AI-Driven Penetration Testing Collaboration Event (CE)
In-Person on 12 February 2025
Request to Attend
06 February 2025
11:59 PM ET
U.S. Citizens Only
Purpose
The Cyber Fusion Innovation Center (CFIC), in collaboration with Army Cyber Command (ARCYBER) Technology and Innovation Center (ArCTIC) is in search of industry expertise to enhance ARCYBER’s capabilities using an AI-assisted penetration testing software application. The release documents ArCTIC’s methodology for pursuing, selecting, and assessing such solutions.
Background/Synopsis
In FY25, ARCYBER identified the need to seek proposals from qualified vendors for the development and delivery of an AI-assisted penetration testing software application. The software will be used by Army Cyber Command personnel to identify vulnerabilities and trigger them to prove the existence of vulnerabilities in target infrastructure. The solution sought must accelerate the pentest operators' ability to conduct interactive missions and accelerate experience accumulation through enhanced decision-making and enriching operator feedback to enable faster decisions and preapproved actions.
Requirements and Key Performance Outcomes
-
Automatically identify vulnerabilities in target infrastructure using AI/ML techniques and recommend courses of action to validate vulnerabilities, depicting likely command output, where Pentest activity would be found in target logs, and how to mitigate.
-
Execute pre-approved actions to map, define and trigger identified vulnerabilities to prove their existence and install persistence tools, adhering to ethical and legal standards.
-
Provide a user-friendly interface for pentest operators to perform offensive tasks, incorporating intuitive UX/UI design principles that help unify mapping, discovery and situational understanding throughout the pentest operation. Vulnerability documentation, including tutorials and assistance should be provided through the sought solution.
-
Integrate with existing cybersecurity tools and systems via logging, or API such as campaign dashboards depicting the status of operations and crews or SIEM systems.
-
Generate detailed reports on vulnerabilities in formats like PDF and HTML that can be leveraged as preapproved actions or recommendations to the operator.
-
Provide support for multiple operating systems (e.g., Windows, Linux, MacOS), ensuring seamless cross-platform functionality.
-
Be scalable, secure, and compliant with relevant standards - STIG standards is not a requirement but the software must be secure and readily patchable by the provider.
-
Scalability: The software must handle large-scale infrastructure missions and support up to 1,000 node pentest operations without performance degradation.
-
Security: The software must be secure, with strong encryption and access controls to prevent unauthorized access. The software should provide comprehensive audit trails of operator activities and real-time monitoring capabilities.
-
-
Effectively identify and enable triggering of a wide range of vulnerabilities, including OWASP Top 10, LOTL and zero-day vulnerabilities, with an accuracy rate of at least 80%.
-
Be an efficient tool. The software must perform tasks quickly, with an average task completion time of under 10 seconds, and minimal resource usage (e.g., CPU/GPU usage under 30%).
How You Can Participate
RSVP to the 12 February 2025 Collaboration Event – CLICK HERE
Read and download the full event release
Questions?
For event-related questions, please contact CFIC Event Coordinator Amanda Green at agreen@cyberfic.org.
DISCLAIMERS:
An award under 10 U. S. Code, Section 2371b may result in award of a follow-on production in accordance with 10.U.S.C. 2371(f). Upon determination that the competitively awarded prototype project(s) have been successfully completed, and subject to the availability of funds, the prototype project(s) may result in the award of a follow-on production contract or transaction without the use of competitive procedures. Such awards may include multiple phases.
Non‐Government advisors may be used in the evaluation of submissions and will have signed Non‐Disclosure Agreements (NDAs) with the Government. The Government understands the information provided in this announcement is presented in confidence and may contain trade secret or commercial or financial information and agrees to protect such information from unauthorized disclosure to the maximum extent permitted and as required by law. An organization's participation in any part of the selection process under this announcement indicates concurrence with the aforementioned use of contractor support personnel.