Deadline: 21 November 2024
HMGCC is co-ordinating a Co-Creation challenge to further the security community’s understanding of AI or any novel technologies that have the capacity to penetration test secure IT environments.
This Co-Creation challenge aims to evaluate the readiness of the technologies, their capabilities and integration needs. This will be achieved by evaluating ease of adaptation and integration.
Organisations and solution providers can apply for funding to undertake paper-based landscape mapping to evaluate the market maturity of AI or other novel technologies to operate as a ‘Red Agent’ penetration tester, and to provide a test environment and subsequently undertake practical testing to evaluate the feasibility of those technologies operating as a ‘Red Agent’ penetration tester.
The challenge is being delivered across two workstreams, run in parallel over 12 weeks.
Project Scope
- They are seeking applications to deliver one or both of the workstreams in this challenge. Please make it clear in your application which workstream(s) you are bidding for.
- HMGCC will provide the supplier of Workstream 2 with additional reasonable call-off costs of up to £65k (exc. VAT) during the project to support third-party charges for selected Red Agent tools in the test environment.
- HMGCC may also provide additional costs for collaborative development of selected tools where appropriate after initial testing has been completed.
- Characteristics of the assessment for each Red Agent capability could include:
  - A number of factors are considered in decision making, i.e. the capability does not work through a simple ordered list of actions in a scripted behaviour.
  - The capability is adaptable, and is able to adapt to different networks with no specific reconfiguration.
  - Functions with no knowledge of the network being tested.
  - Operates disconnected from the internet.
  - Easy to add new exploits.
  - Quick to train.
  - Quick to make decisions.
  - Ability to integrate with existing (commercially available and bespoke) tool sets, for example, to perform bespoke actions.
  - Ability to integrate with commercially available and bespoke tool sets to provide two-way control where appropriate, for example, using APIs.
  - Logging/justification of actions that supports the security team with relevant outputs.
  - Allows for human decision making at key points to support more sensitive testing.
  - Able to operate in different ways, e.g. as fast as possible, slow and least disruptive, easily detectable, and difficult to detect.
  - The technology will run on a normal commercially available laptop, i.e. there is no need for any specialist compute.
- The following capabilities would be out of scope for the assessment:
  - Scripting-based technologies are excluded as these are mature and available as commercial products.
  - Solutions at or below Technology Readiness Level (TRL) 2.
  - Security research tools.
  - Academic research papers.
Workstreams
- Workstream 1: Landscape mapping
  - They are looking for a Solution Provider (SP) with knowledge of AI and novel technology in the penetration testing domain. They would like this solution provider to identify current and future ‘Red Agent’ solutions and to develop an assessment framework, which will be used by the SP to evaluate these capabilities on paper. This would be an iterative agile process between Co-Creation and the SP, where the joint team would provide insight into the evaluation criteria, process and findings on a sprint-by-sprint basis. Red Agent tools of interest from the paper-based assessment (Workstream 1) would be highlighted to the capability testing team (Workstream 2), where practical experimentation would take place. The results from this testing would be fed back into the horizon scanning team so that the horizon scanning process could be enhanced if needed.
- Workstream 2: Capability testing
  - They are looking for a Solution Provider (SP) with knowledge of AI and novel technology in the penetration testing domain. They would like this solution provider to provide a test capability in which they will undertake practical experimentation with between 3 and 6 Red Agent tools. The SP would provide the IT test environment (potentially in the cloud), team and processes/procedures to test and report on the effectiveness of each capability. The Authority would instruct the SP which 3-6 Red Agent tools to install in the test environment as these are identified during the project. All work would be undertaken at a classification of OFFICIAL. They envisage three test scenarios within the technical test environment, each one increasing in difficulty (easy/medium/hard). For example, the ‘easy’ environment could have a low level of IT security and could include 2 easily identifiable vulnerabilities that the SP would ‘plant’ in the environment for the Red Agent tool to find. This would be an iterative agile process between Co-Creation and the SP, where the joint team would provide insight into the evaluation process and findings on a sprint-by-sprint basis.
Funding Information
- Budget per single organisation, up to: £60,000 per workstream (plus call-off)
- Project duration: 12 weeks
Eligibility Criteria
- This challenge is open to sole innovators, industry, academic and research organisations of all types and sizes, including those not traditionally associated with the defence and security sector. There is no requirement for security clearances.
- Solution providers or direct collaboration from countries listed by the UK government under trade sanctions and/or arms embargoes are not eligible for HMGCC Co-Creation challenges.
For more information, visit HMGCC Co-Creation.