Achiziție comună/Joint Procurement: teste de penetrare infrastructură informatică/Supply of IT Security Assessment Services: Penetration Testing/IT Security Assessment Services according to the TIBER-EU framework

Titlu

Achiziție comună/Joint Procurement: teste de penetrare infrastructură informatică/Supply of IT Security Assessment Services: Penetration Testing/IT Security Assessment Services according to the TIBER-EU framework
361684_2021_M10

Scurtă descriere

The contract implies a joint procurement.
The contracting authority is purchasing also on behalf of other contracting authorities.
The participating institutions are:
Banca d'Italia, Via Nazionale 91, Roma, IT 00184, Italy
Banco de España, Calle Alcalá, 48, 28014, Spain
Banque centrale du Luxembourg, 2, boulevard Royal, L-2983 Luxembourg
Central Bank of Cyprus, 80 Kennedy Avenue, Nicosia, CY-1076, CYPRUS
Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1, Ireland
Central Bank of Malta, Castille Place, Valletta, VLT1060, Malta
European Central Bank, Sonnemannstrasse 20, Frankfurt am Main,60314, Germany
Oesterreichische Nationalbank, Otto-Wagner-Platz 3, Wien, 1090, Austria
Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, Malta
Other institutions, having the right to participate in EPCO’s activities (according to Decision ECB/2008/17 as amended), which did not express an interest in this procedure before the publication of the contract notice in the OJEU will also have the possibility to join the Framework Agreements - if they wish so - before its expiry. The identity of EPCO members may be consulted on EPCO's website: https://epco.lu/.
The objective of the current joint tender procedure is to contract the services for identifying the cybersecurity risks and for guidance to take appropriate technical and organizational measures to minimize those risks within current and future EPCO members of the ESCB.
To cover a wider scope, according to the testing methodology, the National Bank of Romania identified three lots for the joint tender procedure:
• Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards;
IT Security Assessment Services according to the TIBER-EU framework:
• Lot no. 2 - Targeted Threat Intelligence Services;
• Lot no. 3 - Red team IT Security Services.
Each lot will result in a framework agreement with the following characteristics: multi-supplier framework agreement (max 5), with reopening the competition. For all Participating Institutions, except NBR, this Framework Agreement shall be non-exclusive, meaning that these Participating Institutions will not have obligation to award assignments to the Contractor according to this Framework Agreement for the purchase of IT Security Assessment Services with the Contractor. For NBR this Framework Agreement shall be exclusive, meaning that during the term of this Framework Agreement NBR will have the obligation to fulfill its needs for IT Security Assessment Services through this Framework Agreement by concluding Further Agreements with the Contractors.
All current and future EPCO member central banks are together potential beneficiaries of the Framework Agreements, which the Participating Institutions will implement via reopening of the competition (mini-competition) among the Contractors. Each Participating Institution shall be entitled to describe its specific needs regarding the IT Security Assessment Services (the IT infrastructure that needs to be tested), apply its own offers evaluation methodology, and quality/price weighting within the terms of the Framework Agreement to assign the Further Agreements.
Deadline for requesting clarifications to the award documentation: 16 days before the deadline for submission of offers
Date of response to all requests for clarification: 11 days before the deadline for submission of offers

Autoritatea contractantă își rezervă dreptul de a atribui contracte care combină următoarele loturi sau grupuri de loturi

According to the requested manner of preparing and presenting the tenders, the tenderers can submit their tenders for one or all lots.
Regarding the estimated volume in the case of participating institutions, EPCO members, the following information will be taken into account:
• interested Institutions in using the framework agreements from the beginning: Banco de Espana, Banque Centrale du Luxembourg, Central Bank of Cyprus, Central Bank of Ireland, Central Bank of Malta, Oesterreichische Nationalbank, European Central Bank, Banca d'Italia, Malta Financial Services Authority.
• The total estimated volume based on the information provided by the institutions listed above, for all lots, for a period of 4 years: 2,975,636 EURO
• The total real value of the further agreements could increase considerably considering that any other EPCO participating institution (https://epco.lu/) has the right to access the framework agreements that will result from this joint procurement.

Descrierea achiziției publice

The IT infrastructure of the NBR (as well as that of the other participating institutions), as it is implemented at the time of the tests, available to both internal and external customers is within the purpose of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
— Identify the external exposure in terms of surface attack and determine if the implemented security controls ensure appropriate protection against malicious actors,
— Measure the level of responsiveness and capability to identify and react against a cyber-attack targeted to the weakness points,
— Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it,
— Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack,
— Determine if the sensitive data is well protected against bad actors,
— Being compliant with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
From the point of view of the TIBER - EU methodology:
The tests will provide an overview of the existing vulnerabilities in employees, business processes, associated technology (applications and infrastructure) and will provide a detailed threat assessment that can be used to raise awareness of the current situation and the measures to be taken to address it, improve the situation and reduce the associated risks. These tests performed on the basis of the "Red / Blue / White Team" concept are an extended form of the classic concept of penetration testing which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.

Criteriul de calitate (denumire)

Evaluation subfactor name: 1. Qualification and professional experience of the staff designated for the performance of the contract (proposed key experts) for carrying out the activities under the Contract 2. The degree of knowledge and understanding of the object of the contract 3. Planning specific tasks 4. Quality assurance plan 5. The degree of adequacy of the implementation plan

Informații suplimentare

Regarding the estimated volume in the case of participating institutions, EPCO members, the following information will be taken into account:
• interested Institutions in using the framework agreements from the beginning: Banco de Espana, Banque Centrale du Luxembourg, Central Bank of Cyprus, Central Bank of Ireland, Central Bank of Malta, Oesterreichische National... detalii pe www.e-licitatie.ro

Descrierea achiziției publice

The IT infrastructure of the NBR (as well as that of the other participating institutions), as it is implemented at the time of the tests, available to both internal and external customers is within the purpose of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
— Identify the external exposure in terms of surface attack and determine if the implemented security controls ensure appropriate protection against malicious actors,
— Measure the level of responsiveness and capability to identify and react against a cyber-attack targeted to the weakness points,
— Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it,
— Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack,
— Determine if the sensitive data is well protected against bad actors,
— Being compliant with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
Penetration tests are performed usually by following the stages defined below:
• Pre-engagement Interactions;
• Intelligence Gathering and Threat Modelling;
• Vulnerability Identification and Analysis;
• Exploitation;
• Post Exploitation;
• Reporting.

Criteriul de calitate (denumire)

Evaluation subfactor name: 1. Qualification and professional experience of the staff designated for the performance of the contract (proposed key experts) for carrying out the activities under Contract 2. The degree of knowledge and understanding of the object of the contract 3. Planning specific tasks 4. Quality assurance plan 5. The degree of adequacy of the implementation plan

Lista și o scurtă descriere a afecțiunilor

The DUAE completed with reference data / information in relation to the provisions of art. 164 of Law no. 98/2016.
DUAE will be presented for each entity participating in the award procedure, respectively Tenderer, associate, subcontractor or third party supporter.
The supporting documents proving the fulfillment of those assumed by completing the DUAE are to be presented at the contracting authority's request, only by the Tenderers ranked on the first 5 places in the intermediate ranking drawn up at the end of the evaluation of the tenders. Documents that may be requested:
— criminal record for the Tenderer and for the persons who are members of the administrative, management or supervisory body of the respective Tenderer or have the power of representation, decision or control within it, as it results from the ascertaining certificate issued by ONRC / act constitutive.
For foreign tenderers, any document considered edifying in the country of origin or in the country where it is established is accepted, such as declarations on their own responsibility, certificates, criminal records or other equivalent documents issued by the competent authorities of that country, accompanied by an authorized translation. in Romanian.
Requirement no. 2
Reasons related to the payment of taxes and social security contributions
The manner of fulfillment and the applicability within the procedure
The DUAE completed with reference data / information in relation to the provisions of art. 165 of Law no. 98/2016.
DUAE will be presented for each entity participating in the award procedure, respectively tenderer, associate, subcontractor, or third party supporter.
The supporting documents proving the fulfillment of those assumed by completing the DUAE are to be presented at the contracting authority's request, only by the Tenderers ranked on the first 5 places in the intermediate ranking drawn up at the end of the evaluation of the tenders. Documents that may be requested:
— fiscal attestation certificates regarding the payment of taxes, fees or contributions to the general consolidated budget, etc. so as to show the lack of outstanding debts at the date of presentation of the documents,
— documents proving that the economic operator can benefit from the derogations provided in art. 166 para. (2), art. 167 para. (2), art. 171 of Law no. 98/2016 (if applicable).
For foreign Tenderers, any document considered edifying in the country of origin or in the country where it is established is accepted, such as declarations on their own responsibility, certificates, criminal records or other equivalent documents issued by the competent authorities of that country, accompanied by an authorized translation. in Romanian.
Requirement no. 3
Reasons related to insolvency, conflicts of interest or professional misconduct.
The manner of fulfillment and the applicability within the procedure
The DUAE (Part III - Reasons for exclusion) completed with reference data / information in relation to the provisions of art. 167 of Law no. 98/2016. DUAE will be presented for each entity participating in the award procedure, respectively tenderer, associate, subcontractor or third party supporter.
The supporting documents proving the fulfillment of those assumed by completing the DUAE are to be presented, at the request of the contracting authority, only by the Tenderers ranked on the first 5 places in the intermediate ranking drawn up at the end of the evaluation of the tenders:
— for the Romanian economic operator - ascertaining certificate issued by the Trade Register Office attached to the competent territorial Tribunal.
From the ascertaining certificate / register extract presented it must result:
a) the condition of the tenderer;
b) the persons representing the tenderer in the relationship with third parties.
The information contained in this document must be real / current at the date of submission.
Itcano prove the capacity to exercise the professional activity by presenting the ascertaining certificate issued by ONRC in electronic form, signed with the extended electronic signature.
— for a foreign economic operator: the tenderer will present edifying documents, translated into Romanian by an authorized translator, real / current at the date of presentation, proving a form of registration as a natural / legal person or registration / attestation or belonging from the point from a professional point of view and in which to mention the persons representing the entity in relations with third parties, in accordance with the legal provisions of the country in which the Tenderer is resident. Also, the submitted documents must include information on the status of the Tenderer.
NOTE: The supporting documents will be presented for each entity participating in the award procedure, respectively tenderer, associate, subcontractor or third party supporter.
The persons with decision-making positions within the contracting authority, regarding the organization, development and completion of the award procedure are:
National Bank of Romania Board of Directors:
• Governor - Mugur Isarescu
• First Deputy Governor - Florin Georgescu
• Deputy Governor - Eugen Nicolaescu
• Deputy Governor - Leonardo Badea
• Member - Csaba Bálint
• Member - Cristian Popa
• Member - Dan Radu Rușanu
• Member - Gheorghe Gherghina
• Member - Virgiliu Stoenescu
Management of the Procurement Department
• Gabriela Preda - Director
• Petre Augustin Dutu - Deputy Director
Management of the Budget and Financial Analysis Department
• Ion Paduraru - Director
• Gabriela Latea - Deputy Director
Management of the Accounting Department
• Iulia Stanciu - Director
• Daniela Ilie - Deputy Director
Management of the Legal Department
• Alexandru Paunescu - Director
Management of the IT Services Department
• Ovidiu Dragomir - Director
• Tiberiu Parvulescu - Deputy Director
Information and formalities necessary for evaluating if the requirements are met:
Information regarding the capacity to exercise the professional activity
The manner of fulfillment and the applicability within the procedure
The DUAE (Part IV A - Ability to comply with the requirements) supplemented with reference data / information in relation to the provisions of art. 173 of Law no. 98/2016.
The supporting documents proving the fulfillment of those assumed by completing the DUAE are to be presented, at the request of the contracting authority, only by the Tenderers ranked on the first 5 places in the intermediate ranking drawn up at the end of the evaluation of the tenders:
— for the Romanian economic operator - ascertaining certificate issued by the Trade Register Office attached to the competent territorial Tribunal.
From the ascertaining certificate / register extract presented it must result:
a) the main activity object and the secondary activity objects. The object of the contract must have a correspondent in the CAEN code from the Finding Certificate issued by ONRC
b) the legal situation of the Tenderer and his condition;
c) the persons representing the bidder in the relationship with third parties.
The information contained in this document must be real / current at the date of submission.
It can prove the capacity to exercise the professional activity by presenting the ascertaining certificate issued by ONRC in electronic form, signed with the extended electronic signature.
— for a foreign economic operator: the tenderer will present edifying documents, translated into Romanian by an authorized translator, real / current at the date of presentation, proving a form of registration as a natural / legal person or registration / attestation or belonging from the point professionally and in which to mention the persons representing the entity in relations with third parties, in accordance with the legal provisions of the country in which the bidder is resident. Also, the submitted documents must contain information on the status of the bidder.
NOTE: The supporting documents will be presented for each entity participating in the award procedure, respectively tenderer, associate, subcontractor or third party supporter.

Lista și o scurtă descriere a criteriilor de selecție

Loturile: 1,2,3 For service contracts: performance of services of the specified type For each lot, the Tenderers will fill in the DUAE the following information: Lot 1: List of the main services performed during a period covering a maximum of 3 years, calculated from the deadline set for the submission of tenders, indicating the values, data, and public or private beneficiaries, certifying that the tenderer has provided services similar within a maximum of 3 contracts with object “Penetration test”, whose cumulative value to be at least equal to 494,000 RON without VAT (or equivalent to EUR at a rate of 4.94 Lei / EUR). Lot 2: List of the main services performed during a period covering a maximum of 3 years, calculated from the deadline set for the submission of tenders, indicating the values, data, and public or private beneficiaries, certifying that the tenderer has provided services similar within a maximum of 3 contracts with object “Threat intelligence-led red team tests”, whose cumulative value to be at least equal to 494,000 RON without VAT (or equivalent to EUR at a rate of 4.94 Lei / EUR). Lot 3: List of the main services performed during a period covering a maximum of 3 years, calculated from the deadline set for the submission of tenders, indicating the values, data, and public or private beneficiaries, certifying that the tenderer has provided services similar within a maximum of 3 contracts with object “Threat intelligence-led red team tests”, whose cumulative value to be at least equal to 494,000 RON without VAT (or equivalent to EUR at a rate of 4.94 Lei / EUR).
Loturile: 1,2,3 Subcontracting proportion The tenderer must specify the part (s) of the contract which he intends to subcontract, the percentage of the contract corresponding to the activities to be carried out by the subcontractor, for each subcontractor, and the identification data of the subcontractors (at least name, legal form of organization and unique registration code).

Condiții de participare (capacitate tehnică și profesională)

The proving documents regarding the fulfillment of the qualification criteria will be requested, respectively the presentation of certificates / documents / recommendations / minutes of reception (dated and signed by the beneficiary) confirming the provision of similar requested services, in the indicated period, as well as any other documents. considered relevant in proving the fulfillment of the requirement by the economic operator.
The DUAE Form will be completed with the reference data / information in relation to the provisions of art. 179 lit. k) of Law no. 98/2016. If tenderers subcontract parts of the contract, they shall submit with DUAE, the subcontracting agreement showing at least the information on the subcontractor and the identification data, the part (s) of the contract to be performed by the subcontractor and the actual manner whereby the subcontractor ensures the fulfillment of the assumed obligations. Tenderers are requested to indicate in their tenders the subcontractor / local subsidiary or other entity that could carry out the IT Security Assessment Services (current batch), for each participating institution that could adhere to the framework agreement. Tenderers will not have the right to introduce new subcontractors except with the agreement of the NBR, by presenting the contracts concluded between the contractor and the subcontractor / subcontractors, so that the activities and amounts / percentages related to services are included in the Framework Agreement. The introduction of a subcontractor must not lead to a change in the initial technical or financial proposal. In the case of subcontracting, the contractor will remain obliged to comply with its obligations towards the NBR and the participating Institutions under the framework agreement and will assume sole responsibility for the proper execution of the framework agreement. If it uses subcontractors / affiliates, the contractor guarantees that the subcontractors / affiliates are highly qualified and that the subcontractor / affiliate must provide services to the participating institutions at a very high quality level.

If it is found that there are two or more tenders, with equal scores, ranked in one of the first five places, in order to decide the first five winners, the contracting authority will request through SEAP new price tenders, in which case the framework agreement will be awarded to the tenderers whose new financial proposals have the lowest price.
Requests for clarifications will be addressed in English, through SEAP, in the "Questions" section of the award procedure carried out by electronic means and the answers to them will be published in English, in SEAP in the Section "Documentation, clarifications and decisions" from the participation announcement. In order to send the requests for clarifications, the economic operators must register in the S.E.A.P. (www.e-licitatie.ro).
The evaluation commission will send the requests for clarification regarding the offer, in English, by using the technical facilities available in SEAP (“Questions” Section). The economic operators will send the answers to the clarifications and the eventual documents requested during the evaluation of the offers, through SEAP (“Questions” Section), entirely in the section corresponding to the respective request, in electronic format, in the form of one or more distinct documents / files signed with electronic signature according to the provisions of Law no. 455/2001 regarding the electronic signature.
All documents / documents related to the award procedure, submitted by the tenderers (offer, qualification documents, requests for clarifications, answers to requests for clarifications) will be written in English or will be presented accompanied by the authorized translation into English.

Titlu

Achizitie comuna/ Joint Procurement: Teste de penetrare infrastructura informatica / Supply of IT Security Assessment Services: Penetration Testing / IT Security Assessment Services according to the TIBER-EU framework
361684_2021_M10

Scurtă descriere

The contract implies a joint procurement.
The contracting authority is purchasing also on behalf of other contracting authorities.
The participating institutions are:
Banca d'Italia, Via Nazionale 91, Roma, IT 00184, Italy
Banco de España, Calle Alcalá, 48, 28014, Spain
Banque centrale du Luxembourg, 2, boulevard Royal, L-2983 Luxembourg
Central Bank of Cyprus, 80 Kennedy Avenue, Nicosia, CY-1076, CYPRUS
Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1, Ireland
Central Bank of Malta, Castille Place, Valletta, VLT1060, Malta
European Central Bank, Sonnemannstrasse 20, Frankfurt am Main,60314, Germany
Oesterreichische Nationalbank, Otto-Wagner-Platz 3, Wien, 1090, Austria
Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, Malta
Other institutions, having the right to participate in EPCO’s activities (according to Decision ECB/2008/17 as amended), which did not express an interest in this procedure before the publication of the contract notice in the OJEU will also have the possibility to join the Framework Agreements - if they wish so - before its expiry. The identity of EPCO members may be consulted on EPCO's website: https://epco.lu/.
The objective of the current joint tender procedure is to contract the services for identifying the cybersecurity risks and for guidance to take appropriate technical and organizational measures to minimize those risks within current and future EPCO members of the ESCB.
To cover a wider scope, according to the testing methodology, the National Bank of Romania identified three lots for the joint tender procedure:
• Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards;
IT Security Assessment Services according to the TIBER-EU framework:
• Lot no. 2 - Targeted Threat Intelligence Services;
• Lot no. 3 - Red team IT Security Services.
Each lot will result in a framework agreement with the following characteristics: multi-supplier framework agreement (max 5), with reopening the competition. For all Participating Institutions, except NBR, this Framework Agreement shall be non-exclusive, meaning that these Participating Institutions will not have obligation to award assignments to the Contractor according to this Framework Agreement for the purchase of IT Security Assessment Services with the Contractor. For NBR this Framework Agreement shall be exclusive, meaning that during the term of this Framework Agreement NBR will have the obligation to fulfill its needs for IT Security Assessment Services through this Framework Agreement by concluding Further Agreements with the Contractors.
All current and future EPCO member central banks are together potential beneficiaries of the Framework Agreements, which the Participating Institutions will implement via reopening of the competition (mini-competition) among the Contractors. Each Participating Institution shall be entitled to describe its specific needs regarding the IT Security Assessment Services (the IT infrastructure that needs to be tested), apply its own offers evaluation methodology, and quality/price weighting within the terms of the Framework Agreement to assign the Further Agreements.
Deadline for requesting clarifications to the award documentation: 16 days before the deadline for submission of offers
Date of response to all requests for clarification: 11 days before the deadline for submission of offers

Descrierea achiziției publice

The IT infrastructure of the NBR (as well as that of the other participating institutions), as it is implemented at the time of the tests, available to both internal and external customers is within the purpose of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
- Identify the external exposure in terms of surface attack and determine if the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and capability to identify and react against a cyber-attack targeted to the weakness points;
- Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine if the sensitive data is well protected against bad actors;
- Being compliant with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
From the point of view of the TIBER - EU methodology:
The tests will provide an overview of the existing vulnerabilities in employees, business processes, associated technology (applications and infrastructure) and will provide a detailed threat assessment that can be used to raise awareness of the current situation and the measures to be taken to address it, improve the situation and reduce the associated risks. These tests performed on the basis of the "Red / Blue / White Team" concept are an extended form of the classic concept of penetration testing which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.

Descrierea achiziției publice

The IT infrastructure of the NBR (as well as that of the other participating institutions), as it is implemented at the time of the tests, available to both internal and external customers is within the purpose of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
- Identify the external exposure in terms of surface attack and determine if the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and capability to identify and react against a cyber-attack targeted to the weakness points;
- Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine if the sensitive data is well protected against bad actors;
- Being compliant with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
Penetration tests are performed usually by following the stages defined below:
• Pre-engagement Interactions;
• Intelligence Gathering and Threat Modelling;
• Vulnerability Identification and Analysis;
• Exploitation;
• Post Exploitation;
• Reporting.