Description
Lot - 1: FRH Cyber Security Tooling & Managed Services for GWR & AWC
AI-powered managed cybersecurity is essential to counter a threat landscape marked by short attack timelines and sophisticated automated attacks. To address this, the organisation will procure a single integrated 24/7 managed security service covering Email Security, Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM). The solution uses AI-driven automation, machine learning, and a managed SOC model to deliver real-time detection, triage, containment, and recovery across the estate. Automated detection and response reduce alert fatigue, cut mean time to respond (MTTR) and eliminate workflow bottlenecks that inhibit manual or traditional SOC operations. AI-powered response enables machine-speed containment for threats detected anywhere across the network, endpoint, email, and cloud services, while ensuring seamless integration of new and existing tooling.
*- Strategic Objectives
Enhance Threat Detection and Response Capabilities: Use AI-powered analysis and automation across email, endpoints, networks, and cloud environments for real-time detection and disruption of evolving threats, including zero-day attacks and business email compromise. The service provides real-time, data-driven insights and analytics, ensuring high-fidelity detection and response across all monitored domains.
Reduce Dwell Time: AI automation enables rapid correlation and response, reducing dwell time from days to minutes in managed environments by minimising manual analysis lags and increasing accuracy through automated playbooks for containment actions.
Ensure Regulatory Compliance: Continuous monitoring, automated reporting, and audit-grade response documentation support compliance mandates (e.g., GDPR, NIS2) and provide ready evidence for regulatory investigations.
Ensure alignment and certification to industry best practices CSO/IEC 42001 (Artificial Intelligence Management System), ISO/IEC 27001 (Information Security Management System), ISO 22301 (Business Continuity Management System (BCMS)), Cyber Essentials, and Cyber Essentials Plus.
Enable Proactive Defence: The solution supports automated threat hunting and anomaly detection to intervene early in the attack lifecycle, rather than relying solely on alert-based or reactive workflows.
Optimise Resource Allocation: Automated detection and response to significantly reduce time spent dealing with email-based threats, allowing staff to focus on higher-value work.
*- Scope of Services
The organisation seeks a 24/7 fully managed security service covering:
AI-driven Email Security, integrating threat intelligence and auto-remediation (using technologies such as Mimecast and Microsoft Defender).
AI-driven NDR with behaviour analytics, automated response, and cloud app coverage (including M365, leveraging DarkTrace).
AI-driven EDR integrated with SIEM, delivering automated detection, triage, and containment.
AI-driven SIEM with unified log collection, AI-powered correlation, and enrichment from endpoint, network, and email telemetry.
Wide compatibility and integration with common enterprise IaaS, PaaS and SaaS providers.
Automated response and proactive threat hunting are built into the service. AI tunes out false positives in real time. NDR, EDR, and Email Security are orchestrated via SIEM, providing a centralised view and seamless handoff between detection, investigation, and response.
*- Key Benefits
Value for Money: Competitive tendering for integrated AI-driven managed services enables benchmarking, cost optimisation, and elimination of margin losses from operational inefficiency.
Strengthening Security Capability and Outcomes: The solution delivers 24/7 managed detection and response with proven incident investigation, escalation, and rapid containment. Automated triage addresses >90% of alerts, moving human analysts to exception management and threat hunting.
Reducing Operational and Delivery Risk: Relying on automated incident response closes the talent gap, addresses analyst burnout, and places delivery risk with suppliers that maintain AI-enhanced SOC capabilities. SLA-driven performance and machine-speed automated actions are formally contracted.
Improving Governance, Auditability, and Transparency: Automated, AI-driven audit trails ensure end-to-end traceability of every incident, action, and management decision, enabling regulatory reporting and internal audit compliance.
Enabling Scalability and Future Flexibility: AI-driven architecture processes thousands more alerts per day without proportional increases in headcount, supporting scale as business needs and threat volumes evolve.
Supporting Compliance and Regulatory Obligations: The managed SOC operates within recognised frameworks (e.g., ISO 27001, ISO 42001, ISO 22301, Cyber Essentials and UK NIS and GDPR) and supplies compliance reporting and rapid incident response evidence proactively.
Lot - 2
*- Strengthening Security Capability and Outcomes
The scope of this procurement includes the replacement or renewal of several core cybersecurity capabilities, including:
- Internet Security Gateway (ISG): Advanced inspection and protection of web traffic to mitigate malicious and high-risk internet activity
- Zero Trust Network Access (ZTNA): Secure, identity- and context-based remote access, reducing reliance on legacy VPN solutions
- Privileged Access Management (PAM): Control, monitoring, and auditing of privileged identities and access pathways (applicable to Group, Bus and Rail)
- AI Governance and Control: Enforcement of policies governing access to internet-based AI services, SaaS platforms, and APIs to prevent unauthorised usage, data leakage, and compliance breaches
- CASB and Data Loss Prevention (DLP): Protection of sensitive data across sanctioned and unsanctioned SaaS applications (applicable to Avanti West Coast)
The solution must integrate seamlessly with FirstGroup's existing technology and security ecosystem, leveraging artificial intelligence and threat intelligence to enable continuous monitoring, automated policy enforcement, and proactive detection of emerging threats.
*- Reducing Operational and Delivery Risk
FirstGroup requires autonomous response and intelligent technical policy controls to reduce the operational burden on internal IT and security teams and address skills constraints within the organisation.
Suppliers must demonstrate:
- Mature and effective security governance frameworks
- Robust operational controls and service management processes
- Proven capabilities in incident management, access control, and service continuity
Given the critical nature of the systems and data involved, cybersecurity is considered a material enterprise risk, and solutions must be resilient, secure, and aligned with best practices.
*- Improving Governance, Auditability, and Transparency
To ensure consistent assurance across all bidders, shortlisted suppliers will be required to complete the FirstGroup Supplier Information Security Assessment via the RiskXChange platform.
This assessment evaluates supplier maturity across key domains, including:
- SOC assurance and security operations
- IT service management
- Secure software development
- Business continuity and disaster recovery
- Identity and access management
- Data protection and privacy
- DDoS protection and cloud security governance
This approach ensures a high standard of auditability, comparability, and transparency throughout the procurement process.
*- Enabling Scalability and Future Flexibility
The proposed solution must be scalable, adaptable, and future-ready, capable of supporting:
- Evolving business requirements
- Hybrid and distributed working models
- Increasing adoption of cloud services and AI technologies
Automation and AI-driven controls are expected to support a transition from reactive security operations to proactive and preventative security management, including dynamic policy enforcement across web, cloud, and AI service usage.
*- Supporting Compliance and Regulatory Obligations
Suppliers must provide certification with recognised industry standards, including:
- ISO/IEC 27001 (Information Security Management)
- ISO 22301 (Business Continuity Management)
- ISO/IEC 42001 (Artificial Intelligence Management Systems)
- UK NCSC-backed schemes Cyber Essentials and Cyber Essentials Plus
In addition, the solution must support compliance with applicable UK regulations, including:
- UK GDPR and the Data Protection Act, ensuring lawful, secure, and transparent processing of personal data
- UK Network and Information Systems (NIS) Regulations, where applicable, including measures for risk management and incident reporting.
*- Strategic Alignment of Tooling
This procurement supports the delivery of Cyber Security Tooling for First Rail Holdings, including FirstGroup, FirstBus, FirstBus London, London Cable Car, Hull Trains, Lumo Trains, FirstRailLondon, Trams Operations Ltd (TOL), Air Coach, Avanti West Coast, Great Western Railway.
The selected supplier will be responsible for delivering and managing an integrated, end-to-end security capability encompassing:
- Internet access security
- Cloud and AI governance
- Privileged access management
- Zero Trust connectivity
This will improve overall security effectiveness, operational efficiency, organisational resilience, and regulatory compliance across participating operating companies.