Requirements: Vendors must have proven experience in providing offensive security testing services, as well as meeting the minimum qualifications listed below: • Performs offensive security testing on at least two or more of the requested domains outlined below. • Been in continuous business for at least five years providing offensive security testing services Utilizes industry leading testing methodologies, which could include, but is not limited to: NIST SP 800-115, OWASP WSTG, and the MITRE ATT&CK Framework. In addition, as mentioned in the RFI Introduction section, vendors must also be able to provide two (2), or more, of the following types of security services: • Network penetration testing • Web application penetration testing • Mobile application security testing • Adversary emulation
