§00 QMC4 · Cyber security & software engineering · Guernsey
Most breaches aren’t clever. They’re unmanaged exposure.
QMC4 is a Guernsey-based cyber-security and software-engineering practice, working with clients worldwide. We run Continuous Threat Exposure Management: we find, rank and prove the exposure an attacker could actually use. Behind it sits a 24/7 SOC, managed security, managed IT, Microsoft engineering and a software team that builds secure AI. No dashboards as decoration. No theatre.
§01 Flagship / Continuous Threat Exposure Management
Exposure is a state you manage, not a report you file.
An annual pen test and a spreadsheet of CVEs tell you what was true last quarter. CTEM tells you what an attacker could do to you today.
We run it as Gartner’s five-stage cycle, mapped to what your business genuinely can’t afford to lose, so remediation effort lands where it actually reduces risk, not where the scanner shouts loudest.
Gartner’s estimate of how much less likely a breach becomes when you prioritise investment through a continuous exposure-management programme.*
“No wands. Just the unglamorous things, done properly. And again tomorrow.” The QMC4 approach
Scope
Decide what’s worth defending first: the crown jewels, not the whole estate in one breath.
Discover
Map the real attack surface: assets, identities, misconfigurations and the kit everyone forgot about.
Prioritise
Rank by what’s exploitable and what it would cost you, not by raw CVSS theatre.
Validate
Prove the exposure is real and the control actually holds. Assumptions don’t get a vote.
Mobilise
Fix it, with named owners and evidence. Then watch the exposure figure come down.
§02 Service index
What we run, and where it sits.
One accountable practice. CTEM sets the priorities; the SOC and managed security do the work; managed IT, integration and Microsoft engineering keep the ground solid; the software division builds what doesn’t exist yet.
- 01 Exposure Management (CTEM) Continuously find, rank and prove the exposure an attacker could actually exploit. exposure mgmt · attack surface · continuous validation
- 02 Managed Security (MSSP) We run your security operations: detection, response and the boring vigilance in between. MSSP · MDR · 24/7 monitoring
- 03 Security Operations (SOC) A SOC without the capital cost. Monitoring, threat hunting and incident response on tap. SOC as a service · threat hunting · IR
- 04 Managed IT (MSP) The IT that keeps working, with security built in rather than bolted on afterwards. managed IT · IT support · cloud
- 05 Systems Integration We make the parts of your estate agree with one another, securely and on purpose. system integrator · secure architecture · migration
- 06 Microsoft Security Sentinel, Defender and Entra, run properly. A Microsoft partner, not a box-shifter. Microsoft partner · Sentinel · Defender XDR · Entra
- 07 Software Engineering Production RAG and secure AI systems, built by people who also know how to break them. RAG · vector search · secure-by-design AI
- 08 Cyber Essentials Assessment We take you through Cyber Essentials assessment and certification readiness: the real work, not a checkbox. cyber essentials · certification readiness · compliance
Flagship
Delivery engine · 24/7
Foundation · build & run
Engineering
Compliance
§03 Software Engineering Division
We build the AI systems we’d be willing to defend.
Plenty of “AI solutions” are a prompt and a hope. Our software division builds retrieval-augmented generation (RAG) and bespoke systems the way we build security. Failure modes mapped first, accuracy measured, and a deployment you could put in front of an auditor.
Retrieval pipeline
Deliberate ingestion, chunking and metadata suited to your data, not copied from a tutorial. Garbage retrieval is where most RAG projects quietly fail.
Embeddings & vector search
The right embedding model and index for your corpus, with hybrid and re-ranking where it earns its keep, tuned for recall you can actually measure.
Grounding & evaluation
Answers cited back to source, behind an evaluation harness that catches hallucination and regressions before your users (or your regulator) do.
Secure deployment
Access control enforced on the data, no secrets in prompts, private inference where the data demands it. Secure-by-design, threat-modelled, not patched on at the end.
§04 Microsoft Partner
A SOC that runs on what you already pay for.
If you’re on Microsoft 365 and Azure, you’ve already bought half a security platform. As a Microsoft partner we turn Sentinel, Defender and Entra into a working, unified SOC across identity, endpoint, email and cloud, without a rip-and-replace.
Vendor-neutral where it counts: if a different tool genuinely fits your environment better, we’ll tell you so.
Discuss your Microsoft estate- SIEM / SOARMicrosoft SentinelCloud-native SIEM and automation: the correlation and response backbone of your managed SOC.
- XDRDefender XDRExtended detection across endpoint, identity, email and cloud apps, correlated into single incidents.
- IdentityMicrosoft EntraIdentity at the centre of a zero-trust posture: conditional access, privileged identity, verification.
- M365Microsoft 365 hardeningSecure configuration, data protection and compliance baselines tuned to your actual risk.
§05 How we work
Old discipline. New tools. In that order.
The fundamentals don’t change; the tooling and the threats do. We pair foundational security knowledge with modern, AI-assisted operations. Each does what it’s genuinely good at, and neither pretends to be the other.
What actually decides most breaches
- Asset and configuration hygiene, patching, least privilege
- Defence in depth and a zero-trust architecture that earns the name
- Threat modelling: thinking in an attacker’s order of operations
- Governance mapped to the frameworks your clients answer to: NIST, Cyber Essentials, and the Data Protection (Bailiwick of Guernsey) Law, 2017
Where automation earns its place
- AI-assisted triage to cut alert noise and shorten response
- Automated exposure discovery and attack-path analysis
- Continuous control validation at a scale humans can’t match by hand
- SOAR playbooks for a response that’s consistent at 3am
“Automation is a lever. It still needs someone who knows which rock to put it under.”
§06 Why QMC4
How we think.
Plenty of providers sell fear and adjectives. We’d rather sell you reduced exposure you can evidence. Six things we hold to.
- 01
Exposure-led, not alert-led
We start from what an attacker could actually reach and work backwards, so effort lands on real risk, not the loudest notification.
- 02
Foundations before fashion
Hygiene, identity, configuration and patching underpin everything. Then, and only then, the modern tooling amplifies it.
- 03
One number to ring
Strategy, SOC, managed security, IT and software under one roof. No vendors pointing at each other while you’re on fire.
- 04
Evidence a board can read
Exposure reduction, response times, control effectiveness, all in language executives and auditors both understand.
- 05
We’ll talk you out of things
If a control isn’t worth the money or a project isn’t worth doing, we’ll say so, and tell you why.
- 06
Plain English, always
Grounded advice without the acronym fog. If we can’t explain it simply, we don’t understand it well enough yet.
§07 Field Notes
From the practice.
Pattern, posture and the anatomy of real incidents, written by the people doing the work, for the boards, finance teams and IT leads who own the risk.
-
Read →
Why we built QMC4 Cyber the way we did
Most cyber security companies bolted AI onto what they were already doing. We came at it from the other direction, and that changes the shape of the service.
-
Read →
A phished mailbox is a 90-day breach in slow motion
Anatomy of the most common pattern we see: what it looks like at week one, week three and week thirteen, and why most businesses only catch it at the end.
-
Read →
Prompt injection and the new attack surface
When the attacker isn’t targeting your code, but the AI that reads it, or the AI agent that runs inside your app. The defensive playbook for an attack that may never be fully solved.
-
Read →
A free security pipeline in an afternoon
Four layers of automated checks (pre-commit hooks, secret scanning, dependency alerts and static analysis) wired into GitHub, so the boring stuff happens on every commit. Total cost: zero.
-
Read →
Cloud security for the accidental SaaS founder
The grown-up conversation about the cloud layer: RLS, IAM and secrets management in plain English. Plus a pre-launch checklist to run before the next user signs up.
-
Read →
Prompting for secure code
How to brief an AI so it gives you code you can actually trust, the same way you’d brief a junior developer who’s technically brilliant but has never met a hacker.
-
Read →
Vibe coding for the win? True or false?
Part 1 of a 5-part series. What vibe coding is, where the headlines overstate the risk, where the real security failures live, and the tools and habits that catch the common mistakes.
§08 Trust & credibility
What we hold, what we follow, what we help you reach.
No inflated badges. Here is exactly what QMC4 holds, the frameworks we align to, and the certification we take clients through.
Cyber Essentials
We hold Cyber Essentials, the UK government’s baseline of five core technical controls.
NIST Cybersecurity Framework
Our practice follows the NIST CSF functions: identify, protect, detect, respond, recover.
NCSC guidance
Delivery aligned to National Cyber Security Centre guidance for managed service providers and their clients.
Microsoft Partner
Recognised capability across Microsoft Sentinel, Defender and Entra security workloads.
Guernsey-based and governed by the Data Protection (Bailiwick of Guernsey) Law, 2017, regulated by the Office of the Data Protection Authority (ODPA). We help GFSC-regulated clients meet the Guernsey Financial Services Commission’s Cyber Security Rules and Guidance (2021), built, like our practice, on the NIST functions.
Offered as a service: Cyber Essentials assessment & certification readiness, which we take clients through. For clarity, QMC4 does not currently hold Cyber Essentials Plus or ISO 27001.
Technology partners
- Microsoft
Our core technology partner. 24/7 SOC coverage is delivered alongside vetted specialist partners, all orchestrated and held accountable by QMC4, on one contract.
§09 Get started
Book a discovery & exposure assessment.
A short, no-pressure conversation. We’ll map where you are, find your most likely exposure, and show how a CTEM-led programme would work for your organisation.
- Call
- +44 (0)14 8124 0400
- witchcraft@qmc4.com
- Connect
- QMC4 on LinkedIn
- Based
- Ohana, Hougues Magues Lane, St Sampson, Guernsey GY2 4WA · serving clients worldwide