Brussels connection

[the one that wins]

the best address for international procurement

NATO to buy “Cyber Threat Intelligence Analysis Platform”


Call: Provision of Cyber Threat Intelligence Analysis Platform

Deadline: May 18th 2026, 11:30 PM CEST

Project Description: The purpose of this Invitation for Bid is to award a single contract for an initial period of three years that may be extended through the exercise of two one-year extension options, with a maximum of five years in total, for the provision of a cyber intelligence analysis platform.

1. GENERAL

1.1 INTRODUCTION

1.1.1 The purpose of this Statement of Work is to provide information concerning the requirements for a subscription to a cyber threat intelligence platform to be provided by the selected Contractor (hereafter: Contractor) that meet the needs of NATO’s Joint Intelligence and Security Division (JISD).

1.2 BACKGROUND

1.2.1 The Cyber Threat Analysis Branch (CTAB) within the Intelligence Production Unit (IPU) of the Joint Intelligence and Security Division (JISD) monitors and reports on the cyber threat landscape in order to provide accurate and timely assessments to various stakeholders about relevant cyber issues of interest to NATO. These assessments provide situational awareness across the Alliance, inform strategic decision-making, and inform NATO’s cyber defence stakeholders in order to assist NATO’s senior leadership in making informed decisions.

1.2.2 The strategic goals of CTAB are threefold: (1) Enhance the collective situational awareness of cyber-enabled threats and their potential implications for NATO’s strategic interests, (2) Provide strategic advice and guidance to NATO’s senior leadership to make risk-informed decisions, and (3) Implement operational, intelligence, and information sharing relationships with key stakeholders across the NATO enterprise to enable an active, threat-informed network defence.

1.2.3 An intelligence analysis platform — with a granular, flexible and expansive data model, performant backend and the capability to collect, enrich and correlate from several data providers — provides the data and analysts’ workbench, enabling the team to achieve its goals. The team leverages Cyber Threat Intelligence (CTI) capabilities to conduct threat assessments and enrichment in support of operational needs, with a focus on accurately conveying the context, urgency, credibility, severity, intent and motivation of cyber threats among other things.

1.2.4 Operationally, a CTI capability that is actionable, intelligence-driven and grounded in an extensive raw intelligence feed and in-depth technical analysis is envisaged to serve as a primary source for indicators of compromise (IOC) related to cyber threat actor campaigns.

1.3 SCOPE

1.3.1 The services and products to be provided under the contract include one subscription to an Intelligence Analysis Platform that meets the conditions described below. Detailed requirements are listed in Annex D of IFB Part II – Intelligence Analysis Platform Requirements.

1.3.1.1 The Contractor must provide the CTI solution as an instance or container that provides access to the intelligence analysis platform via a command-line interface, Application Programming Interface (API) and a web-based user interface. The proposed solution MUST run on the client’s own cloud infrastructure. No SaaS solution is acceptable for this SOW.

1.3.1.2 The Contractor must deliver the platform and accompanying services via an Enterprise license. If unavailable, the platform and services must be accessible to a minimum of 20 analysts.

1.3.1.3 The platform must have a broad and granular coverage in terms of data model and shall also have the flexibility to create custom and flexible data structures and labels to provide context, convey assessments and represent judgments, among other things.

1.3.1.4 The platform shall ingest and enrich data from multiple data providers via APIs according to current data structures. It should be possible to do the majority of these integrations by the team themselves without Contractor support and therefore the proper documentation must be delivered.

1.3.1.5 The Contractor must supplement the team with a dedicated technical point of contact to assist with new integrations and technical questions about the product (e.g. query language questions).

1.3.1.6 The Contractor must provide training on its product to the CTAB team. The training requirement is listed in TR-01.

2. STATEMENT OF OBJECTIVES

2.1 CORPORATE OBJECTIVE

2.1.1 Collect, store, process, enrich and analyse tactical (e.g. Indicators of Compromise, observables) and operational (e.g. TTPs) information to have one source of truth regarding open source and private source intelligence. The platform will enhance NATO’s cyber threat situational awareness and supplement network defence NATO-wide, providing deep understanding and enhanced visibility of threat actor behaviours, infrastructure, tooling, ongoing campaigns and their severity in areas of significance to NATO.

2.2 CONTRACT OBJECTIVES

2.2.1 Establish a contract for the provision of a subscription to an intelligence analysis platform that will:

2.2.1.1. Provide a workbench for cyber threat analysts and threat researchers to conduct in-depth analysis of cyber threat actor campaigns and operations, tactics, techniques and procedures (TTPs), motivation, intent, organizational alignments, clustering, technical and high-level shifts, evolutions and trends occurring on the threat landscape (e.g., changes in collection priorities, infrastructure and capabilities).

2.2.1.2. Ingest both structured and unstructured data, increasing visibility of threats and providing opportunities for threat enrichment and cross-correlation with findings in the context of incident investigation.

2.2.1.3. Contextualize and enrich cyber threat actor campaigns and operations with telemetry, knowledgebase and expert analysis, enabling NATO cyber threat intelligence analysts to obtain a granular understanding of threat actor campaigns on the tactical and operational level, assess severity, track patterns and evolutions pertaining to behaviours, infrastructure or capabilities, understand operational lifecycles and reveal campaign scope and depth. This knowledgebase will allow NATO cyber threat intelligence analysts to generate predictive insights about threats, and to forecast future trend lines regarding relevant threat actors’ behaviours and activities.

2.2.1.4. Outputs will be used to inform and advise a variety of technical and non-technical audiences.

2.3 MANAGEMENT OBJECTIVE

2.3.1 Allow the Contractor the maximum flexibility to innovatively manage its corporate resources, expertise, and subcontracts (if any) so as to provide a high-value contribution in support of NATO’s corporate and contract objectives within existing constraints and a proper service management framework.

SUPPORT AND MAINTENANCE OF NATO HQ IDENTITY AND ACCESS MANAGEMENT SYSTEM

Close Date: May 24th 2026, 11:30 PM CEST

Project Description: The purpose of this Invitation for Bid is to award a single contract for an initial period of 3 years that may be extended through the exercise of 1+1 years extension options, with a maximum of five years in total, for the support and maintenance of the NATO HQ identity and access management systems per the IFB Part II Statement of Work.
