The Vendor is required to provide a tenant-resident 24x7x365 Managed Detection and Response (MDR) service, with the City retaining full operational control of the SOC function.
- Centers on endpoint protection and Microsoft-native telemetry, but the architecture should be designed with future expansion in mind — including integration of identity, network, and infrastructure logs to support broader correlation and detection capabilities.
- All telemetry, rules, alerts, playbooks, and configurations for optimal security operations will reside within the tenant to ensure portability and continuity over time.
- Core deliverables shall include, but are not limited to:
• Tier 1 Endpoint Detection and Response (EDR):
o Provide 24x7x365 monitoring, triage, containment, and remediation of endpoint threats using Microsoft Defender and related tools, with clearly defined escalation paths for Tier 2+ incidents. Vendors may propose optional or value-added Tier 2 capabilities, such as advanced investigation, threat hunting, or root cause analysis, as part of their base offering or as separately priced services.
• Tenant-Resident SOC Operations:
o Operate entirely within the City’s Microsoft 365 tenant, ensuring all telemetry, rules, alerts, playbooks, and configurations are accessible to City staff and remain under City ownership.
• Co-Managed Visibility and Access:
o Ensure City cybersecurity personnel have real-time access to the same data, alerts, dashboards, and tools used by the vendor, enabling transparency, collaboration, and operational continuity.
• Detection Engineering and Tuning:
o Develop, implement, and continuously refine detection rules, alert thresholds, and automated response playbooks tailored to the City’s environment and risk profile.
• Incident Response Support and Root Cause Analysis:
o Provide deep-dive incident investigations, including root cause analysis and forensic support, on an as-needed, time-and-materials basis under pre-negotiated rates.
• Operational Reporting and Recommendations:
o Deliver regular reports that go beyond activity metrics to include actionable insights, trends, and recommendations for improving the City’s security posture and internal processes.
• Documentation and Knowledge Transfer:
o Maintain up-to-date documentation of all configurations, rules, playbooks, and procedures. Provide knowledge transfer to City staff to support long-term operational maturity.
- The solution must be designed to ensure transparency, co-management, and long-term sustainability.
- Ongoing Operations and Support Services
• 24x7x365 Monitoring and Response:
o Continuous monitoring, triage, and containment of endpoint threats using Microsoft Defender and Sentinel, with clearly defined escalation paths for Tier 2+ incidents.
• Alert Investigation and Containment:
o Real-time investigation and response to alerts, including device isolation, user suspension, and other containment actions within pre-approved parameters.
• Detection Tuning and Continuous Improvement:
o Ongoing refinement of analytics rules, suppression logic, and automation workflows to reduce false positives and improve detection fidelity.
• Threat Hunting and Proactive Detection:
o Conduct proactive threat hunting using Microsoft-native tools and available telemetry. Collaborate with City staff to identify emerging risks and suspicious activity patterns.
• Support for Departmental Operational Contexts:
o The City’s endpoint environment includes multiple departments with distinct operational requirements, including public safety and other critical services. The vendor shall ensure that all MDR configurations — including onboarding, alert tuning, playbooks, containment actions, and escalation workflows — are appropriately tailored to reflect these varying operational contexts. Vendors must demonstrate the ability to support differentiated response strategies and risk tolerances across departments, and collaborate with City staff to define and maintain these profiles over time.
• Collaboration and Knowledge Sharing:
o Maintain open communication with City cybersecurity staff, including shared access to dashboards, alerts, and playbooks. Support knowledge transfer and co-management practices.
• On-Demand Forensic Support:
o Provide remote or deployable personnel for deep-dive incident investigations and root cause analysis on a time-and-materials basis, under pre-negotiated terms.
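The "Detection Tuning and Continuous Improvement" and "Support for Departmental Operational Contexts" items above describe tenant-resident analytics rules with suppression logic and per-department risk profiles. The query below is an added illustration of one way such a rule could be written in Sentinel's KQL; it is not part of the RFP and not a vendor deliverable. It assumes a Sentinel watchlist with the alias DeptEndpointProfiles (columns DeviceName as the search key, Department, RiskTier, AutoIsolate) that City staff maintain, and the suppressed "ApprovedReportMacro.ps1" workflow is a constructed example of an approved departmental exception.

```kql
// Added example (not from the RFP): Sentinel scheduled analytics rule query that
// flags script interpreters spawned by Office applications on managed endpoints,
// joins each device to a City-maintained departmental profile, and applies
// department-specific suppression and response hints.
//
// Assumptions: a watchlist aliased 'DeptEndpointProfiles' exists in the tenant with
// SearchKey = DeviceName and columns Department, RiskTier, AutoIsolate; DeviceName
// values in the watchlist match the DeviceName column of DeviceProcessEvents.
let profiles = _GetWatchlist('DeptEndpointProfiles')
    | project DeviceName = tostring(SearchKey),
              Department = tostring(Department),
              RiskTier = tostring(RiskTier),          // e.g. "critical" for public safety
              AutoIsolate = tobool(AutoIsolate);      // false where isolation needs human approval
let officeParents = dynamic(["winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"]);
let scriptHosts = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName in~ (officeParents)
| where FileName in~ (scriptHosts)
| join kind=leftouter profiles on DeviceName
| extend Department = coalesce(Department, "Unassigned"),
         RiskTier = coalesce(RiskTier, "standard"),
         AutoIsolate = coalesce(AutoIsolate, false)
// Suppression logic: a documented, approved macro-driven report in one department
// (constructed example). Exceptions live in the tenant alongside the rule, so they
// remain visible to City staff and survive a vendor transition.
| where not(Department == "Finance" and ProcessCommandLine has "ApprovedReportMacro.ps1")
// Differentiated response: severity follows the department's risk tier, and the
// AutoIsolate flag tells the automation playbook whether device isolation is
// pre-approved or must be escalated to a human.
| extend Severity = case(RiskTier == "critical", "High", RiskTier == "elevated", "Medium", "Low"),
         ResponseHint = iff(AutoIsolate, "isolate-device", "escalate-for-approval")
| project Timestamp, DeviceName, Department, RiskTier, Severity, ResponseHint,
          AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```

Keeping the department profile in a watchlist rather than hard-coding it in the rule lets City staff change risk tiers and isolation approval without touching detection logic, and the rule, watchlist and playbook can all be exported with the workspace, which is the portability the tenant-resident requirement is meant to guarantee.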
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: November 17, 2025