← Field NotesAI engineering, applied to cyber

Why we built QMC4 Cyber the way we did

Most cyber security companies bolted AI onto what they were already doing. We came at it from the other direction — and that changes the shape of the service.

The QMC4 Cyber team3 min read

Most cyber security companies have added AI to what they were already doing. We came at it from the other direction.

The team behind QMC4 Cyber has spent years designing and shipping agentic AI systems for regulated industries — work where the system has to be explainable, auditable and operationally trusted, because real businesses depend on it. When we started looking at the managed security market, the gap was obvious. A great deal of the day-to-day work in a security operations centre is exactly the kind of work software should be doing: triage at scale, correlation across thousands of signals, the relentless first-pass on anything that looks unusual. And almost none of it is being done that way.

So we built it.

What that actually changes

It’s easy to say “AI-powered” — every MDR pitch deck says it now. What’s worth describing is what changes about the service when AI isn’t bolted on as a thin layer over a tier-one queue.

Engineers see signal, not noise. Our AI agents triage and correlate alerts the moment they land, with the audit trail attached. By the time a human engineer is involved, the question is no longer “what is this?” — it’s “what should we do about it?”. That changes the experience of being on call. It changes the kind of people who want the job. And it changes the time-to-decision when something genuinely matters.

The shape of the team changes. A tier-one SOC is, structurally, a queue of people doing the same triage work in shifts. We don’t have one. We have engineers — senior, named, on-call, accountable. The queue is run by software. The hard problems are run by humans who have the context to handle them well.

The cost shape changes. The economics of managed security have always been driven by headcount. Ours aren’t. That’s not a pricing story — our pricing is contact-only and shaped by what your environment actually needs — it’s a service-shape story. We can afford to put senior people on every account because we’re not paying for a tier-one queue.

What it doesn’t change

Cyber security isn’t a software problem with humans bolted on, and we’re not building it that way either. Three things stay firmly with the humans.

Judgement. When an alert turns into an incident, the response is led by an engineer. Software writes the playbook; people pick which play to run. The runbooks we write for clients are written by people, and tested by people in tabletop exercises that involve the client’s leadership team, not just our SOC.

The board conversation. Our Counsel service exists because what your board, your insurer and your auditor need isn’t a dashboard. It’s a senior security leader who can translate what we see into language they can act on. That work is done by a named human, every quarter, for every client.

The relationship. When something breaks, you reach a human who already knows your environment. Not a tier-one queue, not a chatbot. We’re old-fashioned about this.

Why it matters for UK and Channel Islands businesses

The cyber market is not short of vendors making louder claims. We’d rather be the team your CFO quietly trusts.

Most of our clients aren’t asking for the most advanced security posture money can buy. They’re asking for one accountable supplier who can explain what’s happening, recommend what to do, and do it. They want to walk into a board meeting, an insurer renewal or a client questionnaire with a clear story and the evidence to back it up.

That’s the service we built — and the engineering discipline behind it is what makes it possible to deliver at a price that works for the size of business that actually needs it.

If any of that resonates, book a 30-minute risk review. No theatre, no fear-based pitching — just a clear read on where your business actually stands.