Network penetration testing and hacking exploit monitoring services for south african airways

The General Conditions of Contract include clauses covering definitions, application, standards, use of contract documents, patent rights, performance security, inspections, packing, delivery, insurance, transportation, incidental services, and other general terms.

Returnable documents and submission details are specified in the Special Conditions of Contract (SCC). The SCC supplements the General Conditions of Contract and prevails in case of conflict. Bidders must compile and submit the SCC separately for this bid.

Documents to be submitted by the supplier are specified in the Special Conditions of Contract (SCC).

Must be registered with South African Revenue Services and provide valid tax clearance certificate (Clause 32.3). Must not be restricted from doing business with public sector. Must comply with National Industrial Participation Programme if applicable (Clause 33). Foreign suppliers responsible for all taxes/levies outside South Africa (Clause 32.1).

The goods supplied must conform to standards mentioned in the bidding documents and specifications. The purchaser may inspect the supplier's premises and records. All pre-bidding testing is at the bidder's cost. Goods may be rejected if they do not comply with contract requirements. Packing must prevent damage during transit and comply with special requirements in the contract.

Delivery of goods must be made in accordance with terms specified in the contract.

Goods must conform to standards in bidding documents. The supplier must maintain confidentiality of contract documents and permit inspections and audits by the purchaser. Inspection, testing, and analysis costs are allocated based on compliance. Non-compliant supplies may be rejected.

If a price other than an all-inclusive delivered price is required, it will be specified in the SCC. Prices charged must not vary from bid prices except as authorized in the SCC or bid validity extension.

Prices must not vary from the bid price except as authorized in the SCC or bid validity extension. Payment terms are specified in the SCC. Payments are made in Rand, within 30 days of invoice submission, upon fulfillment of contract obligations.

A tax clearance certificate issued by SARS is required prior to award. No contract will be concluded with bidders whose tax matters are not in order. The National Industrial Participation (NIP) Programme applies if subject to NIP obligation. Collusive bidding is prohibited and may lead to restriction from public sector business.

The National Industrial Participation (NIP) Programme administered by the Department of Trade and Industry applies to all contracts subject to NIP obligation.

The contract includes clauses on payment, prices, amendments, assignment, subcontracts, delays, penalties, termination for default, force majeure, termination for insolvency, dispute settlement, limitation of liability, governing language, applicable law, notices, taxes and duties, National Industrial Participation Programme, and prohibition of restrictive practices. Special Conditions of Contract (SCC) supplement these and prevail in conflict.

Special Conditions of Contract (SCC) relevant to this bid must be compiled separately and will supplement the General Conditions of Contract. The SCC prevails in case of conflict.

• Request for Quotation for network penetration service (internal and external) and ongoing active watch on hacking exploits applicable to SAA's environment and industry.
• Scope includes provision, execution, configuration, and ongoing management of enterprise-grade penetration testing and active exploit monitoring.
• Solution must cover a minimum of 2,200 user endpoints, be scalable, and provide advanced analytics and reporting.

• Closing date: 19 June 2026.
• Closing time: 16:00 (4:00 PM).
• No other dates (e.g., briefings, site visits) are specified in the document.

• Submission email: [email protected].
• Business unit: Global Supply Management.
• No specific contact person, phone number, or physical address provided.

• Submit your quotation via email to [email protected] by the closing date and time. Late submissions will not be considered.
• The maximum email attachment size is 2MB. If your files exceed this, send them in parts or provide a downloadable link. SAA is not responsible for corrupt links.
• Ensure your bid includes all required returnable documents: SAA Vendor Document (Annexure 1), SBD 4 Document (Annexure 2), and General Conditions of Contract (Annexure 3).
• Incomplete submissions or failure to meet mandatory requirements will result in disqualification.
• The bid must be signed by an authorised respondent.

G.1 Written Quote Form

• Scope: Provide fully managed enterprise-grade penetration testing (internal and external) and active exploit monitoring services for SAA.
• Deliverables include:
• Continuous penetration testing programme with adaptive, automated assessments across systems, applications, networks, and endpoints.
• Active Watch Exploit Monitoring capability for real-time detection, continuous threat intelligence monitoring, automated alerts, and unlimited exploit simulations.
• Access to a continuously updated vulnerability database aligned with ISO 27001, NIST, and CIS Controls.
• Coverage for a minimum of 2,200 user endpoints and associated infrastructure, with scalable licensing.
• Advanced analytics: vulnerability scoring, exploit trend analysis, maturity assessments, risk posture measurement, and monthly/quarterly dashboards and reports.
• Experience requirement: Minimum 8 years combined professional experience in penetration testing and active watch within financial and aviation services.
• Team requirement: Minimum 5 security professionals each holding OSCP certification plus additional certifications (e.g., CREST, CEH, GPEN).
• Compliance: Must adhere to internationally recognised cybersecurity standards (ISO/IEC 27001 or NIST Cybersecurity Framework) and certifications such as OSSTMM, OWASP Testing Guide, or PTES.

• Minimum 8 years professional experience in penetration testing and active watch within financial and aviation services.
• Proven track record in active watch deployment for continuous monitoring and rapid response.
• Team must include at least 5 security professionals each holding OSCP certification plus additional certifications (e.g., CREST, CEH, GPEN).
• Provide CVs for key personnel and professional references validating prior engagements.
• Submit evidence of three client projects within the past 8 years, including signed completion letters, contract extracts, proof of service period, and description of managed services.

• Solution must align with internationally recognised cybersecurity standards: ISO 27001, NIST, CIS Controls.
• Must include certifications such as OSSTMM, OWASP Testing Guide, or PTES.
• Testing must be automated, recurring, and tailored to SAA's threat landscape.
• Requires continuous monitoring, real-time detection, automated alerts, and detailed reporting on system resilience.

• Prices must be exclusive of VAT, firm (fixed), and only subject to VAT changes.
• Pricing should be based on individual components making up the solution, aligned with technical and functional requirements.
• Service, pricing, and availability will be considered in evaluation.

• All prices must be exclusive of VAT.
• Prices must be firm (fixed) and only subject to statutory VAT changes.
• Pricing should be broken down by individual components based on technical and functional requirements.
• Service, pricing, and availability will be considered in evaluation.
• No bonds, guarantees, or payment terms are specified.

• Tax Clearance Certificate: Vendor must ensure SAA has a valid original Tax Clearance Certificate. If SAA does not have one, submit an original certificate with the RFQ. Failure may invalidate the quote.
• B-BBEE: Provide a B-BBEE certificate, sworn affidavit, or CIPC certificate. For joint ventures, a consolidated scorecard is accepted.
• Specific Goals: B-BBEE Level 1 or 2 scores 10 points; 30% or more black women ownership scores 10 points.
• Mandatory documents: SAA Vendor Document, SBD 4 Document, and General Conditions of Contract must be submitted.
• General compliance: Bidders must meet all administrative, substantive, technical, and financial requirements.

• B-BBEE Level 1 or 2 scores 10 points; Level 3–8 or non-compliant scores 0.
• 30% or more black women ownership scores 10 points.
• Acceptable evidence: B-BBEE certificate, sworn affidavit, or CIPC certificate (consolidated scorecard for joint ventures).

• All goods or services purchased are subject to SAA General Conditions of Contract, available from the procurement office.
• Purchases require an official purchase order; do not deliver goods or services without one.
• The vendor certifies that information supplied is correct, has read and understood SAA's General Conditions of Contract, and accepts them.

• Vendor must ensure SAA has a valid original Tax Clearance Certificate; submit one if SAA does not have it.
• Mandatory requirements must be met with proof; failure results in disqualification.

• Evaluation stages: Administrative, Substantive, Technical Functionality, Price, and Specific Goals.
• Technical Functionality minimum threshold: 75%.
• Specific Goals: 20 points allocated for B-BBEE and black women ownership.
• SAA may conduct evaluation stages in parallel; evaluation at any stage does not imply passing previous stages.

This document is an SBD4 (Standard Bidding Document 4) - Bidder's Disclosure annexure only. It does not contain the description of the network penetration services tender. The actual tender is for network penetration testing services (internal and external) and ongoing active monitoring of hacking exploits applicable to South African Airways's environment and industry. Full scope details are not present in this document.

Contact details are limited. Department: Supply Chain Management. No specific contact person, email address, or phone number is provided in this document. Bidders should consult the full tender documentation for SCM and technical contact details.

This document (SBD4 - Bidder's Disclosure) does not contain submission guidelines for the network penetration services tender. The actual submission requirements, returnable documents, and submission address are not present in this annexure. Bidders must obtain the full tender documentation to determine where and how to submit their proposals.

No technical specifications for the network penetration services (internal/external) or active hacking exploit monitoring are contained in this document. This SBD4 annexure does not include scope, deliverables, standards, or service level requirements. The full tender specification document is required to understand the technical requirements.

Mandatory sbd4 disclosure requirements:

• Complete the Bidder's Disclosure form (SBD4) in full
• Declare if bidder or any director/trustee/shareholder/member/partner with controlling interest is employed by the state — if yes, provide full names, identity numbers, and state institution names
• Declare if any connected person is employed by the procuring institution — if yes, provide particulars
• Declare if bidder or controlling persons have interest in any related enterprise — if yes, provide particulars
• Sign the declaration certifying all information is true and complete
• Disqualification risk: Bidders listed on Register for Tender Defaulters or List of Restricted Suppliers will automatically be disqualified
• False declaration risk: Bid may be rejected or legal action taken under PFMA SCM Instruction 22; suspicious bids reported to Competition Commission and/or NPA; possible restriction from public sector for up to 10 years under Prevention and Combating of Corrupt Activities Act

Bidder disclosure requirements (sbd4):

• All bidders (natural or juristic persons) must complete this form
• Based on constitutional principles of transparency, accountability, impartiality, and ethics
• Persons on Register for Tender Defaulters or List of Restricted Suppliers will be automatically disqualified
• Section 2.1: Declare if bidder or any controlling persons are employed by the state — if yes, list names, identity numbers, and state institution
• Section 2.2: Declare if any connected person is employed by the procuring institution — if yes, provide particulars
• Section 2.3: Declare if bidder or controlling persons have interest in other related enterprises — if yes, provide particulars
• Section 3 Declaration: Certify that bid was prepared independently without consultation, communication, agreement, or arrangement with any competitor regarding quality, quantity, specifications, prices, methods, factors, formulas, market allocation, bidding intentions, or delivery particulars
• Joint venture or consortium partners may communicate but this does not constitute collusive bidding
• Certify that bid terms have not been disclosed to competitors before bid opening or contract award
• Certify no improper arrangements with procuring institution officials except for bid clarification
• Certify bidder was not involved in drafting specifications or terms of reference
• Consequence of false declaration: Reported to Competition Commission for investigation and possible administrative penalties; reported to NPA for criminal investigation; restricted from public sector for up to 10 years under applicable legislation

No evaluation criteria for the network penetration services tender are contained in this document. Only the mandatory SBD4 disclosure form is provided here.