The Vendor is required to provide a multi-segmented internal network that supports administrative systems, educational platforms, and facilities infrastructure, including legacy SCADA and IoT-based building control systems.
- Due to the criticality of these services and the increased threat landscape, the district seeks to proactively identify and remediate vulnerabilities through a comprehensive internal and external penetration test.
- The penetration test shall include up to 100 hosts across both internal and external environments.
- Internal Penetration Testing
1. Systems include:
• Windows Server (20xx–2022), Windows 10/11 clients
• Linux-based appliances and servers
• UNIX-based systems and software (e.g., Solaris, AIX, BSD)
• Legacy SCADA systems (e.g., Modbus TCP/IP and proprietary protocols)
• IoT devices (smart HVAC, cameras, badge readers, etc.)
• Virtual and physical infrastructure
2. Focus areas:
• Network enumeration and internal mapping
• Vulnerability identification and safe exploitation (with prior approval)
• Privilege escalation and lateral movement
• Segmentation validation and pivoting attempts
• Detection of exposed services and misconfigurations
- External Penetration Testing
• Firewall, VPN, and edge device assessments
• DNS, certificate, and service enumeration
• OWASP Top 10 and CVSS-aligned vulnerability validation
• Public cloud exposure identification (if applicable)
• Exploitable pathways to internal resources (with permission)
- The goal of this assessment is to identify vulnerabilities, insecure configurations, and exploitable pathways within the district’s internal and external enterprise networks.
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: September 15, 2025