Most people arrive with the same dozen questions — many of them, understandably, sceptical. Here are plain answers to the ones we hear most.
No. Emily is not an LLM, and there are no tokens to count.
EmilyAI is sold on an annual contract, with pricing based on two honest, predictable variables: the number of tenants Emily protects, and the volume of data ingested. That's it. No per-token meter, no per-seat creep, no surprise bill at the end of a busy month.
The confusion is understandable — the market has trained everyone to expect token-based pricing from anything with “AI” in the name. But Emily is an autonomous agent, not a large language model wrapped in a console. She doesn't generate tokens to do her job, so it would make no sense to charge for them. You can model your annual cost on day one and it won't move because a threat actor had a busy quarter.
Two inputs:
We size both during the Proof of Value, so the number we quote is grounded in your real environment rather than a guess. The price is fixed for the contract term — predictable budgeting is part of the point.
No. This is precisely why we don't bill by token or by alert. A token- or event-metered model punishes you for being attacked — the busier the threat landscape, the bigger the bill, at exactly the moment you can least afford a surprise. Emily's annual contract is flat. A quiet quarter and a brutal one cost the same.
No. Emily replaces the Tier-1 triage workload, so charging per human seat would be a contradiction. Your analysts use her output freely — the contract is tied to tenants and ingest, not headcount.
Emily runs on a modest on-premises footprint, in one of two hardware tiers sized to your throughput. Hardware can be purchased outright or rolled into the annual contract — most customers prefer the latter for a single predictable line item. Either way it's a fixed, known cost, not cloud compute metered per event.
Contracts are annual. Many customers run a no-charge Proof of Value first, so the first real commitment is made on evidence from their own environment rather than a sales promise. Multi-year terms are available and discounted.
Emily is an agentic AI — an autonomous SOC analyst. She is built to take action against a defined goal, not to generate text. She ingests telemetry from your SIEM, correlates and triages it, renders a verdict, executes the response playbook in your case-management system, and files the reasoning back for audit.
Think of her as a competent Tier-1 analyst who happens to be software: she does the job rather than suggesting it. The architecture predates the current LLM wave — she went into production in 2018.
No. A copilot hands a recommendation to a tired human at 3am and waits. Emily handles it. She can be configured to ask for approval — that's Advisory mode — but at full autonomy she acts and files the audit trail, rather than adding to an analyst's queue.
Three, switchable per tenant and per shift:
Customers frequently raise autonomy overnight, when the room is empty, and lower it during business hours. It is, on reflection, the reverse of every other automation conversation.
Every verdict Emily reaches is stored with its full chain of inference — the evidence she weighed and why she concluded what she did. An auditor, a regulator or a tired analyst can read her reasoning the way they'd read another analyst's notes. This is the opposite of a black-box model that simply emits an answer.
She replaces the work they shouldn't be doing — repetitive Tier-1 triage, most of it negative, at hours no human wants to be awake. That frees your analysts for the judgement-heavy work humans are actually good at. In our reference deployment, a single human supervises the output of sixteen tenants without the queue accumulating.
46 native integrations across SIEM, EDR/XDR, identity, network, cloud and case management — Splunk, Sentinel, QRadar, CrowdStrike, SentinelOne, Defender, Okta, Entra ID, Palo Alto, ServiceNow and more. For anything non-native she reads the dull, sensible protocols that have quietly run the internet for thirty years: OTel, Syslog, CEF, and JSON over HTTPS. The plumbing for any non-native feed is included in every deployment.
On your premises, on your hardware. Events stay inside your estate. Where managed hosting is preferred, we use Iron Mountain UK datacentres (SOC 2 Type II, ISO 27001). Emily is never routed through a vendor cloud, and she is air-gap capable for the most sensitive environments.
Yes. Because the model is per-tenant and lives on your hardware, Emily can run on infrastructure connected to nothing at all. This is a genuine architectural property, not a configuration flag bolted on afterwards.
A Proof of Value runs in three to ten working days. A production deployment is sized during that PoV; because Emily reads your existing SIEM and writes to your existing case management, there's no rip-and-replace and no multi-month integration project.
No. There is a particular flavour of vendor proposal that begins with “first, rip out everything you already have.” This is not one of them. Emily reads the SIEM you have, writes to the case management you have, and triggers the response tooling you have.
Very much so — two reference MSPs run her in production today. Tenant isolation is MSP-grade and architected from scratch: one model per tenant, no leakage between tenancies under any circumstances. A single analyst can supervise many tenants at once.
No. Events stay on your premises. The model trains on your signal and never leaves your tenancy. There is no telemetry phoned home to a vendor cloud, which is exactly why Emily suits regulated and sovereignty-sensitive environments.
Never. One model per tenant, owned by the customer. Your signal trains your model. It is not pooled, shared, or used to improve anyone else's deployment. This is the opposite of the single-shared-model approach most cloud-AI SOC vendors take.
No. EmilyAI is a British company, Emily runs on UK/European infrastructure (or your own), and data never transits a US cloud provider. For organisations worried about extraterritorial reach, that's a deliberate design choice, not an accident.
Architecturally, not logically. Each tenant has its own model and its own data boundary. Isolation was designed in from the start for MSP use, rather than approximated with row-level filtering in a shared system.
Emily is certified against ISO/IEC 42001 — the world's first management-system standard for AI — and operates within its assurance framework. Managed hosting is SOC 2 Type II and ISO 27001. We were certified against 42001, rather than written around it.
Yes. NIS2 is transposed, DORA is in force, and the EU AI Act now requires explainability and traceability for high-risk AI in security. Emily's glass-box reasoning traces, model lineage and per-tenant decision logs were built against these obligations before they were drafted. Mean-time-to-detect and respond are measurable per tenant, per shift — the evidence regulators ask for, on the day they ask.
Yes — that's the point of glass-box reasoning. Every verdict is stored with its full chain of inference, so an auditor can review exactly why Emily reached a conclusion, the same way they'd review a human analyst's case notes.
Because it has, in production, for eight years. In Q1 2026 our flagship reference MSP processed 1.29 trillion signals across sixteen tenants. Of 263,522 alerts Emily surfaced, she handled 263,441 herself — 81 reached a human. A second MSP, Gradian Systems, runs her live too. These are telemetry figures from real deployments, not demo numbers.
For context, the industry mean time to detect is around 207 days. The full Q1 telemetry is on the homepage.
Yes — that's exactly what the Proof of Value is for. You bring the feeds; we bring the analyst. At the end the instance is wiped, verifiably, or snapshotted into your production deployment.
A scoping call — feeds, hardware tier, operating mode, duration. From there we set up a Proof of Value on EmilyAI-managed hardware inside the Iron Mountain UK estate. The whole evaluation runs in three to ten working days.
Nothing.
On the entirely defensible grounds that you shouldn't have to pay to find out whether something works. You provide the feeds; we provide the hardware and the analyst.
Either a live feed or 30–90 days of archived telemetry, plus a mutual NDA and a short pre-evaluation checklist. We handle the rest, including a mid-point review to tune visibility and emphasis.
Start a conversation through the contact page, or email hello@emilyai.com. A human in London replies — usually within one working day.
If your question isn't answered above, it's probably a good one. A human in London reads every note.
Start a conversation