industry who will take an unscheduled phone call and tell you the truth.
Six Red Flags That Should End the Conversation
A vendor exhibiting any one of these is a risk. A vendor exhibiting two or more guarantees a bad outcome.
- No written security policy, or one they cannot show you in the first meeting. If they fumble on this, every code review and every penetration test will be a fight.
- Refusal to commit to a fixed price, ever. "Every project is different, we charge by the hour" is what undisciplined shops say. Discipline means knowing your numbers well enough to commit.
- The salesperson promises the world; the delivery team is invisible until contract signing. Insist on meeting the actual tech lead and project manager before signing. If the vendor resists, walk away.
- No clear answer on staffing continuity. If they cannot tell you who will be on your account in month nine, plan to be on your fourth team by month nine.
- A reference list of logos but no reference calls. Logos on a slide are cheap. Real references will take a 20-minute call and give you specific, sometimes uncomfortable, detail.
- Pressure tactics in the sales process. "This pricing is only valid this quarter." Real vendors do not need to pressure you. They know good work brings the next deal.
How to Run a Vendor Evaluation Process That Works
Do not run a beauty contest with eight vendors. It wastes everyone's time, and the vendors who take it seriously will quietly de-prioritize you. Instead, run a tight three-stage process:
- Pre-qualification (one week). Send a one-page brief to four to six vendors. Filter to three based on certifications, references, and written response quality.
- Working session (one week per finalist). Bring each finalist in for a half-day working session on a real problem from your roadmap. You will learn more in four hours of joint whiteboarding than in any deck.
- Paid discovery with two finalists (two to three weeks each). Yes, pay both. A few tens of thousands of shekels here saves millions later. Compare the resulting specifications, estimates, and the experience of working with each team. Pick the one you would want to be in a war room with at 2 a.m.
The vendor who clears every positive criterion, triggers none of the red flags, and produces a clean fixed-price proposal after a structured discovery is the vendor you want. They are also rare. When you find one, sign quickly. They are usually booked three to four months out for a reason.

