Network Penetration Test

Background
St. Louis Community College (STLCC) is the largest community college system in Missouri and serves the St. Louis metropolitan area. The college aims to assess its information security program through a network penetration test, which will validate its vulnerability management efforts and identify gaps in IT risk management strategies. This engagement is crucial for informing STLCC's cybersecurity strategy.

Work Details
The contractor will perform a network penetration test with the following specific goals:

1. User-Level Access: Attempt to gain user-level access to operational and business domains.

2. Privileged Access to Critical Systems: Attempt to obtain administrative access to domain controllers, file servers, database servers, and web servers.

3. Active Directory Compromise: Attempt to escalate privileges to obtain Domain Administrator and Enterprise Administrator access.

4. Microsoft 365 Compromise: Attempt to gain privileged access including Global Administrator and Security Administrator roles.

5. Backup Infrastructure Access: Attempt to access backup files, servers, and management software.

6. Network Infrastructure Access: Gain privileged access to routers, switches, firewalls, and VPNs.

7. Security Infrastructure Access: Compromise or bypass antivirus/EDR solutions, IDS/IPS systems, and SIEM systems.

8. Cloud Security Assessment (Oracle Cloud): Evaluate IAM configurations, network segmentation, firewall rules, and exposure of cloud-hosted services.

9. Vulnerability Identification and Reporting: Identify vulnerabilities and provide detailed findings with risk ratings and remediation recommendations.

The scope includes approximately 150 live external IP addresses across various subnets, an internal network of about 300 servers and 6000 clients, as well as testing from both external and internal perspectives using automated and manual techniques.

Period of Performance
The contract period is set from September 1, 2025, to September 30, 2025.

Place of Performance
The services will be performed at St. Louis Community College located at 3221 McKelvey Road, Bridgeton, MO 63044.

Bidder Requirements
Bidders must provide proof of insurance covering potential liabilities during the engagement. They are required to have extensive experience in performing penetration tests for large organizations or institutions of higher education with a minimum of five years’ experience in network penetration testing. Bidders must also comply with Missouri's Revised Statutes regarding employment verification for unauthorized aliens.