Organisations and solution providers can apply for funding to: 1) undertake paper-based landscape mapping to evaluate the market maturity of AI or other novel technologies to operate as a ‘Red Agent’ penetration tester, and 2) provide a test environment and subsequently undertake practical testing to evaluate the feasibility of AI or other novel technologies to operate as a ‘Red Agent’ penetration tester.
HMGCC Co-Creation will provide funding for time, material, overheads and other indirect expenses.
HMGCC is co-ordinating a Co-Creation challenge to further the security community’s understanding of AI or any novel technologies that have the capacity to penetration test secure IT environments. Scripting-based technologies are excluded as these are mature and available as commercial products.
This Co-Creation challenge aims to evaluate the readiness of the technologies, their capabilities and integration needs. This will be achieved by evaluating ease of adaptation and integration.
The challenge is being delivered across two workstreams running in parallel over 12 weeks. One workstream will identify the capabilities of autonomous Red Agent tools, measuring them in a paper-based assessment against the major factors involved in how they would be used.
The second workstream will involve taking a small group of these tools forward (if they passed the initial workstream test) into an assessment of how they work in practice. We anticipate testing between 3 and 6 Red Agent tools. The results from both workstream tests will then be assessed together. Collaborative development might then be undertaken to help further test and improve the most promising tools where appropriate.
Workstream 1: Landscape mapping
We are looking for a Solution Provider (SP) with knowledge of AI and novel technology in the penetration testing domain. We would like this solution provider to identify current and future ‘Red Agent’ solutions and to develop an assessment framework, which will be used by the SP to evaluate these capabilities on paper. This would be an iterative agile process between Co-Creation and the SP, where the joint team would provide insight into the evaluation criteria, process and findings on a sprint-by-sprint basis. Red Agent tools of interest from the paper-based assessment (Workstream 1) would be highlighted to the capability testing team (Workstream 2), where practical experimentation would take place. The results from this testing would be fed back into the horizon scanning team so that the horizon scanning process could be enhanced if needed.
Workstream 2: Capability testing
We are looking for a Solution Provider (SP) with knowledge of AI and novel technology in the penetration testing domain. We would like this solution provider to provide a test capability in which we will undertake practical experimentation with between 3 and 6 Red Agent tools. The SP would provide the IT test environment (potentially in the cloud), team and processes/procedures to test and report on the effectiveness of each capability. The Authority would instruct the SP which 3 to 6 Red Agent tools to install in the test environment as these are identified during the project. All work would be undertaken at a classification of OFFICIAL.
We envisage three test scenarios within the technical test environment – each one increasing in difficulty (easy/medium/hard). For example, the ‘easy’ environment could have a low level of IT security and could include 2 easily identifiable vulnerabilities that the SP would ‘plant’ in the environment for the Red Agent tool to find.
This would be an iterative agile process between Co-Creation and the SP, where the joint team would provide insight into the evaluation process and findings on a sprint-by-sprint basis.
This challenge is open to sole innovators, industry, academic and research organisations of all types and sizes, including those not traditionally associated with the defence and security sector. There is no requirement for security clearances. Solution providers or direct collaboration from countries listed by the UK government under trade sanctions and/or arms embargoes are not eligible for HMGCC Co-Creation challenges.
Please submit your applications to challenges@sa.catapult.org.uk
Applications must be no more than six pages or six slides in length. The page/slide limit excludes personnel CVs and organisational profiles.
There is no prescribed application format; however, please ensure your application includes the following:
All information you provide as part of your proposal – whether submitted directly to HMGCC or via a collaborator platform – will be handled in confidence.