SACAA requires a comprehensive, always-on cyber defence capability that provides continuous monitoring, threat detection, investigation, incident response assistance, cyber risk management, and user-awareness upliftment. The service must be delivered entirely through Trend Micro technologies and must utilise SACAA’s existing deployed security stack. The required services must support a Cyber Risk Operations Center (CROC) model that replaces the need for a traditional SOC.

5.1. Monitored environment – critical systems

The service provider must monitor, ingest, analyse, and correlate security telemetry from SACAA’s Azure, cloud, and on-prem environments, including but not limited to:
• API connections
• App services, app service plans, app service environment
• Azure Cosmos DB
• Bastion hosts
• Data Factory (v2)
• Disks and disk encryption sets
• Function apps
• Images
• Key vaults
• Load balancers
• Local network gateways
• Log Analytics workspaces
• Logic apps
• NAT gateway
• Network interfaces
• Network security groups
• Public IP addresses
• Recovery Services vaults
• Restore point collections
• Snapshots
• SQL virtual machines
• Storage accounts
• Virtual machines
• VM scale sets
• Virtual networks
• VPN/network gateways

All telemetry must be ingested into Trend Vision One, which will act as SACAA’s SIEM, analytics engine, SOAR, and investigation platform.

5.2. Service components

5.2.1. Managed detection and response (MDR)

The service provider must deliver Trend Micro Managed XDR (MDR) capabilities, including:

24/7/365 monitoring & detection
• Continuous monitoring across endpoint, server, email, network, identity, and cloud telemetry
• Automated correlation and prioritisation using AI, machine learning, and analytics
• Regular indicators of compromise (IoC) / indicators of attack (IoA) sweeping
• MITRE ATT&CK–aligned detection

Investigation requirements
• Full investigation across all Trend Vision One sensors
• Attack vector identification, lateral movement mapping, dwell time analysis
• Threat expert enrichment and contextualisation

Response requirements
The MDR service must provide response actions including:
• Endpoint isolation
• Process termination
• Memory & process dumps
• Remote shell
• Email quarantine and deletion
• Blocking of malicious URLs, IPs, and file hashes

Threat hunting requirements
The provider must deliver:
• Indicator-based threat hunting
• Behavioural and IoA hunting
• MITRE TTP hunting
• Anomaly and environmental drift detection

Severity & escalation requirements
The service must follow Trend Micro MDR severity definitions:
• Urgent: incident declared, updates every 24 hours
• Critical: notification within 1 hour
• Major: requires correlation and potentially customer clarification
• Minor/informational: logged but not escalated unless required

5.3. Trend Vision One platform administration & management

The service provider must deliver full administrative control and operational governance of SACAA’s Trend Vision One platform, including:
• Daily platform and sensor health checks
• Policy creation, tuning, and configuration management
• Troubleshooting ingestion gaps
• Weekly, monthly, and on-demand reporting
• Creation of up to 10 automated SOAR playbooks annually
• Quarterly posture and strategy reviews

All platform administrative personnel must be located within South Africa.
No third-party SIEM may be integrated or proposed, as Trend Vision One is to be the exclusive SIEM and analytics platform for SACAA.

5.4. Managed risk (CREM)

The provider must operationalise Cyber Risk Exposure Management (CREM), delivering:
• Enterprise-wide cyber risk scoring
• Identification of high-risk devices, users, cloud workloads, ports, and external exposures
• Weekly remediation guidance
• Continuous tracking of posture improvements
• Executive-level risk trend reporting

5.5. Security awareness training

Using SACAA’s Trend Micro training licensing, the provider must deliver:
• Monthly phishing simulations
• Quarterly cyber awareness training modules
• Behaviour-based user risk scoring
• Reporting on completion rates and risk improvement metrics

5.6. Incident response requirements

The service provider must support SACAA’s incident response process, including:
• Incident logging and categorisation
• Incident prioritisation according to SACAA’s priority matrix
• Detailed investigation and evidence collection
• Attack chain reconstruction
• Containment recommendation and coordination with SACAA engineers
• Post-incident lessons learned and improvement feedback

5.7. Priority ratings mapping requirements

SACAA priority    MDR severity
Priority 1        Urgent (incident declared)
Priority 2        Critical (1-hour notification)
Priority 3        Major
Priority 4–5      Minor / informational

5.8. Trend Agentic SIEM & credit requirements

Trend Vision One as SACAA’s SIEM
• No third-party SIEM may be proposed or costed
• All ingestion, correlation, investigation, and reporting must be performed through Trend Vision One

Additional credit requirements
To meet operational and retention demands:
• Additional ingestion credits must be provided for expanded log volume
• Additional retention credits must be provided to meet the requirement of 6-month data retention

6. Evaluation criteria

Bidders will be evaluated in accordance with the Supply Chain Management policies as well as the Preferential Procurement Policy Framework, 2000 (Act No. ) and the Preferential Procurement Regulations of 2022. The evaluation criteria will consist of the following three (3) phases:

6.1. Phase 1 (part 1): Supply Chain Management (SCM) administrative mandatory compliance requirements

Bids received will be verified for completeness and correctness. SACAA reserves the right to accept or reject a bid based on the completeness and correctness of the documentation and information provided. The set of bidding documents must be completed and submitted. (SACAA reserves the right to request information/additional documents if there are any missing from the bidder(s) submission.)

Bidders are to ensure that they submit the following documentation / information with their bid.