SIEM as a Service - Managed Detection and Response (MDR) (Azure Sentinel or IBM QRadar)

Our service provides round-the-clock monitoring of your IT Infrastructure to detect, investigate, notify & respond to incidents & potential threats affecting your organization. Using SIEM as a Service, SecurityHQ provides MDR, powered by IBM QRadar & Microsoft Sentinel with real-time log analytics, threat hunting and advanced SOAR technology.


  • 24/7 monitoring and identification of threat detection
  • SLA of 15 minute response for critical incidents
  • Threat Response - 24/7 threat containment and triaging
  • Incident Management & Analytics Platform
  • Weekly security operations meetings, led by Senior Analysts
  • SIEM Technology - Powered by IBM QRadar / Microsoft Sentinel
  • Daily, weekly and monthly reports with granular statistical graphing
  • Business Intelligence Analytics & Visualisation
  • Threat Intelligence - IBM XForce, Virus Total, and more
  • SOAR - For accelerated enrichment, playbooks and threat containment


  • 24/7 Detection of threats powered by IBM QRadar.
  • 24/7 Incident response by GCIH certified incident handlers.
  • Advanced Correlation & ML to detect complex threats
  • Incident Containment & Triage Contain threats via incident playbooks
  • Cloud Native: Azure, AWS, Office365, Oracle Cloud & more.
  • Reduced Cost & Complexity & up/ downscale effortlessly.
  • Improved Speed of detection & response.
  • Bespoke packages & advanced modules.
  • Feel empowered with 300+ Security Analysts on demand.
  • Retailed weekly security reports with granular statistical analysis


£0.05 to £0.10 a device an hour

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

3 7 2 7 0 3 7 8 7 3 9 3 5 2 7


SecurityHQ Chris Cheyne
Telephone: 0203456029

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Security Monitoring for threat detection and incident response for all Software services
Cloud deployment model
Private cloud
Service constraints
Planned maintenance for software upgrades scheduled on Quarterly basis on Thursday UK morning hours for over 30 minutes. This does not affect security log collection. It only affects real-time monitoring during upgrade activity.
System requirements
  • Local host for Event Collector
  • Local host for WinCollect (Windows Event Collector)
  • Site to Site VPN

User support

Email or online ticketing support
Email or online ticketing
Support response times
For existing clients we have response time of 15mins for Security Incidents and Service tickets with P1 severity.

For all other requests we respond within 30mins.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Web Chat is accessible for existing clients. Through our web chat, client can raise service requests for additional information about incident tickets, incident investigation or generate ad-hoc reports.
Web chat accessibility testing
Web chat testing for assistive technology users is yet to be performed.
Onsite support
Yes, at extra cost
Support levels
1. We provide incident response support to all our customers. Critical and major incidents are support by our L3/L4 level Engineers and Minor are supported by L2 Engineers.
2. Additionally, clients can raise service requests with our team for support, ad-hoc reports or any specific queries. Depending on the severity of the service requests, SOC team responds within the SLA period.
3. We also have dedicated Service Delivery Manager (SDM) identified for each customer. He/She is responsible for quality of service, coordination, escalations and to ensure timely delivery of our services to the client.
Support available to third parties

Onboarding and offboarding

Getting started
Dedicated Service Delivery Manager (SDM) is appointed for every customer. SDM will setup a meeting with clients to help them understand the process to get started. This is followed by online training along with sharing user documentation.
Service documentation
Documentation formats
End-of-contract data extraction
Once the contract ends, SOC Team will extract client data and share it with client in password protected file.
End-of-contract process
At the end of the contract, we inform client about the cut-off date and time of the service. Post that we extract client data and share it with client. After this we off-board client from the SIEM platform.

client data extraction and sharing, as well as off-boarding of client log sources is included in pricing.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No difference in services and features.
Service interface
User support accessibility
None or don’t know
Description of service interface
1. Users can subscribe to different types and levels of services once Onboarded on our platform.
2. Every customer is provided with Admin rights to select the type of service and the level of service he/she wants to subscribe to
3. Users can not perform activities such as on-boarding of Log Sources, Use-case additions/modification, Off-boarding of Log Sources, schedule ad-hoc reports
Accessibility standards
None or don’t know
Description of accessibility
Web interface is accessible over the internet.

Following activities are permitted on web interface
1. Create and responding to security incidents raised on our incident management platform - SecurityHQ
2. Create and respond to service requests for ad-hoc incident investigation, reports and specific details to SOC team
3. Run custom SIEM queries any time
4. Create custom dashboard and monitor any time
5. Upload or download scheduled and ad-hoc reports any time
Accessibility testing
Our platform presently does not support WCAG standards. Supporting WCAG standard is on the long term roadmap for our cloud platform.
What users can and can't do using the API
APIs are provided to support integration with client side ticketing system. Using API's following operations can be performed:
1. Fetching details for the ticket
2. Submitting request tickets
3. Modifications to open tickets
4. Fetching reports
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Customisation is possible for count and type of devices to be integrated under MDR service. SecurityHQ's onboarding team will help customer to customise the service as per customer requirement.


Independence of resources
We configure threshold limit for every customer to ensure that there is NO impact, because of sudden resource demand from other clients. Additionally we have dedicated team 24x7 to continuously monitor platform resource utilization to ensure that all clients have sufficient buffer for sudden/spikes in demands.


Service usage metrics
Metrics types
Incident SLA metrics
Service Request SLA metrics
Mean Time to Respond (MTTR)
Service Up-time
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Additionally, data collected is protected from tampering by using hasing function in IBM QRadar. This prevents tampering of data when stored or backed-up.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can raise service request to export data. Exported data will be shared with customer up loading it on the client platform - SHQ Response.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our SLA for SIEM platform is 99%. For any SLA breach, users are compensated by giving equal number of service credits.
Approach to resilience
Available on Request
Outage reporting
All Planned outages are reported by opening a service request with individual customers who gets alerted by emails.

Email alerts are sent immediately for unplanned outages to inform clients about outages. Also update emails are sent every 30 minutes to inform customers about progress, expected ETA and recovery, including root cause analysis (RCA) as applicable.

Identity and authentication

User authentication needed
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Access to management interface and support channels is provided on need-to-know and need-to-do basis. Access to management interface and support channels is provided only through VPN and protected with two-factor authentication. Access to this interface are monitored 24x7 for anomalies by SOC Team.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
DNV GL Business Assurance UK
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Physical and Environmental Controls for our IT Infrastructure hosted in third party Data Center. This is covered by our Data Center provider who are certified by ISO 27001 covering physical and environmental controls.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
We are certified for PCI DSS quarterly ASV scans. No cardholder data is collected, stored, processed or transmitted as part of the SOC operations. We process security event logs which are generated from machines and systems within cardholder data environment (CDE). The security event logs do not include any cardholder data, only system security event data.
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
  • Cyber Essentials.
  • ISO 27701 Certification (In process)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We follow information security policies which are in compliant with ISO27001 standard, SANS CIS Security Guidelines and NIST Cyber Security Framework. Details can be provided on request.

We have identified a dedicated CISO responsible for manage information security at the organization level. CISO reports to Information Security Forum (ISF) which is chaired by COO.

Policy compliance is verified by multiple ways:
1. External Audit - Yearly
2. External ISO27001 Audit - Yearly
3. Internal Audit - Yearly
4. Vulnerability Assessment - monthly
5. Penetration Testing - biannual
6. PCI DSS ASV Scanning - quarterly
7. SOC Monitoring 24x7

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Standardized methods and procedures based on ITIL guidelines are used for efficient and timely handling of all changes to platform components and their configuration. A change request is documented formally on the platform with information such as • Business driver(s) • Impact on business processes, systems and security impact • Change Schedule • Impacted Configuration Items (CI) • Change & Rollback procedure The documented Change Requests are submitted to the Change Advisory Board (CAB) for review. Any security impact due to the change is also assessed and discussed in CAB meeting
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We have a dedicated team responsible for vulnerability management. This team is responsible to schedule multiple security tests such as: 1. Host Discovery scan 2. Authenticated Vulnerability Scan 3. Misconfiguration Scan 4. Policy Compliance 5. Web Application Security Testing 6. Source Code Review. Results of the tests are thoroughly analyzed and shared with the engineering team with proposed remediation. As practice all critical vulnerabilities are fixed within 24 hours and for rest monthly patching cycle is applied. The team keeps tap of all potential threats by looking for alerts on our commercial threat intelligence platform for the technologies we use.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Our infrastructure is protected with industry leading preventive and detective security technologies to detect cyber attacks from external and internal network. We have 24x7 SOC monitoring team with experienced SANS certified cyber incident handler. Our SOC is powered by real-time analytics & IBM QRadar with advanced Correlation & ML to detect complex threats.With documented and full tested incident playbooks & IBM Resilient as SOAR platform, our team can perform detection, analysis & notification of critical cybersecurity incidents within 15 minutes.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Incident management takes a high priority for us, managed exclusively by Security Incident Response Team (SIRT). SIRT Team consists of identified team members from Senior Management, IT, CISO, HR, Legal, Administration and Operations Team. We have pre-defined processes to handle most common incidents and well documented plans to handle major incidents. These are tested at regular intervals by table-top exercise and simulations. Users can report incidents by sending an email to a dedicated SIRT email id or by reporting to CISO of their immediate managers. Incident reports are shared by email to the identified stakeholders and on demand.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Equal opportunity

Equal opportunity

We are only as good as our people. Like a sports team, everyone has a part to play for the match against cybercrime to be won. SecurityHQ is a multinational company. Which means we employ different people, of different nationalities, backgrounds, religions, sexual orientations, abilities, ages, and genders. It is this combination of difference and inclusivity that makes us such a rich and diverse organisation. All employees have equal opportunity to progress and grow. Discrimination and harassment will not be tolerated, or any other behavior which diminishes a person’s integrity and self-esteem.


£0.05 to £0.10 a device an hour
Discount for educational organisations
Free trial available
Description of free trial
We provide a 30 Day Proof of Value trial for our Managed Detection and Response (SIEM as a Service) service.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.