Procurement intelligence

What to ask a Brazilian security vendor — and when

Due diligence for private security in Brazil is a question of timing, not just a checklist. What it makes sense to ask before contract, what should wait for the LOI, and what should stay sealed until 24–48 hours before service.

By Arthur Harris, Founder & Security Director

What to ask a Brazilian security vendor and when?

Use a three-phase structure. Pre-contract: public-record items (CNPJ, Polícia Federal authorization, service class, NBR 15000 armor nível). Post-LOI: contract-protected information (COI, vehicle model, agent background summary). 24–48 hours before service: operationally sensitive detail (specific vehicle plate, agent legal name and photo). This protects agent opsec and keeps the engagement professional on both sides.

Why phases exist

Most "how to hire security" guides treat procurement as a flat checklist. You send the vendor a seven-item request — PF authorization, certificate of insurance, agent name and background, vigilante registration number, vehicle plate, armor class — and expect the vendor to answer all of it in one round. When you're negotiating a 14-day multi-principal operation with a vetted threat profile, that's appropriate. When you're booking a one-way airport transfer, it's a mismatch — and it forces the vendor to release sensitive information about individual agents before any contractual commitment exists.

Timing-aware due diligence solves this. Each phase of the procurement cycle releases what's appropriate to the current commitment level. You verify the company and service before signing anything. You verify the policy and vehicle after engagement is formalized. You verify the specific plate and agent on day-of pickup. This protects both sides: the buyer gets the information they need when they need it, and the vendor doesn't leak agent opsec without contractual cover.

Phase 1: Before deposit or LOI

Pre-contract

Public-record and scope-level information. The vendor can share all of this without exposing any individual or operational detail, and you can verify most of it independently.

  • CNPJ and legal name of the operating entity (verifiable on the Receita Federal public registry)
  • Polícia Federal authorization / alvará da PF showing the company is licensed under Lei 7102 / Lei 14.967/2024 (the operating license — public record)
  • State-level operating license from the relevant Secretaria de Segurança Pública (SSP) for each state where service will be delivered (SP licensing does not extend to RJ)
  • General service category, daily/hourly rates, and what is included (waiting time, tolls, return leg, fuel)
  • Vehicle class and NBR 15000 nível for armored work, generic to the class (not plate-specific). Civilian engagements: the only legal answer is Nível IIIA
  • Confirmation that the vehicle is armored / agent is armed / agent is licensed (yes/no, not credentials)
  • Insurance posture summary ("we carry E&O and CGL; certificate available upon contract execution")
  • References from comparable corporate or HNWI clients (with their permission)

Phase 2: After LOI or deposit; contract negotiation

Post-LOI / Post-deposit

Operational and contract-protected information. The commitment to engage justifies the disclosure, and the contract gives both sides recourse if anything is misrepresented.

  • Certificate of Insurance (COI) naming the client as additional insured if requested
  • Vehicle make / model / general year for the assigned vehicle class (not plate, not VIN)
  • Agent's professional background summary — prior unit, years of service, language proficiency, certifications (not full CV, not registration number)
  • Specific service inclusions, SLA, response time commitments, and contingency procedures written into the SOW
  • Designated point of contact and escalation chain for the duration of the engagement
  • Cancellation, modification, and force-majeure terms

Phase 3: 1–2 days before the engagement starts

24–48 hours before service

Opsec-sensitive information. By this point the principal needs operational detail for safe pickup and recognition, but the vendor's agents are still entitled to opsec protection — release at the latest reasonable moment.

  • Specific vehicle plate for the assigned vehicle
  • Agent's full legal name and a current photo for principal recognition at pickup
  • Vigilante registration number — only if there is a regulatory or legal-counsel requirement that strictly requires it. This is a Polícia Federal-issued ID linkable to the agent's home address and is genuinely an opsec risk to release pre-contract
  • Final route plan, pickup coordinates, and emergency rendezvous points
  • Direct mobile contact for the lead agent during the engagement

Regulatory explainer

Understanding armor ratings: NBR 15000, VPAM, and NIJ

What governs in Brazil — and what to ask your vendor

The Brazilian standard

All armored vehicles operating in Brazil must be certified under ABNT NBR 15000, administered by the Exército Brasileiro via the Diretoria de Fiscalização de Produtos Controlados (DFPC) and authorized through the SICOVAB platform (Sistema de Controle de Veículos Blindados e Blindagens Balísticas). Civilian armored vehicles are typically certified to Nível IIIA — resistant to handgun rounds up to .44 Magnum, including the most common threats in Brazilian street crime. Higher níveis (III, IV) handle rifle threats.

The European OEM scale (VPAM)

When you research armored vehicles from manufacturers like Mercedes-Benz, BMW, or Audi, you'll often see the European VPAM / CEN 1063 BR-classification scale (BR1 through BR7). VPAM is a German/European testing standard the OEM uses when armoring the vehicle at the factory. Brazilian armorers may import OEM-armored vehicles built to VPAM specs, then recertify them under NBR 15000 for legal Brazilian operation. A vehicle built to VPAM BR4 typically certifies under NBR 15000 Nível IIIA after import and inspection.

Comparison table of Brazilian, European, and American armor classifications, clearly indicating which levels are available for civilian use in Brazil.
| Threat level | NBR 15000 (Brazil) | VPAM (CEN 1063) | NIJ (USA) | Typical use |
| Handgun (9mm, .357) | Nível II | BR2 | II | |
| Handgun (.44 Magnum) | Nível IIIA | BR3 / BR4 | IIIA | Civilian armored SUVs in Brazil; protects against >95% of Brazilian street-crime threats |
| Rifle (.223 / 5.56) | Nível III | BR5 | III | Armed Forces / Federal Police only — not available for civilian or private commercial use |
| Rifle (7.62×51 NATO) | Nível IV | BR6 | IV | Military / diplomatic — not available for civilian or private commercial use |
| AP rifle | Nível V | BR7 | IV (AP) | Specialized — not available for civilian use |

The civilian legal ceiling: Nível IIIA

Under Brazilian law, NBR 15000 Nível IIIA is the maximum armor level that individuals and private companies (including commercial security providers) can legally operate in Brazil. Níveis III and IV are categorically restricted to the Armed Forces, Federal Police, and authorized government entities — no authorization pathway exists for civilian/private commercial use, regardless of threat assessment, client profile, or budget. Over 98% of civilian armored vehicles operating in Brazil are Nível IIIA.

What a buyer should actually ask

When evaluating a Brazilian security provider's armored vehicle, ask for the NBR 15000 nível (the Brazilian rating that legally governs the vehicle's operation in-country) and, if relevant, the VPAM BR-classification the OEM originally armored it to. The two scales overlap closely but are not identical. Refusing to disclose the NBR nível is a red flag. Any vendor that claims to offer Nível III or IV armoring for a private commercial engagement in Brazil is misrepresenting the regulatory framework or operating outside it — that is a due-diligence red flag in itself.

Why the vigilante number is different

It's worth calling out the vigilante card explicitly because it's the item most commonly requested prematurely in due-diligence pings. The card is a Polícia Federal-issued document under Brazil's private security regulatory regime. Unlike a corporate PF authorization — which credentials a company — the vigilante card credentials an individual, and the associated registration links to the agent's home address and personal data.

On a low-visibility corporate engagement, agents operate on deniability. Releasing the vigilante card number to a buyer who hasn't yet contracted the service means handing over PII linked to someone the agent has no client relationship with. For the responsible vendor, that's a risk that justifies refusing — not because they have anything to hide, but because the agent is a third party who deserves protection. Request it only when a regulation or legal jurisdiction explicitly requires it, and even then, prefer verifying the company's regulatory posture via PF over the individual's card.

Red flags in vendor responses

  • Refusal to disclose the NBR 15000 nível. This is a public-record item and no serious vendor should hesitate to share it pre-contract.
  • Offers "Nível III or IV armoring" for a private commercial client. This is not legally possible in Brazil. Níveis III/IV are restricted by the Exército Brasileiro / DFPC to the Armed Forces, Federal Police, and authorized government entities. A vendor that makes this offer is misrepresenting the regulatory framework.
  • Releases agent legal names, vigilante registration numbers, or specific vehicle plates pre-contract. This is the opposite of a positive signal — it suggests the vendor doesn't exercise basic opsec discipline with its own staff.
  • Cannot produce a current PF authorization or state SSP operating license. These are required licenses for legal operation. Absence suggests the company operates without proper credentialing.
  • Insists on subcontracting without disclosing it. International providers who subcontract Brazilian operators but avoid acknowledging it typically mark up significantly without adding value — you end up paying the middleman for an operation another firm actually delivers.

What this framework protects

Structuring due diligence by phase does four things. First, it protects agent opsec — you're not asking an individual agent to be exposed to a buyer who hasn't yet committed. Second, it makes your process look professional in the vendor's eyes — you're signaling that you understand the procurement cycle in Brazilian private security. Third, it gives the vendor less reason to inflate prices defensively — generic upfront asks often trigger defensive pricing because the vendor can't scope the work. And fourth, it lets the vendor respond in kind — you get more accurate answers, instead of the evasive answers a vendor produces when you ask for everything at once.

For the engagements where the full checklist is justified — multi-principal operations, high-threat environments, government engagements — you can still ask for everything. The difference is that in those contexts the disclosure makes sense because the size and profile of the contract justifies the exposure. The point is not to never ask for the sensitive information; it's to ask for it when the corresponding commitment is in place.

Frequently asked questions

A one-day airport transfer and a 14-day multi-principal engagement carry different operational footprints. A flat checklist that demands agent legal names, vehicle plates, and registration numbers up-front treats both engagements the same and forces the vendor to release PII before contract execution. Timing-aware procurement protects agent opsec, gives the vendor a reason to take the buyer seriously, and lets both sides converge on the actual SOW before exchanging anything sensitive.

Pre-contract verification covers what is already public record: CNPJ, Polícia Federal authorization under Lei 7102, general service category, daily rates, and confirmation of armoring posture and licensing. Post-LOI verification covers what is contract-protected: certificate of insurance, vehicle make/model/year (not plate, not VIN), and the SOW-specific service inclusions. Day-of verification (24–48 hours before) covers operationally sensitive items: specific vehicle plate, agent legal name and photo for principal recognition.

Generally no. The vigilante card (carteira de vigilante, registered through the SVPCT system) is a Polícia Federal-issued ID that links to the agent's home address and personal details. Releasing it pre-contract creates a real opsec risk for someone you have not yet engaged. Request it only when a regulatory or legal-counsel requirement makes it strictly necessary, and even then, prefer to verify via the vendor's PF authorization rather than the individual card.

Two checks cover most pre-contract due diligence. First: look up the CNPJ on the Receita Federal public registry to confirm the legal entity exists and is active. Second: ask the vendor for their Polícia Federal authorization number (issued under Lei 7102 / Lei 14.967/2024) — this is the operating license and is appropriate to verify pre-contract because it credentials the company, not an individual. Both are public-record checks that do not put any agent at risk.

Ask for the NBR 15000 nível, not a VPAM B-number. NBR 15000 is the Brazilian standard administered by the Exército Brasileiro / DFPC and is what legally governs the vehicle in-country. For civilian commercial use the answer should always be Nível IIIA — that is the legal maximum for civilian armored vehicles in Brazil. Nível III and IV are restricted to government use. A vendor that volunteers "Nível III/IV available for high-threat engagements" is either misrepresenting the regulatory framework or operating outside it.

No — but ask the right way. Reasonable: 'Can you connect us with two comparable corporate or HNWI clients, with their permission, who can speak to your service?' Unreasonable: 'Send us your full client list.' Vendors with real Fortune 500 / UHNW clients protect those names; the willingness to facilitate a vetted introduction is itself a credibility signal.
