Tender Details
Cyber Security Managed Detection and Response Services
Business Name
Swan Hill Rural City Council
VP Reference #
VP501123
Buyers Reference #
26 13 1011
Opens
Thursday 05 March 2026
(AUS Eastern Standard Time)
Closes
Thursday 02 April 2026 03:00 PM
(AUS Eastern Standard Time)
CLOSED
Supplier query cut-off
Thursday 26 March 2026 03:00 PM
(AUS Eastern Daylight Time)
Expected decision
Thursday 23 April 2026
(AUS Eastern Standard Time)
Buyer Details
Business Name
Swan Hill Rural City Council
Location
45 Splatt St
Swan Hill, Victoria 3585
Australia
WebSite:
https://www.swanhill.vic.gov.au/
Business Info
Swan Hill Rural City Council, "The Heart of the Murray", is a bustling provincial centre just three and a half hours from Melbourne and five and a half hours from Adelaide. The region is renowned for its world class produce, spectacular landscapes and close proximity to the Murray River. Our region runs adjacent to the Murray River for nearly 200 kilometres, encompasses 6,000 square kilometres and is home to 20,000 people.
Contact Details
The buyer has elected to have their personal and contact details hidden. These details will be revealed at the buyer's discretion.
What the buyer is requesting
Details
Swan Hill Rural City Council requires one or more qualified and experienced providers to deliver a Managed Detection and Response (MDR) service, including the supply, deployment and ongoing management of the following key service components:
(1) Managed Endpoint Detection and Response (EDR)
(2) Managed Identity Threat Detection and Response (ITDR)
(3) Active Monitoring Services
(4) Managed Security Information and Event Management (SIEM)
(5) Phishing Simulation Tools & Managed End User Training Solution
Submissions may address the complete MDR service, or selected service components. Council reserves the right to award the contract to one or more suppliers.
Background information / Compatibility requirements
Details
Swan Hill Rural City Council (Council) is a local government area that covers an area of approximately 6,116 square kilometres and is home to around 21,000 people.
Given Council’s service profile and community role, the Council’s information-technology environment holds a variety of sensitive data and supports critical operations across multiple domains: infrastructure, regulatory services, public health and safety, community access services, and business systems. As such, Council is subject to the increasing cyber-threat landscape facing local governments in Australia.
The range of services delivered means Council must ensure high availability, integrity and confidentiality of its systems. A managed detection and response (MDR) service will support the Council in achieving stronger cyber resilience, safeguarding community trust, meeting regulatory obligations (such as under the Victorian Protective Data Security Standards and privacy legislation) and protecting its operational capability.
Desired Outcomes ('Nice to haves', Conditions & Warranties, SLA's, Project benefits)
Details
**Update at 18/03/2026: Tenderers are reminded that all supplier questions and Council's responses are published publicly on the VendorPanel platform. BEFORE you submit your questions, please review the existing Q&As to ensure your question has not already been answered, as repeated questions place an unnecessary administrative burden on this process.
Questions asked by the buyer
Question 1 - [Required]
Please confirm that your organisation meets the minimum insurance requirements specified in Part A2 (The Invitation) at section "3. Evaluation Criteria".
Question 2 - [Required]
Is the proposed solution delivered as a fully managed, cloud-hosted Software-as-a-Service (SaaS) platform?
Question 3 - [Required]
Will all system data be stored and processed within Australian-based data centres? Please confirm the hosting locations and explain how your solution ensures compliance with Australian data sovereignty and privacy regulations.
Supplier lists selected
Lists
IT & Telecomms
Categories selected
Categories
IT & Telecomms
1: Services - Cloud Services
2: Services - Learning Services
3: Services - Risk Management
4: Services - Security Management
Regions of Service
Locations
New South Wales
1: Sydney
South Australia
1: Adelaide
2: Murray Lands
Victoria
1: Loddon
2: Mallee
3: Melbourne
All Regions of Service locations are within Australia.
Information requested by others
06/Mar/2026 12:11 PM
Question
:
1. How many endpoints (desktops/laptops) require EDR coverage?
2. How many physical and virtual servers require EDR coverage?
3. What is the OS breakdown across endpoints and servers (Windows, macOS, Linux)?
4. How many total user accounts exist in the directory, including service accounts?
5. How many privileged/admin accounts require ITDR monitoring?
6. How many email-enabled users are in scope for phishing simulation and security awareness training?
7. What is the estimated volume of log data generated per day (in GB)?
8. If log volume is unknown, can Council provide a list of all log sources and device counts (firewalls, switches, servers, applications, cloud services) that would feed into the SIEM?
9. What is the required log retention period?
10. How many network devices (firewalls, switches, routers, access points) require monitoring?
11. How many cloud tenancies/subscriptions are in scope, and on which platform (Azure, AWS, GCP)?
12. How many physical sites require monitoring coverage?
13. What directory service is in use (on-premises Active Directory, Microsoft Entra ID, hybrid)?
14. What email platform is in use (Microsoft 365, Google Workspace, on-premises Exchange)?
15. What firewall vendor/model is deployed?
16. Is there an existing EDR, SIEM or security monitoring tool that will need to be replaced or run in parallel during transition?
Answered on 10/Mar/2026 03:09 PM
:
1. How many endpoints (desktops/laptops) require EDR coverage?
240
2. How many physical and virtual servers require EDR coverage?
27
3. What is the OS breakdown across endpoints and servers (Windows, macOS, Linux)?
All Windows on desktops, 20 Linux Servers, 7 Windows Servers
4. How many total user accounts exist in the directory, including service accounts?
300
5. How many privileged/admin accounts require ITDR monitoring?
7
6. How many email-enabled users are in scope for phishing simulation and security awareness training?
265
7. What is the estimated volume of log data generated per day (in GB)?
Unknown
8. If log volume is unknown, can Council provide a list of all log sources and device counts (firewalls, switches, servers, applications, cloud services) that would feed into the SIEM?
22 Firewalls
27 Servers
Cloud Services:
Civica
RecordPoint
Pulse
Greenlight
Asset Vision
Teams
9. What is the required log retention period?
30 Days
10. How many network devices (firewalls, switches, routers, access points) require monitoring?
22 firewalls, 58 WAPS
11. How many cloud tenancies/subscriptions are in scope, and on which platform (Azure, AWS, GCP)?
1 Azure
12. How many physical sites require monitoring coverage?
22
13. What directory service is in use (on-premises Active Directory, Microsoft Entra ID, hybrid)?
Hybrid
14. What email platform is in use (Microsoft 365, Google Workspace, on-premises Exchange)?
Microsoft 365
15. What firewall vendor/model is deployed?
Unifi UDM Pro Max
16. Is there an existing EDR, SIEM or security monitoring tool that will need to be replaced or run in parallel during transition?
Huntress
09/Mar/2026 12:25 PM
Question
:
What is the sum and breakdown of endpoints requiring protection? e.g. Laptops, workstations, mobile devices, servers etc
What support is available for deployment and configuration with Council's systems?
Are there any current solutions in place? if so - what are they (for each deliverable)?
what platform is used for IAM?
Answered on 10/Mar/2026 03:15 PM
:
240 workstations, 27 servers
Intune and NinjaOne
Huntress/Defender
Entra
09/Mar/2026 01:22 PM
Question
:
Across the scope of work both on-premise and cloud IAAS, how many workstations and servers do you have?
Do not require network assets count, only workstations (Win,MacOS, Linux) and server (Win, MacOs, Linux).
Answered on 10/Mar/2026 03:10 PM
:
240 Windows
20 Linux servers
7 Windows Servers
09/Mar/2026 03:35 PM
Question
:
Does the council have existing toolsets for endpoint detection and response, SIEM and end user training?
Does council have a preference for toolsets for endpoint detection and response, SIEM and end user training?
For purposes of providing accurate pricing, can council please provide an accurate total number of endpoints (laptops/desktops AND servers to be covered under this MDR agreement) AND also total number of end users?
Can council provide an estimate of expected average log ingestion in GB into the SIEM per day?
Answered on 10/Mar/2026 03:12 PM
:
Huntress
No
240 Workstations, 27 Servers
Unknown
10/Mar/2026 10:28 AM
Question
:
Dear Swan Hill Council, thank you for the opportunity to respond to this requirement. Can you please advise the following details:
1. Rough number of workstations (laptops, desktops, end user computing devices) in the environment
2. Rough number of servers - both on-premises and in any cloud environment
3. Rough number of containers and container hosts (if any)
4. Rough number of users in Active Directory and/or Entra ID and/or number of mailbox users in M365
Answered on 10/Mar/2026 03:13 PM
:
1. 240
2. 27
3. Nil
4. 265 / 374
10/Mar/2026 12:22 PM
Question
:
Hi team,
Could you please confirm the below:
Number of users
Number of endpoints - Infrastructure - Cloud vs on-Prem. Number of VM's
Total Data ingestion per day (in GB) for the MDR services
Number of sites
Answered on 10/Mar/2026 02:14 PM
:
Number of users: 267
Number of endpoints - Infrastructure - Cloud vs on-Prem. Number of VM's
Desktop/Laptop: 220
Server (cloud and on-prem): 27. all on-prem at the moment but migration to Azure cloud over the next 2 months
Total Data ingestion per day (in GB) for the MDR services 2516GB
Number of sites: One Tenancy (365) - Physical sites (21)
10/Mar/2026 02:44 PM
Question
:
Hi Swan Hill Council, many thanks for your response can I please just confirm two more items:
1. You said you consume 2516Gb per day into the MDR service - do you mean 2.5Tb per day? That seems very high and unusual. Can you please confirm?
2. How long do you need to store data in the SIEM/MDR service for? Do you have a specific retention requirement?
Answered on 11/Mar/2026 01:41 PM
:
Sorry, if you are asking about log files this is an unknown at this time
For retention I would expect 3-6 months for operational and 18-24 for critical events
10/Mar/2026 03:15 PM
Question
:
Can you confirm what Microsoft Licenses you have internally. Just curious to see if we can use Microsoft Defender as the EDR without additional costs.
Any core application or SaaS applications that you require monitoring?
Answered on 11/Mar/2026 01:47 PM
:
205 E5, 65 F3
Civica
Pulse
Greenlight
10/Mar/2026 03:26 PM
Question
:
In the RFT Form, Page 16, clause 5.6 "The Vendor supports multiple languages and accessibility standards within the training platform." - which languages are required (i.e. the list of minimum required languages and list of all preferable languages)?
Answered on 17/Mar/2026 09:56 AM
:
The only required language is English
10/Mar/2026 04:31 PM
Question
:
- Is council open to changing EDR tools?
- Is the assumption that the successful party will perform all configuration/setup required or will Council's internal IT team want to take care of some/all with guidance from the successful party?
- Who will be responsible for the setup, configuration and onboarding and offboarding of devices?
- Will internal council teams have any interest or capacity for responses? e.g. priority 1 or 2 items?
- Is council open to 24x7x365 monitoring being performed offshore?
Answered on 11/Mar/2026 02:34 PM
:
We are looking at options for EDR
Configuration will be up to the successful party with internal IT providing deployment
Internal IT can assist in onboarding/offboarding
Yes to priority responses
Monitoring should be onshore
11/Mar/2026 07:32 AM
Question
:
Hi team,
could you please advise on below?
1) How many Domain Controllers in use?
2) Microsoft licensing construct with quantity - E3, BP, E5, etc.
3) Is Defender running on Servers?
4) Is there a Security Awareness Training (SAT) currently in use? If so, please mention
5) How many SAT campaigns is the council expecting to run during the year?
6) Is there a web proxy in place? If so, please mention
Answered on 26/Mar/2026 08:34 AM
:
1. 3
2. F3 - 60, E5 - 202, BB- 8, F1 - 5
3. Windows Only, linux servers currently not running
4 & 5. Phishing Training, Once a quarter
6. No
11/Mar/2026 02:28 PM
Question
:
To ensure we scope the managed SOC / MDR service accurately, could you please provide a high-level breakdown of the following environment components?
• Number of user endpoints (Windows/macOS/Linux laptops and desktops)
• Number of servers (Windows or Linux, on-premise or cloud hosted)
• Approximate number of network security devices (e.g. firewalls, VPNs, wireless controllers)
• Total user count across the organisation
• Identity platforms in use (e.g. Active Directory / Azure AD)
• Cloud platforms in use (e.g. Azure, AWS)
• Any existing security tools currently deployed that may integrate with the monitoring platform
This will allow us to scope the monitoring coverage and pricing model appropriately.
Thanks.
Answered on 26/Mar/2026 08:38 AM
:
These have been answered in previous responses:
• Number of user endpoints (Windows/macOS/Linux laptops and desktops)
• Number of servers (Windows or Linux, on-premise or cloud hosted)
• Approximate number of network security devices (e.g. firewalls, VPNs, wireless controllers)
• Total user count across the organisation
Identity Platforms: Active Directory, Entra ID, Azure AD
Cloud Platforms: Azure and AWS
Existing Security: Microsoft Defender
11/Mar/2026 04:33 PM
Question
:
Can Council confirm whether the current Huntress solution fully meets its MDR and EDR requirements and if not, what capability or gaps is Council seeking to address through this procurement?
Also, would Council consider an alternative solution that offers enhanced functionality or maturity, even where this represents a higher price point?
Answered on 16/Mar/2026 03:16 PM
:
Can Council confirm whether the current Huntress solution fully meets its MDR and EDR requirements and if not, what capability or gaps is Council seeking to address through this procurement?
Yes
Also, would Council consider an alternative solution that offers enhanced functionality or maturity, even where this represents a higher price point?
It would be considered in relation to other tenders
11/Mar/2026 05:43 PM
Question
:
Where you've mentioned 'Monitoring should be onshore'. Can you please confirm whether that is a mandatory requirement? Or just preferred?
Answered on 16/Mar/2026 03:17 PM
:
Data should not be moved offshore as this is a regulatory requirement
12/Mar/2026 07:04 AM
Question
:
SIEM solution and data resides on AI, analysts based outside AU. Is this in compliance?
If the SIEM solution and its data are hosted on Azure and in AU and the analysts are located outside Australia, is this setup compliant?
Answered on 16/Mar/2026 03:18 PM
:
Data sovereignty needs to be maintained
12/Mar/2026 12:39 PM
Question
:
Please advise re below:
1. Number of network devices required to be monitored and list type of device (firewall, router, switch)
2. Do you have Defender licenses for your Linux Servers?
3. You mentioned monitoring “should” be onshore. Will submitting an offering that uses the “follow the sun” 24x7x365 monitoring be reviewed or accepted?
Thanks
Answered on 26/Mar/2026 08:35 AM
:
This has already been answered in another response
13/Mar/2026 11:36 AM
Question
:
Can you confirm that briefing session(s) are not planned for this request? Section A2 of Invitation (page 4) states on Item 9 that "No briefing sessions are planned for this invitation". Yet in A3, section 2 Communication, 2.2 Briefing Session (page 8) references "Item 10 of A2" and states "Briefing Session will be held at location(s), time(s) specified in Item 10 of Part A2". Assumption is since Item 10 is absent, this is an error. Please confirm. Thank you
Answered on 16/Mar/2026 03:26 PM
:
We will do a session with short listed solutions
16/Mar/2026 03:32 PM
Question
:
Can you please advise when we can expect a response to the question we posted on 12th March.
Repeated here:
Please advise re below: 1. Number of network devices required to be monitored and list type of device (firewall, router, switch) 2. Do you have Defender licenses for your Linux Servers? 3. You mentioned monitoring “should” be onshore. Will submitting an offering that uses the “follow the sun” 24x7x365 monitoring be reviewed or accepted? Thanks
Answered on 17/Mar/2026 09:33 AM
:
1. 22
2. not at this time but will probably be reviewed
3. Follow the sun option will be reviewed and compared against other tenders for viability of options
16/Mar/2026 08:40 PM
Question
:
Would Council accept a proposal where the supplier provides MDR monitoring services only, integrating with Council’s existing EDR and security tools?
Answered on 17/Mar/2026 09:34 AM
:
Yes
17/Mar/2026 10:36 AM
Question
:
What Microsoft Defender products are currently configured and deployed (e.g. Defender for Endpoint, Defender for Cloud/Server, Defender for Identity, Defender for Office 365, Defender for Cloud Apps)?
Answered on 26/Mar/2026 08:35 AM
:
Defender for Endpoint
17/Mar/2026 10:54 AM
Question
:
1. Could you please confirm the number of active internet links currently in use by Council, and the average traffic rate across these links during business hours, expressed in Mbps?
2. As information relating to the daily raw data ingestion rate is not currently available, would Council be open to either a usage-based pricing model in lieu of a fixed-price quote, or a proposal based on an estimated daily ingestion rate, with additional charges applicable where actual usage exceeds the estimate?
Answered on 26/Mar/2026 09:44 AM
:
Currently Using 24 Active internet links
1. Site at 45Mbs, 6 sites at 3-6Mbs, remainder at sub 200kbs
2. Usage based pricing or base line charge with usage exceptions is fine
18/Mar/2026 10:00 AM
Question
:
Hi there, please could you kindly respond to our question posted on 11 March. Listed again below:
Please confirm:
Number of user endpoints (Windows/macOS/Linux laptops and desktops)
Number of servers (Windows or Linux, on-premise or cloud hosted)
Approximate number of network security devices (e.g. firewalls, VPNs, wireless controllers)
Answered on 26/Mar/2026 09:47 AM
:
Number of user endpoints 240
Number of servers Current 42 on prem but are moving to azure and doing significant work to consolidate or remove servers
Approximate number of network security devices (e.g. firewalls, VPNs, wireless controllers) 22
18/Mar/2026 03:45 PM
Question
:
Hi:
Are you looking for a fully managed, end-to-end external solution, or would you prefer to maximise your existing E5 licence by consolidating and optimising capabilities within your current tenancy?
Answered on 20/Mar/2026 01:01 PM
:
Maximising our E5 licences would have cost benefits
19/Mar/2026 03:01 PM
Question
:
1. You mentioned that you have 22 network devices. Can you please share the details of these devices? We would require:
a. Device Type: Switch/Router/Firewall
b. Make:
c. Model
These details will help us accurately estimate log size for ingestion
2. Does the council have a preference of SIEM? (MS Sentinel?)
Answered on 20/Mar/2026 01:00 PM
:
We are currently running Ubiquiti UDM Pros and although we don't have a preference for the SIEM we can see how MS Sentinel would tie in nicely if Defender is the EDR solution
19/Mar/2026 05:37 PM
Question
:
Schedule 12 - KPI's states:
"Compliance and security standards: Compliance with VPDSS, Essential 8 and ISO27001 - Full Compliance"
Please explain what is meant by this KPI:
Do you require vendors to hold certifications/attestations for each framework?
If no, which do you require?
For E8, which maturity level do you require?
Is this a request to ensure that Council complies with these frameworks?
Which frameworks/certifications does Council currently hold?
If council doesn't hold one of these certifications, is it a requirement of this tender to assist council with obtaining them?
Answered on 20/Mar/2026 12:58 PM
:
We are moving to achieve compliance with Essential 8 Level One this year and Level 2 in the next. It is not part of vendor requirement to assist in us meeting these requirements just to provide tools as per the requirements section
20/Mar/2026 01:03 PM
Question
:
For Service Component 5 (Phishing Simulation Tools and Managed End User Training), could you please confirm the approximate number of staff/employees who would be in scope for phishing simulation and security awareness training?
For Service Component 4 (Managed SIEM), could you please provide a list of the key log sources you would expect to be ingested (e.g. firewall, email gateway, cloud platforms, identity provider)?
For Service Component 2 (Managed ITDR), could you confirm whether you operate on-premise Active Directory, Azure AD/Entra ID, or a hybrid of both?
Are there any existing security monitoring, EDR, or SIEM tools currently deployed that the successful vendor would need to transition from or integrate with?
Answered on 26/Mar/2026 08:41 AM
:
Component 5: 265
Component 4: Firewalls (22 units), Entra ID,
Component 2: Hybrid of both
Existing: Currently running Huntress
20/Mar/2026 04:54 PM
Question
:
So to clarify, Swan Hill are open to running Sentinel in its own tenancy and having a vendor monitor/support this?
Answered on 26/Mar/2026 08:42 AM
:
That is correct
24/Mar/2026 06:21 AM
Question
:
Hi,
We would highly appreciate if council can clarify below.
1. Phishing Simulation and Training.
- Approx. number of employees that need to be targeted per simulation and frequency of the simulation (quarterly, half yearly etc)
- Number of lookalike domains to be procured
2. Managed SOC and SIEM.
- Would the council be open to any established platforms (including open-source) for SIEM requirements?
- Can the make and models of the devices be shared at this stage:
- Firewall- 22 Nos- Please confirm all are same model, which is UDM-Pro-Max
- Access Points- Make and model details.
- Access Point Controller- Quantity and model details.
- Virtualisation platform used- Hyper V, VMware, Proxmox etc.
- Are there any additional devices or services that need to be integrated with the SIEM?
- Please confirm if the E5 licenses you have mentioned are M365 E5 and not O365 E5.
- We understand that Microsoft Defender (for EDR) and Microsoft Entra ID (for identity management) may already be in place. If so, can these be integrated with the SIEM instead of introducing new solutions?
- Will the council provide the servers and storage needed to run the SIEM platform - Cloud or on premises?
Answered on 26/Mar/2026 08:47 AM
:
1. 265, quarterly
2. Yes.
Yes same model
Access Points vary from Unifi Nano to Unifi 7 Pro
Access Controllers- UDM Pro Max
Virtualisation VMWare moving to Azure
M365 Licences is correct
SIEM yes
Council can provide but will need specifications to assess cost to organisation for cloud solution
25/Mar/2026 10:26 AM
Question
:
Hi team could you please advise if the following products are deployed (in production)
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Identity
Microsoft Entra ID Protection
Microsoft XDR platform (core correlation engine)
Defender for Office 365 (email security)
Answered on 26/Mar/2026 08:50 AM
:
The only inclusion from the above is within the M365 E5 licensing. We aren't using Defender for Office 365 in that sense, but would like to transition to it as an option
25/Mar/2026 01:37 PM
Question
:
Question sent on 17/Mar/2026
What Microsoft Defender products are currently configured and deployed (e.g. Defender for Endpoint, Defender for Cloud/Server, Defender for Identity, Defender for Office 365, Defender for Cloud Apps)?
Can you please confirm when we can expect to receive the answer to this question?
Answered on 26/Mar/2026 08:50 AM
:
Defender for Endpoint
Updates made to this Request
18/Mar/2026 10:13 AM
**Update at 18/03/2026: Tenderers are reminded that all supplier questions and Council's responses are published publicly on the VendorPanel platform. BEFORE you submit your questions, please review the existing Q&As to ensure your question has not already been answered, as repeated questions place an unnecessary administrative burden on this process.
18/Mar/2026 01:24 PM
Please note: The file titled: "Part A-D_Invitation-to-Supply_V2.pdf" has been deleted and is replaced with:
1. Added: REVISED_Part A-D_Invitation-to-Supply_V2.1.pdf
2. Added: VP501123_Tender Addendum 1.docx
Please consider these attachments when responding.