1. Executive Summary

Resorts World Sentosa (RWS) is executing one of Asia's largest hospitality transformations with the RWS 2.0 expansion. New attractions, hotels, and digital experiences rolling out through 2030 will significantly expand the technology footprint requiring protection. To support this growth, RWS requires an integrated XDR platform with 24x7x365 MXDR operations to strengthen cybersecurity operational resilience, accelerate detection-to-containment, and meet strict governance and regulatory expectations.

For this requirement, SoftwareOne has partnered with Armor Defense (Armor), a tech-enabled services company providing Managed Detection and Response (MDR) services with unified threat visibility, faster response, and audit-ready operations. Our solution leverages RWS's existing Microsoft investments, extends them with Armor Nexus for operational transparency, and provides managed XDR expertise to scale security alongside business growth.

Coverage Scope

Base (mandatory)

Core endpoint/server protection and EDR, XDR correlation and incident lifecycle management, integrations and automation, plus vulnerability capability requirements as defined in scope.

Optional modules

Email Security, Network/NDR, Identity Protection, Mobile, IoT/OT, Additional Cloud Workloads (e.g., AliCloud) and AI/GenAI Security supported without re-architecture if activated later.

Implementation Approach and Timeline

1

Foundation

Architecture/design, platform foundation, integrations and acceptance planning.

2

Rollout

Ring-based rollout and migration/onboarding with stabilization and governance.

3

Operations

Steady-state 24x7x365 MXDR operations and continuous improvement.

Milestones: Commissioning before 1 Jun 2026. Full onboarding and operational before 31 Dec 2026.

What RWS Gets

Reduced Business Risk

Faster detection and containment via unified incident correlation and governed response playbooks across endpoint, identity, email, and cloud.

🇸🇬

24/7/365 Singapore-Based SOC

Monitoring by local L2/L3 analysts who understand APAC threats. Global follow-the-sun coverage for other activities like threat intelligence, detection engineering and more.

Lower Operational Burden

Consolidated security operations with standardized workflows, reporting, and continuous tuning to reduce noise.

Extreme Microsoft Security Depth

Full M365 E5 integration, maximizing your existing investment with expert human oversight and response.

Rapid Incident Response

15-minute response SLA for critical incidents with pre-approved containment actions.

AI-Augmented Detection

Armor AI accelerates investigations combined with curated threat intelligence for proactive hunting.

Stronger Assurance

Evidence-grade auditability and support for regulatory and internal compliance obligations.

Phased Delivery

Controlled migration with coexistence validation and rollback planning to minimize disruption.

Key Differentiators

No Walled Gardens. Challenging the Industry.

Armor isn't another security vendor with a closed ecosystem. We deliver a flexible framework where you never lose control or visibility of your risk posture. We orchestrate your existing investments into a coherent security strategy - fully adaptable as your partners and needs evolve.

Armor Dash

Executive Security Dashboard

Unified visibility across all security vendors, tools, and GRC platforms. AI-powered insights in plain English. Financial risk quantification for executive level conversations.

EDR/XDR SIEM GRC ITSM

Armor Nexus

Incident Operations Platform

Unified XDR platform with AI-powered detection, automated playbooks, and real-time SOC collaboration. Bi-directional sync with your existing SIEM and ITSM systems.

Detection Response Automation Hunting

No Black Box

All detection rules, tuning, and automations created for RWS are fully transparent, RWS-owned, and transferable. Your security IP stays with you.

Noise-Free Security

Armor MDR filters irrelevant alerts and reduces noise - we value your time as much as you do.

True Partnership

Co-managed approach integrates seamlessly with your team as a genuine extension, not an add-on.

Human-AI Synergy

AI-driven detection combined with expert human analysis for precision and speed.

Compliance Built-In

Compliance-ready reports and dashboards help meet regulatory requirements effortlessly.

Custom Playbooks

Tailored response workflows aligned to your business processes - not generic, one-size-fits-all.

Bi-directional ITSM Sync

Incidents flow seamlessly between Armor and RWS's existing SIEM/ITSM systems without disrupting your established workflows.

Add-On

Armor Reactor

Data security for the AI era - discover, monitor, and govern your organization's AI ecosystem with automated playbooks and privacy controls.

Platform Differentiator

Microsoft Security: A Unified Ecosystem vs. Point Solutions

While competitors offer individual tools, Microsoft delivers an integrated security ecosystem where every component shares intelligence, correlates signals, and responds as one unified platform.

Microsoft Security Ecosystem

Integrated Platform

Native Integration - Defender XDR, Sentinel, Entra ID, Intune, and Purview share a common data fabric
Unified Correlation - Cross-domain signals from endpoints, identity, email, and cloud automatically correlate into incidents
Single Console - One portal for detection, investigation, and response across all attack surfaces
Shared Threat Intelligence - 100+ trillion signals daily powering all components simultaneously
Automated Response - Native playbooks span identity, endpoint, and cloud without API bridges
License Efficiency - M365 E5 bundles comprehensive security, reducing total cost of ownership

Point Solution Approach

Palo Alto / CrowdStrike / Splunk

Integration Tax - Each tool requires custom connectors, API maintenance, and data normalization
Manual Correlation - Analysts must pivot between consoles to piece together attack chains
Multiple Consoles - Separate portals for EDR, SIEM, identity, and cloud create context switching
Siloed Intelligence - Threat data locked within each vendor's ecosystem
SOAR Dependency - Requires separate orchestration layer to coordinate cross-tool response
Stacked Licensing - Each capability requires separate procurement and renewal cycles

The RWS Advantage: By consolidating on Microsoft Security with Armor MDR, RWS gains ecosystem-native detection and response that eliminates integration complexity while reducing vendor management overhead.

2. Company Profile and Credentials

SoftwareOne

SoftwareOne is a leading global software and cloud solutions provider that stands at the forefront of digital transformation, offering a comprehensive suite of services that help our clients navigate the complexities of cloud, Data & AI. As a global provider, SoftwareOne is dedicated to modernizing our clients' applications through integrated solutions that not only facilitate cloud migration and management across multi-cloud and hybrid systems but also harness the power of data and AI to drive tangible business outcomes. We serve over 65,000 clients worldwide, including large enterprises, corporates, small and medium-sized enterprises (SMEs) and public sector organisations, across a range of end-markets.

60+ Countries

20+ Years Local Presence

13,000+ Employees

65,000+ Clients Worldwide

SoftwareOne ESG Program

SoftwareOne has an established Environmental, Social and Governance (ESG) programme that is progressively integrated into its business strategy and operations. The programme is guided by a governance framework involving Board oversight and dedicated global committees on environmental, social and governance matters - https://www.softwareone.com/en-in/our-story/esg-environmental-social-governance

Environmental Initiatives

Climate ambition & targets: SoftwareOne's stated ambition is net zero for Scope 1 & 2 by 2030, with program detail, climate risk management (including scenario analysis), and Scope 3 focus areas described in the Annual Report.
SBTi validation: In 2025, near term science based targets were validated by the Science Based Targets initiative (SBTi):
- 42% absolute reduction in Scope 1 & 2 by FY2030 (from a 2024 base year)
- 25% absolute reduction in selected Scope 3 (incl. business travel) by FY2030
- 75% of suppliers by emissions to set SBTs by FY2030
Carbon measurement & reduction levers: SoftwareOne maintains an annual GHG inventory and details practical levers such as transitioning offices to renewable energy where possible, EV fleet adoption, business travel/commute reductions, and site recycling ("Green Office" initiatives).
Waste & e-waste posture: As a software & cloud services company (no manufacturing), SoftwareOne emphasizes office waste reduction and recycling, and states it does not generate packaging/hazardous waste; a standardized global approach to waste management is planned within the Environmental Policy.
Cloud sustainability for customers: Beyond its own footprint, SoftwareOne offers Cloud Sustainability and FinOps for Sustainability services that quantify cloud/application emissions and optimize workloads to reduce carbon and cost supporting customers' Scope 3 reporting and compliance.

SoftwareOne Certifications

ISO 14001

Environmental Management

ISO/IEC 27001

Information Security Management

ISO/IEC 27701

Privacy Management

ISO 22301

Business Continuity Management

CSA

SOFTWAREONE PTE. LTD.
UEN: 200102465D
Lic. ID: CS/PTS/C-2023-0454R

Armor

Armor is a cloud-native managed security provider recognized by Frost & Sullivan as a leader in Managed Detection and Response. Our platform combines advanced threat detection, expert security analysts, and automated response capabilities to protect organizations across cloud, hybrid, and on-premises environments.

"Armor's MDR platform delivers unified visibility across cloud and on-premises environments with 24/7 expert monitoring and rapid response capabilities."
Lucas Ferreyra, Senior Industry Analyst - Frost & Sullivan

24/7 SOC Coverage

15 min Critical Response SLA

1,500+ Customers Protected

3 Global SOC Locations

Armor Certifications

ISO 27001

Information Security Management

SOC 2 Type II

Security, Availability, Confidentiality

PCI DSS

Payment Card Industry Compliance

HITRUST CSF

Healthcare Security Framework

Data Privacy Framework

US-EU Data Transfer Compliance

PDPA

Singapore Personal Data Protection

GDPR

EU General Data Protection Regulation

CSA

ARMOR DEFENSE ASIA PTE. LTD.
UEN: 202222526H
Lic. ID: CS/SOC/C-2022-0154R

Team Certifications

CISSP

Certified Information Systems Security Professional

CISA

Certified Information Systems Auditor

CRISC

Certified in Risk and Information Systems Control

GXPN

GIAC Exploit Researcher

OSCP

Offensive Security Certified Professional

OSCE

Offensive Security Certified Expert

OSED

Offensive Security Exploit Developer

OSEP

Offensive Security Experienced Penetration Tester

OSWE

Offensive Security Web Expert

+ Dozens More

Industry certifications across the team

Better Together

SoftwareOne

Cloud + AI + IT

We build, optimize, and manage your digital infrastructure.

Armor

Cybersecurity

We protect it - 24/7, across every environment.

For RWS: No coordination overhead. No finger-pointing. One unified team accountable for outcomes.

3. Understanding of RWS Requirements

Based on the RFQ specifications and our discussions, we understand RWS seeks a comprehensive MXDR solution that addresses the following core requirements:

Interpretation of RWS Security and Operational Requirements

RWS Objective	Our Understanding
Scope & outcomes	RWS seeks an integrated EPP/EDR/XDR platform with Managed XDR (MXDR) that strengthens detection, investigation, response and operational resilience across servers, workstations/laptops, persistent & non-persistent VDI, and containerized workloads, delivered over 3 + 1 + 1 years.
Platform capabilities	The platform must use a single lightweight agent and a single cloud-native console, support RBAC, provide rich telemetry and hunt/search, deliver behavioural analytics, UEBA, automated playbooks, and cross-domain orchestration, including ransomware rollback.
Security operating model	Day-2 MXDR runs 24x7x365 fully within the RWS tenant with named, least-privilege accounts (MFA, JIT/PAM, IP allow-listing); Singapore-based L2/L3 escalation within 2 hours.
Performance, SLOs & SLAs	Target SLOs include endpoint event searchable in 15s, identity/email in 60s, cloud audit in 120s; action execution in 30s; console uptime 99.9%; false-positive rate 2% monthly. Threat-hunting SLAs define ack in 4h, critical IoC sweep in 4h, standard IoC in 24h, complex hunts in 72h, and hunt report in 24h post-completion.
Integration & environment fit	Native integration with Microsoft Entra ID (AD) SSO, IDAS, SIEM/CLM/data lake, ITSM, email, firewalls/NDR, cloud audit (Azure first), with alignment to RWS standard tech stacks.
Compliance & auditability	The service must support PDPA-aligned controls, immutable evidence, evidentiary bundles, SLA telemetry (MTTD/MTTR), change control, and certification posture.

RWS's objective is to uplift cybersecurity operational resilience through an integrated EPP/EDR/XDR platform with 24x7x365 MXDR operations, delivered with a controlled migration from incumbent tooling and measurable operational outcomes.

Our implementation approach specifically addresses coexistence during transition, ensuring zero protection gaps during cutover and preserving operational continuity. The migration plan includes parallel operation periods, validation gates, and coordinated retirement of incumbent agents only after full Microsoft Defender XDR coverage is confirmed.

RWS Security & Operational Requirements

01

Unified Platform

Single-agent / single-console design with cloud-native telemetry correlation, strong anti-tamper controls, and controlled rollout.

02

Unified Threat Visibility

Consolidated view across endpoints, identity, email, cloud workloads, and applications through Microsoft Defender XDR integration.

03

Scale & Environment

Approx. 7,500 agents across endpoints and servers (hybrid estate), with Prod/UAT/SIT environments and cross-domain telemetry ingestion.

04

SOC/MXDR Operating Model

24x7x365 MXDR operations with Singapore-based L2/L3 escalation within 2 hours.

05

Expert-Led Response

24/7 human analyst coverage for threat triage, investigation, and response - not just automated alerts.

06

Operational Integration

Seamless integration with RWS's existing SIEM, ITSM, and security workflows without disruption.

07

Training & Knowledge Transfer

Role-based training for SOC, IT Ops, and management, plus quarterly workshops for capability uplift.

08

Compliance Alignment

Support for regulatory requirements including data residency, audit trails, and reporting.

Key Challenges and Risk Areas Addressed by the Proposed Solution:

RWS Challenge	Right-fit Solution
Migration and co-existence with incumbent EPP/EDR	Phased deployment, policy parity and structured rollback plans
Hybrid/on-prem + cloud telemetry normalization	Cloud-based scalable architecture. Custom or built-in parsers to normalize data.
Noise & false positives reduction	Armor Nexus platform provides full visibility into MDR operations including False Positive reduction overtime.
Server-safe containment guardrails	Approval gates in playbooks, pre-approved high-severity actions catalog, exception lists.
Regulatory reporting & audit trails	Armor Nexus dashboard provides compliance-ready reporting and immutable audit trails.
Singapore-based L2/L3 escalation and Project Manager	Armor Local MDR experts will assist when needed.
xAI requirements	Microsoft Security Copilot and Armor Nexus portal provide transparency, feature importance, confidence, auditability

Assumptions & Dependencies

Assumptions

June deadline achievable only if project awarded in January 2026
Devices updated and all pre-requisites met before MDE onboarding
Armor can provide dashboards, and reporting of SLO-style metrics under agreed volumes and conditions but does not warrant or commit to specific SLO thresholds. Only service SLAs (response/resolution/availability) are contractually binding.
ORT/Commissioning and PGP completion will be based on functional correctness, defect exit criteria, documentation, and SLA process readiness; performance observations will be reported but not guaranteed as SLO commitments
For XDR implementation, the platform shall be fully operational
RWS will provide timely access to required systems, networks, documentation, and personnel
Existing infrastructure meets Microsoft Defender XDR minimum system requirements
RWS will complete ARB approval process prior to subscription activation
Network connectivity between endpoints and Microsoft cloud services is available or can be established
Existing security tools will remain operational during the transition period
RWS IT team will be available for scheduled knowledge transfer sessions
Change Advisory Board (CAB) will convene as needed for deployment approvals
If travel outside Singapore is needed, additional per-diem cost will be charged and invoiced
For MDE onboarding, device management tools like Intune will be used

Dependencies

RWS Active Directory and Azure AD availability and access for identity integration
SIEM and ITSM platform API access for bidirectional integration
Endpoint deployment tool access (Intune, SCCM, or GPO)
Network firewall rules permitting Microsoft Defender cloud connectivity
Test environment availability for SIT and UAT activities

Prerequisites (RWS Responsibilities)

Completion of security clearances for Armor Defense personnel requiring casino access
Execution of NDA and data processing agreements
Provision of current endpoint inventory and network documentation
Establishment of communication channels (Teams tenant, email distribution lists)
Identification of key stakeholders and project resources
Current state documentation of existing EPP/EDR configurations for migration planning

RWS-Specific Threat Model

As an integrated resort handling millions of guest transactions annually, RWS presents a high-value target for sophisticated threat actors. Our detection and response strategy is specifically calibrated to address the unique threat landscape facing hospitality and gaming operations.

Key Threat Actors Targeting Hospitality & Gaming

Financially Motivated Groups

Motivation: Payment card theft, ransomware, extortion

Tactics: POS malware, credential harvesting, ransomware deployment during peak events

Nation-State APTs

Motivation: Espionage on VIP guests, economic intelligence

Tactics: Spear-phishing, long-term persistence, supply chain compromise

Hacktivists

Motivation: Reputation damage, protest against gaming industry

Tactics: DDoS attacks, website defacement, data leaks

Insider Threats

Motivation: Financial gain, disgruntlement

Tactics: Data exfiltration, privilege abuse, credential sharing

Priority Attack Scenarios for RWS

1

Point-of-Sale (POS) Compromise

Targeting payment terminals across casino floor, retail outlets, hotels, and F&B operations to harvest payment card data.

2

Guest Network Pivot

Using guest WiFi or public-facing systems as entry points to pivot into corporate infrastructure.

3

Loyalty Program Account Takeover

Compromising guest accounts for points theft, identity fraud, or unauthorized redemptions.

4

Operational Technology (OT) Attacks

Targeting building management systems, surveillance infrastructure, or gaming machine networks.

5

Business Email Compromise

Impersonating executives or vendors to initiate fraudulent wire transfers or procurement fraud.

6

Supply Chain Compromise

Exploiting third-party vendors with access to RWS systems, including maintenance contractors and service providers.

7

Event-Timed Ransomware

Deploying ransomware during major events, concerts, or peak seasons to maximize operational pressure and ransom leverage.

RWS 2.0 Expansion Considerations

As RWS expands with new properties and attractions, additional threat vectors emerge including increased attack surface, integration points between legacy and new systems, construction-phase vendor access, and new attraction technologies (IoT, robotics). Our threat model continuously evolves to address these emerging risks.

Alignment with RWS Security Strategy

Resorts World Sentosa (RWS) is executing one of Asia's largest hospitality transformations with the RWS 2.0 expansion. New attractions, hotels, and digital experiences rolling out through 2030 will significantly expand the technology footprint requiring protection. This proposal leverages RWS's existing Microsoft investments, extends them with Armor Nexus for operational transparency, and provides managed XDR expertise to scale security alongside business growth.

Scaling Security with Business Growth

As RWS 2.0 brings new properties, attractions, and guest systems online, the security perimeter expands with each phase. Construction timelines and vendor access add complexity that traditional security teams struggle to absorb.

How this proposal helps:

Microsoft Defender XDR provides unified visibility across endpoints, identity, email, and cloud from a platform RWS already uses, eliminating new tool adoption during critical expansion phases
Armor Nexus delivers a single operational view as new systems come online, with AI-powered triage that scales detection capacity without proportional headcount growth
Armor's managed service model absorbs the operational complexity of expanding environments, allowing RWS IT to focus on business-critical initiatives rather than security operations scaling

Protecting Digital Experience Investments

Guest-facing digital initiatives depend on infrastructure that must remain secure and available. High guest volumes mean any security incident affecting digital systems has immediate operational and reputational impact.

How this proposal helps:

Microsoft Defender XDR correlates threats across the full Microsoft ecosystem, detecting attacks that span endpoints, identity, and cloud workloads before they impact guest-facing systems
Proactive threat hunting identifies risks to guest-facing infrastructure before they become incidents, while pre-approved containment actions enable immediate response without waiting for change approval during an active threat
Armor Nexus AI-augmented triage delivers 8x faster analysis, reducing mean time to containment for threats targeting operational systems

Governance and Regulatory Visibility

Singapore's regulatory environment requires demonstrable security governance with audit-ready documentation and clear accountability. Security operations must be transparent and defensible.

How this proposal helps:

Armor Nexus transforms the traditional "black box" MDR model into a fully transparent partnership with real-time visibility into every detected threat, SOC action, and incident status
Microsoft Defender XDR integration with Sentinel provides compliance-ready dashboards and immutable audit trails that satisfy regulatory scrutiny
Structured reporting through weekly, monthly, and quarterly reviews creates the governance cadence regulators expect

Why this matters for RWS: Armor accelerates time-to-value from Microsoft security investments while removing the operational burden from RWS IT. As RWS 2.0 demands focus on guest experience, new attractions, and operational excellence, Armor provides mature security operations that scale with the business and evolve with the threat landscape.

4. Project Implementation and Onboarding Approach

Our phased implementation methodology ensures minimal disruption to RWS operations while accelerating time-to-value. Each phase builds upon the previous, with clear milestones and success criteria.

Unified Implementation Roadmap

STAGE

Stage 1

Discovery &
Validation

Stage 2

Architecture &
Planning

Stage 3

Foundation &
Coexistence

Stage 4

Rollout &
Cutover

Stage 5

Hardening &
Full Operations

Business
Outcome

Confirmed solution fit with zero risk to operations

Approved blueprint aligned to business and regulatory needs

24x7 threat protection active with zero business disruption

Complete enterprise coverage, legacy security retired

Maximum protection posture with continuous improvement

GATE

◆ PoC Success

◆ ARB Approval

◆ Commissioning Approval

◆ Rollout Complete

◆ Full Operations

Project
Management Milestones

Define PoC scope and success criteria
Execute PoC in constrained environment
Validate results are correct and reproducible

Environment discovery and critical assets
Solution architecture design
Project plan and risk log
Roles and responsibility mapping (RACI)

Rollout ring design
Draft test plans (SIT/UAT/ORT/DR)
Execute SIT → UAT → Failover → HA/DR → ORT
Defect management and test reports

Knowledge transfer workshops
Pilot rollout to smaller group
Ring-based enterprise deployment
Remove incumbent agents

Confirm incumbent removal complete
Transition to steady-state operations
Operational handover documentation

XDR
Platform Key Tasks

Verify licensing and prerequisites
Network connectivity validation
Environment discovery

Device groups and RBAC design
Workspace and connector planning
Integration strategy for existing tools
Map incumbent settings to Defender XDR

Set up forwarders, connectors, subscriptions
Set mutual EDR exclusions
Push registry keys for passive mode
Onboard endpoints (ring-based)
Onboard servers (change-controlled)
Configure dual log forwarding
Run detection tests, verify healthy devices

Complete endpoint migration
Complete server migration
Uninstall incumbent AV/EDR
Force MDAV active and enforce policies
Configure single log forwarding to Sentinel

Apply ASR rules
Enable Auto Disruption
Enable Tamper Protection
Enable Web/Network Protection
Verify Microsoft best practices alignment

MXDR
Service Readiness

Understand business and regulatory requirements
Geolocation setup and BU mapping
Identify crown jewels and critical assets
Map existing cybersecurity tools

Review existing playbooks
Use case planning & detection design
Define autonomous vs approval-required actions
Gap analysis against best practices

★ MXDR Service Start

24x7 monitoring begins for onboarded devices
Use case deployment
Initial threat response capability active

Expanding coverage as devices rollout
Use case tuning & optimization
Policy hardening

Full MXDR operations active
All endpoints under 24x7 monitoring
All capabilities enabled
Proactive threat hunting

This unified implementation roadmap integrates project governance, platform deployment, and managed security services into a single coordinated framework. Rather than managing three separate workstreams with independent timelines and handoffs, RWS gains visibility into how each track progresses through common stage gates -ensuring that technical readiness, operational preparedness, and business outcomes remain aligned at every milestone.

The approach is deliberately structured around coexistence and controlled transition. Allowing the XDR platform to coexist with incumbent tooling during Stage 3 significantly reduces migration risk -detection coverage remains continuous, rollback paths stay available, and teams can validate behavior in production conditions before committing to cutover. MXDR services activate at the point of commissioning approval -not after full deployment -meaning RWS benefits from 24x7 threat monitoring from the earliest transitioned workloads through the complete and final cutover.

Why this matters for RWS: Security transformation projects frequently stall or fail when platform deployment, service enablement, and governance operate on disconnected tracks. This integrated model compresses time-to-protection, reduces execution risk, and ensures that every stage gate delivers measurable business value -from validated solution fit through to maximum security posture. For RWS, this means faster realization of your security investment, continuous protection throughout the transition, and a clear line of sight from technical activity to operational resilience.

Implementation Timeline

The implementation follows a gated stage approach across three parallel workstreams. Project Management establishes governance, testing protocols, and deployment controls. The XDR Platform track handles technical deployment from tenant configuration through agent rollout and legacy retirement. The MXDR Service track activates threat monitoring capabilities progressively, beginning with use case planning and culminating in 24x7 managed detection and response.

Infrastructure as Code and Security as Code practices drive the platform deployment, enabling rapid provisioning with consistent, repeatable configurations at enterprise scale. Critical dependencies are sequenced to minimize risk: proof-of-concept validation precedes architecture commitment, commissioning approval gates service activation, and ring-based deployment allows controlled rollout with rollback capability at each stage.

Project Governance and Delivery Methodology

Governance Structure

Armor implements a structured governance framework aligned with RWS project standards:

Forum	Participants	Frequency
Steering Committee	RWS IT Leadership, Armor Defense Management, Key Stakeholders	Monthly (or as needed for escalations)
Working Committee	Project Managers, Technical Leads, RWS IT Representatives	Weekly
Technical Working Group	Solution Architect, Security Engineers, RWS Technical Team	As needed for technical decisions
Daily Stand-up	Implementation Team	Daily during deployment phases

Stakeholder Engagement and Reporting Cadence

Daily Status Updates: During critical deployment windows and migration activities
Weekly Progress Reports: Milestone tracking, risk/issue logs, upcoming activities
Monthly Steering Reports: Executive dashboard, budget status, strategic decisions
Ad-hoc Escalation: For critical risks requiring immediate executive attention

Risk Management Approach

Risk Register: Maintained throughout project lifecycle with owner, probability, impact, and mitigation
Weekly Risk Review: Assessment of new risks and mitigation progress
Risk Escalation: Clear thresholds for escalation to Steering Committee
Contingency Planning: Documented plans for high-impact risks including rollback scenarios

Quality Assurance Approach

Acceptance Criteria: Defined for all deliverables aligned with RWS IT Project Delivery Framework
Test Plans: Comprehensive SIT, UAT, ORT plans with requirement traceability matrix (RTM)
Sign-off Gates: Formal approval required at each major milestone before proceeding

Platform Implementation Approach - Phased Adoption

1

Pre-implementation PoC

Define PoC scope and Success criteria
Execute PoC in constrained environment

Exit Criteria: PoC results are correct and reproducible

2

Architecture & Design, ARB Readiness

Environment discovery and understanding critical assets
Roles and Responsibility mapping. Draft project plan and risk log
Architect the solution with RWS' business and regulatory requirements in mind

Exit Criteria: ARB approval

3

Platform Setup and Coexistence Planning

Rollout ring design
Draft test plans and acceptance criteria for SIT/UAT/ORT
Draft test plans for Failover and HA/DR
Prepare platform, deployment packages and necessary settings
Draft Deployment Plan
Map existing platform settings to Microsoft Defender XDR

Exit Criteria: Platform prepared and deployment packages created. Deployment packaging/signing complete

4

Acceptance Testing & KT

Knowledge transfer: Provide KT workshops to the team.

Conduct SIT → UAT → Failover → HA&DR → ORT based on test plans

Deliverables: Defect/Issue Logs and Fixes, Test Summary & Report, Disaster Recovery (DR) Test Plans, Test Scenarios and Test Cases

Gate: Commissioning approval issued after successful ORT

5

Enterprise Rollout

Post-Commissioning rollout: Pilot Rollout to a smaller group before proceeding with broader ring deployment across servers/workstations/VDI.

Remove incumbent agents.

High-level Service Transition Approach

1

Discovery

Understand business and regulatory requirements, geolocation setup and BU map
Understand crown jewels and business critical assets
Map existing cybersecurity tools to identify what can be replaced, integrated, or run in parallel
Understand desired future state
KT workshops with incumbent to understand process and environment (if possible)

2

Risk and Gap Analysis

Review existing playbooks and adjusting them to include Armor's response capabilities
Determine which actions Armor can take autonomously versus those requiring RWS approval
Discuss recurring issues or major past pain points to ensure Armor addresses these specifically
Compare current operations against industry best practice to fill gaps

3

Transitional MXDR

24x7 monitoring and response for threats after any device is onboarded
Regular cadences to fine-tune rules and harden policies
Fine tune processes and expectations

4

Full MXDR

24x7 monitoring and response for threats after most devices are onboarded
Continuous fine-tuning and hardening of policies

Why this matters for RWS: Time-to-value is weeks, not months. RWS gains 24x7 threat monitoring by week 10 while enterprise rollout continues in parallel. Each stage gate validates success before proceeding, delivering predictable outcomes with controlled risk throughout the transition.

Delivery Model | Implementation

The Implementation delivery model illustrates Armor and SWO's structured approach to deploying Microsoft Defender XDR for RWS. This framework is designed to ensure that desired security outcomes are achieved while keeping the implementation on track through disciplined stage-gate execution and continuous governance oversight.

Armor Platform & Security Team

1 Discovery &
Validation

2 Architecture &
Planning

3 Foundation &
Coexistence

4 Rollout &
Cutover

5 Hardening &
Full Operations

Microsoft Defender XDR Fully Operational

RWS Project Team

Service Management & Governance

Weekly Operational Meetings Monthly Steering Committee Collaborative Workshops Risk & Issue Tracking

Armor-SWO Project and
Service Delivery Leadership

At the top of the model, the Armor Platform & Security Team leads delivery through five sequential stages -each building upon the previous to systematically advance the deployment. Stage 1: Discovery & Validation confirms the current environment and validates requirements. Stage 2: Architecture & Planning establishes the technical blueprint and deployment strategy. Stage 3: Foundation & Coexistence implements core infrastructure while maintaining operational continuity with existing systems. Stage 4: Rollout & Cutover executes the phased deployment across RWS environments. Stage 5: Hardening & Full Operations optimizes configurations and transitions the platform to steady-state operations.

The successful completion of all five stages delivers the target outcome: a fully operational Microsoft Defender XDR platform providing comprehensive threat detection and response capabilities.

Underpinning the entire delivery is a robust Service Management & Governance framework. The RWS Project Team and Armor-SWO Project and Service Delivery Leadership collaborate through weekly operational meetings, monthly steering committee reviews, collaborative workshops, and continuous risk and issue tracking. This governance structure ensures alignment on priorities, rapid resolution of blockers, and executive visibility into progress -keeping the implementation on schedule and on target.

Why this matters for RWS: Armor and SWO's structured approach delivers confidence without complexity. Each stage validates success before proceeding, governance keeps all parties aligned, and executive oversight ensures the implementation stays on track. The result is a fully operational security platform with no surprises.

Delivery Model | Operations

The Operations delivery model illustrates how Armor provides ongoing managed detection and response services for RWS. This framework establishes clear operational touchpoints, defined responsibilities, and structured governance to ensure continuous security coverage while maintaining transparent communication between all parties.

Technical Operations

RWS ITSM

Microsoft Defender XDR

Configuration, Use Case/Policy Tuning, and Support

Platform Engineers Security Engineers Detection Engineers Support Engineers

Security Operations

RWS Security Team

ARMORNEXUS

Real-time, transparent MDR interface AI-led enrichment and autonomous SecOps Service level tracking & Executive Reporting Interactive Incident Management and Support

Incident Response, Vulnerability Management

Threat Responders Threat Hunters Vulnerability Analysts

Strategic Partnership

RWS Executive Team

Service Management & Governance

Weekly/Monthly Service Reviews Escalation management and coordination Service performance reporting Quarterly Executive Business Review Continuous improvement initiatives

Customer Success

Technical CSM Account Executive Executive Sponsor

The model operates across three integrated tiers. Technical Operations establishes the foundation where RWS ITSM integrates bidirectionally with Microsoft Defender XDR for incident ticketing and workflow automation. Armor's MDR experts -including Platform Engineers, Security Engineers, Detection Engineers, and Support Engineers -handle configuration, use case tuning, and ongoing support.

Security Operations delivers the core detection and response capability. Armor Nexus serves as the real-time MDR interface, providing AI-led enrichment, autonomous SecOps, service level tracking, executive reporting, and interactive incident management. Armor's Threat Responders and Threat Hunters work continuously to identify, investigate, and respond to security events.

Strategic Partnership ensures long-term alignment and value. Service Management & Governance provides structured touchpoints -Weekly/Monthly Service Reviews, Quarterly Executive Business Reviews, escalation management, and continuous improvement initiatives. Armor's Customer Success team, including Technical CSM, Account Executive, and Executive Sponsor, maintains strategic alignment with RWS objectives.

Why this matters for RWS: This operating model transforms security from a cost center into a strategic capability with clear accountability at every level. From daily technical operations to quarterly executive reviews, Armor serves as a dedicated partner invested in outcomes, not just activities, with transparent reporting and continuous service improvement built into the engagement.

Armor Global Delivery Locations

Armor's global delivery model combines dedicated local presence with worldwide operational reach. Singapore serves as the primary delivery location for RWS, providing regional expertise, time zone alignment, and direct APAC coverage. This local presence is reinforced by strategically positioned global facilities that enable true 24/7 follow-the-sun operations, ensuring uninterrupted security coverage regardless of regional outages, capacity demands, or global threat events.

Region	Location	Role
Primary	Singapore	Primary delivery location for APAC coverage
Secondary	United States	Follow-the-sun coverage, disaster recovery
Tertiary	India	Additional capacity and redundancy

Why this matters for RWS: A Singapore-only security operation would leave RWS vulnerable to regional outages and limited to local business hours for expert response. Armor's global footprint delivers the responsiveness of a local partner with the resilience of a multinational operation, ensuring critical security decisions happen in real-time, 24/7, regardless of where threats originate or when they strike.

Armor Service Map

The diagram below illustrates how Armor's teams integrate with RWS's Microsoft Defender XDR environment through the Armor Nexus Platform.

Armor Operating Model showing Support Team, Detection & Response Team, and integration with RWS Environment

Project Team

Successful security implementations require experienced professionals with clear ownership and defined accountability. Our team structure spans executive sponsorship through hands-on implementation, with escalation paths that ensure issues are resolved quickly at the appropriate level.

Armor Key Personnel - Implementation

Executive / Strategic Oversight

Chris Drake

Armor Founder & CEO

Technical CSM and Architecture Lead

Karim Wadhwani

Architecture, Implementation, and Operations

Singapore-based Project Manager

To Assign

Overall project coordination and delivery

Technical Lead

Jude Antoni

Architecture and technical implementation

Security Architect

Thanapol Balawongse

Security design and integration

Implementation Lead

Malgene Teo

Deployment and configuration

Integration Lead

Vinay Rajput

Technical onboarding and process integration

Escalation Matrix - Phase 1

During implementation, the following escalation structure ensures that project risks, blockers, and decisions are addressed by the right stakeholders without delay.

Level	RWS Contact	Armor Contact
Executive	Executive Team	Account Executive
Strategic	RWS Project Lead	Project Manager
Tactical	RWS Security Architect	Technical Architect
Operational	RWS Project Team	Implementation Experts

Escalation Matrix - Phase 2 (Operations)

Once operational, Armor maintains two parallel escalation paths: one for security incidents requiring technical response, and one for service delivery matters requiring relationship management. This separation ensures security events receive immediate expert attention while service quality issues are addressed through appropriate governance channels.

Technical Escalation

Level	Trigger	Armor Role	RWS Contact
L1: Auto Triage	Alert fired, SOAR playbooks run	Nexus Platform	Auto-containment
L2: Initial Human	Automation cannot resolve or High severity	Security Analyst	Security Team
L3: Advanced Analysis	Complex lateral movement or malware	Senior Security Analyst	Security Team Lead
L4: Incident Response	Active breach, critical impact	IR Lead	Security Director / CISO

Service Delivery Escalation

Level	Trigger	Armor Role	RWS Contact
Functional	Minor SLA delay, report formatting	Customer Success Manager	Security Team Lead
Tactical	Recurring issues, missed handoffs	Service Delivery Manager	Security Director
Strategic	Critical SLA breach, contractual dispute	Account Executive	Governance Team
Executive	Major brand risk, legal/compliance crisis	Chief Risk Officer	Executive Team

Why this matters for RWS: Clear ownership and defined escalation paths eliminate ambiguity during both implementation and ongoing operations. RWS always knows who to contact, what level of response to expect, and how to escalate when standard channels are insufficient. This structure ensures accountability from day one through the life of the engagement.

5. Proposed Solution

Our solution leverages RWS's existing Microsoft security investments while adding Armor's expert monitoring, threat intelligence, and response capabilities.

Best-of-Breed Partnership

RWS deserves nothing less than industry-leading technology paired with world-class expertise. Our solution combines two recognized leaders in their respective domains:

Best-of-Breed XDR Platform

Microsoft Defender XDR

The industry's most comprehensive extended detection and response platform, correlating 84 trillion daily signals across endpoints, identities, email, cloud apps, and infrastructure.

★ Gartner Magic Quadrant Leader - Endpoint Protection (2025)

★ Gartner Magic Quadrant Leader - Email Security (2025)

★ 100% MITRE ATT&CK Protection Coverage

★ Industry-First Automatic Attack Disruption

Best-of-Breed MDR Provider

Armor Managed Detection & Response

Expert-led security operations with rapid incident response tailored for APAC enterprises.

★ Singapore-Based Company with Presence Across APAC

★ MDR Services Powered by Armor Nexus Platform

★ Microsoft Security Solutions Partner

★ Proactive Threat Hunting & Intelligence

The Power of Integration

When best-of-breed XDR meets best-of-breed MDR, RWS gains more than the sum of its parts: Microsoft's unmatched threat intelligence and automatic protection capabilities, amplified by Armor's human expertise, contextual analysis, and rapid response. This partnership ensures no alert goes uninvestigated and no threat goes uncontained.

Architecture Overview

The diagram below illustrates how security telemetry flows from RWS data sources through Microsoft Defender XDR into Armor Nexus, where our MDR team provides 24/7 monitoring, investigation, and response. This architecture maximizes your existing Microsoft investments while adding Armor's expert human analysis and AI-powered threat detection -with full bidirectional integration to your ITSM for seamless incident management.

Resorts World Singapore - Recommended Topology

Solution Components

Microsoft Defender XDR

Your unified security platform that automatically correlates signals across endpoints, identities, email, and cloud to detect and disrupt multi-stage attacks in real-time.

Defender for Endpoint

Advanced endpoint protection with industry-first automatic attack disruption and AI-powered investigation capabilities.

Automatic Attack Disruption: Halts ransomware in under 3 minutes with 99.99% confidence
AI-Powered Investigation: Security Copilot reduces triage time by up to 44%
Cross-Platform: Windows, Linux, macOS, iOS, Android, and IoT
Threat Intelligence: 84 trillion daily signals, 10,000 experts

2025 Gartner Leader for Endpoint Protection · 100% MITRE ATT&CK protection

Defender for Identity

Real-time Active Directory monitoring that extends protection to AI agents and service accounts.

Real-Time AD Monitoring: Detects lateral movement and compromised accounts
Unified Identity Sensors: Widest sensor coverage for on-prem infrastructure
Behavioral Analytics: AI detects drift in service accounts and identities
Attack Path Analysis: Identifies and prioritizes identity attack vectors

Seamless XDR integration · Extends beyond traditional ITDR

Defender for Office 365

LLM-powered email security with sentiment analysis that detects sophisticated phishing campaigns.

LLM-Powered Detection: 99.99% accuracy detecting attacker intent
BEC Protection: AI identifies impersonation and compromise attacks
Collaboration Security: Extends to Teams, SharePoint, OneDrive
Zero-Hour Auto Purge: Removes threats post-delivery within 48 hours

2025 Gartner Leader for Email Security

Defender for Cloud Apps

Goes beyond traditional CASB with unified SSPM, app-to-app protection, and threat detection.

Shadow IT Discovery: 1,000+ apps including GenAI with 90+ risk indicators
SaaS Security Posture: Surfaces misconfigurations with remediation
Integrated DLP: Native Microsoft Purview data classification
User Behavior Analytics: Detects anomalous activity and compromises

Unified CASB + SSPM + Threat Detection · Included in M365 E5

Defender for Cloud

Cloud-native application protection platform for multi-cloud workload security.

CSPM: Attack path analysis across Azure, AWS, and GCP
CWPP: Runtime protection for VMs, containers, serverless
DevSecOps: Code-to-cloud with GitHub/GitLab integration
AI Security Posture: Purpose-built for generative AI workloads

IDC MarketScape CNAPP 2025 Leader · Frost & Sullivan CWPP Leader

Microsoft Sentinel

Cloud-native SIEM/SOAR with AI-powered detection and zero infrastructure to manage.

Cloud-Native SIEM/SOAR: Rapid deployment, consumption pricing
Fusion Detection: AI correlates signals into high-confidence incidents
Free Log Ingestion: No cost for M365, Entra ID, Defender logs
Security Copilot: Generative AI accelerates investigation

Forrester 2025 #1 Detection Engineering · 234% ROI vs legacy SIEM

Why this matters for RWS: Microsoft Defender XDR represents the convergence of best-of-breed security capabilities into a unified platform, eliminating the complexity and cost of managing disparate point solutions. Each component is independently recognized as a market leader (Gartner, Forrester, IDC), yet the true value lies in their native integration: signals from endpoints, identities, email, and cloud correlate automatically to detect and disrupt sophisticated attacks that siloed tools would miss. For RWS, this translates to measurable outcomes. Organizations report up to 234% ROI, 44% faster incident response, and significantly reduced total cost of ownership through consolidated licensing, free log ingestion, and elimination of integration overhead.

Armor Nexus Platform

Nexus is Armor's unified security operations platform, providing unprecedented transparency into SOC activities, proactive threat defense, and intelligent support for complex global organizations. Launched in February 2025, Nexus delivers real-time visibility into every detected threat, SOC action, and asset status, transforming the traditional "black box" MDR model into a fully transparent security partnership.

Full SOC Transparency

Real-time window into Armor's Security Operations Center showing every action taken to neutralize threats.

Live Activity Feed: View threat neutralization as it happens
Hunt Findings: Detailed threat hunt results and recommendations
Investigation Details: Full visibility into analyst workflows
Tailored Recommendations: Environment-specific guidance

Complete visibility into every security action

Armor Intelligence Platform (AI)

AI-driven analysis replicating expert analyst techniques at machine speed with explainable decisions.

95% Faster Decisions: 15 minutes reduced to 40 seconds
8x Faster Analysis: Accelerated investigation workflows
Contextual Enrichment: Links vulnerabilities and campaigns
Explainable AI: Transparent, auditable decisions

Human reasoning at machine speed

Proactive Cyber Risk Reduction

Continuously adapts defenses based on real-time intelligence and evolving attack patterns.

Shift Left: Move earlier on MITRE ATT&CK chain
Adaptive Defense: Real-time threat intelligence integration
Attack Surface Reduction: Proactive vulnerability mitigation
Impact Metrics: Visible effectiveness tracking

From reactive response to proactive prevention

Incident Management & Response

Centralized incident tracking with automated escalation and remediation guidance.

Severity Prioritization: Risk-based incident ranking
Automated Escalation: Intelligent routing workflows
Remediation Guidance: Step-by-step response actions
Full Context: Complete incident timeline and evidence

Immediate threat mitigation with full context

Threat Hunting

AI-enabled and human-led hunting combining machine-speed detection with expert intuition.

AI + Human: Machine speed with analyst expertise
Proactive Searches: Find threats before incidents occur
Environment-Specific: Tailored to your risk profile
Detailed Findings: Actionable recommendations

Identify threats before they materialize

Multi-Organization Support

Intelligent routing for globally distributed enterprises and complex organizational structures.

Intelligent Routing: Segregation with unified hunting
Global Operations: Support for distributed enterprises
Subsidiary Management: Independent group operations
Unified Protection: No blind spots across environment

Holistic protection eliminating blind spots

Why this matters for RWS: Nexus eliminates the "black box" problem inherent in traditional MDR services. RWS gains complete visibility into every security action taken on their behalf, with AI-powered analysis that delivers 95% faster threat decisions while maintaining full transparency and auditability. This combination of speed, visibility, and expert human oversight translates directly into reduced risk exposure, faster incident containment, and measurable security ROI.

Armor Dash: Unified Executive Visibility

Armor Dash is a revolutionary executive dashboard that solves one of the biggest challenges in enterprise security: managing multiple security vendors with fragmented visibility. For organizations like RWS that operate both SIEM/SOC services and XDR/MDR services, Armor Dash provides a single pane of glass that unifies all security telemetry, GRC platforms, and ITSM workflows into one AI-powered command center.

Unified Vendor Visibility

Consolidate security telemetry from all vendors into a single dashboard, eliminating the need to context-switch between multiple consoles.

Multi-Vendor Integration: SIEM, XDR, EDR, NDR, and cloud security in one view
Real-Time Correlation: Cross-vendor signal correlation for complete attack visibility
Normalized Metrics: Consistent KPIs across disparate security tools
GRC & ITSM Sync: Bi-directional integration with compliance and ticketing systems

One dashboard for complete security posture

Financial Risk Quantification

Translate technical security metrics into business language that executives and board members understand.

Dollar-Value Risk: Quantify cyber risk in financial terms
ROI Visibility: Demonstrate security investment effectiveness
Board-Ready Reports: Executive summaries without technical jargon
Risk Trending: Track risk reduction over time with clear metrics

Bridge the gap between security and business

AI-Powered Plain English Insights

Ask questions about your security posture in natural language and receive instant, actionable answers.

Natural Language Queries: "What are our top risks this week?"
Instant Answers: AI synthesizes data from all connected tools
Contextual Recommendations: Prioritized actions based on your environment
Trend Analysis: Automatic identification of patterns and anomalies

Security intelligence at your fingertips

Real-Time Security Posture

Continuous visibility into your organization's security health with live updates and proactive alerting.

Live Dashboards: Real-time security metrics and KPIs
Posture Scoring: Aggregate security health score across all tools
Compliance Tracking: Continuous compliance monitoring and gap analysis
Proactive Alerts: Early warning for emerging risks and trends

Always-on security awareness

Why Armor Dash matters for RWS: With security operations spanning multiple vendors (SIEM/SOC and XDR/MDR), RWS faces the common enterprise challenge of fragmented visibility. Armor Dash eliminates this challenge by providing a single source of truth that consolidates all security telemetry, translates technical metrics into financial risk language for executives, and enables instant answers through AI-powered natural language queries. This means faster decision-making, clearer ROI demonstration, and complete visibility across your entire security ecosystem.

Armor MDR Team

Armor's Security Operations Center (SOC) combines human expertise with AI-powered capabilities to deliver enterprise-grade threat detection and response. Armor's Singapore-based team includes Security Engineers, Platform Engineers, Detection Engineers, Threat Responders, and Threat Hunters delivering specialized security operations with direct Asia-Pacific regional coverage. This dedicated local presence is backed by a globally distributed organization enabling true 24/7 follow-the-sun operational capabilities. With 15+ years protecting thousands of customers across 40+ countries and diverse industry verticals, Armor's team brings deep understanding of global threat trends and adversarial techniques to RWS's security operations. Comprehensive reporting keeps both technical teams and executive leadership informed through real-time dashboards, weekly operational summaries, and monthly executive reports.

Detection & Platform Engineering

Singapore-based engineers managing detection infrastructure, platform health, and security tool optimization with global follow-the-sun support.

Custom Rule Development: Detection tuning specific to RWS environment and threat landscape
ML/AI Optimization: Machine learning models tuned for multi-stage attack identification
Platform Management: Continuous refinement of SIEM, SOAR, and XDR configurations
Operational Dashboards: Real-time visibility into detection performance, alert volumes, and platform health

Reduces alert fatigue while maximizing threat detection accuracy

Threat Hunting & Intelligence

Proactive security specialists continuously searching for hidden threats, with fresh analysts always on duty across time zones. Hunt summaries document findings and recommendations for every threat hunt conducted.

Hypothesis-Driven Hunting: AI-augmented investigations with 8x faster analysis
Dark Web Monitoring: Tracks threat actor discussions targeting hospitality and gaming
Campaign Correlation: Links indicators across endpoints, identity, and cloud
Global Threat Intelligence: Commercial and proprietary feeds with industry context

Discovers hidden threats before they become costly incidents

Incident Response & Forensics

Rapid containment and expert investigation with clear escalation paths to senior specialists within minutes, regardless of time zone.

AI-Powered Containment: Limits lateral movement within minutes of detection
Collaborative Investigation: Works directly with RWS IT team for coordinated response
Digital Forensics: Evidence preservation, chain of custody, and detailed reconstruction
Remediation Guidance: Step-by-step instructions with post-incident reports documenting root cause and lessons learned

Minimizes business impact through rapid containment and root cause analysis

Vulnerability Management

Expert analysis and prioritization of vulnerability data from Microsoft Defender to guide remediation efforts.

Defender Integration: Leverages Microsoft Defender Vulnerability Management scanning data
Risk-Based Prioritization: Focuses remediation on exploitable, high-impact vulnerabilities
Contextual Analysis: Correlates vulnerabilities with active threat campaigns
Risk Reporting: Prioritized remediation recommendations with exploitability context and risk reduction metrics

Expert prioritization of Microsoft Defender vulnerability insights

Why this matters for RWS: Every hour of undetected threat activity increases breach costs and business disruption. Armor's MDR team delivers 95% faster threat decisions through AI-augmented analysis while human expertise ensures precision for complex attacks. With a Singapore-based team providing regional responsiveness and global 24/7 coverage, RWS gains continuous protection without the $2-4M annual cost of building equivalent in-house capabilities. This translates directly into reduced risk exposure, faster recovery, and measurable security ROI.

Microsoft Security Copilot

Microsoft Security Copilot empowers RWS's internal IT and security staff to operate as effective co-management partners alongside Armor's expert SOC team. By transforming complex security data into natural language insights, Security Copilot bridges the communication gap between Armor's security specialists and RWS's operational staff, enabling more productive collaboration during incident response and strategic planning. Combined with Armor's Intelligence Platform (AIP), which delivers plain-language threat explanations and transparent decision rationale, RWS staff gain consistent, understandable context from both platforms. This enables RWS to understand Armor's recommendations, ask informed questions, and participate meaningfully in security decisions. With 35% productivity gains and the ability to answer security questions 44% more accurately, Security Copilot ensures RWS can fully leverage Armor's expertise while maintaining visibility into their security posture.

Incident Investigation & Summarization

AI-powered incident summaries that help RWS staff understand and follow Armor's investigation findings.

Attack Summarization: Plain-language incident summaries including timeline, assets, and threat actors
Impact Assessment: Clear visibility into scope, affected entities, and indicators of compromise
Root Cause Context: Understand how attacks unfolded from initial access to containment
Natural Language Queries: Ask follow-up questions about incidents Armor is investigating

Enables informed collaboration during active incidents

Script & Malware Analysis

Instant translation of technical malware findings into understandable explanations for non-specialists.

PowerShell Decoding: Understand what malicious scripts are doing without reverse engineering expertise
Threat Attribution: See how Armor links script techniques to known threat actors
IOC Explanation: Comprehend indicators of compromise identified during investigations
Risk Context: Understand severity and business impact of threats Armor detects

Technical findings translated for business decisions

Threat Hunting & Query Generation

Natural language access to security data that enables RWS to explore and validate alongside Armor's hunters.

Conversational Queries: Ask security questions in plain language, receive meaningful answers
Query Explanation: Understand the logic behind searches Armor's team performs
Collaborative Exploration: Investigate specific concerns alongside Armor's threat hunters
Cross-Platform Visibility: See across Defender XDR, Sentinel, and connected data sources

Informed partnership with Armor's expert threat hunters

Autonomous Security Agents

AI agents that accelerate detection and triage, enabling Armor's analysts to focus on complex threats.

Phishing Triage Agent: Pre-filters email threats, surfacing confirmed risks for Armor review
Conditional Access Agent: Identifies Zero Trust policy gaps for Armor's recommendations
Threat Intelligence Briefing: Proactively surfaces emerging threats for Armor's assessment
Custom Workflows: Armor configures agents aligned to RWS's operational environment

AI handles volume so Armor's experts focus on what matters

Why this matters for RWS: Security Copilot transforms RWS from a passive consumer of managed security services into an informed, empowered co-management partner. Internal staff can investigate incidents, validate Armor recommendations, and make informed decisions without years of specialized training. This builds institutional security knowledge over time, reduces single-vendor dependency, and ensures RWS leadership can make confident decisions during critical incidents while retaining full operational visibility and control.

Proposed Trainings

To ensure RWS teams can effectively operate, maintain, and leverage the security platform, we propose the following role-based training program:

RWS Trainers / End-Users

Use the system efficiently and effectively

1 Workshop

Learning Outcomes

Understand what MDE does on their device and why
Recognize Defender notifications/blocks and what action to take
Practice safe browsing/email habits; report suspicious activity quickly
Know self-help steps and when to contact Helpdesk

Agenda

What MDE is and how it protects you
What you'll see: Windows Security app, notifications, quarantines
Safe behavior: links, attachments, USB, macros, and PUA
If something is blocked: how to proceed, request allow, escalate
How to report suspicious activity (portal/email/Teams form)
Privacy & performance FAQs, Q&A

RWS Security Team

Maintain and support the system; configure and diagnose issues

3 Workshops

Learning Outcomes

Understand Armor Nexus portal and the various benefits it offers
Write/run starter KQL queries; use Advanced Hunting safely
Tune policies (ASR, Network Protection, indicators, exclusions) to reduce noise
Track TVM exposure and run remediation campaigns
Review reports from Armor Nexus

Agenda

Nexus Portal tour: Incidents, Alerts, ticketing, reports, support etc.
Incident handling: evidence & entities, timeline, etc.
Live Response on XDR: safe basics, what to do/avoid, audit trail
Hunting: KQL starter pack & pivots
Automated Investigation & Remediation (AIR): settings and SOPs
Policy tuning: ASR rules, Network Protection, Indicators & exclusions
TVM: exposure score, recommendations, remediation tasks
Reporting & dashboards; handover/runbooks

IT Infrastructure Operations Team

Maintain hardware, OS, backup/recovery, and administration

1 Workshop

Learning Outcomes

Onboard and keep endpoints healthy at scale (Intune/ConfigMgr/GPO)
Ensure service connectivity (proxy/SSL inspection/URLs) and update channels
Maintain Defender AV platform/definitions; understand sensor health signals
Implement change/rollback, recovery steps for impacted devices
Back up and version control configuration (Intune policies, GPO), track drift

Agenda

Architecture & dependencies (cloud service, client sensor, supported OS)
Onboarding methods: Intune/ConfigMgr/GPO
Updates: Defender platform/engine/definitions; Windows Update rings
Health & performance: sensor status, remediation, exclusions hygiene
Backup & recovery: exporting policies, rollback plans, break-glass procedures
Monitoring: device coverage dashboards, alerting on unhealthy sensors

IT ID Administration Team

Maintain account lifecycle and identity governance

1 Workshop

Learning Outcomes

Map Entra ID roles to XDR RBAC (least privilege) and manage access lifecycle
Assign/track licensing to device owners
Enforce Conditional Access for security portal access and enable PIM/JIT
Govern device groups/tags via AAD/Intune groups; audit and report access changes

Agenda

Identity & access model: MDE RBAC vs Entra ID roles
Access provisioning: groups, role assignments, PIM/JIT, break-glass
Conditional Access for security portals; MFA requirements
Licensing: assignment & reconciliation across users/devices
Device groups & tags governance, lifecycle workflows
Audit & compliance: access reviews, logs, alerts on privileged changes

6 Total Workshops

4 User Groups

Role-Based Curriculum

Hands-On Approach

6. Managed Extended Detection and Response (MXDR)

Scope of Services

Armor delivers comprehensive MXDR services including:

24/7 Monitoring: Continuous security event monitoring and analysis
Investigation: Expert-led threat investigation and correlation
Response: Rapid containment and remediation actions
Threat Hunting: Proactive searches for hidden threats

Operating Model

24x7x365 operations with Singapore-based L2/L3 analysts providing local expertise, supported by global follow-the-sun coverage for continuous protection.

Use Case Development Methodology

Our use case lifecycle ensures detection capabilities remain effective:

Design: Threat modeling and use case definition based on RWS's environment
Testing: Validation in staging environments
Tuning: Optimization to reduce false positives
Validation: Ongoing effectiveness verification

Coverage Areas

Compliance monitoring and reporting
Threat detection across endpoints, identity, email, and cloud
Insider threat detection
Continuous improvement through feedback loops

Service Levels and KPIs

Armor's service commitments are designed to ensure rapid threat containment and continuous security effectiveness. These contractual SLAs and measurable KPIs provide RWS with clear accountability, transparent performance tracking, and the confidence that security incidents will be addressed with the urgency they demand.

Response Time SLAs

Armor classifies all security events by severity and commits to defined response and update timelines for each level. These SLAs ensure that critical threats receive immediate attention while maintaining structured workflows for lower-priority events.

Severity	Definition	Initial Response	Update Frequency
Critical	Active breach, ransomware, critical system compromise	15 minutes	Every 30 minutes
High	Confirmed malware, lateral movement, data exfiltration attempt	30 minutes	Every 2 hours
Medium	Suspicious activity requiring investigation	2 hours	Every 4 hours
Low	Policy violations, informational alerts	8 hours	Daily

Key Performance Indicators

Beyond response times, Armor tracks operational KPIs that measure the overall effectiveness and reliability of our security operations.

KPI	Target	Measurement
Mean Time to Detect (MTTD)	< 5 minutes	Time from event occurrence to alert generation
Mean Time to Respond (MTTR)	< 30 minutes	Time from alert to containment action
False Positive Rate	< 10%	Percentage of alerts determined to be benign
SLA Compliance	99.5%	Percentage of incidents meeting response SLAs
Platform Availability	99.9%	Armor Nexus platform uptime

Annual Support Hours

Armor Defense allocates 120 hours annually for additional service requests beyond standard MXDR operations, including:

Architectural modifications and system enhancements
Onboarding of custom log sources
Security consultancy and advisory services
Development of complex or customized use cases
Firmware or software upgrade support

Unused hours may roll over to the next contract year, up to a maximum cumulative cap of 240 hours.

Alternative Professional Services

Alternatively, Armor provides RWS the option to utilise the hours for Professional Services:

Strategic Advisory: Development of long-term security strategies, roadmaps, and frameworks (e.g., NIST, ISO 27001)
Governance, Risk, and Compliance (GRC): Guidance and support for regulatory requirements and compliance frameworks
AI Security Services: Advisory and implementation support for securing AI-driven environments
Security Awareness Training: Programs designed to enhance organizational security culture and reduce human risk
Cybersecurity Tabletop Exercises: Simulated incident response scenarios to test and improve preparedness

The scope of these services will be mutually defined and agreed upon. Armor reserves the right to approve the proposed professional service or, alternatively, carry forward any unused hours.

Why this matters for RWS: These commitments establish clear accountability for security outcomes. Rather than simply providing tools and hoping for the best, Armor contractually commits to detection speed, response times, and operational reliability. RWS gains a partner measured by results, with transparent performance tracking that ensures security investments deliver tangible protection.

Security Maturity Roadmap

Your journey to security excellence - a structured 3-year transformation that evolves RWS from foundational protection to predictive, AI-driven security operations.

Start

Year 1

Year 2

Year 3+

Year 1

Foundation

Establish & Protect

Key Activities

Service Onboarding
EDR Platform Deployment
Risk & Maturity Assessment
Asset Discovery & Classification
Log Source Onboarding
Use Case Development
SOAR Playbook Development
Basic Threat Modelling

Outcomes

24x7 Monitoring Security Hardening Tuned Rules Contextualized Alerts SOAR Playbooks

Maturity Level

Year 2

Expansion

Extend & Optimize

Key Activities

XDR Platform Expansion
Additional Log Onboarding
Advanced Use Case Development
Cloud Security Posture Management
Security for AI
Signal Fidelity Optimization
Advanced SOAR Automation

Outcomes

Reduced Attack Surface XDR Optimized OT Monitoring Faster Remediation

Maturity Level

Year 3+

Acceleration

Predict & Lead

Key Activities

Unified Visibility Platform
Service Expansion for Business Needs
Predictive Analytics & Insights
AI-Enabled Continuous Optimization
Zero Trust Aligned Visibility

Outcomes

Enhanced Visibility Minimized Attack Surface Scalable Services Zero Trust Aligned

Maturity Level

Continuous Evolution, Measurable Progress

This roadmap isn't just a plan - it's a commitment to measurable security improvement. Each phase builds upon the last, with clear milestones and outcomes that demonstrate tangible progress in RWS's security posture. Quarterly business reviews will track advancement against these objectives, ensuring alignment with both security goals and business priorities.

7. Detection and Response Capabilities (Deep Dive)

Armor's detection and response methodology defines how threats are identified, investigated, and neutralized across RWS's environment. This section details the operational processes and technologies that enable rapid, effective response. Our layered approach combines Microsoft Defender XDR's native capabilities with Armor Nexus's AI-powered enrichment and 15+ years of threat intelligence, ensuring threats are identified across the full attack lifecycle and contained before causing business impact.

Detection Methodology

Signature-based Detection: Known malware signatures, attack patterns, and IOCs from global threat feeds. Continuously updated rule sets from Microsoft and Armor proprietary intelligence.
Behavioral Analytics: AI-powered anomaly detection tuned for hospitality and gaming environments. UEBA identifies insider threats and compromised accounts through baseline deviation analysis. ML models detect credential abuse, lateral movement, and data exfiltration patterns.
Threat Intelligence Integration: Commercial feeds, proprietary Armor intelligence from 15+ years of operations, dark web monitoring for RWS brand and credential exposure, and industry-specific IOC correlation for hospitality and gaming threats.
Custom Rules Development: RWS-specific detection scenarios developed by Armor's Detection Engineers. Rules tailored to your business applications, casino systems, and regulatory requirements. Monthly rule tuning based on false positive analysis and emerging threats.

Investigation & Correlation

AI-Augmented Triage: Armor Nexus AI delivers 8x faster analysis with automated enrichment. Machine learning confidence scoring prioritizes alerts by severity and business impact. Automated IOC enrichment from 50+ threat intelligence sources.
Cross-Platform Correlation: Links indicators across endpoints, identity, email, and cloud via Microsoft Defender XDR unified incident view. Attack chain visualization maps lateral movement and privilege escalation. Timeline reconstruction shows complete attack progression.
Collaborative Investigation: Armor analysts work directly with RWS IT through shared Nexus dashboards. Real-time investigation notes and evidence sharing. Escalation workflows integrated with your communication channels.
Root Cause Analysis: Comprehensive threat timeline reconstruction with attack chain documentation. Identification of initial access vectors, persistence mechanisms, and impact scope. Actionable recommendations to prevent recurrence.

Response Automation & Playbooks

AI-Powered Containment: Automated response limits lateral movement within minutes. Pre-approved containment actions execute immediately: endpoint isolation, account suspension, network segmentation. Human-in-the-loop escalation for business-critical systems.
RWS-Specific Playbooks: Custom response procedures aligned with your change management and regulatory requirements. Playbooks for ransomware, BEC, insider threat, and PCI-DSS compliance incidents. Runbooks documented and tested during onboarding.
Tiered Response Model: Level 1: Automated containment (endpoint isolation, block malicious IPs). Level 2: Analyst-driven response (credential reset, system quarantine). Level 3: Escalation to RWS IT for business decisions. Clear SLAs and escalation paths for each tier.
SOAR Integration: Microsoft Sentinel playbooks orchestrate response across Defender XDR, Azure AD, and your ITSM. Automated ticket creation, notification workflows, and evidence collection. Integration with ServiceNow/Jira for seamless incident tracking.

Incident Response Workflow

The following diagram illustrates the end-to-end incident response workflow, showing how alerts flow through investigation, containment, eradication, and recovery phases. Automation via Microsoft Sentinel SOAR accelerates response while maintaining appropriate human oversight for critical decisions.

Pre-Approved Response Actions

The following represents our minimum recommended pre-approved containment actions to enable rapid response. Armor maintains a library of additional response actions and can implement customized pre-approved actions tailored to RWS's operational requirements and risk tolerance.

Action	Trigger	Impact
Isolate Endpoint	Confirmed malware execution	Device isolated from network, user notified
Disable User Account	Confirmed account compromise	Account disabled, sessions terminated
Block Hash/Domain	Confirmed malicious indicator	IOC blocked across environment
Force Password Reset	Credential theft detected	User required to reset password

Why this matters for RWS: Every minute between detection and containment increases breach costs and business disruption. Armor's methodology delivers sub-5-minute mean time to detect and containment within minutes of confirmation through AI-powered automation backed by human expertise. Pre-approved response actions eliminate decision delays during critical incidents, while collaborative investigation ensures RWS maintains visibility and control throughout. This combination of speed, precision, and transparency translates directly into reduced downtime, limited blast radius, and faster return to normal operations.

8. Compliance with Tender Specifications

This section maps our solution to the specific requirements outlined in RWS-IT-RFQ-118.

Statement of Compliance

A detailed compliance matrix has been prepared mapping each requirement from the RWS Scope of Work (Appendix B1) to our proposed solution.

View Full Compliance Matrix

Deviations & Exceptions

Exception 1: Platform Service Level Objectives (SLOs)

Deviation:

Armor Defense does not guarantee Service Level Objectives (SLOs) for Microsoft Defender XDR platform performance metrics as specified in Section 17.4 of the Scope of Work, including:

Platform availability (≥ 99.9% uptime)
Ingestion latency (≤ 10 seconds average)
Automated action execution (≤ 30 seconds)
Platform false-positive rate (≤ 2% monthly)

Justification:

These platform-level SLOs are governed by Microsoft's Azure service commitments and are outside Armor Defense's direct control. The performance of these metrics depends on Microsoft's cloud infrastructure, data center operations, and platform development decisions.

Mitigation Measures:

Continuous Monitoring: Armor Defense will monitor all platform SLOs using Microsoft health dashboards and custom alerts
Monthly Reporting: Platform performance metrics included in monthly service reports
Microsoft Escalation: Established escalation procedures to Microsoft Premier Support for platform issues
Root Cause Analysis: Investigation and documentation of any platform-related service degradation
Service Credits: For platform-related outages, RWS may pursue service credits directly with Microsoft under their SLA terms
Alternative Response: If platform degradation impacts MXDR service delivery, Armor Defense will implement compensating measures where possible

Armor Defense Guaranteed SLAs:

Armor Defense can comply with service-level SLAs within our direct control, including:

Incident response times (identification, analysis, containment, reporting)
Threat hunting completion times
Reporting delivery schedules
SOC service availability (99.9%+)
Escalation response times

Exception 2: Hardware Maintenance

Deviation:

No hardware maintenance services are included in this proposal.

Justification:

Microsoft Defender XDR is a fully cloud-native SaaS solution requiring no on-premises management servers, or appliances. Only lightweight software agents are deployed on endpoints.

9. Live Demonstration Readiness

Live Demo Ready

Armor is ready to conduct a live demonstration during the tender presentation to showcase our capability readiness.

Available Demo Topics

Agent Deployment and Policy Management

Zero or Minimal Performance Impact During Rollout

Demonstration of Attack Scenarios

Investigation Timeline and Root Cause Analysis

Automated Response Actions

Analyst Workflow from Alert to Remediation

Lateral Movement Simulation and Containment

RWS shall notify Armor at least 2 business days in advance regarding their preferred topic of interest.

10. Appendices

A. Case Studies & References

Client References

Name of Client	Description of Goods & Services Provided	Estimated Value (S$)	Contract Period
Company: A leading government healthcare technology agency Contact Person: Confidential Email/Tel: Confidential	SIEM Deployment with managed security services (SOC) + PS (OS, RA, OSO)	~$1,600,000.00	Jun 2022 - Jun 2025
Company: Integrated healthcare and hospitality group Contact Person: Confidential Email/Tel: Confidential	Defender + SIEM Deployment with managed security services (SOC)	~$299,000.00	August 2022 - August 2027
Company: Colt Data Centre Services, a global data centre and network infrastructure provider Contact Person: Confidential Email/Tel: Confidential	SIEM Deployment with managed services	~$3,800,000.00	January 2020 - January 2028

Armor is happy to facilitate 1:1 meetings with our references upon request.

Public Case Studies

View complete list of Armor case studies →

Disclaimer

This publication contains proprietary information that is protected by copyright. SoftwareOne reserves all rights thereto.
SoftwareOne shall not be liable for possible errors in this document. Liability for damages directly and indirectly associated with the supply or use of this document is excluded as far as legally permissible.
The information presented herein is intended exclusively as a guide offered by SoftwareOne. The publisher's product use rights, agreement terms and conditions and other definitions prevail over the information provided herein. The content must not be copied, reproduced, passed to third parties or used for any other purposes without written permission of SoftwareOne.
Copyright © by SoftwareOne. All Rights Reserved. SoftwareOne is a registered trademark of SoftwareOne. All other trademarks, service marks or trade names appearing herein are the property of their respective owners.

Proposal Access

Resorts World Singapore

1. Executive Summary

Coverage Scope

Base (mandatory)

Optional modules

Implementation Approach and Timeline

Foundation

Rollout

Operations

What RWS Gets

Reduced Business Risk

24/7/365 Singapore-Based SOC

Lower Operational Burden

Extreme Microsoft Security Depth

Rapid Incident Response

AI-Augmented Detection

Stronger Assurance

Phased Delivery

Key Differentiators

No Walled Gardens. Challenging the Industry.

Armor Dash

Armor Nexus

No Black Box

Noise-Free Security

True Partnership

Human-AI Synergy

Compliance Built-In

Custom Playbooks

Bi-directional ITSM Sync

Armor Reactor

Platform Differentiator

Microsoft Security: A Unified Ecosystem vs. Point Solutions

Microsoft Security Ecosystem

Point Solution Approach

2. Company Profile and Credentials

SoftwareOne

SoftwareOne ESG Program

Environmental Initiatives

SoftwareOne Certifications

ISO 14001

ISO/IEC 27001

ISO/IEC 27701

ISO 22301

CSA

Armor

Armor Certifications

ISO 27001

SOC 2 Type II

PCI DSS

HITRUST CSF

Data Privacy Framework

PDPA

GDPR

CSA

Team Certifications

CISSP

CISA

CRISC

GXPN

OSCP

OSCE

OSED

OSEP

OSWE

+ Dozens More

Better Together

SoftwareOne

Armor

3. Understanding of RWS Requirements

Interpretation of RWS Security and Operational Requirements

RWS Security & Operational Requirements

Unified Platform

Unified Threat Visibility

Scale & Environment

SOC/MXDR Operating Model

Expert-Led Response

Operational Integration

Training & Knowledge Transfer

Compliance Alignment