# USAC RFP: Penetration Testing as a Service - Brief

- Company: Find Evil LLC
- SAM URL: https://sam.gov/opp/b13eeb1c32b14563bee9f39cadf3a7fb

## Decision
Go as Subcontractor

While Find Evil LLC offers elite DFIR and multi-cloud forensics expertise, the solicitation focuses heavily on Penetration Testing as a Service. A lack of federal past performance and pending socio-economic certifications limit competitive standing for a prime bid.

## Bid Summary
- Recommendation: Go as Subcontractor
- Bid posture: Subcontractor
- Readiness: Needs validation

## Key Decision Drivers
- The core requirement is Penetration Testing as a Service (PTaaS), including ethical hacking and web application testing.
- Federal past performance is typically expected to win a prime federal contract of this scope.
- The RFP explicitly requires Contractor Staff to be on-site at USAC Headquarters in Washington, DC at least 2 days per week.

## Recommended Capture Actions
- Record No Go as Prime; pursue only as subcontractor.
- Identify established federal cybersecurity contractors likely to bid on USAC IT-26-027.
- Produce a one-page capability-to-scope map that shows where the company fits and where it does not.

## Decision watchouts

### Why not prime
- Unresolved On-Site Hybrid Work Requirement (Prime blocker): On-Site Hybrid Work Requirement is still unresolved in the validated evidence set.
- Prime-delivery mismatch (Prime blocker): The current evidence points to a gap between the solicitation's PTaaS program shape and the company's documented prime-delivery proof.
- Capability Misalignment (Prime blocker): The core requirement is Penetration Testing as a Service (PTaaS), including ethical hacking and web application testing.

### Still to verify
- Business-status discrepancy (Needs confirmation): Profile claims active 8(a)/HUBZone/SDB, but Capability Statement says Pending/Eligible

## Requirements at a Glance
This solicitation includes 34 required obligations and 5 attachment-derived requirements.

Top themes:
- Proposals must be submitted via email to Procurement@usac.org with a copy to Mustafa.Kamal@usac.org no later than Monday, March 30, 2026, 11:00 AM ET. The subject line must only be 'RFP IT-26-027'.
- Proposals must be presented in four separate volumes (Corporate Information, Technical Capability, Past Performance, Price). Each volume must be submitted in PDF format as a separate attachment to a single email. Times New Roman 12-point font is required (minimum 9-point for diagrams/tables).
- Each volume must contain a cover page including: Org name, contact name, contact info, Unique Entity ID, date of submittal, a statement verifying the proposal is valid for 120 days, and the signature of a duly authorized representative.

Major submission requirements:
- Proposals must be submitted via email to Procurement@usac.org with a copy to Mustafa.Kamal@usac.org no later than Monday, March 30, 2026, 11:00 AM ET. The subject line must only be 'RFP IT-26-027'.
- Proposals must be presented in four separate volumes (Corporate Information, Technical Capability, Past Performance, Price). Each volume must be submitted in PDF format as a separate attachment to a single email. Times New Roman 12-point font is required (minimum 9-point for diagrams/tables).
- Each volume must contain a cover page including: Org name, contact name, contact info, Unique Entity ID, date of submittal, a statement verifying the proposal is valid for 120 days, and the signature of a duly authorized representative.

## Opportunity Context
- Agency / customer: USAC (FCC-associated)
- Due date: 2026-03-30
- Place of performance: Washington, DC 20005

Penetration Testing as a Service (PTaaS) across 16-20 core systems, including ethical hacking, web app, and API testing.

## Company Context
- Company: Find Evil LLC
- Core capabilities: Digital Forensics and Incident Response (DFIR), Compromise Assessment, Cloud Forensics
- Strengths: Elite DFIR capabilities, Multi-cloud forensics
- Major gaps: Lack of federal past performance, No DC-based personnel, Pending socio-economic certifications
- Business statuses: Small business, Profile claims active 8(a)/HUBZone/SDB, but Capability Statement says Pending/Eligible, 8(a) is claimed in the canonical company profile but not corroborated in SBA summary, HUBZone is claimed in the canonical company profile but not corroborated in SBA summary