The year that contained DORA applicable from January, the PowerSchool K-12-education compromise, the Bybit cryptocurrency heist, the UK retail wave (M&S, Co-op, Harrods), the NIS2 first-year enforcement environment landing, the EmilyAI v3.5 federated-learning preview, and the continuing supply-chain-and-state-actor activity has been operationally consequential and strategically validating.
The settled questions. The post-NIS2 first-year enforcement environment is settled into a graduated supervisory engagement pattern comparable to the post-GDPR-2018 trajectory. The post-DORA financial-services regulatory regime is operationally settled. The UK-retail-sector cyber-resilience wave produced substantive sector-wide programme-improvement that has been measurable. The customer-portfolio programme work has continued to produce operational benefit measurable against the cumulative-pattern threat landscape. The institutional-capital decision settled in 2024 has held through 2025.
The opened questions. The post-Salt-Typhoon US-policy conversation about encryption-and-government-access continues to develop substantively. The post-XZ-Utils open-source-foundation funding-and-maintainer-trust conversation continues. The continuing language-model-environment progression — both offensive-and-defensive — continues. The continuing state-actor activity across multiple actor-clusters and infrastructure categories continues. The 2026 regulatory deadlines (continuing AI Act milestones, the EU Cyber Resilience Act effective date in 2027) are visible.
The customer-portfolio. Six vCISO clients carrying through. Eighteen SOC customers (no churn through the year). Twenty-eight EmilyAI commercial customers (added four through the year, no churn). Aggregate company revenue at approximately 110% of original full-year plan. The team is at forty-three at year-end. The financial position is healthy.
The product. EmilyAI v3.4 in Q2 with substantive language-model-capability extensions and multi-cloud detection-content support. EmilyAI v3.5 in Q4 with the federated-learning preview that the team has been working on for two years. The product roadmap for 2026 will continue to develop both the language-model-integration and the federated-learning capabilities. The competitive landscape continues to be substantive but the EmilyAI product trajectory continues to differentiate.
The book. The regulatory-environment book is in late drafting and is on track for 2026 publication. The 2025 publication-cycle work has supported the customer-engagement programme through the year.
The personal note. Forty-six posts on the blog this year. The blog discipline continues to be the most useful single intellectual practice. The conferences this year were Black Hat USA in August (continuing customer-prospect-networking pattern), Infosec Europe in June (post-M&S customer-engagement substantively elevated), BSides Manchester in October.
Onward into 2026. The continuing regulatory-environment progression. The continuing language-model-environment evolution. The book publishes. The product roadmap continues. The customer-portfolio work continues. And whatever 2026 produces.