Pattern, posture and incident anatomy.
Field notes from the QMC4 Cyber team — written for the boards, finance teams and IT leads who own the cyber risk that comes with running a UK or Channel Islands business. No theatre, no fear-based pitching.
Why we built QMC4 Cyber the way we did
Most cyber security companies bolted AI onto what they were already doing. We came at it from the other direction — and that changes the shape of the service.
A phished mailbox is a 90-day breach in slow motion
Anatomy of the most common pattern we see in our segment — what it looks like at week one, week three and week thirteen, and why most businesses only catch it at the end.
Prompt Injection And The New Attack Surface
When the attacker isn't targeting your code, but the AI that reads your code — or worse, the AI agent that runs inside your app. The defensive playbook for an attack that may never be fully solved.
A Free Security Pipeline In An Afternoon
Four layers of automated checks — pre-commit hooks, secret scanning, dependency alerts, and static analysis — wired into GitHub so the boring stuff happens on every commit. Total cost: zero.
Cloud Security For The Accidental SaaS Founder
The grown-up conversation about the cloud layer — RLS, IAM, and secrets management in plain English. Plus a pre-launch checklist you can run through before the next user signs up.
Prompting For Secure Code
How to brief an AI so it gives you code you can actually trust — the same way you'd brief a junior developer who's technically brilliant but has never met a hacker.
Vibe Coding For The Win? True or False?
Part 1 of a 5-part series. What vibe coding is, where the headlines overstate the risk, where the real security failures actually live, and the tools and habits that catch the common mistakes.