The vendor is required to provide an internal and external penetration testing SaaS solution designed to continuously assess and validate the security posture of the organization’s digital infrastructure.
- The software shall offer an autonomous penetration testing platform that continuously tests the organization’s environment to find and exploit attack paths, provides detailed remediation guidance, and verifies that fixes are effective, all without agents or predefined scripts.
- Desired outcomes
1. Continuous security validation
• Establish a process of ongoing internal and external penetration testing to ensure the organization’s evolving infrastructure remains secure.
• Provide assurance that vulnerabilities, misconfigurations, and weak controls are detected before adversaries exploit them.
• Enable scheduled pen tests at unlimited frequency, including after every material system change, along with rapid, audit-ready verification of fixes.
2. Prioritization of remediation
• Differentiate between exploitable weaknesses and non-critical issues, reducing time wasted on false positives or non-actionable findings.
• Deliver contextual scoring to ensure the most impactful risks are addressed first.
3. Proof, path, and impact
• Generate attack-path visualizations and proof-of-exploit to clearly show how vulnerabilities, misconfigurations, and credentials can be chained together to compromise systems.
• Identify sensitive data at risk and quantify potential blast radius from compromised accounts.
• Provide integrated phishing impact simulation that can use real phished credentials in attack chains, showing downstream risk such as lateral movement and privilege escalation.
4. Actionable remediation and verification
• Provide detailed, actionable remediation guidance to address weaknesses at the root cause.
• Enable immediate retesting after remediation to verify effectiveness and confirm that vulnerabilities have been eliminated.
• Consolidate all discovered vulnerabilities in a single dashboard with context-aware business risk scoring, built-in fix workflows, and “1-click verify” to rapidly validate that remediations worked, anchoring security posture in provable system state.
5. Comprehensive coverage
• Assess across the full enterprise attack surface, including:
o External and internal networks
o On-prem and cloud infrastructure
o Identity and access management systems
o Data stores, IoT devices, and hybrid environments
6. Operational efficiency
• Deploy without agents, special hardware, or consultants.
• Launch pen tests on-demand or on a scheduled basis, scaling to cover the entire enterprise in hours, not weeks or months.
7. Compliance and assurance
• Support compliance efforts by providing auditable reports demonstrating proactive risk management.
• Enhance purple team collaboration by aligning red team (offensive) and blue team (defensive) efforts in continuous exercises.
8. Safety in production
• Platform must be safe to run in live production environments without causing outages or data corruption.
• Operate without persistent agents, privileged accounts, or special hardware.
9. Integration and workflow
• Provide APIs and portal access for launching, monitoring, and automating penetration tests.
• Integrate with existing ticketing, SIEM, or security orchestration platforms where applicable.
10. Data protection
• Ensure data confidentiality and compliance with organizational and regulatory requirements.
• Support secure storage, transmission, and disposal of test data.
- Contract Period/Term: 5 years
- Virtual Pre-Proposal Meeting Date: November 5, 2025
- Questions/Inquiries Deadline: November 12, 2025