Netherlands - IT services: consulting, software development, internet and support

Description

The Contract consists of the provision of pen testing services and Red and Purple Teaming Services. The tender is divided into six (6) Lots. The Assignment includes the execution, by qualified and/or certified Pentesters, of a Pentest or Red or Purple Teaming assignment with the aim of determining the security level of systems falling within the defined scope. For this purpose, an attempt is made to find vulnerabilities in the system or IT infrastructure under investigation and to penetrate the system in a manner similar to the approach of a malicious hacker. This can include both technical and social engineering attacks, depending on what is agreed upon.
Standard Pentesting Services. This involves performing Pentesting of full application "stack" (including but not limited to: Operating systems, hypervisors, networks, firewalls, databases and web servers) for security issues. Black box, White box and Grey box testing may be involved. Highly sensitive Pentest Services (business and/or state secrets) This involves performing Pentesting of a full application "stack" (including but not limited to: Operating systems, hypervisors, networks, firewalls, databases and web servers for security issues of a corporate and/or state secret nature). Highly sensitive pentesting services (business and/or state secrets); incl. distributed systems: This involves performing Pentesting for an entire application "stack" (including but not limited to: internet disclosure, application server, database server) for security issues. Red or Purple Teaming: This involves performing Pentesting based on a Red and/or Purple Teaming process. In doing so, the Tenderer shall comply with the following frameworks/principles.I. Red Teaming. This involves attacking and exploiting the Participant's environment with the goal of compromising predefined crown jewels. The risks in the current environment and the crown jewels are determined in a Threat Modeling session with the Participant in advance. This should result in simulating the most realistic cyber attack possible using multiple attack paths (e.g. phishing, social engineering, penetration testing, etc.).II. Purple Teaming: This means bringing together the 'red team' (see Red Teaming above) with the 'blue team' meaning the Participant's defenders, sometimes supplemented by employees of the Contractor. This involves working closely together, giving the blue team insight into exactly how the red team operates. This allows the blue team to see what the typical movements and procedures of hackers are and thus learn to avoid them. In this way, the red team can learn how attack attempts are blocked and how they need to adjust their modus operandi to still be successful. This under the supervision of the 'white' team, which keeps an overview of the teams and takes action/ intervenes where necessary Red or Purple Teaming incl. distributed systems. This concerns the execution of Pentesting on the basis of Red and/or Purple Teaming trajectory. The Tenderer will comply with the following frameworks/principles.I. Red Teaming. This involves attacking and exploiting the client's environment with the aim of compromising pre-defined crown jewels. The risks in the current environment and the crown jewels are identified with the customer in a Threat Modeling session beforehand. This should result in simulating the most realistic cyber attack possible using multiple attack paths (e.g. phishing, social engineering, penetration testing, etc.).II. Purple Teaming: This refers to bringing together the "red team" (see Red Teaming above) with the "blue team" meaning the client's defenders. This involves working closely together, giving the blue team insight into exactly how the red team operates. This allows the blue team to see what the typical movements and procedures of hackers are and thus learn to avoid them. In this way, the red team can learn how attack attempts are blocked and how they need to adjust their modus operandi to still be successful. Standard Pentesting Services. This involves performing Pentesting of full application "stack" (including but not limited to: Operating systems, hypervisors, networks, firewalls, databases and web servers) for security issues.

Opportunity closing date

17 January 2024

Value of contract

£5m-50m