Objectives

The primary objective of this tender is to appoint a qualified and experienced service provider to conduct a comprehensive Red Team Assessment for TCTA. This assessment aims to identify, validate, and ethically exploit security vulnerabilities across TCTA’s internal and external ICT environments. The outcomes will inform executive decision-making, enhance cybersecurity resilience, and support compliance with frameworks such as NIST, ISO/IEC 27001, and statutory requirements like POPIA and PFMA.

Scope

The scope encompasses planning, executing, and reporting on a multi-phase Red Team Assessment that includes:

• Simulating external adversary attacks on internet-facing systems and infrastructure.
• Internal network testing to assess insider threats, privilege escalation, and lateral movement.
• Web application security testing against OWASP Top 10 and business logic vulnerabilities.
• Physical security assessment, including social engineering techniques to evaluate physical access controls.
• Testing of human factors through phishing, pretexting, tailgating, and on-site access simulations.
• Controlled exploitation of vulnerabilities, with prior approval, excluding DoS/DDoS attacks.
• Post-assessment remediation validation through re-testing and validation reports.

Technical Requirements

The assessment must be structured into five independent phases:

1. External Penetration Testing: Simulate black-box attacks on internet-facing systems.
2. Internal Network Testing: Assess insider threats, privilege escalation, and lateral movement.
3. Web Application Testing: Evaluate web apps for OWASP Top 10 vulnerabilities and business logic flaws.
4. Physical & Social Engineering: Conduct social engineering, physical access attempts, and onsite security evaluations.
5. Remediation & Re-Testing: Verify that vulnerabilities are addressed and attack paths are closed, including follow-up re-tests.

Key conditions include controlled exploitation, prior approval for social engineering, immediate notification of critical findings, source IP whitelisting, and adherence to a Mutual Non-Disclosure Agreement.

Skills Requirements

• Company Experience: Minimum of three (3) verifiable client references for similar Red Team assessments within the past five (5) years, demonstrating experience with external/internal network assessments, web application testing, and social engineering.
• Personnel Expertise: The service provider must assign a Technical Lead with at least two (2) recognized certifications such as OSCP, OSWE, CREST CCSAS/CCSAM, ECSA, CISSP, or equivalent.
• Technical Lead Qualifications: Demonstrated experience in penetration testing, adversarial simulation, and physical/social engineering assessments, supported by references and past engagement summaries.
• Additional Personnel: The team should have expertise in ethical hacking, vulnerability assessment, physical security, and social engineering.

Furthermore, the provider must be able to provide CVs, proof of certifications, project experience summaries, and client references for verification. Replacement personnel must meet the same vetting standards.

Summary

This tender seeks a capable and experienced cybersecurity service provider to deliver a comprehensive, multi-phase Red Team Assessment aligned with international standards and local statutory requirements. The scope covers technical, human, and physical security testing, with an emphasis on controlled exploitation, validation, and remediation validation. The skills requirement emphasizes proven experience, recognized certifications, and demonstrable expertise in adversarial security testing.