CASE FILE / EMILYAI · v.2026.05
28 · 05 · 2026
London  ·  51°30′N

Meet Emily.

An autonomous AI SOC analyst. Eight years in production — which is, in software years, a rather long time to have been quiet about a working thing. On-premises, customer-owned, glass-box. Built for the SOC you already have, not the one a vendor wishes you'd buy.

Operational since
April 2018
Standard
ISO/IEC 42001 certified
Hosting
On-prem · sovereign · air-gap capable
Integrations
46 native
Request a Proof of Value
§ 01 / OVERVIEW
The SOC gap

Hiring more analysts is, strictly speaking, the wrong answer.
It is also the only one anyone is selling.

Here is the awkward bit. Security teams are spending more, hiring harder, and losing ground faster than ever. The maths of a human-driven SOC is geometric — in the wrong direction — and no one's recruitment policy is going to fix it. Tier-1 triage is, rather obviously, not work that suits a human: repetitive, mostly negative, and precisely the work a competent agent can do without ever needing a coffee.

Industry today
IBM · ISC2 / 2024
Mean time to detect
207days
Mean time to respond
70+ days
Alerts escalated to a human
≈100%
Tier-1 analyst loaded cost
£50–80k/ yr
Global cyber roles unfilled
4M+
Emily in production
Cyber Defence · Q1 2026
Mean time to detect
< 8min
Mean time to respond
< 20min
Signals escalated to a human
0.03%
Cost per tenant served
£1,440/ yr
Years in continuous production
8
Industry figures from IBM Cost of a Data Breach 2024 and ISC2 Cybersecurity Workforce Study 2024. Emily figures from Cyber Defence Ltd — EmilyAI's flagship MSP reference client — Q1 2026.
§ 02 / THE PLATFORM
What Emily is

A fully autonomous SOC analyst.
Not a copilot. (The pilot, frankly, was the bit you wanted automated.)

Emily is an agentic AI built to do the job, not to suggest the job. At three in the morning, a tired analyst doesn't need another recommendation — they need someone reliable to have already handled it. She ingests telemetry from any SIEM, renders a verdict, executes the response playbook in your case-management system, and hands the audit trail back, with her reasoning attached. Rather like a colleague who is, helpfully, never on holiday.

8
Years in production
Continuous live operation since April 2018.
46
Native integrations
Across SIEM, EDR, identity, network, cloud and case management.
3
Operating modes
Advisory · Supervised · Autonomous — switchable per tenant, per shift.
100%
Tenant isolation
Per-tenant model, owned by the customer. Architectural, not bolted on.
ISO/IEC
42001
Certified AI mgmt.
Glass-box reasoning compatible with the EU AI Act, NIS2 and DORA.
§ 03 / EVIDENCE
Q1 2026 telemetry

This is not a demo.
(Demos lie. Telemetry doesn't.)

Two independent MSPs now run Emily in production. Cyber Defence Ltd, our flagship reference client, served sixteen tenants in Q1 2026 — of 263,522 alerts she surfaced, she handled 263,441 herself. Eighty-one made it to a human, which is rather close to the number of meaningful decisions a human ought to be making in a quarter.

Signals ingested
1.29T
1,291,669,444,662
Raw signals from every customer feed across 16 tenants, all hardware running at sustained 20,000 events / second.
Events correlated
256.6M
256,559,417
After in-stream deduplication, parsing and entity resolution. 92% of raw noise eliminated before triage.
Alerts surfaced
263.5K
263,522
Of which Emily resolved 263,441 autonomously — with full glass-box reasoning trace stored for audit.
Escalated to a human
81
0.03% · 27 / month avg.
A single human analyst can supervise the output of 16 SMB tenants without queue accumulation.
Sustained throughput
20,000 ev/s
Noise eliminated
92%
Mean time to detect
< 8 min
Mean time to respond
< 20 min
SECOND REFERENCE MSP

GSL — same instance pattern, a second operator.

Two tenants ·
combined · Q1 2026
Metric
Combined
Signals ingested
1.22B
Events correlated (≥ 4)
438.7M
Alerts surfaced (≥ 7)
19.05M
High-severity (≥ 12)
142,893
Daily signals · average
40.56M
Event-to-signal ratio
36.1%
Alert-to-signal ratio
1.57%
§ 04 / ARCHITECTURE
How Emily is different

Every line below is a question your procurement team is about to ask.
It is helpful to have the answers ready.

Most cloud-AI SOC vendors do something rather odd: they ship one model to everyone, run it on their cloud, and ask you to be comfortable with the arrangement. Emily was architected the other way around — one model per tenant, owned by the tenant, running on the tenant's own hardware. Including, if you require it, hardware that is not connected to anything at all.

Dimension
Cloud-AI SOC vendors
Emily
Deployment
Events flow to vendor cloud.
Events stay on customer premises. Air-gap capable.
Model
Single model, shared across all customers.
Per-tenant model, customer-owned. Trains on the customer's signal, never leaves the customer.
Reasoning
Black-box. Opaque to auditors.
Glass-box — structured reasoning trace stored per alert.
Tenant isolation
Single-tenant by accident; logical only.
MSP-grade isolation, architected from scratch.
Hardware footprint
Customer pays cloud compute per event ingested.
Modest on-prem footprint, fixed cost. Two hardware tiers.
Data sovereignty
Subject to the US Cloud Act.
British / European data, full stop.
§ 05 / OPERATION
Three operating modes

Autonomy is not a single number. It is a setting.

Most attacks happen at the hours no human wants to be at work. Curiously, this is also when most SOCs are least staffed. Customers tend to raise Emily's autonomy overnight, when the room is empty, and lower it during business hours, when the analysts are awake, well-caffeinated and arguably underused. It is, on reflection, the reverse of every other automation conversation you have ever had.

01 — LOWEST
Advisory
Emily proposes; the human analyst decides. Every verdict is fully reasoned and ranked, but no response is executed without explicit approval.
Emily autonomy
02 — MIDDLE
Supervised
Emily acts; the analyst is notified in real time. Suitable for response playbooks the customer has already validated end-to-end during Proof of Value.
Emily autonomy
03 — HIGHEST
Autonomous
Emily acts; the analyst reviews on demand. Reasoning, evidence and outcome are filed to the case-management system for audit and downstream review.
Emily autonomy
§ 06 / SOVEREIGNTY
Compliance & residency

Built for the regulators who, awkwardly, are already here.

NIS2 has transposed. DORA is in force. The EU AI Act has decided, rather sensibly, that "because the model said so" is not a permissible audit response in security. None of this is surprising, and none of it is going away. Emily was designed against these regulations before anyone had got around to writing them down.

CERTIFIED
ISO/IEC 42001

The world's first management system standard for AI. Emily was certified against ISO/IEC 42001 and operates within its assurance framework.

ALIGNED
EU AI Act

Glass-box reasoning traces, model lineage and decision logs satisfy the explainability obligations placed on high-risk AI systems in security.

EVIDENCED
NIS2 & DORA

Mean-time-to-detect and mean-time-to-respond measurable per tenant, per shift, per playbook — evidence regulators want, on the day they ask.

RESIDENT
UK · EU data

On-premises by default; air-gap capable. Where hosting is required, Iron Mountain UK datacentres (SOC 2 Type II, ISO 27001). Never US Cloud Act exposed.

ISOLATED
Per-tenant model

One model per tenant. The customer's signal trains the customer's model — and never moves between tenancies, under any circumstances.

AUDITED
Glass-box trace

Every alert verdict is stored with its full chain of inference. Auditors and analysts read Emily's reasoning the way they read another analyst's.

§ 07 / INTEGRATION
Built for the SOC you have

46 native integrations.
And, for everything else, the dull, sensible protocols that have quietly run the internet for thirty years.

There is a particular flavour of vendor proposal that begins with the words "first, rip out everything you already have." This is not one of them. Emily reads the SIEM you already have, writes to the case management you already have, and triggers the response tooling you already have. The plumbing is included; nobody has to like it.

Splunk
Elastic
IBM
Microsoft
CrowdStrike
SentinelOne
Sophos
Trend Micro
Palo Alto Networks
Fortinet
Cisco
Zscaler
Cloudflare
Okta
Auth0
Amazon AWS
Google Cloud
Snowflake
Datadog
Grafana
Snyk
ServiceNow
Jira
PagerDuty
Opsgenie
Slack
Proofpoint
Wireshark
Sumo Logic
Tenable
+ 16 more
§ 08 / COMPANY
Operators, not narrators

Operators, not narrators.
We have, between us, sold this kind of thing rather a lot of times before.

EmilyAI Ltd is a British platform company based in London. Emily herself has been running, without interruption, at Cyber Defence Ltd — our flagship MSP reference client — since April 2018. Which is, in software years, a remarkably long time to be quiet about a working thing.

Chief Executive · Founder
Peter Bassill
  • 11 years British Army (much under the Official Secrets Act)
  • CISO, Gala Coral Group (FTSE 100) — 6 years
  • Microsoft European CISO Council
  • Founded Hedgehog Security 2009; designed Emily 2016
  • CREST European Council; CREST IR Pan-Europe advisor
Chief Revenue Officer
Tim Warner
  • 37 years in cyber sales — vendor (26y), distribution (8y), reseller (3y)
  • Joined Zscaler in 2014 — IPO 2018
  • 9 vendor tenures across enterprise sales leadership
  • Lived 20-person → 1,400-person growth
  • Average deal experience: £60k–$4m
Head of Product & Engineering
Werner Thalmeier
  • 20+ years product management and systems engineering
  • Head of Product at ProofPoint, Radware, M86, Finjan
  • Built ProofPoint Enterprise SE — 80 engineers, each personally interviewed
  • Bridges deep AI capability into business-led product
  • Owns Emily's roadmap and customer engineering
§ 09 / ENGAGE

Run a Proof of Value.
Three to ten working days. Free — on the entirely defensible grounds that you shouldn't have to pay to find out whether something works.

We provide the hardware, hosted in the Iron Mountain UK estate. You provide the feeds. At the end the instance is wiped — properly wiped, not the sort of wipe a marketing team would describe as wiping — or, if you'd rather, snapshotted into your production deployment.

  1. 01
    Scoping call. Feeds, hardware tier, mode, duration.
  2. 02
    PoV agreement. Mutual NDA, T&Cs, pre-evaluation checklist.
  3. 03
    Kick-off & ingest. Live feed or 30–90 days of archive.
  4. 04
    Mid-point review. Tuning, visibility gaps, emphasis adjustment.
  5. 05
    Wrap-up & recommendation. Snapshot retained on request.
Start a conversation