Hiring of Vulnerability Assessment and Penetration Testing Services

The National Disaster Risk Management Fund (NDRMF) based in Islamabad Capital Territory is procuring specialized Vulnerability Assessment and Penetration Testing (VAPT) services to evaluate and enhance the security posture of its IT infrastructure. This procurement is specifically for conducting comprehensive security testing across NDRMF's primary and secondary data centers located in Islamabad, including network devices, servers, web applications, email servers, and endpoints. The technical scope includes external and internal network infrastructure assessment, web and mobile application testing, server and database security evaluation, and testing of firewalls, routers, switches, and wireless networks. The service provider must follow a structured VAPT methodology covering reconnaissance, vulnerability scanning, manual verification, controlled exploitation, post-exploitation, and detailed reporting with recommendations. Testing will be hybrid, combining online and on-premises modes. Eligible bidders must be registered with FBR and on ATL status, possess a valid business setup with telephone facilities, and must not be blacklisted. Experience criteria include at least three successful IT service contracts in the last five years and a minimum of three certified professionals holding certifications such as OSCP, CEH, CISSP, or equivalent. ISO 27001 certification is mandatory. Bidders must also submit a detailed work plan and methodology for the assignment. The submission deadline is **May 21, 2026, at 10:00 AM** through the EPADS v2.0 portal. Manual bids will not be accepted. The technical and financial bids will be evaluated using Least Cost Based Selection (LCBS). The bid security and performance guarantee requirements are clearly defined in the bidding documents. Bidders should ensure timely submission of original bid security to avoid disqualification. A practical tip for bidders is to carefully review the detailed scope and ensure all required certifications and documentary proofs are attached with the proposal. Early registration on EPADS v2.0 and familiarization with the e-bidding process will help avoid last-minute technical issues. The contract duration is within 90 days following signing, with full payment upon acceptance of deliverables. This is a critical opportunity for cybersecurity firms to engage with a federal agency and demonstrate their expertise in securing vital government infrastructure.