  EmilyAI  ·  Autonomous SOC Analyst  ·  ISO/IEC 42001 Certified

Gartner says AI SOC agents are unproven.
We've been proving it since April 2018.

Emily is not a chat wrapper, a rule engine in a new jumper, or a copilot waiting for an analyst to drive. She is a production SOC analyst — built and operated by UK Cyber Defence, running 24/7 across 16 tenants, ingesting 1.9 million alerts a day, with a 0.0074% false-positive rate and a three-minute mean time from alert to triaged verdict.

Eight years in production  ·  107 trillion training events  ·  British data sovereignty

  •   Alerts / day: 1.9M
  •   In production: 8 yrs
  •   Live tenants: 16
  •   False-positive rate: 0.0074%
  •   Alert → verdict: 3 min
  •   Returned / analyst / day: 6.2 hr

Nine claims Gartner calls unproven.
Nine answers from eight years of production.

In June 2025, Gartner placed AI SOC agents at the Peak of Inflated Expectations and listed the reasons it considers the category unproven. Each of those reasons describes a vendor with a roadmap. Emily isn't one of those vendors — UK Cyber Defence has been running her against live customer telemetry since 4 April 2018, and the figures below are operational, not aspirational.

Gartner says — 01
“Claims outpace evidence of sustained, measurable improvement.”
Emily, in production
2,924 days of continuous operation. 1.9 million alerts ingested every day. 0.0074% false-positive rate, measured monthly, audited under our ISO/IEC 42001 management system. The improvement is not a forecast — it is the line on the board.
Gartner says — 02
“Most use cases are narrow and task-specific — not end-to-end.”
Emily, in production
Emily owns the analyst role from ingest to action: triage, enrichment, correlation, verdict, containment, communication. She quarantines and isolates systems, resets credentials, integrates with IAM platforms, kills processes, deploys honeypots, and pushes new rules to edge devices — without waking a human up unless her confidence drops below threshold.
Gartner says — 03
“Over-automation introduces risk if agents act on flawed assumptions.”
Emily, in production
Every decision Emily makes carries a confidence score and a recorded provenance chain. Below a per-tenant handoff threshold she escalates — via Slack, Teams, email, SMS, or voice — to the named human contact for that shift. She operates in crystal: every action is visible, reviewable, and replayable.
Gartner says — 04
“Hallucinations and false positives remain a real operational risk.”
Emily, in production
Emily is not built on a chat LLM. Her detection and correlation run on INT8-quantised inference models on NVIDIA L40S GPUs, trained over six years on UKCD's own SOC verdicts — 107 trillion events across health, financial services, logistics, research, and banking. The chat LLM is local-only and used to talk to humans, not to make verdicts. Hallucinations are architecturally segregated from decisions.
Gartner says — 05
“AI assistants inherit the blind spots of the tools they sit on top of.”
Emily, in production
Emily's architecture is hexagonal: SIEM and case-system are connectors, not foundations. She does not depend on a vendor's view of the world. Last month alone, she identified three nation-state-style low-and-slow intrusions by chaining low-severity events that the source SIEMs had each filtered as noise.
Gartner says — 06
“Trust, privacy, and data-handling concerns slow broader deployment.”
Emily, in production
Emily is ISO/IEC 42001 certified — the AI Management System standard — not merely aligned. SaaS tenants run in UKCD facilities under full British data sovereignty; on-premises deployments keep telemetry entirely inside the customer's boundary. No third-party LLM APIs are ever called with customer data. mTLS internal, AppArmor-confined, default-deny by design.
Gartner says — 07
“Initial adoption frequently adds work before it reduces it.”
Emily, in production
Emily slots into the connector matrix in days, not quarters. New tenants typically reach steady-state in under two weeks — and from day one she returns an average of 6.2 hours per analyst per day, totalling 28 hours per week. There is no ramp-up tax paid in analyst overtime.
Gartner says — 08
“Cost models often limit broad deployment across SOC roles.”
Emily, in production
Emily is priced on tenants and data ingested, not seats — so every analyst on a customer team benefits without per-head cost inflation. We publish what we charge to anyone who asks, in the open. Crystal-clear pricing, on a single call with our team.
Gartner says — 09
“Many features labelled as ‘AI’ are simply rule engines with new branding.”
Emily, in production
Emily's correlation engine is not a rules system. It is INT8-quantised inference, GPU-accelerated, trained on 107 trillion historical SOC events with human-validated verdicts as ground truth. Rules exist as a thin safety floor; the analyst-grade decisioning is model-driven and continuously refreshed. No genAI washing here — we will show you the model card.

What Emily owns — without waking you up

Define her shift pattern, name her escalation contact, and set her handoff threshold. From that moment, Emily is the analyst on the chair.

01 / INGEST: Normalise
Connector matrix pulls from SIEMs, EDRs, identity, and cloud — no vendor lock-in.

02 / TRIAGE: Correlate
INT8 inference chains low-severity signals into adversary narratives.

03 / VERDICT: Decide
Confidence-scored verdict in three minutes, with full provenance chain.

04 / ACT: Contain
Isolate, kill, quarantine, reset credentials, push edge rules, deploy honeypots.

05 / HANDOFF: Escalate
Below threshold: Slack, Teams, email, SMS, or voice to your named contact.

Containment, not just notification
Emily doesn't write a ticket and walk away. She quarantines, isolates, kills processes, resets credentials, and integrates with your IAM — closing the loop the same minute she opens it.

Operates in crystal
Every decision Emily makes is visible, reviewable, and replayable. Confidence scores, input chain, model version, action taken — logged immutably. This is what ISO/IEC 42001 certification actually demands.

Knows when to call you
When her confidence drops below your handoff threshold, Emily reaches you through whichever channel suits the shift — chat, email, SMS, voice. She is built to hand off, not hand-wave.

Three audiences. One Emily.

MSPs & MSSPs
Multi-tenant by design from day one. White-label and co-brand options. The connector matrix means your existing customer estates plug in without ripping out their SIEM. Emily scales with your book — not with your headcount. Bring on tenants without bringing on shifts.
Regulated Enterprise
ISO/IEC 42001 certified. British data sovereignty under UKCD hosting; full air-gap option on your own hardware. UK GDPR, DPA 2018, financial services regulator-friendly. The security committee question “where is the model running and who can see our data” has a clean answer.
SOC Managers
Hexagonal architecture, transparent decision provenance, hardenable from the host up. You set the shift, the escalation contact, and the confidence floor — Emily does the rest. Give your team back 6.2 hours a day each, and let them do the work only humans can do.

Sectors that don't accept “unproven”

Sixteen tenants today. These are three of them.

Research & Engineering
The Welding Institute (TWI)
A world-leading research and technology organisation, protecting industrial IP and OT-adjacent environments under Emily's continuous watch.
Financial Services · CH
A Swiss Private Bank
FINMA-regulated. Emily operates inside the bank's perimeter under data-sovereignty constraints that rule out every US-hosted competitor.
Financial Services · EU
A European Commercial Bank
DORA-aligned. Emily provides the operational resilience evidence the regulator now asks for — every decision logged, every action reviewable.

The AI SOC market, honestly compared

Most AI SOC vendors launched into the category in the last 24 months. Emily has been doing the work since 2018. The gap shows.

| Capability | EmilyAI | Typical AI SOC vendor (Cynet, Prophet, Dropzone, Torq, CrowdStrike Charlotte, Microsoft Security Copilot, Radiant) |
|---|---|---|
| Years in customer production | 8 years (since April 2018) | 12–24 months, mostly |
| Training-data scale on real SOC verdicts | 107 trillion events, 6 verticals | Vendor-curated demo datasets |
| Inference architecture | INT8 on NVIDIA L40S, model-driven | Often a chat LLM with rule scaffolding |
| Autonomous containment (not just alerting) | Quarantine, isolate, kill, IAM, edge rules | Notification-first, action gated to human |
| British data sovereignty / on-prem option | UK SaaS or full air-gap on customer hardware | Mostly US-hosted, no air-gap path |
| AI Management System certification | ISO/IEC 42001 certified | Not yet held by the major listed competitors |
| Decision provenance & replay | Every action visible, reviewable, replayable | Logs vary; full replay is rare |
| SIEM independence | Connector matrix — SIEM is a peripheral | Tightly coupled to a vendor's own stack |
| Pricing transparency | Published per-tenant + ingest, on request | “Contact for quote” with sales gating |

Vendor names listed are trade marks of their respective owners and used here for comparative reference only.

“Emily was never an experiment. She is the SOC analyst I needed UK Cyber Defence to have on the chair around the clock, and she has been on that chair since April 2018. Every figure on this page is a measurement, not a forecast. We don't run a pilot to find out whether AI SOC works — we run a business that proves it works every minute.”
Peter Bassill
Founder, UK Cyber Defence · Author of EmilyAI · 2018–present

Before you book the demo

Is Emily a chatbot?
No. Detection, correlation, and decisioning run on INT8 inference on NVIDIA L40S GPUs, trained on six years of UKCD's own SOC verdicts — 107 trillion events. Emily uses a locally-hosted LLM only to talk to humans through chat, email, SMS, and voice. The chat layer can never make a verdict.
Where does our data sit?
SaaS customers' data resides in UKCD's UK facilities under full British data sovereignty. On-premises customers' data never leaves their boundary. No third-party LLM APIs are called with customer telemetry under any deployment mode.
Can we try Emily on our own telemetry?
Yes. We run a 20-day demo platform on your live telemetry with no commitment. You see her decisions, you keep the logs, you decide.
How is pricing structured?
Per tenant and per volume of data ingested — not per seat. That means every analyst on your team benefits without per-head cost. We don't gate prices behind sales calls — book a demo and ask, and you'll get the figure on the same call.
What happens when Emily is uncertain?
She holds and escalates. Every verdict carries a confidence score; below the per-tenant handoff threshold you set, she contacts your named human via the channel that suits the shift — Slack, Teams, email, SMS, or voice. Nothing she cannot stand behind goes through autonomously.
How do you address governance and AI assurance?
UKCD holds ISO/IEC 42001 certification — the AI Management System standard — not just alignment. Every decision Emily takes is logged, replayable, and auditable. The AI Risk Register, AI Policy, AIA records, and audit programme are maintained in our compliance management system and made available to customers under NDA.
Which SIEMs and case-management systems do you connect to?
Emily uses a hexagonal connector matrix — SIEM and case-management are peripherals, not foundations. Pilot connectors include Wazuh inbound and TheHive outbound; the major commercial SIEMs and CIRM platforms are on the roadmap and we add connectors against committed customer demand.

Fourteen days on your telemetry.
No commitment.

Pick a slot for a guided walkthrough with our team. We will show you Emily handling live data — not a sandbox — and we will tell you the price on the call. Crystal-clear, every time.

  •   30-minute guided walkthrough
  •   14-day pilot on your own telemetry
  •   Pricing disclosed on the call
  •   Run by UKCD engineers, not BDRs

We respond within one UK business day. No mailing lists. No drip campaigns.