What this service does
A real security operation, not an alert factory. 24/7 SOC, MDR across endpoint+cloud+identity+SaaS, detection engineering, threat hunting, IR retainer, vCISO. Senior practitioners on every alert.
Senior practitioner on every engagement. Quinnlan Varcoe (Founder and CEO) oversees every engagement and reviews every case before findings leave the practice; Jose Santana, Lead Technical Consultant, oversees the practitioner team executing the technical work under her methodology. NDA-protected. No black-box delivery, no off-shoring, no junior staff bait-and-switch.
What we deliver
- 24/7 SOC + Monitoring. Senior analysts on every alert. P1 detection→containment in 15 min. No tier-1 black-box. Average analyst tenure disclosed at QBR.
- MDR, Managed Detection & Response. Endpoints (CrowdStrike Falcon, SentinelOne, Defender), identity (Push, Permiso), cloud (Wiz, Lacework), SaaS (Push, Adaptive Shield, Obsidian), email (Abnormal, Material). Containment authority pre-negotiated.
- SIEM + Detection Engineering. Splunk / Sentinel / Chronicle. Custom rules tuned to your environment, MITRE ATT&CK-mapped, versioned in Git, peer-reviewed. Detection-as-code.
- Threat Hunting. Hypothesis-driven, monthly cycle. Findings convert to permanent detections. Insider threat hunts for regulated-data partners.
- Threat Intelligence. Vertical-specific briefings, dark web monitoring of your domains/execs/repos, brand monitoring (typosquats, deepfake watch), vendor breach monitoring.
- Vulnerability Management. Continuous scanning (Tenable, Qualys), CSPM (Wiz), SAST/SCA, exploitability-aware prioritization (KEV, EPSS). We patch what we manage. Quarterly external pentest + annual full-scope.
- Incident Response Retainer. 48-hour engagement start. Insurance-carrier-accepted (AIG, Beazley, Coalition, Resilience, Travelers, Chubb, Munich Re Hartford). Ransomware-, BEC-, insider-, cloud-IR ready. Counsel-coordinated.
- SOAR + Automation. Tines / Torq / Splunk SOAR. Automation only where the human cost is high and risk of automation error is low. Human approves contain-and-isolate on production.
- vCISO + Governance. Quarterly risk reviews, board-readable reports, policy framework, vendor risk management, security committee facilitation.
- Compliance Evidence Collection. SOC 2 Type 2, HIPAA, CMMC, ISO 27001, PCI, FedRAMP, NIST 800-171. Continuous, not annual. Auditor pre-coordinated.
- Identity Threat Detection (ITDR). Push, BeyondID, Permiso, native Entra ID Protection. Impossible travel, OAuth abuse, MFA fatigue, session hijack, dormant account re-activation.
- Email + DLP. Beyond M365 / Workspace defaults. Abnormal, Material, Sublime, Tessian for AI-aware phishing. Microsoft Purview / Google DLP tuned to your data classes.
- CSPM / CWPP / CIEM. Wiz, Lacework, Prisma Cloud, native cloud (Security Hub + Defender + SCC). Kubernetes admission control + runtime detection. IaC scanning before merge. Drift detection.
- Tabletop + Simulation. Twice-yearly scenario tabletops. Annual live red-team simulation. Quarterly phishing campaigns with realistic role-targeted pretexts.
- Cyber Insurance Liaison. Carrier-coordinated underwriting, continuous evidence package, policy-aligned MDR, renewal premium negotiation, post-incident carrier coordination. We work alongside your broker with AIG, Beazley, Coalition, Resilience, Travelers, Chubb. See the dedicated cyber insurance page.
How an engagement begins
- Confidential consultation. NDA-protected. 30 to 60 minutes. Direct conversation with Quinn, not a sales rep.
- Scoped engagement. Written proposal with defined deliverables and pricing. Hourly with milestone caps for open scopes; fixed fee where the work is well-defined.
- Delivery and reporting. Court-admissible methodology where evidence matters. Written deliverables you can hand to counsel, the board, or your auditor.
Why this work runs through Witness
Witness is the parent brand for the practice. The same firm operates a B2B sister brand at varcoe.ai for buyers whose procurement workflow expects a B2B website and a B2B sales motion. Same legal entity (Blueberry Security Global, Inc., Delaware C-corp). Same Quinn. Same delivery team. The split is by audience, not by capability.
















