2026-0057 Penetration Testing Service - NPCL Support (NS) - FRI 15 May
EMW, Inc.
Posted: May 4, 2026
Job Description
Deadline Date: Friday 15 May 2026
Requirement: Penetration Testing Service – NPCL Support
Location of Performance: 100% onsite in Mons, BEL
Period of Performance: As soon as possible but not later than 15 June 2026 until 31 December 2026, with possibility to exercise the following options:
2027 Option: 1st January until 31st December 2027;
2028 Option: 1st January until 31st December 2028.
Evaluation Methodology: Lowest Priced Technically Compliant
Required Security Clearance: NATO SECRET
1. Purpose
The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the penetration testing service to be conducted by the selected company.
The purpose of the work package is to provide support to NATO Cyber Security Centre (NCSC) to fulfil identified penetration testing activities more effectively.
2. Background
To support the NCSC with the execution of tasks identified in the subject work package of the service, the NCI Agency is looking for experienced penetration testing professionals to augment the existing teams in order to respond to the increasing demand for high quality security assessments and expertise.
This contract is to provide consistent support on a deliverable-based (completion-type) contract, to NCSC contributing to its POW based on the deliverables that are described in the scope of work below.
3. Scope of Work
The "Senior Penetration Tester" is a position within the NATO Communications and Information Agency (NCIA), an organization of the North Atlantic Treaty Organization (NATO).
The NCIA has been established to meet, to the best advantage, the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance and Target Acquisition functions and their associated information exchange.
The NCI Agency NATO Cyber Security Centre (NCSC) is responsible for planning and executing all lifecycle management activities for cyber security. In executing this responsibility, NCSC provides specialist cyber security-related services covering the spectrum of scientific, technical, acquisition, operations, maintenance, and sustainment support, throughout the lifecycle of NATO Information Communications and Technology (ICT).
Within the NCSC, the Assess Branch performs comprehensive vulnerability assessments, penetration testing, security compliance audits and red teaming activities against NATO CIS components throughout their lifecycle and across the NATO CIS footprint, improving its cyber hygiene while contributing to the CIS accreditation, IT change management and cyber incident response and recovery processes. It reports on security shortfalls and provides expertise in support of the mitigation and remediation assistance process. The Section also supports exercises, software development assurance and purple teaming activities.
The Penetration Testing Section manages and conducts tailored penetration testing activities against NATO networks and systems, with the objective to assess the impact of current cyber threats, as well as their likelihood and difficulty of exploitation, on NATO CIS, a NATO Mission or NATO's cyber defences by emulating an intermediate or advanced cyber adversary. These unique activities are performed in support of accreditation, IT change management and software development assurance throughout the lifecycle of NATO CIS, during NATO exercises and in support of incident handling and recovery.
Being part of the Penetration Testing Section and under the direction of the Team Lead, the contractor taking the role of the Senior Penetration Tester will perform the following activities:
• Provide web, infrastructure and application-level penetration testing, including but not limited to COTS software and NOTS/GOTS (NATO/Government off-the-shelf) software, following clearly defined methodologies.
• Participate in kick-off meetings with stakeholders and technical points of contact in order to identify requirements for testing.
• Follow the documented procedures and workflows outlined by the technical leads.
• Attend team meetings if required.
• Write technical reports in fluent English, following defined templates and Reporting Tools.
• Brief at both executive and technical levels on security reports and testing outcome, including at flag officer level.
• In case of new vulnerabilities detected for COTS software, follow the Responsible Disclosure Process and follow-up with vendors and stakeholders.
• In coordination with the Technical Lead of the Penetration Testing team, ensure proactive collaboration and coordination with internal and external stakeholders.
• Stay abreast of technological developments relevant to the area of work.
• Perform any other duties as may be required.
The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week.
4. Deliverables and Payment Milestones
Based on the KPI framework and milestone-based payment schedule below, the contractor will be assessed on the delivery of penetration testing and reporting activities.
4.1 Key Performance Indicators (KPIs)
A. Penetration Testing Execution (Web, Infrastructure, Application)
• Test coverage across agreed scope (≥ 95% of assets tested);
• Compliance with defined methodologies (e.g., OWASP/NATO procedures) (100%);
• Number of validated vulnerabilities identified (quality over quantity; false positives ≤ 5%);
• Severity classification accuracy (≥ 95%);
• Timely completion of testing activities (≥ 95% within schedule).
B. Planning, Kick-off & Requirements Alignment
• Participation in kick-off meetings (100%);
• Requirements for testing clearly defined and agreed (100%);
• Testing scope and rules of engagement documented (100%), when applicable.
C. Process Compliance & Coordination
• Adherence to technical procedures/workflows (100%);
• Attendance at required team meetings (≥ 95%);
• Issue escalation and communication timeliness (within the same working day).
D. Reporting & Documentation
• Report completeness (technical + executive sections) (100%);
• Adherence to templates and reporting tools (100%);
• Report delivery within agreed timelines (≥ 95%);
• Accuracy and clarity (≤ 5% rework required);
• Traceability (findings ↔ evidence ↔ affected systems) (100%).
E. Briefings (Executive & Technical)
• Delivery of briefings as scheduled (100%);
• Clarity and appropriateness for audience level (technical/executive) (≥ 4/5);
• Stakeholder understanding and engagement (≥ 4/5);
• Ability to communicate risk and remediation clearly (validated).
F. Responsible Disclosure (COTS Vulnerabilities)
• Identification and validation of vendor-related vulnerabilities (100%);
• Responsible disclosure initiated within SLA (e.g., ≤ 5 working days);
• Coordination with vendors and stakeholders (tracked and documented).
G. Knowledge, Awareness & Continuous Improvement
• Evidence of staying current with relevant technologies/threats (documented);
• Contribution to team knowledge sharing (sessions, inputs);
• Adoption of updated methodologies/tools where relevant.
4.2 Milestone-Based Payment Schedule
M1 – Kick-off & Scope Definition: Stakeholder meetings, requirements, scope, rules of engagement defined.
M2 – Penetration Testing Execution: Testing activities completed (web/app/infra).
M3 – Reporting Delivery: Draft and final reports submitted per templates.
Number of Sprints Used (M1+M2+M3 combined): max 22 sprints.
Engagement-Based (for Continuous Testing)
Monthly payments based on:
• completed testing activities;
• submitted reports;
• verified deliverables;
• final reporting acceptance;
• completion of briefings and reviews.
Acceptance Criteria (for Payment Release)
Payments should only be released when:
• testing has been performed according to agreed methodologies;
• all findings are supported by verifiable evidence;
• reports meet quality and template standards;
• briefings have been delivered and understood by stakeholders;
• responsible disclosure has been properly executed (where applicable).
Governance & Traceability
All activities should be:
• logged and tracked in JIRA or an agreed system;
• fully auditable;
• linked to scope and requirements.
Risk & Quality Controls
Payments are tied to:
• accuracy of findings (low false positives);
• timeliness of reporting;
• stakeholder satisfaction;
• compliance with NATO security procedures.
4.3 Deliverables Schedule (2026)
Deliverable 01: Maximum 22 sprints.
Payment Milestone: Upon acceptance of each block of 4 sprints (and at the end of the work).
The NCIA reserves the right to exercise a number of options in the years 2027 and 2028, at a later time, based on the same sprint deliverable timeframe and cost, depending on project priorities and requirements.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS). Invoices shall be accompanied with a Delivery Acceptance Sheet signed by the Contractor and the project authority.
5. Coordination and Reporting
The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, either physically in the office or remotely via digital means using conference call capabilities, according to the manager's / team leader's instructions.
For each sprint to be considered complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint's end date. The format of this report shall be a short email to the NCI Agency Project Manager briefly describing the work carried out and the achievements during the sprint.
At the end of the project, the Contractor shall provide a Project Closure Report summarizing, at a high level, the activities carried out during the period of performance.
6