PROPOSAL FOR SUKOON INSURANCE - VAPT ASSESSMENT & RED TEAM ASSESSMENT
28 May 2025
Table of Contents
Overview & Objectives 3
About SDAI - Synergy Digital 3
Scope of Work - VAPT 4
Scope of Work - Red Team Assessment 5
Methodology & Approach 6
Pre-Requisites 6
Commercials (In AED) 7
Deliverables 7
Terms & Conditions 8
Our Esteemed Clients and Accolades 9
Overview & Objective
Sukoon Insurance remains committed to continuously strengthening its cybersecurity
framework to protect its digital assets, IT infrastructure, and sensitive customer information
from evolving cyber threats. As part of this commitment, the organization will undertake a
comprehensive Vulnerability Assessment and Penetration Testing (VAPT) engagement,
covering both technical and human elements of security. This initiative includes external and
internal application assessments, social engineering (red teaming) exercises to simulate
physical security breaches, and, if applicable, an internal network assessment in the event of
a successful physical compromise. The engagement is designed to proactively identify
vulnerabilities, assess readiness against real-world attack scenarios, and enhance Sukoon
Insurance’s ability to detect, respond to, and recover from cyber incidents.
The primary objectives of this engagement are to:
• Identify security vulnerabilities across internal and external applications through VAPT
assessment.
• Evaluate the resilience of systems, network infrastructure, and applications.
• Conduct social engineering (red teaming) simulations to assess physical security controls.
• Perform an internal network assessment (conditional upon successful physical breach) to
evaluate internal threat exposure.
• Assess organizational readiness and response to both technical and physical security
threats.
• Provide actionable recommendations to mitigate risks and enhance overall security posture
in alignment with industry best practices.
About SDAI - Synergy Digital
Registered as Synergy Digital Solutions LLC, Dubai (License No. 1013105), we are licensed
to undertake Cyber Risk Management Services, Data Management & Cybersecurity
Services, and Auditing, Reviewing & Testing of Cyber Risks. Under this scope, we will deliver
Vulnerability Assessment and Penetration Testing (VAPT) services across the defined digital
assets, internal and external applications, network infrastructure, mobile platforms, and via
social engineering assessments as outlined in the SOW provided by Sukoon.
Synergy Digital maintains many strategic partnerships to leverage the latest tools, trends, information and
advice to bring value to its customers. It draws on the technical expertise of SecureNexus, a
division of X-Biz Techventures (Mumbai, India), in an advisory and consulting capacity,
ensuring delivery excellence through specialist support where appropriate.
Scope of Work - VAPT
The VAPT assessment will be conducted for the following applications. Each scope item is listed with its frequency of VAPT (number of assessment rounds) in brackets:
1. Corp Website
- https://www.sukoon.com (frequency: 2)
2. VAPT of External Applications (Consumers)
- https://medical.sukoon.com (frequency: 2)
- https://direct.sukoon.com/car-insurance/getaquote (frequency: 2)
- https://direct.sukoon.com/health-insurance/getaquote (frequency: 2)
- https://app.sukoon.com/assets/app-download.html (frequency: 2)
3. VAPT of External Applications (Brokers)
- https://healthcare.sukoon.com/signin (frequency: 1)
- https://individualonline.sukoon.com/signin (frequency: 1)
- https://smeonline.sukoon.com (frequency: 1)
- https://portal.sukoon.com/InsurancePortal/ (frequency: 1)
- https://fleetportal.sukoon.com/signin (frequency: 1)
- https://corporate360.sukoon.com/signin (frequency: 1)
- https://ecargo.sukoon.com/online_insurance/default.aspx (frequency: 1)
4. VAPT of Internal Applications
- http://hobapsrhcsmsg02:5080/HCS.jnlp (frequency: 1)
- http://bancs.tameen.ae/IIMS/ (frequency: 1)
- https://erp.tameen.ae/OA_HTML/AppsLocalLogin.jsp (frequency: 1)
- https://oicdigital.omaninsurance.ae/omniapp/pages/login/loginapp.jsf (frequency: 1)
- https://oiccrm.tameen.ae/OICCRM/main.aspx (frequency: 1)
- https://oiccrm.tameen.ae/OICCRMREtail/main.aspx (frequency: 1)
- Shamil (Agent Based) (frequency: 1)
5. Network VAPT
- Access Points (12) (frequency: 1)
- Firewalls (8) (frequency: 1)
- Switches (10) (frequency: 1)
- Routers (6) (frequency: 1)
- Load Balancers (4) (frequency: 1)
6. Mobile Applications
- Android (frequency: 1)
- iOS (frequency: 1)
7. Social Engineering
- Red Team Activity (Vendor will try to breach physical security and try to exploit wired and wireless connectivity) (frequency: 1)
Scope of Work - Red Team Assessment
1. Social Engineering and Physical Security Breach
• One of our consultants will visit Sukoon Insurance’s Abu Dhabi branch office and
attempt unauthorized access by leveraging social engineering techniques (e.g.,
impersonation, tailgating).
• If successful, our consultant will connect a secured laptop to the internal network
and initiate the internal security assessment.
• All activities will be non-disruptive and follow agreed-upon ethical guidelines.
2. Internal Network Assessment (Conditional on Physical Access)
• Triggered only if our consultant successfully gains physical access.
• Activities include internal network enumeration, vulnerability identification, exploitation
attempts, privilege escalation, and lateral movement – all within a limited and approved
scope.
• Ensure complete cleanup post-assessment and restoration to the original state.
Note:
If Physical Breach is successful:
• The consultant will immediately proceed with the Internal Network Assessment on the
same day.
If Physical Breach is unsuccessful:
• The engagement will conclude on the same day, and no internal testing will be performed.
Methodology & Approach
• Our Vulnerability Assessment and Penetration Testing (VAPT) engagement simulates
advanced, real-world adversary techniques. We go beyond traditional penetration testing by
simulating adversary tools, tactics, and procedures across your systems, firewalls, and
servers.
• Testing Methodologies:
- Information gathering
- Threat profiling
- Vulnerability analysis
- Exploitation
- Reporting
- Presentation
• The initial step is to gather in-depth details about the digital interfaces (specifically systems,
servers, and firewalls) while also understanding the organization's operations and core
technical infrastructure. This information lays the groundwork for creating targeted
test cases designed to systematically challenge these platforms, including scenarios that
examine improper data handling.
• We employ a blend of automated tools and meticulous manual testing techniques to
evaluate vulnerabilities across systems, firewalls, and servers. Our consultants rigorously
investigate these vulnerabilities, actively attempting to exploit any weaknesses within the
system.
• All findings from these exploit attempts are compiled into comprehensive reports that
provide tailored recommendations for each business, detailing specific steps to remediate
the security gaps identified in their systems, firewalls, and servers.
Pre-Requisites
To ensure an effective and smooth execution of the Vulnerability Assessment and
Penetration Testing (VAPT), the following pre-requisites must be in place before the
assessment begins:
• Valid test user accounts for all defined user roles must be provided for testing purposes.
• Credentials will only be used within the scope of this assessment and will be handled
securely.
• IP addresses or ranges from which the testing team will access the environment should be
whitelisted, especially for any protected endpoints or services.
• The Development environment should be fully deployed, stable, and accessible for testing.
• The client is required to share the list of IPs, device credentials, and configuration settings.
• Any dependencies or configurations, such as third-party services, should be in a working
state during the assessment period.
• Written permission from Sukoon Insurance’s authorized representative to conduct the
security assessment.
• A primary point of contact (technical or operational) should be available throughout the
engagement to assist with queries, address access issues, and validate findings where
needed.
• Any relevant system architecture diagrams, API documentation, or user flow descriptions (if
available) to aid in understanding the application’s structure and expected behavior.
• The VAPT engagement will be conducted remotely, and all necessary access provisions
should be made accordingly.
• A signed Letter of Authorization must be provided by the client prior to initiating Red
teaming via social engineering.
Commercials (In AED)
We offer transparent and competitive pricing to ensure maximum value for your investment.
• Engagement: One-Time Activity
• Activity: 3-4 weeks effort including report writing & 1 round of revalidation
• Pricing: AED 55,000 /-
• Taxes: Extra, as applicable.
• Payment Terms: 50% advance on order; 50% on report submission
• Proposal Validity: 4 weeks from the date of proposal
Deliverables
• Reporting: Executive Summary, Detailed Report, and Risk Matrix
• Remediation guidance for identified vulnerabilities
• Retesting cycle after remediation to validate security improvements
Terms & Conditions
1. Confidential Information
Prior to and during the Term hereof, the Client may convey to Synergy Digital Solutions
proprietary and confidential information about its business. Synergy Digital Solutions
agrees to treat all information received from the Client as confidential, where the information
is appropriately and reasonably marked as such. Confidential Information does not
include information (a) in the public domain at the time of disclosure, (b) generally disclosed
to third parties by either party without restriction, (c) communicated to the Client & Synergy
Digital Solutions by a third party with the unrestricted right to do so, or (d) approved for
release by the Client & Synergy Digital Solutions (represented by Synergy Digital Solutions)
in writing.
2. Non-Restrictive
We retain the right to engage with other customers for similar assignments during the
current engagement period. The Client will not prevent or restrict Synergy Digital
Solutions LLC from taking similar assignments, so long as Synergy Digital Solutions is
fulfilling its part of the obligations under the agreement.
3. Non-Solicitation
The Client shall not, during the Term of Engagement and for a duration of 12 months from
the date of termination of this Agreement, induce, encourage or attempt to induce any
employee or staff of Synergy Digital Solutions to leave the employment of Synergy Digital
Solutions or in any way interfere with the relationship of an employee & Synergy Digital
Solutions.
4. Limitation of Liability
The Consultant shall not be liable for errors, delays or other consequences where the
Client has failed to meet its obligations in a timely manner. The sole remedy available to
the Client for any breach or default by the Consultant shall be termination of this Agreement.
The Consultant shall not be liable for consequential damages to any third party.
5. Reference
The Client shall provide Feedback after completion of assignment. The Client agrees to
allow Synergy Digital Solutions to use the knowledge acquired from the assignment as
reference material and gives its consent to use its name, feedback as testimonials about
the assignment.
6. Additional Charges
Any deviation in scope will imply additional cost.
Trusted by Leading Financial Institutions Across Regions
UAE
407 Umm Hurair 2,
DUBAI, UNITED ARAB EMIRATES
INDIA
116, IJMIMA, Mindspace,
Malad West, Mumbai, India,
Pin code – 400064
[email protected]
www.synergydigital.ai