- 11 years British Army (much under the Official Secrets Act)
- CISO, Gala Coral Group (FTSE 100) — 6 years
- Microsoft European CISO Council
- Founded Hedgehog Security 2009; designed Emily 2016
- CREST European Council; CREST IR Pan-Europe advisor
An autonomous AI SOC analyst. Eight years in production — which is, in software years, a rather long time to have been quiet about a working thing. On-premises, customer-owned, glass-box. Built for the SOC you already have, not the one a vendor wishes you'd buy.
Here is the awkward bit. Security teams are spending more, hiring harder, and losing ground faster than ever. The maths of a human-driven SOC is geometric — in the wrong direction — and no one's recruitment policy is going to fix it. Tier-1 triage is, rather obviously, not work that suits a human: repetitive, mostly negative, and precisely the work a competent agent can do without ever needing a coffee.
Emily is an agentic AI built to do the job, not to suggest the job. At three in the morning, a tired analyst doesn't need another recommendation — they need someone reliable to have already handled it. She ingests telemetry from any SIEM, renders a verdict, executes the response playbook in your case-management system, and hands the audit trail back, with her reasoning attached. Rather like a colleague who is, helpfully, never on holiday.
Two independent MSPs now run Emily in production. Cyber Defence Ltd, our flagship reference client, served sixteen tenants in Q1 2026 — of 263,522 alerts she surfaced, she handled 263,441 herself. Eighty-one made it to a human, which is rather close to the number of meaningful decisions a human ought to be making in a quarter.
Most cloud-AI SOC vendors do something rather odd: they ship one model to everyone, run it on their cloud, and ask you to be comfortable with the arrangement. Emily was architected the other way around — one model per tenant, owned by the tenant, running on the tenant's own hardware. Including, if you require it, hardware that is not connected to anything at all.
Most attacks happen at the hours no human wants to be at work. Curiously, this is also when most SOCs are least staffed. Customers tend to raise Emily's autonomy overnight, when the room is empty, and lower it during business hours, when the analysts are awake, well-caffeinated and arguably underused. It is, on reflection, the reverse of every other automation conversation you have ever had.
NIS2 has transposed. DORA is in force. The EU AI Act has decided, rather sensibly, that "because the model said so" is not a permissible audit response in security. None of this is surprising, and none of it is going away. Emily was designed against these regulations before anyone had got around to writing them down.
The world's first management system standard for AI. Emily was certified against ISO/IEC 42001 and operates within its assurance framework.
Glass-box reasoning traces, model lineage and decision logs satisfy the explainability obligations placed on high-risk AI systems in security.
Mean-time-to-detect and mean-time-to-respond measurable per tenant, per shift, per playbook — evidence regulators want, on the day they ask.
On-premises by default; air-gap capable. Where hosting is required, Iron Mountain UK datacentres (SOC 2 Type II, ISO 27001). Never US Cloud Act exposed.
One model per tenant. The customer's signal trains the customer's model — and never moves between tenancies, under any circumstances.
Every alert verdict is stored with its full chain of inference. Auditors and analysts read Emily's reasoning the way they read another analyst's.
There is a particular flavour of vendor proposal that begins with the words "first, rip out everything you already have." This is not one of them. Emily reads the SIEM you already have, writes to the case management you already have, and triggers the response tooling you already have. The plumbing is included; nobody has to like it.
EmilyAI Ltd is a British platform company based in London. Emily herself has been running, without interruption, at Cyber Defence Ltd — our flagship MSP reference client — since April 2018. Which is, in software years, a remarkably long time to be quiet about a working thing.
We provide the hardware, hosted in the Iron Mountain UK estate. You provide the feeds. At the end the instance is wiped — properly wiped, not the sort of wipe a marketing team would describe as wiping — or, if you'd rather, snapshotted into your production deployment.