What to ask a Brazilian security vendor and when?
Why phases exist
But before any phase, start with the question that actually defines a vendor: is there a single accountable principal who owns the intelligence, planning, command, secure transport and concierge — and who stands behind the entire operation, end to end? And does that principal assure you that all armed protection is performed by Polícia Federal-authorized providers under its command? That is the gold-standard question. It satisfies the legality concern as an assurance the provider gives — rather than turning you into the investigator who has to extract an Alvará number from whoever holds the licence.
Most "how to hire security" guides skip that question and treat procurement as a flat checklist of documents to extract. You send the vendor a seven-item request — certificate of insurance, agent name and background, vigilante registration number, vehicle plate, armor class — and expect all of it at once. When you're negotiating a 14-day multi-principal operation with a vetted threat profile, some of that is appropriate. When you're booking a one-way airport transfer, it's a mismatch — and it forces the vendor to release sensitive information about individual agents before any contractual commitment exists.
Timing-aware due diligence solves the second part. Each phase of the procurement cycle releases what's appropriate to the current commitment level. You confirm accountability and service scope before signing anything. You verify the policy and vehicle after engagement is formalized. You verify the specific plate and agent on day-of pickup. This protects both sides: the buyer gets the information they need when they need it, and the vendor doesn't leak agent opsec without contractual cover.
Phase 1 — Before deposit or LOI
Pre-contract
Accountability and scope. At this stage you are confirming who stands behind the operation and what is included — not collecting documents that expose any individual. A serious provider gives you these as assurances; you do not need to act as an investigator.
- Confirmation that a single accountable principal owns the intelligence, planning, command, secure transport and concierge and stands behind the whole operation (the gold-standard test)
- Assurance that all armed protection is performed by Polícia Federal-authorized providers under that principal's command (Lei 7102 / Lei 14.967/2024), with credentials verified before deployment — given by the provider, not chased down by you
- Confirmation that execution is covered in every state on your itinerary (a single-state guard licence does not extend across UFs — the accountable principal carries this reach through state-authorized providers)
- General service category, daily/hourly rates, and what is included (waiting time, tolls, return leg, fuel)
- Vehicle class and NBR 15000 nível for armored work, generic to the class (not plate-specific). Civilian engagements: the only legal answer is Nível IIIA
- Confirmation that the vehicle is armored / agent is armed / armed execution is licensed (yes/no, not individual credentials)
- Insurance posture summary ("the principal carries E&O for its operational direction; licensed providers carry the local-law mandatory coverages; certificate available upon contract execution")
- References from comparable corporate or HNWI clients (with their permission)
Phase 2 — After LOI or deposit; contract negotiation
Post-LOI / Post-deposit
Operational and contract-protected information. The commitment to engage justifies the disclosure, and the contract gives both sides recourse if anything is misrepresented.
- Certificate of Insurance (COI) naming the client as additional insured if requested
- Vehicle make / model / general year for the assigned vehicle class (not plate, not VIN)
- Agent's professional background summary — prior unit, years of service, language proficiency, certifications (not full CV, not registration number)
- Specific service inclusions, SLA, response time commitments, and contingency procedures written into the SOW
- Designated point of contact and escalation chain for the duration of the engagement
- Cancellation, modification, and force-majeure terms
Phase 3 — 1–2 days before the engagement starts
24–48 hours before service
Opsec-sensitive information. By this point the principal needs operational detail for safe pickup and recognition, but the vendor's agents are still entitled to opsec protection — release at the latest reasonable moment.
- Specific vehicle plate for the assigned vehicle
- Agent's full legal name and a current photo for principal recognition at pickup
- Vigilante registration number — only if there is a regulatory or legal-counsel requirement that strictly requires it. This is a Polícia Federal-issued ID linkable to the agent's home address and is genuinely an opsec risk to release pre-contract
- Final route plan, pickup coordinates, and emergency rendezvous points
- Direct mobile contact for the lead agent during the engagement
Regulatory explainer
Understanding armor ratings: NBR 15000, VPAM, and NIJ
What governs in Brazil — and what to ask your vendor
The Brazilian standard
All armored vehicles operating in Brazil must be certified under ABNT NBR 15000, administered by the Exército Brasileiro via the Diretoria de Fiscalização de Produtos Controlados (DFPC) and authorized through the SICOVAB platform (Sistema de Controle de Veículos Blindados e Blindagens Balísticas). Civilian armored vehicles are typically certified to Nível IIIA — resistant to handgun rounds up to .44 Magnum, including the most common threats in Brazilian street crime. Higher níveis (III, IV) handle rifle threats.
The European OEM scale (VPAM)
When you research armored vehicles from manufacturers like Mercedes-Benz, BMW, or Audi, you'll often see the European VPAM / CEN 1063 BR-classification scale (BR1 through BR7). VPAM is a German/European testing standard the OEM uses when armoring the vehicle at the factory. Brazilian armorers may import OEM-armored vehicles built to VPAM specs, then recertify them under NBR 15000 for legal Brazilian operation. A vehicle built to VPAM BR4 typically certifies under NBR 15000 Nível IIIA after import and inspection.
| Threat level | NBR 15000 (Brazil) | VPAM (CEN 1063) | NIJ (USA) | Typical use |
|---|---|---|---|---|
| Handgun (9mm, .357) | Nível II | BR2 | II | — |
| Handgun (.44 Magnum) | Nível IIIA | BR3 / BR4 | IIIA | Civilian armored SUVs in Brazil; protects against >95% of Brazilian street-crime threats |
| Rifle (.223 / 5.56) | Nível III | BR5 | III | Armed Forces / Federal Police only — not available for civilian or private commercial use |
| Rifle (7.62×51 NATO) | Nível IV | BR6 | IV | Military / diplomatic — not available for civilian or private commercial use |
| AP rifle | Nível V | BR7 | IV (AP) | Specialized — not available for civilian use |
The civilian legal ceiling: Nível IIIA
Under Brazilian law, NBR 15000 Nível IIIA is the maximum armor level that individuals and private companies (including commercial security providers) can legally operate in Brazil. Níveis III and IV are categorically restricted to the Armed Forces, Federal Police, and authorized government entities — no authorization pathway exists for civilian/private commercial use, regardless of threat assessment, client profile, or budget. Over 98% of civilian armored vehicles operating in Brazil are Nível IIIA.
What a buyer should actually ask
When evaluating a Brazilian security provider's armored vehicle, ask for the NBR 15000 nível (the Brazilian rating that legally governs the vehicle's operation in-country) and, if relevant, the VPAM BR-classification the OEM originally armored it to. The two scales overlap closely but are not identical. Refusing to disclose the NBR nível is a red flag. Any vendor that claims to offer Nível III or IV armoring for a private commercial engagement in Brazil is misrepresenting the regulatory framework or operating outside it — that is a due-diligence red flag in itself.
Why the vigilante number is different
It's worth calling out the vigilante card explicitly because it's the item most commonly requested prematurely in due-diligence pings. The card is a Polícia Federal-issued document under Brazil's private security regulatory regime. Unlike a corporate PF authorization — which credentials a company — the vigilante card credentials an individual, and the associated registration links to the agent's home address and personal data.
On a low-visibility corporate engagement, agents operate on deniability. Releasing the vigilante card number to a buyer who hasn't yet contracted the service means handing over PII linked to someone the agent has no client relationship with. For the responsible vendor, that's a risk that justifies refusing — not because they have anything to hide, but because the agent is a third party who deserves protection. Request it only when a regulation or legal jurisdiction explicitly requires it, and even then, prefer verifying the company's regulatory posture via PF over the individual's card.
Red flags in vendor responses
- Refusal to disclose the NBR 15000 nível. This is a public-record item and no serious vendor should hesitate to share it pre-contract.
- Offers “Nível III or IV armoring” for a private commercial client. This is not legally possible in Brazil. Níveis III/IV are restricted by the Exército Brasileiro / DFPC to the Armed Forces, Federal Police, and authorized government entities. A vendor that makes this offer is misrepresenting the regulatory framework.
- Releases agent legal names, vigilante registration numbers, or specific vehicle plates pre-contract. This is the opposite of a positive signal — it suggests the vendor doesn’t exercise basic opsec discipline with its own staff.
- Cannot assure licensed armed execution under its command. All armed protection in Brazil must be performed by Polícia Federal-authorized providers. A serious provider stands behind that as an assurance — if it cannot state who commands the licensed armed execution, or that it verifies credentials before deployment, it operates without proper accountability.
- Is a pure middleman who hands off the operation. International providers who pass through Brazilian operators without owning command typically markup significantly without adding value. But beware the opposite inference too: a lone licensed guard firm is a component, not a substitute — it is state-limited, with no independent intelligence, advance, GSOC, command or concierge layer, and no one to answer for the seams between vendors. Going direct to the executor is a downgrade, not a saving.
What this framework protects
Structuring due diligence by phase does four things. First, it protects agent opsec — you're not asking an individual agent to be exposed to a buyer who hasn't yet committed. Second, it makes your process look professional in the vendor's eyes — you're signaling that you understand the procurement cycle in Brazilian private security. Third, it gives the vendor less reason to inflate prices defensively — generic upfront asks often trigger defensive pricing because the vendor can't scope the work. And fourth, it lets the vendor respond in kind — you get more accurate answers, instead of the evasive answers a vendor produces when you ask for everything at once.
For the engagements where the full checklist is justified — multi-principal operations, high-threat environments, government engagements — you can still ask for everything. The difference is that in those contexts the disclosure makes sense because the size and profile of the contract justifies the exposure. The point is not to never ask for the sensitive information; it's to ask for it when the corresponding commitment is in place.
Related reading
Frequently asked questions
A one-day airport transfer and a 14-day multi-principal engagement carry different operational footprints. A flat checklist that demands agent legal names, vehicle plates, and registration numbers up-front treats both engagements the same and forces the vendor to release PII before contract execution. Timing-aware procurement protects agent opsec, gives the vendor a reason to take the buyer seriously, and lets both sides converge on the actual SOW before exchanging anything sensitive.
Pre-contract verification covers accountability and scope: confirmation that a single accountable principal owns and commands the whole operation, the assurance that armed protection runs through Polícia Federal-authorized providers under that command, general service category, daily rates, and armoring posture. Post-LOI verification covers what is contract-protected: certificate of insurance, vehicle make/model/year (not plate, not VIN), and the SOW-specific service inclusions. Day-of verification (24–48 hours before) covers operationally sensitive items: specific vehicle plate, agent legal name and photo for principal recognition.
Generally no. The vigilante card (carteira de vigilante, registered through the SVPCT system) is a Polícia Federal-issued ID that links to the agent's home address and personal details. Releasing it pre-contract creates a real opsec risk for someone you have not yet engaged. Request it only when a regulatory or legal-counsel requirement makes it strictly necessary, and even then, prefer to verify via the vendor's PF authorization rather than the individual card.
You do not have to hunt down a licence number — and on a retail engagement you should not have to. The right move is to require the provider to take ownership: confirm there is a single accountable principal who stands behind the entire operation and assures you, ideally in writing, that all armed protection is performed by Polícia Federal-authorized providers under its command (Lei 7102 / Lei 14.967/2024), with credentials verified before deployment. That places the compliance burden where it belongs — on the accountable provider — and keeps you from collecting documents tied to individual agents. (For large institutional buyers running formal vendor diligence, naming the licensed provider and its Alvará belongs in a gated B2B package, not in a retail booking.)
Ask for the NBR 15000 nível, not a VPAM B-number. NBR 15000 is the Brazilian standard administered by the Exército Brasileiro / DFPC and is what legally governs the vehicle in-country. For civilian commercial use the answer should always be Nível IIIA — that is the legal maximum for civilian armored vehicles in Brazil. Nível III and IV are restricted to government use. A vendor that volunteers "Nível III/IV available for high-threat engagements" is either misrepresenting the regulatory framework or operating outside it.
No — but ask the right way. Reasonable: 'Can you connect us with two comparable corporate or HNWI clients, with their permission, who can speak to your service?' Unreasonable: 'Send us your full client list.' Vendors with real Fortune 500 / UHNW clients protect those names; the willingness to facilitate a vetted introduction is itself a credibility signal.
Sources cited
- Polícia Federal — Sistema de Vigilância Privada (SVPCT), vigilante card and PF authorization registry
- Lei 7102/1983 — original Brazilian private-security operating law (Planalto / Casa Civil)
- Lei 14.967/2024 — updated Brazilian private-security regulation (Planalto / Casa Civil)
- Receita Federal — CNPJ public business registry lookup
- Exército Brasileiro — Diretoria de Fiscalização de Produtos Controlados (DFPC) — armor/blindagem regulation
- ABNT — NBR 15000 series (Brazilian vehicle-armoring technical standards)
- Secretaria de Segurança Pública do Estado de São Paulo (SSP-SP) — state-level operating licenses
- Instituto de Segurança Pública do Rio de Janeiro (ISP-RJ) — state-level security data
Ready to Secure Your Brazil Trip?
Complete our 3-minute security assessment for a custom protection plan.