Awarded to 6 POINT 6

Start date: Monday 11 October 2021
Value: £277,128
Company size: SME
Defence Science and Technology Laboratory

Orchestrated Cyber Deception Demonstrator using Virtual Machine Introspection

3 Incomplete applications

2 SME, 1 large

4 Completed applications

2 SME, 2 large

Important dates

Tuesday 13 July 2021
Deadline for asking questions
Tuesday 20 July 2021 at 11:59pm GMT
Closing date for applications
Tuesday 27 July 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
The approach will develop and deliver VMI-based deception-oriented effects on virtualise hosts, as well as create a OpenC2 compliant Application Programming Interface (API) and Web user interface for the monitoring, administration and orchestration of these effects.
Latest start date
Monday 9 August 2021
Expected contract length
6 Months
South West England
Organisation the work is for
Defence Science and Technology Laboratory
Budget range

About the work

Why the work is being done
Current cyber deception approaches typically rely on deceiving adversaries either before they gain access to internal networks and/or during the lateral movement phases of an intrusion. When deception is utilised, it is typically at the network level – once a malicious actor gains access to an individual host, current deception measures are often limited. What measures are available often contaminate hosts with tell-tale signs of their presence (logs, suspicious processes, or inconsistent decoy data which stands out), or may be bypassed through modified Tools, Techniques and Procedures (TTPs).
Problem to be solved
Virtual Machine Introspection (VMI) allows for the monitoring of the runtime state of application generated system level instructions in virtual environments. As VMI allows for monitoring of low level requests from applications and processes to the underlying system kernel, it should be possible to manipulate these in order to feed intentionally erroneous data back to the source, deceiving the adversary utilising it. If such activity could be coordinated with other Defensive Cyber (DC) tooling, this provides an opportunity to manipulate and gather threat intelligence on as well as a means to hinder their further progression.
Who the users are and what they need to do
As a Cyber Security Researcher, I need to utilise VMI to deceive adversary activity within a virtualised Windows and/or Debian environment so that I can determine the viability of the approach. I need to be able to coordinate these VMI implementations with other tooling via a OpenC2 compliant API, and observe the actuation of this activity in a web front end.
Early market engagement
Any work that’s already been done
Existing team
The supplier will be working with a dedicated technical partner from Dstl for day to day interaction. Alongside this will be a small team from the Authority who will contribute to and review work carried out under this task. This team will act as hosts, when or should the need to work on or demonstrate the concepts on our site arises. This team operates out of their own laboratory space which is equipped to support software development and deployment.
Current phase

Work setup

Address where the work will take place
We would expect the majority of the work to be conducted at the suppliers own address, but there maybe times when both formal meetings and development work will take place at our Salisbury Site (COVID permitting).
Working arrangements
To ensure that the demonstrator can be utilised alongside other Dstl tooling as the concept develops and evolves, the project will utilise an iterative and incremental approach to delivery. The supplier must adopt an Agile system engineering approach (e.g. Scrum) and work closely with the Authority throughout the development process to realise the project’s aims. It is expected that this work will require significant dialogue between the Authority and the supplier throughout the contract period; the Authority will make staff available to support this.
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate experience creating software using Python 3 and/or C to run on Debian-based Linux operating systems (>= Ubuntu 18.04 LTS) without reliance on closed-source, proprietary, software dependencies.
  • Demonstrate, with evidence the ability to conduct agile software development in-house, without support from subcontractors.
  • Demonstrate with evidence the ability to continue and evolve software development from a complex inherited and/or Open Source codebases.
  • Demonstrate with evidence the ability to deliver without authority funded capability enhancements (for example, procurement of additional ICT to support development activities).
  • Demonstrate experience developing cyber security or system management software (preferably for high threat and government organisations).
  • Demonstrate, with evidence, the ability to produce appropriate levels of documentation, and conduct verification and validation of software.
  • Demonstrate experience using Git-Source-Code-Management(SCM)and broader collaborative development tool-suites. Provide examples of providing customers with access to developmental and release versions of software source-code, and engaged them in the development process.
Nice-to-have skills and experience
  • Demonstrate, with evidence, experience utilising the LibVMI and/or other VMI software libraries in the development of cyber security tooling.
  • Demonstrate, with evidence, experience of working with, monitoring and/or manipulating systemcalls on Windows and/or Linux-based operating systems.
  • Demonstrate, with evidence, working knowledge of x86 cpu instruction sets and manipulating system memory.
  • Indicate, with evidence of prior work, the ability to adhere to appropriate coding standard(s) for the development of software (i.e. PEP 8)
  • Indicate whether the proposed solution(s) are applicable to A: Windows, B: Debian based Operating Systems, or C: both.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • The proposed technical solution offered by the supplier (0.3)
  • The proposed approach and methodology (0.2)
  • The proposed deception concepts utilising VMI and targeted Operating System(s) (0.2)
  • How the approach or solution meets user needs (0.1)
  • Provide estimated timeframes for the work. (0.1)
  • Detail and explain identified risks and dependencies. Provide details of offered approaches to manage these risks. (0.1)
Cultural fit criteria
  • Demonstrate consistent cultural commitment to agile software development practices. (0.5)
  • Demonstrate with evidence that they are able to respond to an evolving customer requirement. (0.2)
  • Demonstrate with evidence being transparent and collaborative when making decisions. (0.1)
  • Demonstrate with evidence of sharing knowledge and experience with other team members. (0.1)
  • Demonstrate with evidence an ability to successfully deliver within the UK Defence landscape. (0.1)
Payment approach
Fixed price
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Has there been prior work been undertaken by industry which Dstl would like to see this future work build on?
We are not aware of any work carried out by industry utilising VMI explicitly for cyber deception that would be suitable to build upon.

Any proposals requiring use of prior work should be restricted to material and/or software where the supplier can guarantee a perpetual, royalty-free, irrevocable, transferable worldwide licence to use, change and sub-license the material where it is needed to enable both:
(a) receive and use of the Deliverables from the proposed work; and
(b) make use of the deliverables provided by a Replacement Supplier
2. Will the authority retain all intellectual property from the engagement, or will the supplier be able to re-use any outcomes for their own future research needs and goals?
All generated IPR will be owned by the authority.

"9.2 Any New IPR created under a Contract is owned by the Buyer. The Buyer gives the Supplier a licence to use any Existing IPRs and New IPRs for the purpose of fulfilling its obligations during the Contract Period."

For use post contract, you'll require written permission from the authority as per section 9.4 of the T&Cs.

"9.4 Neither Party has the right to use the other Party’s IPRs, including any use of the other Party’s names, logos or trademarks, except as provided in Clause 9 or otherwise agreed in writing."