Security Operations- Out of Hours Service

1. Summary of Requirements L&Q intends to procure a hybrid Out‑of‑Hours Security Operations Centre service to operate as an extension of the internal L&Q SOC. The service will provide protective monitoring, triage, and incident response outside of core operating hours. The OOH SOC partner will be responsible for: Continuous monitoring, triage, and incident escalation during defined out‑of‑hours periods. Supporting L&Q's internal SOC with investigations, analysis, and agreed incident response actions. Operating in alignment with L&Q playbooks, processes, and security tooling (including Microsoft Sentinel, Microsoft Defender XDR, and others). Providing structured shift handovers, monthly reporting, and ongoing collaboration with L&Q SOC staff. This work is critical for maintaining security oversight during nights, weekends, and bank holidays, reducing the risk of compromise during periods where internal analysts are unavailable. 2. High‑Level Scope of Services The procurement will cover the following high‑level areas extracted from the previous specification: Service Operating Hours Mon-Fri: 17:00-09:00 Weekends & Bank Holidays: 24/7 coverage Service Performance Expectations Availability: 99.5% across operating hours Incident Acknowledgement & Escalation Times: High: 15 minutes to start incident triage, 75 minutes or end of shift to escalate Medium: 2 hours to start incident triage, 4 hours or end of shift to escalate Low: 5 hours to start incident triage, 8 hours or end of shift to escalate Key Functions Triage of all alarms generated within Microsoft Sentinel/Microsoft Defender XDR. Use of L&Q-provided tooling (Sentinel, Defender family, Azure, email analysis tools). Remote host investigations as required. Triage of reported suspicious/malicious emails. Blocking of malicious IPs on host and/or network (as per playbook direction). Ad‑hoc investigatory support to defined timescales. Incident Response support for security incidents that are detected or reported through channels outside of the SIEM. Detection engineering support in collaboration with the L&Q Group SOC, enhancing existing detections and developing new analytics and rule logic as needed Reporting & Governance Monthly service performance reporting. Written handovers at shift boundaries. Quarterly account management meetings. Documented change‑control processes aligned with L&Q practice. Security & Compliance Requirements Supplier must be headquartered in the UK or EU, or otherwise demonstrate GDPR‑compliant operating arrangements. Analysts must be proficient in Microsoft Sentinel, KQL, Defender product suite. Proven experience delivering SOC services for organisations of similar scale (4,000-5,000 staff).