Tender Description:

JSC “Liberty Bank” announces a tender for the selection of a company to conduct external and internal infrastructure penetration testing for the Bank throughout 2026, in accordance with the qualification requirements outlined below.

Requirements for Companies:

• The company should preferably have at least 5 years of experience in providing penetration testing services.
• Over the past two years, the company has implemented at least two projects related to similar tasks.

List of similar projects

• Company has staff, who were involved in at least 2 similar projects with the company within last 2 years.
• The company must provide a team of at least 4 penetration testers.
• The penetration tester who will lead the project must have one of the following or similar certifications.: OSCP, OSCP+, OSEP, CPTS, CRTO, CRTL, GXPN.
• A Lead Penetration Tester must have at least 3 years of experience in this field.

The proposal must include:

• CVs and roles of all personnel involved in testing.
• The company must provide 2 letters of recommendation for providing penetration testing services.
• ·t's desirable for the company to have penetration testing specialists in Georgia. Their physical presence may be required.
• Company should be authorized by Digital Governance Agency for conducting pen tests according to Law on Information Security of Georgia

Penetration Test Scope:

External Penetration Test (BlackBox):

• 1x VLAN (/24) [hosted ~30 Simple Web Applications and ~20 Public APIs]
  
• 2x VLAN (/28)

Internal Penetration Test (Gray Box):

• 1x WiFi VLAN (/22)
  
• 1x VoIP VLAN (/22)
  
• 3x Users VLAN (/24)
  
• 11x Servers VLAN (/24)

Internet and Mobile Banking Penetration Testing (White/Gray box)

• 1x Internet Bank
  
• 1x Business Internet Bank
  
• 1x Mobile Bank App
  
• 1x Mobile Business Bank App

*User and features list for interne/mobile bank penetration testing will be provided

ATM Penetration Testing (Black Box)

Pay.ge Penetration Testing

OpenBanking Web Application Penetration Testing [5 Simple WebApps and 9 APIs]

Please also provide Man/Day or Man/Hour price for penetration test. One or more websites may be selected for penetration testing during the year.

Project requirements:

• Penetration Tests will be conducted throughout 2026.
• Timeline for each penetration test will be scheduled mutually at the beginning of the year.
• First and Second PCI DSS penetration test will be conducted by different penetration testers.
• Preferable active (testing) phase and reporting should be finished on December 20, 2026 (reporting deadline can be discussed)

Proposal must include:

• Methodologies to be used.
• Tools to be used.
• Man/days of each involved personnel.
• Financial proposal

Deliverables:

• Assessment report of external and internal separately
• Report must include:
  - Executive summary containing overall assessment of security level and list of nonconformities.
  - Detailed list of non-conformities with appropriate evidence
  
• Non-conformities should have severity classification.
• Recommendation how to solve non-conformity.
  
• Separate excel file with list of non-conformities and corresponding recommendations.

 Interested parties are kindly requested to submit their proposals no later than 5th January 2026.

Tender Submission Terms:

• Offers should be submitted on procurement web-page: www.tenders.ge
• Submission Deadline is: 05/01/2026 ; 18:00 PM 
• Bid currency: N.A
• Auction type: Without auction
  
• Instructions to Apply for E-Tender can be found in the attached file
• Any question during the electronic tender process shall be made in writing and communicated through the Q&A platform of www.tenders.ge website 

For any questions related to the project or to obtain detailed information, please contact the Head of the IT Security Division, Information Security Department.
Avtandil Nebadze:  avtandil.nebadze@lb.ge  Mob: +995 599 25 76 86

ტენდერის კატეგორია:

• 72200000 პროგრამული უზრუნველყოფის შემუშავება და საკონსულტაციო მომსახურებები