§00 QMC4 · Cyber security & software engineering · Guernsey

Most breaches aren’t clever. They’re unmanaged exposure.

QMC4 is a Guernsey-based cyber-security and software-engineering practice, working with clients worldwide. We run Continuous Threat Exposure Management: we find, rank and prove the exposure an attacker could actually use. Behind it sits a 24/7 SOC, managed security, managed IT, Microsoft engineering and a software team that builds secure AI. No dashboards as decoration. No theatre.

Guernsey · worldwide reach Cyber Essentials certified NIST CSF aligned NCSC aligned Microsoft Partner 24/7 SOC

§01 Flagship / Continuous Threat Exposure Management

Exposure is a state you manage, not a report you file.

An annual pen test and a spreadsheet of CVEs tell you what was true last quarter. CTEM tells you what an attacker could do to you today.

We run it as Gartner’s five-stage cycle, mapped to what your business genuinely can’t afford to lose, so remediation effort lands where it actually reduces risk, not where the scanner shouts loudest.

Gartner’s estimate of how much less likely a breach becomes when you prioritise investment through a continuous exposure-management programme.*

“No wands. Just the unglamorous things, done properly. And again tomorrow.” The QMC4 approach

  1. Scope

    Decide what’s worth defending first: the crown jewels, not the whole estate in one breath.

  2. Discover

    Map the real attack surface: assets, identities, misconfigurations and the kit everyone forgot about.

  3. Prioritise

    Rank by what’s exploitable and what it would cost you, not by raw CVSS theatre.

  4. Validate

    Prove the exposure is real and the control actually holds. Assumptions don’t get a vote.

  5. Mobilise

    Fix it, with named owners and evidence. Then watch the exposure figure come down.

Book an exposure assessment

§02 Service index

What we run, and where it sits.

One accountable practice. CTEM sets the priorities; the SOC and managed security do the work; managed IT, integration and Microsoft engineering keep the ground solid; the software division builds what doesn’t exist yet.

§03 Software Engineering Division

We build the AI systems we’d be willing to defend.

Plenty of “AI solutions” are a prompt and a hope. Our software division builds retrieval-augmented generation (RAG) and bespoke systems the way we build security. Failure modes mapped first, accuracy measured, and a deployment you could put in front of an auditor.

  1. Retrieval pipeline

    Deliberate ingestion, chunking and metadata suited to your data, not copied from a tutorial. Garbage retrieval is where most RAG projects quietly fail.

  2. Embeddings & vector search

    The right embedding model and index for your corpus, with hybrid and re-ranking where it earns its keep, tuned for recall you can actually measure.

  3. Grounding & evaluation

    Answers cited back to source, behind an evaluation harness that catches hallucination and regressions before your users (or your regulator) do.

  4. Secure deployment

    Access control enforced on the data, no secrets in prompts, private inference where the data demands it. Secure-by-design, threat-modelled, not patched on at the end.


§04 Microsoft Partner

A SOC that runs on what you already pay for.

If you’re on Microsoft 365 and Azure, you’ve already bought half a security platform. As a Microsoft partner we turn Sentinel, Defender and Entra into a working, unified SOC across identity, endpoint, email and cloud, without a rip-and-replace.

Vendor-neutral where it counts: if a different tool genuinely fits your environment better, we’ll tell you so.

Discuss your Microsoft estate
  • SIEM / SOAR
    Microsoft Sentinel
    Cloud-native SIEM and automation: the correlation and response backbone of your managed SOC.
  • XDR
    Defender XDR
    Extended detection across endpoint, identity, email and cloud apps, correlated into single incidents.
  • Identity
    Microsoft Entra
    Identity at the centre of a zero-trust posture: conditional access, privileged identity, verification.
  • M365
    Microsoft 365 hardening
    Secure configuration, data protection and compliance baselines tuned to your actual risk.

§05 How we work

Old discipline. New tools. In that order.

The fundamentals don’t change; the tooling and the threats do. We pair foundational security knowledge with modern, AI-assisted operations. Each does what it’s genuinely good at, and neither pretends to be the other.

First / the fundamentals

What actually decides most breaches

  • Asset and configuration hygiene, patching, least privilege
  • Defence in depth and a zero-trust architecture that earns the name
  • Threat modelling: thinking in an attacker’s order of operations
  • Governance mapped to the frameworks your clients answer to: NIST, Cyber Essentials, and the Data Protection (Bailiwick of Guernsey) Law, 2017
Then / the force multipliers

Where automation earns its place

  • AI-assisted triage to cut alert noise and shorten response
  • Automated exposure discovery and attack-path analysis
  • Continuous control validation at a scale humans can’t match by hand
  • SOAR playbooks for a response that’s consistent at 3am

“Automation is a lever. It still needs someone who knows which rock to put it under.”

§06 Why QMC4

How we think.

Plenty of providers sell fear and adjectives. We’d rather sell you reduced exposure you can evidence. Six things we hold to.

  1. 01

    Exposure-led, not alert-led

    We start from what an attacker could actually reach and work backwards, so effort lands on real risk, not the loudest notification.

  2. 02

    Foundations before fashion

    Hygiene, identity, configuration and patching underpin everything. Then, and only then, the modern tooling amplifies it.

  3. 03

    One number to ring

    Strategy, SOC, managed security, IT and software under one roof. No vendors pointing at each other while you’re on fire.

  4. 04

    Evidence a board can read

    Exposure reduction, response times, control effectiveness, all in language executives and auditors both understand.

  5. 05

    We’ll talk you out of things

    If a control isn’t worth the money or a project isn’t worth doing, we’ll say so, and tell you why.

  6. 06

    Plain English, always

    Grounded advice without the acronym fog. If we can’t explain it simply, we don’t understand it well enough yet.

§07 Field Notes

From the practice.

Pattern, posture and the anatomy of real incidents, written by the people doing the work, for the boards, finance teams and IT leads who own the risk.

Bring any of these to your team →

§08 Trust & credibility

What we hold, what we follow, what we help you reach.

No inflated badges. Here is exactly what QMC4 holds, the frameworks we align to, and the certification we take clients through.

Held

Cyber Essentials

We hold Cyber Essentials, the UK government’s baseline of five core technical controls.

Aligned

NIST Cybersecurity Framework

Our practice follows the NIST CSF functions: identify, protect, detect, respond, recover.

Aligned

NCSC guidance

Delivery aligned to National Cyber Security Centre guidance for managed service providers and their clients.

Partner

Microsoft Partner

Recognised capability across Microsoft Sentinel, Defender and Entra security workloads.

Guernsey-based and governed by the Data Protection (Bailiwick of Guernsey) Law, 2017, regulated by the Office of the Data Protection Authority (ODPA). We help GFSC-regulated clients meet the Guernsey Financial Services Commission’s Cyber Security Rules and Guidance (2021), built, like our practice, on the NIST functions.

Offered as a service: Cyber Essentials assessment & certification readiness, which we take clients through. For clarity, QMC4 does not currently hold Cyber Essentials Plus or ISO 27001.

Technology partners

  • Microsoft

Our core technology partner. 24/7 SOC coverage is delivered alongside vetted specialist partners, all orchestrated and held accountable by QMC4, on one contract.

§09 Get started

Book a discovery & exposure assessment.

A short, no-pressure conversation. We’ll map where you are, find your most likely exposure, and show how a CTEM-led programme would work for your organisation.

Call
+44 (0)14 8124 0400
Email
witchcraft@qmc4.com
Connect
QMC4 on LinkedIn
Based
Ohana, Hougues Magues Lane, St Sampson, Guernsey GY2 4WA · serving clients worldwide

Send us a message

Your details go straight to QMC4 and are only used to reply to your enquiry.