Armor Defense Ltd.

Armor Anywhere: Virtual Machine Security Solution

Armor Anywhere is a managed, scalable, virtual machine security solution that protects instances hosted on any infrastructure. Armor Anywhere's OS agent is powered by our Intelligent Security Model and managed by our experienced security operations team (SOC) – providing real-time visibility into your security posture and actionable cyber threat intelligence.


  • Real time anti-virus/malware protection
  • Host intrusion detection
  • Vulnerability scanning - internal network, real time
  • Security event and log management
  • OS file integrity monitoring
  • OS level patch monitoring
  • Security event correlation enhanced by dedicated threat hunting team
  • Security incident response - 2 hours per incident included
  • Single view of your security posture across all environments


  • Universal security management across environments, centralised SOC
  • AWS, Azure, and 3rd party cloud support
  • Management Portal merges visibility to activity and outcomes
  • Best in class technology, designed to work seamlessly across environments
  • Proactively protect, detect and respond in a multi-cloud environment
  • Data monitoring - data constantly monitored and correlated
  • Easily scales to all VM’s in your cloud environment
  • Automated installation with scripts available
  • Analytics enable us to see otherwise hidden trends and activity
  • API’s work with existing platforms, fast integration for established customers


£39.99 to £74.25 per virtual machine per month

  • Free trial available

Service documents

G-Cloud 10


Armor Defense Ltd.

Stephen Gooding


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints Windows requires the following software:
Powershell 3 (for reporting purposes)
.Net 4.0 Framework (for Panopta monitoring agent install)

Linux requires the following dependencies:
System requirements
  • Windows 2008, 2008 R2, 2012, 2012 R2, 2016 (64bit)
  • Ubuntu 14.04, 16.04 (all LTS and 64 bit)
  • RHEL/CentOS 6, RHEL/CentOS 7
  • Amazon Linux 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
  • Windows - minimum 2 cores, 2GB RAM, 3GB disk space
  • Linux - minimum 1 core, 2GB RAM, 3GB disk space
  • Outbound access to Armor management network (multiple ports)
  • Bandwidth between 50-100Kb per minute per agent
  • For Windows, PowerShell 3 and .NET 4.0 must be installed.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Armor provides 24x7 response to tickets with a targeted initial response time of 15 minutes.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 A
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Armor's chat feature is a pop-up window that enables text only chat.
Web chat accessibility testing Unknown.
Onsite support No
Support levels Armor provides 24x7x365 monitoring and event review for all included security services. Events are logged and correlated by Armor's SIEM and tickets are raised for issues requiring customer attention.

In addition to its routine security monitoring and review activities, Armor maintains an Incident Response and Forensics Service that provides for initial forensic investigation as part of the offering. This initial consultation aids in helping to orient and guide a Customer through Indications of Compromise (IOC) and other similar security activities.

IRF Services are intended to be used as an initial response mechanism. Through this Service, Customers can get consultation on what activities may be recommended or required for their business to correct suspected Indications of Compromise (IOCs). Additional measures past the initial offering may include an additional Statement of Work from Armor to execute agreed upon Services, or a referral to an outside partner for additional activity.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started At a high-level, to install Armor Anywhere, including the agent, you must:

Review requirements, specifically the firewall rules
Complete your account signup
Download and install the agent
Test and verify the agent's connection
Configure your AMP notification preferences

Full documentation for each of these steps plus all information regarding Armor Anywhere is available at:
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction This is not applicable to the service as it is a managed security service and does not directly interact with customer data. The only data that Armor retains are the log files collected with the Log Management service. Customers can access all of these logs and download them from our customer portal (AMP) at any time prior to cancellation of their account.
End-of-contract process Upon termination, Armor will de-register the Armor Anywhere agent, delete the account key and close the Armor Management {Portal (AMP) user accounts. The customer is also directed to uninstall the Armor Anywhere agent from all subscribed servers.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 A
Accessibility testing Unknown.
What users can and can't do using the API Full API documentation is available at:

The base URL is
- This endpoint requires TLS 1.2+.
- The API uses standard OAuth authentication.
- If you account requires multi-factor authentication (MFA), you should configure your HTTP client to have a timeout that allows sufficient time to enter the MFA response.

The following categories of functions are available:

- Log into Armor API
- Authentication API Calls
- Infrastructure API Calls
-Network Services API Calls
- Security API Calls
- Support API Calls
- Account Management API calls
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment No
Customisation available No


Independence of resources The Armor Anywhere agent runs on each subscribed server and there is no crossover impact between subscribed servers. The Armor management infrastructure has been built to accommodate the current subscribed base and our projected capacity through the end of 2017. This infrastructure is easily scaled to handle additional capacity and Armor monitors utilization and manages capacity to ensure continuity of service is maintained.


Service usage metrics Yes
Metrics types The AMP portal contains metrics specific to each of the included security services for each subscribed server.
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach This is not applicable to the service as it does not directly interact with customer stored data. The service does collect operating system logs by default, and other customer defined logs optionally, that may contain IP addresses and/or authentication information (email address, user name) that are considered PII under the GDPR. All log data collected by the service can be exported by the customer via the customer portal or via direct API calls.
Data export formats
  • CSV
  • Other
Other data export formats Via Armor's RESTful API
Data import formats Other
Other data import formats This is not applicable to the service.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability There is currently a critical security incident notification SLA for Armor Anywhere. The details of this SLA can be found at: - a summary follows:

Armor guarantees that customers will be notified of a Critical Security Incident within fifteen (15) minutes of Armor’s knowledge of a security incident (“Critical Incident Notification Time” or “CINT”). “CINT” is defined as the time period between Armor identifying a Critical Security Incident and the time stamp associated with Armor’s initial notification to the customer of the Critical Security Incident.

A “Critical Security Incident” occurs when Armor has positively identified a security incident within the scope of the Services that may have a significant impact to the environment protected by Armor. Examples of Critical Security Incidents include, but are not limited to:

• Successful brute force logins
• Detection of threat escalation of root privileges or lateral movement
• Post compromise activity such as outbound remote shell commands, attack tool downloads

Armor will initially notify the customer of a Critical Security Incident via a ticket in the Armor Management Portal. If Armor receives no response, it will use its best efforts to notify customer’s primary point of contact by telephone.
Approach to resilience Armor has included a heartbeat within the Anywhere agent that reports the status of the agent back to the management infrastructure regularly. The management infrastructure has been built based on high availability and redundancy to ensure that it is available. Armor has the ability to implement additional management pods within 4 hours to address additional capacity and/or redundancy needs.
Outage reporting Email alerts are sent out to all customers for all outage events.
Armor also maintains a status page - - that customer can subscribe to. This page contains the current and recent status for all Armor services and will send notification of outage events to subscribers.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels All management level access to the underlying management infrastructure is controlled by secured jump servers that require a second set of credentials plus two factor authentication. All access within the environment is further controlled by Active Directory group permissions.

API access to the customer portal is also authenticated and subject to two factor authentication.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BrightLine
ISO/IEC 27001 accreditation date 4/1/2016
What the ISO/IEC 27001 doesn’t cover A8.3.1
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Accretive Solutions
PCI DSS accreditation date 15/8/2016
What the PCI DSS doesn’t cover All Armor Anywhere services are included.
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards PCI DSS
Information security policies and processes Armor's information security program has been certified against ISO 27001:2013 and our SOA is available upon request.

The security organization is headed by the Head of Security who is a member of the executive management team and includes a CISO (also a member of executive management), a director of compliance and audit and staff.

Our policies are available on an internal web site and all employees attend mandatory annual training where they also acknowledge that they have read and understand their responsibilities under the policies.

Internal audit conducts regular audits of policies and procedures throughout the year in addition to the four external audits that are performed to ensure that the policies and procedures are being followed and remain effective.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes to all components of the service follow an ITIL based change control process that is implemented through an online tool. All changes require a risk assessment and documentation of all potential security issues they pose along with planned mitigations. All changes go through a review and approval process that includes review and approval from InfoSec. Change details include a detailed description of the change, the components impacted, pre and post implementation test plans, success criteria and backout plans.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our dedicated Vulnerability and Threat Management (VTM) team is responsible for identifying and tracking vulnerabilities for all components of our infrastructure and service and for conducting weekly and monthly vulnerability testing. Results are verified and prioritised according to our vulnerability scoring system and distributed to the respective teams for remediation. Remediation is verified via the next scheduled scan.
Patches are applied within 30 days of release. The VTM team, in conjunction with our Threat Intel team reviews inputs from more than 150 external threat feeds and sources.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach All security tools and services are monitored by our SecOps team with all logs and events being forwarded to our SIEM that correlates all data and creates events and alerts that require further investigation. These events and alerts are investigated to determine their validity and to gather all available information regarding the type of event, affected systems/files, potential for compromise and an incident report is generated. Each incident is further worked to its conclusion and fully documented. This activity is performed in near real time with response to incidents occurring beginning immediately upon discovery.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Armor has a fully documented IRP that conforms to the requirements of a number of standards including ISO 27001, SSAE 16, PCI and HITRUST.

The IRP contains pre-defined processes for common events including malware infections, IDS events and authentication events. The entire SecOps team is involved in IR and receive periodic training for their respective responsibilities. Due to the nature of our business, we perform IR activities on a daily basis so the plan is actively exercised and changes are made based on lessons learned. Incident reports involving customers are provided via ticket.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £39.99 to £74.25 per virtual machine per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Armor offers limited period Proof Of Concept trials at no charge. These POCs are full featured and typically limited to no more than two weeks.


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑