Executive Summary
RWS requires an integrated XDR platform with 24x7x365 MXDR operations to strengthen cybersecurity operational resilience, accelerate detection-to-containment, and meet strict governance and regulatory expectations. For this requirement, SoftwareOne has partnered with Armor Defense, a tech-enabled services company providing Managed Detection and Response (MDR) services with unified threat visibility, faster response, and audit-ready operations.
Coverage Scope
Base (mandatory)
Core endpoint/server protection and EDR, XDR correlation and incident lifecycle management, integrations and automation, plus vulnerability capability requirements as defined in scope.
Optional modules
Email Security, Network/NDR, Identity Protection, Mobile, IoT/OT, Additional Cloud Workloads (e.g., AliCloud) and AI/GenAI Security are supported without re-architecture if activated later.
Implementation Approach and Timeline
Foundation
Architecture/design, platform foundation, integrations and acceptance planning.
Rollout
Ring-based rollout and migration/onboarding with stabilization and governance.
Operations
Steady-state 24x7x365 MXDR operations and continuous improvement.
Milestones: Commissioning before 1 Jun 2026. Full onboarding and operational before 31 Dec 2026.
What RWS Gets
Reduced Business Risk
Faster detection and containment via unified incident correlation and governed response playbooks across endpoint, identity, email, and cloud.
24/7/365 Singapore-Based SOC
Monitoring by local L2/L3 analysts who understand APAC threats. Global follow-the-sun coverage for other activities like threat intelligence, detection engineering and more.
Lower Operational Burden
Consolidated security operations with standardized workflows, reporting, and continuous tuning to reduce noise.
Extreme Microsoft Security Depth
Full M365 E5 integration, maximizing your existing investment with expert human oversight and response.
Rapid Incident Response
15-minute response SLA for critical incidents with pre-approved containment actions.
AI-Augmented Detection
Armor AI accelerates investigations and is combined with curated threat intelligence for proactive hunting.
Stronger Assurance
Evidence-grade auditability and support for regulatory and internal compliance obligations.
Phased Delivery
Controlled migration with coexistence validation and rollback planning to minimize disruption.
Key Differentiators
No Walled Gardens. Challenging the Industry.
Armor isn't another security vendor with a closed ecosystem. We deliver a flexible framework where you never lose control or visibility of your risk posture. We orchestrate your existing investments into a coherent security strategy - fully adaptable as your partners and needs evolve.
Armor Dash
Executive Security Dashboard
Unified visibility across all security vendors, tools, and GRC platforms. AI-powered insights in plain English. Financial risk quantification for executive level conversations.
Armor Nexus
Incident Operations Platform
Unified XDR platform with AI-powered detection, automated playbooks, and real-time SOC collaboration. Bi-directional sync with your existing SIEM and ITSM systems.
No Black Box
All detection rules, tuning, and automations created for RWS are fully transparent, RWS-owned, and transferable. Your security IP stays with you.
Noise-Free Security
Armor MDR filters irrelevant alerts and reduces noise - we value your time as much as you do.
True Partnership
Co-managed approach integrates seamlessly with your team as a genuine extension, not an add-on.
Human-AI Synergy
AI-driven detection combined with expert human analysis for precision and speed.
Compliance Built-In
Compliance-ready reports and dashboards help meet regulatory requirements effortlessly.
Custom Playbooks
Tailored response workflows aligned to your business processes - not generic, one-size-fits-all.
Bi-directional ITSM Sync
Incidents flow seamlessly between Armor and RWS's existing SIEM/ITSM systems without disrupting your established workflows.
Armor Reactor
Data security for the AI era - discover, monitor, and govern your organization's AI ecosystem with automated playbooks and privacy controls.
Company Profile
SoftwareOne
SoftwareOne is a leading global software and cloud solutions provider, helping organizations optimize their software portfolios and accelerate cloud transformation. With operations in 90+ countries and 9,000+ employees, we combine local expertise with global scale.
SoftwareOne Certifications
ISO 27001
Information Security Management
SOC 2 Type 1
Security, Availability, Confidentiality
Armor
Armor is a cloud-native managed security provider recognized by Frost & Sullivan as a leader in Managed Detection and Response. Our platform combines advanced threat detection, expert security analysts, and automated response capabilities to protect organizations across cloud, hybrid, and on-premises environments.
"Armor's MDR platform delivers unified visibility across cloud and on-premises environments with 24/7 expert monitoring and rapid response capabilities."
Lucas Ferreyra, Senior Industry Analyst - Frost & Sullivan
Armor Certifications
ISO 27001
Information Security Management
SOC 2 Type II
Security, Availability, Confidentiality
PCI DSS
Payment Card Industry Compliance
CSA STAR
Cloud Security Alliance
Understanding RWS Requirements
Based on the RFQ specifications and our discussions, we understand RWS seeks a comprehensive MXDR solution that addresses the following core requirements:
Interpretation of RWS Security and Operational Requirements
| RWS Objective | Our Understanding |
|---|---|
| Scope & outcomes | RWS seeks an integrated EPP/EDR/XDR platform with Managed XDR (MXDR) that strengthens detection, investigation, response and operational resilience across servers, workstations/laptops, persistent & non-persistent VDI, and containerized workloads, delivered over 3 + 1 + 1 years. |
| Platform capabilities | The platform must use a single lightweight agent and a single cloud-native console, support RBAC, provide rich telemetry and hunt/search, deliver behavioural analytics, UEBA, automated playbooks, and cross-domain orchestration, including ransomware rollback. |
| Security operating model | Day-2 MXDR runs 24x7x365 fully within the RWS tenant with named, least-privilege accounts (MFA, JIT/PAM, IP allow-listing); Singapore-based L2/L3 escalation within 2 hours. |
| Performance, SLOs & SLAs | Target SLOs include endpoint event searchable in 15s, identity/email in 60s, cloud audit in 120s; action execution in 30s; console uptime 99.9%; false-positive rate 2% monthly. Threat-hunting SLAs define ack in 4h, critical IoC sweep in 4h, standard IoC in 24h, complex hunts in 72h, and hunt report in 24h post-completion. |
| Integration & environment fit | Native integration with Microsoft Entra ID (AD) SSO, IDAS, SIEM/CLM/data lake, ITSM, email, firewalls/NDR, cloud audit (Azure first), with alignment to RWS standard tech stacks. |
| Compliance & auditability | The service must support PDPA-aligned controls, immutable evidence, evidentiary bundles, SLA telemetry (MTTD/MTTR), change control, and certification posture. |
RWS's objective is to uplift cybersecurity operational resilience through an integrated EPP/EDR/XDR platform with 24x7x365 MXDR operations, delivered with a controlled migration from incumbent tooling and measurable operational outcomes.
RWS Security & Operational Requirements
Unified Platform
Single-agent / single-console design with cloud-native telemetry correlation, strong anti-tamper controls, and controlled rollout.
Unified Threat Visibility
Consolidated view across endpoints, identity, email, cloud workloads, and applications through Microsoft Defender XDR integration.
Scale & Environment
Approx. 7,500 agents across endpoints and servers (hybrid estate), with Prod/UAT/SIT environments and cross-domain telemetry ingestion.
SOC/MXDR Operating Model
24x7x365 MXDR operations with Singapore-based L2/L3 escalation within 2 hours.
Expert-Led Response
24/7 human analyst coverage for threat triage, investigation, and response - not just automated alerts.
Operational Integration
Seamless integration with RWS's existing SIEM, ITSM, and security workflows without disruption.
Training & Knowledge Transfer
Role-based training for SOC, IT Ops, and management, plus quarterly workshops for capability uplift.
Compliance Alignment
Support for regulatory requirements including data residency, audit trails, and reporting.
Key Challenges and Risk Areas Addressed by the Proposed Solution:
| RWS Challenge | Right-fit Solution |
|---|---|
| Migration and co-existence with incumbent EPP/EDR | Phased deployment, policy parity and structured rollback plans |
| Hybrid/on-prem + cloud telemetry normalization | Cloud-based scalable architecture. Custom or built-in parsers to normalize data. |
| Noise & false positives reduction | The Armor Nexus platform provides full visibility into MDR operations, including false-positive reduction over time. |
| Server-safe containment guardrails | Approval gates in playbooks, pre-approved high-severity actions catalog, exception lists. |
| Regulatory reporting & audit trails | Armor Nexus dashboard provides compliance-ready reporting and immutable audit trails. |
| Singapore-based L2/L3 escalation and Project Manager | Armor Local MDR experts will assist when needed. |
| xAI requirements | Microsoft Security Copilot and the Armor Nexus portal provide transparency, feature importance, confidence, and auditability. |
Assumptions & Dependencies
- June deadline achievable only if project awarded in January 2026
- Devices updated and all pre-requisites met before MDE onboarding
- Armor will provide instrumentation, dashboards, and monthly reporting of SLO-style metrics under agreed volumes and conditions but does not warrant or commit to specific SLO thresholds. Only service SLAs (response/resolution/availability per Section 17) are contractually binding.
- ORT/Commissioning and PGP completion will be based on functional correctness, defect exit criteria, documentation, and SLA process readiness; performance observations will be reported but not guaranteed as SLO commitments
- For XDR implementation, the platform shall be fully operational
Implementation Approach
Our phased implementation methodology ensures minimal disruption to RWS operations while accelerating time-to-value. Each phase builds upon the previous, with clear milestones and success criteria.
Validation
Planning
Coexistence
Cutover
Full Operations
Outcome
Management Milestones
- Define PoC scope and success criteria
- Execute PoC in constrained environment
- Validate results are correct and reproducible
- Environment discovery and critical assets
- Solution architecture design
- Project plan and risk log
- Roles and responsibility mapping (RACI)
- Rollout ring design
- Draft test plans (SIT/UAT/ORT/DR)
- Execute SIT → UAT → Failover → HA/DR → ORT
- Defect management and test reports
- Knowledge transfer workshops
- Pilot rollout to smaller group
- Ring-based enterprise deployment
- Remove incumbent agents
- Confirm incumbent removal complete
- Transition to steady-state operations
- Operational handover documentation
Platform Key Tasks
- Verify licensing and prerequisites
- Network connectivity validation
- Environment discovery
- Device groups and RBAC design
- Workspace and connector planning
- Integration strategy for existing tools
- Map incumbent settings to Defender XDR
- Set up forwarders, connectors, subscriptions
- Set mutual EDR exclusions
- Push registry keys for passive mode
- Onboard endpoints (ring-based)
- Onboard servers (change-controlled)
- Configure dual log forwarding
- Run detection tests, verify healthy devices
- Complete endpoint migration
- Complete server migration
- Uninstall incumbent AV/EDR
- Force MDAV active and enforce policies
- Configure single log forwarding to Sentinel
- Apply ASR rules
- Enable Auto Disruption
- Enable Tamper Protection
- Enable Web/Network Protection
- Verify Microsoft best practices alignment
Service Readiness
- Understand business and regulatory requirements
- Geolocation setup and BU mapping
- Identify crown jewels and critical assets
- Map existing cybersecurity tools
- Review existing playbooks
- Use case planning & detection design
- Define autonomous vs approval-required actions
- Gap analysis against best practices
- 24x7 monitoring begins for onboarded devices
- Use case deployment
- Initial threat response capability active
- Expanding coverage as devices roll out
- Use case tuning & optimization
- Policy hardening
- Full MXDR operations active
- All endpoints under 24x7 monitoring
- All capabilities enabled
- Proactive threat hunting
This unified implementation roadmap integrates project governance, platform deployment, and managed security services into a single coordinated framework. Rather than managing three separate workstreams with independent timelines and handoffs, RWS gains visibility into how each track progresses through common stage gates—ensuring that technical readiness, operational preparedness, and business outcomes remain aligned at every milestone.
The approach is deliberately structured around coexistence and controlled transition. Allowing the XDR platform to coexist with incumbent tooling during Stage 3 significantly reduces migration risk—detection coverage remains continuous, rollback paths stay available, and teams can validate behavior in production conditions before committing to cutover. MXDR services activate at the point of commissioning approval—not after full deployment—meaning RWS benefits from 24x7 threat monitoring from the earliest transitioned workloads through the complete and final cutover.
Why this matters for RWS: Security transformation projects frequently stall or fail when platform deployment, service enablement, and governance operate on disconnected tracks. This integrated model compresses time-to-protection, reduces execution risk, and ensures that every stage gate delivers measurable business value—from validated solution fit through to maximum security posture. For RWS, this means faster realization of your security investment, continuous protection throughout the transition, and a clear line of sight from technical activity to operational resilience.
Implementation Timeline
The implementation follows a gated stage approach across three parallel workstreams. Project Management establishes governance, testing protocols, and deployment controls. The XDR Platform track handles technical deployment from tenant configuration through agent rollout and legacy retirement. The MXDR Service track activates threat monitoring capabilities progressively, beginning with use case planning and culminating in 24x7 managed detection and response.
Infrastructure as Code and Security as Code practices drive the platform deployment, enabling rapid provisioning with consistent, repeatable configurations at enterprise scale. Critical dependencies are sequenced to minimize risk: proof-of-concept validation precedes architecture commitment, commissioning approval gates service activation, and ring-based deployment allows controlled rollout with rollback capability at each stage.
Why this matters for RWS: Time-to-value is weeks, not months. RWS gains 24x7 threat monitoring by week 10 while enterprise rollout continues in parallel. Each stage gate validates success before proceeding, delivering predictable outcomes with controlled risk throughout the transition.
Delivery Model | Phase 1 Onboarding
Planning & Assessment
- Initial Consultation
- Environment Review
- Architecture and Solutioning
Deployment
- Deployment ring planning
- Rollout and monitoring of agents
XDR deployment
Optimization, Integration & Tuning
- Tuning of policies
- Integrating various log sources
Testing & Continuous Improvement
- Perform SIT and UAT tests
- Documentation & Handover
Service Management and Governance
- Quarterly Management Reviews
- Monthly Steering Committee Meetings
- Weekly Operational Meetings
- Collaborative Workshops
- Risks & Issue Tracking
Resorts World Sentosa Delivery Model | Day 2 Monitoring
Tuning, Hunting
Vulnerability Management
Service Management and Governance
- Single point of contact for all service matters
- Weekly sync calls (or as agreed frequency)
- Escalation management and coordination
- Service performance reporting
- Continuous improvement initiatives
Proposed Solution Architecture
Our solution leverages RWS's existing Microsoft security investments while adding Armor's expert monitoring, threat intelligence, and response capabilities.
Architecture Overview
Solution Components
Microsoft Defender XDR
Your unified security platform that automatically correlates signals across endpoints, identities, email, and cloud to detect and disrupt multi-stage attacks in real-time.
- Defender for Endpoint: Advanced endpoint protection and EDR
- Defender for Identity: Identity threat detection and investigation
- Defender for Office 365: Email and collaboration security
- Defender for Cloud Apps: SaaS application visibility and control
- Defender for Cloud: Multi-cloud workload protection
- Microsoft Sentinel: Cloud-native SIEM for correlation and automation
Armor Nexus Platform
Intuitive interface that integrates AI, prioritized incidents, evolving telemetry, and real-time SOC interactions to accelerate threat detection and response.
- Single pane of glass for all security telemetry
- AI-assisted investigation and recommended actions
- Real-time collaboration with Armor SOC analysts
- Custom dashboards and reporting
Armor MDR Team
Singapore-based L2 and L3 engineers and architects providing:
- 24/7 threat monitoring and triage
- Onsite incident management and dark web monitoring
- Threat intelligence integration
- Vulnerability management
Microsoft Security Copilot
AI for Security provides automated response, intelligent search, and recommendations - ensuring no new AI risks are introduced while accelerating investigations.
Managed XDR Services
Armor's MXDR service combines advanced technology with expert human analysis to provide comprehensive threat detection, investigation, and response capabilities.
Service Components
24/7 Threat Monitoring
Continuous monitoring of all connected security telemetry by experienced SOC analysts. Every alert is triaged, investigated, and actioned - not just forwarded.
Threat Intelligence
Armor's curated threat intelligence feeds are leveraged to proactively hunt for threats in your environment and ensure detection rules stay current.
Incident Response
When threats are confirmed, our team executes pre-approved containment actions immediately - isolating endpoints, disabling accounts, blocking hashes.
Proactive Threat Hunting
Regular hypothesis-driven hunts for advanced threats that evade automated detection, using TTPs from the latest threat intelligence.
Vulnerability Management
Continuous vulnerability assessment with prioritized remediation recommendations based on actual exploitability and asset criticality.
Security Reporting
Monthly executive reports, weekly operational summaries, and real-time dashboards provide visibility at every level.
MDR Backup Regions
| Region | Location | Role |
|---|---|---|
| Primary | Singapore | Primary SOC for APAC coverage |
| Secondary | United States | Follow-the-sun coverage, disaster recovery |
| Tertiary | India | Additional capacity and redundancy |
Detection & Response Capabilities
Detection Methodology
Our detection approach combines multiple techniques to identify threats across the kill chain:
- Signature-based detection: Known malware and attack patterns
- Behavioral analytics: Anomalous user and entity behavior
- Threat intelligence correlation: IOCs from global threat feeds
- Custom detection rules: RWS-specific scenarios and assets
- Machine learning models: Advanced threat detection via Microsoft Defender
Investigation & Correlation
- Alert correlation and prioritization across all data sources
- Investigation workflows with defined timelines
- Root cause analysis capabilities
- Threat timeline reconstruction
Response Automation & Playbooks
- Automated and semi-automated response actions
- Playbook customization and governance
- Integration with SOAR and ITSM systems
- Pre-approved actions for immediate containment
Pre-Approved Response Actions
To enable rapid response, we recommend pre-approving the following containment actions:
| Action | Trigger | Impact |
|---|---|---|
| Isolate Endpoint | Confirmed malware execution | Device isolated from network, user notified |
| Disable User Account | Confirmed account compromise | Account disabled, sessions terminated |
| Block Hash/Domain | Confirmed malicious indicator | IOC blocked across environment |
| Force Password Reset | Credential theft detected | User required to reset password |
Service Levels & KPIs
Response Time SLAs
| Severity | Definition | Initial Response | Update Frequency |
|---|---|---|---|
| Critical | Active breach, ransomware, critical system compromise | 15 minutes | Every 30 minutes |
| High | Confirmed malware, lateral movement, data exfiltration attempt | 30 minutes | Every 2 hours |
| Medium | Suspicious activity requiring investigation | 2 hours | Every 4 hours |
| Low | Policy violations, informational alerts | 8 hours | Daily |
Key Performance Indicators
| KPI | Target | Measurement |
|---|---|---|
| Mean Time to Detect (MTTD) | < 5 minutes | Time from event occurrence to alert generation |
| Mean Time to Respond (MTTR) | < 30 minutes | Time from alert to containment action |
| False Positive Rate | < 10% | Percentage of alerts determined to be benign |
| SLA Compliance | 99.5% | Percentage of incidents meeting response SLAs |
| Platform Availability | 99.9% | Armor Nexus platform uptime |
Compliance with Tender Specifications
This section maps our solution to the specific requirements outlined in RWS-IT-RFQ-118.
Statement of Compliance
Detailed compliance matrix pending
Deviations & Exceptions
Content pending
Key Challenges & Risk Areas
Content pending
Project Team
Phase 1 Implementation Team
Executive / Strategic Oversight
Chris Drake
Armor Founder & CEO
Project Manager
TBD
Overall project coordination and delivery
Technical Lead
Jude Antoni
Architecture and technical implementation
Security Architect
Thanapol Balawongse
Security design and integration
Implementation Lead
Malgene Teo
Deployment and configuration
SOC Integration Lead
Vinay Rajput
SOC onboarding and process integration
Escalation Matrix - Phase 1
| Level | RWS Contact | Armor Contact |
|---|---|---|
| Executive | Executive Team | Account Executive |
| Strategic | RWS Project Lead | Project Manager |
| Tactical | RWS Security Architect | Technical Architect |
| Operational | RWS Project Team | Implementation Experts |
Escalation Matrix - Phase 2 (Operations)
Technical Escalation
| Level | Trigger | Armor Role | RWS Contact |
|---|---|---|---|
| L1: Auto Triage | Alert fired, SOAR playbooks run | Nexus Platform | Auto-containment |
| L2: Initial Human | Automation cannot resolve or High severity | Security Analyst | Security Team |
| L3: Advanced Analysis | Complex lateral movement or malware | Senior Security Analyst | Security Team Lead |
| L4: Incident Response | Active breach, critical impact | IR Lead | Security Director / CISO |
Service Delivery Escalation
| Level | Trigger | Armor Role | RWS Contact |
|---|---|---|---|
| Functional | Minor SLA delay, report formatting | Customer Success Manager | Security Team Lead |
| Tactical | Recurring issues, missed handoffs | Service Delivery Manager | Security Director |
| Strategic | Critical SLA breach, contractual dispute | Account Executive | Governance Team |
| Executive | Major brand risk, legal/compliance crisis | Chief Risk Officer | Executive Team |
Appendices
A. Technical Datasheets
To be attached
B. Architecture Diagrams
Detailed diagrams to be attached
C. Case Studies & References
To be attached
D. Certifications & Accreditations
Certificate copies to be attached
E. Product Roadmap
High-level roadmap to be attached
Disclaimer
- This publication contains proprietary information that is protected by copyright. SoftwareOne reserves all rights thereto.
- SoftwareOne shall not be liable for possible errors in this document. Liability for damages directly and indirectly associated with the supply or use of this document is excluded as far as legally permissible.
- The information presented herein is intended exclusively as a guide offered by SoftwareOne. The publisher's product use rights, agreement terms and conditions and other definitions prevail over the information provided herein. The content must not be copied, reproduced, passed to third parties or used for any other purposes without written permission of SoftwareOne.
- Copyright © by SoftwareOne. All Rights Reserved. SoftwareOne is a registered trademark of SoftwareOne. All other trademarks, service marks or trade names appearing herein are the property of their respective owners.