The vendor is required to provide the services of a red team to perform advanced, targeted security penetration testing that assesses the effectiveness of the board's preventive and detective controls.
- The primary objectives of the red team engagement are to:
• Identify vulnerabilities in external-facing systems and applications.
• Identify vulnerabilities in the board's cloud instances, using authorized access.
• Evaluate the organization's ability to detect, respond to, and recover from simulated cyberattacks.
• Provide actionable recommendations to enhance the organization's security posture.
• Conduct web application testing on the in-scope web applications (listed under the web application assessment activity below).
- The engagement will include the following activities, which comprise the services:
1. Reconnaissance
• Conduct open-source intelligence (OSINT) gathering to identify public information that could be leveraged in an attack
• Enumerate external-facing assets, including domains, IP ranges, and publicly accessible services
2. External penetration testing
• Attempt to exploit vulnerabilities in external-facing systems and applications
• Simulate real-world attack scenarios, such as:
o Credential harvesting
o Social engineering campaigns targeting all user groups, including phishing, smishing, vishing, and social media attacks
o Exploitation of web application vulnerabilities
o Searching dark web sources for any available information about the board (for example, leaked credentials)
3. Cloud security assessment
• Review two cloud instances with authorized access
• Identify and exploit misconfigurations and vulnerabilities in cloud environments
• Review cloud security controls and provide recommendations for enhancements
4. Web application assessment
• Four web applications will be in scope (intranet, external-facing website, mypension, and employer portal)
• Perform dynamic application security testing (DAST), static application security testing (SAST, which requires the board to provide the applications' source code), and API (application programming interface) scanning, supplemented by manual testing
5. Post-exploitation simulation (if successful)
• Demonstrate the potential impact of a successful breach while ensuring no disruption to business operations.
• Highlight data exfiltration risks and lateral movement possibilities within the simulated attack context.
• All exploitation activities that have the potential to cause operational disruption require prior approval from the board.
6. Reporting and deliverables
• Provide a detailed report for each activity (external penetration testing, cloud security assessment, and web application assessment) that includes:
o An executive summary of findings
o Detailed technical findings with severity ratings
o Proof of concept for successful exploits (e.g., screenshots, logs)
o Recommendations for remediation and mitigation
7. Additional engagement guidelines
• The engagement must comply with all applicable laws and regulations.
• Testing activities must only target systems and applications explicitly listed within the scope.
• All testing will be conducted within the timeframe agreed upon by both parties.
• All findings and data collected during the engagement must remain confidential and be securely transmitted to board.
• The internal security team will not be informed of external penetration testing in advance.
• The internal security team may take defensive actions, such as blocking or mitigating attacks, as it normally would in response to perceived threats.
• The vendor must notify the organization immediately upon identifying and confirming any high-risk findings.
• The vendor must appoint a management-level point of contact to ensure clear communication throughout the engagement and final reporting.
• The vendor must provide regular status updates at a cadence to be agreed upon.
• Upon completion of testing, the vendor must schedule a debrief meeting with the organization before finalizing the report.
- Questions/Inquiries Deadline: April 09, 2025