Remote SOC, six weeks in

The Hedgehog SOC has been operating fully-remote since the 16th of March — six weeks. The customer-organisation-facing operational measures (mean time to triage, mean time to escalation, false-positive rate, customer-satisfaction survey results) have held within normal ranges. The team-side measures (analyst engagement, training-and-development continuity, the tacit-knowledge-transfer that happens in shared-office settings) have been more difficult to sustain. The EmilyAI deployment's role in operational continuity has been larger than I would have predicted in the planning conversations through January and February.

The functional measures. Median time-to-triage across customer alerts is at 2 minutes 15 seconds — within 10% of the pre-lockdown baseline. Mean time to incident-grade escalation is at 16 minutes — slightly elevated from the 14-minute pre-lockdown baseline but within the customer SLA targets across the portfolio. False-positive rate at the analyst-classification level is unchanged. Customer-satisfaction survey responses (we run the survey quarterly; the Q1 survey closed in mid-April, so it includes the early-lockdown period) are stable. The operational service is, on the measurable indicators, holding.

The team-side challenges. The shared-office tacit-knowledge transfer that has historically been a substantial part of how junior analysts develop into senior analysts is materially harder in fully-remote operation. The mentor-mentee relationships between senior and junior analysts continue but the interactions are explicit rather than ambient — the junior analyst has to ask, the senior analyst has to be available, the asynchronous communication channel is the medium. The cross-pollination of detection-engineering ideas between analysts is similarly more deliberate. The team has adapted by increasing the frequency of structured knowledge-share sessions (weekly tier-1-2-3 calls, daily tier-2-3 huddles, fortnightly detection-engineering shares) and the substantive output is acceptable but the cost in calendar time is higher than the pre-lockdown ambient transfer was.

The mental-health and team-cohesion measures are something I have been watching more carefully than the functional measures. The fortnightly anonymous pulse survey has been showing modest declines in self-reported engagement and in the "I feel connected to the team" measure since mid-March, which is consistent with what other organisations are reporting and is to be expected. We have been making explicit interventions — virtual social events that I am personally awkward about but that the team enjoys, a slight expansion of the wellbeing budget for individual support, more frequent 1:1s between line managers and their reports — and the trend is, in the most recent survey, levelling off. The longer-term sustainability of fully-remote operation against team-cohesion measures is the question I am most concerned about for the rest of 2020.

The EmilyAI continuity contribution. The model's role in handling alert-classification load during the early lockdown weeks was larger than the planning had assumed. The customer-organisation alert volume in the first two weeks of lockdown was elevated (a spike of around 40% above the running baseline, attributable to the remote-access expansion and the related authentication-anomaly profile), and the analyst-team capacity in the same window was reduced (analysts adapting to home-office operations, some reduced availability due to family circumstances, the on-boarding lag of moving operational tooling to home environments). The model's high-confidence classification path absorbed a substantial fraction of the elevated load, freeing analyst attention for the alerts that needed human judgement. The customer-experienced quality of service held during the period when, without the model, it would have degraded. The internal team has been clear that the model's contribution to operational continuity through March has been substantive, and the customer-side feedback on the response quality through the period has been (where given) positive.

For the EmilyAI commercial customers, the experience has been broadly similar. The model's adaptation to the changed alert-distribution profile through April has been on the weekly retraining cycle and has held within acceptable ranges; per-customer agreement rates are at 91-95% across the deployment, slightly below the pre-lockdown ranges (which were 92-96%) but not enough to require operational intervention. The threat-intelligence integration has been particularly valuable in the period because the COVID-themed threat-content has been changing weekly and the model's incorporation of threat-intel signals through the integration has tracked the changes well.

The wider business impact. The pen-testing engagement queue has been substantially affected — engagements requiring physical presence at customer sites are deferred, and the engagement mix has shifted toward remote-access-and-cloud-focused work. The vCISO portfolio has been more demanding through April — customers in periods of substantial change (rapid remote-access expansion, accelerated cloud migration, new third-party-tooling adoption) need more strategic support than in steady-state operations. The EmilyAI commercial pipeline has been quieter — customer-organisation procurement decisions are delayed, the senior leadership at customer prospects is consumed with operational continuity rather than capability investment — but the existing customer renewals and expansions have held. The overall company-revenue picture for Q2 is below plan but not by a worrying margin.

The personal note. I have been wearing the same three pairs of trousers since mid-March because the dry-cleaner is closed and the alternative is the laundry-hanging arrangement we have constructed in the spare bedroom. The home-office posture is now a formal piece of furniture rather than the corner-of-the-dining-room arrangement of the first three weeks. The morning structure (early start, walk before work, structured break midday, end-of-day shutdown ritual) is producing a sustainable cadence. The work continues. The world continues. The blog continues.

