$ grep -l "tag:soc" writing/
tag: soc.
17 pieces tagged soc, newest first. The full taxonomy is on the tag index.
2026·05·19
The agent age and the analyst in the loop
Post 21 of the AI series, and the closing piece. Where this is heading. The agent age has arrived; the analyst is still in the loop; the architectural decisions that made EmilyAI durable are now the wider field's emerging consensus. What I will be writing about next.
ai · soc · series · closing
8 min
2026·04·14
Six years of EmilyAI: what we kept, what we changed, what we should have done sooner
Post 20 of the AI series. A longer reflective piece. Eight years on from the first sketch of the system that became EmilyAI, six years on from production deployment, the architectural retrospective the series has been building toward.
ai · soc · retrospective · emilyai · series
9 min
2025·12·09
Year in cyber AI 2025: the agentic year that mostly was not
Post 17 of the AI series. The 2025 retrospective. Operator agents arrived but mostly in pilot, the determinism property went mainstream in procurement, the regulators caught up, and constrained agency became the named shape. The honest read going into 2026.
ai · retrospective · soc · series
8 min
2025·09·23
The single-tin posture: why we still ship on a Dell
Post 15 of the AI series. A single Dell PowerEdge R760, racked at the customer site, running the whole platform — analyst, inference, persistence, audit. The deployment shape the hyperscaler default would have us abandon, and why we have not.
ai · soc · deployment · series
7 min
2025·08·05
Determinism and regulatory defensibility, eighteen months later
Post 14 of the AI series. The bit-identical-inference property I wrote about in 2024 is showing up in regulatory drafting. What the Cyber Security and Resilience Bill drafting work suggests about how regulators are going to evaluate AI-driven security decisions.
ai · regulation · soc · series
7 min
2025·06·24
Agents in production, eighteen months on
Post 13 of the AI series. The agent demos at RSA and Black Hat have got slicker. The agent in production cyber operations has, mostly, not arrived. The honest 18-month read on a category whose marketing has run ahead of its engineering.
ai · agentic · soc · series
7 min
2025·05·13
Cross-tenant intelligence: the privacy architecture problem
Post 12 of the AI series. The architecture that turns one customer's experience into another's protection — without exposing either to the other. The privacy engineering problem nobody in the LLM space is talking about, and EmilyAI's seven principles.
ai · soc · privacy · architecture · series
8 min
2025·04·01
Continuous learning at scale
Post 11 of the AI series. EmilyAI has been learning from analyst feedback for six years. The LLM-as-frozen-artefact shape gets the operational properties of *the model that improves over time* structurally wrong. What that means in practice.
ai · soc · learning · series
7 min
2025·01·07
Year in cyber AI 2024: what was real, what was not
Post 9 of the AI series. The 2024 retrospective. Six security copilots shipped; one major outage reshaped the resilience conversation; reasoning models arrived; agents mostly did not. The honest read going into 2025.
ai · retrospective · soc · series
8 min
2024·11·26
Agentic AI, year one: the demo vs the deployment
Post 8 of the AI series. AI agents in cyber operations have been demoed everywhere this year. The agent that actually ships looks different from the demo. The honest read after twelve months — and the shape of agent EmilyAI already is, not by accident.
ai · agentic · soc · series
8 min
2024·10·08
Reasoning models: what o1 changes for SOC work
Post 7 of the AI series. OpenAI's o1 launched in September with a different model shape — *think longer, reason step by step*. What this means for the SOC, where the gains are real, and where EmilyAI's purpose-specific architecture continues to win.
ai · soc · reasoning · series
7 min
2024·08·27
Single-vendor concentration: the CrowdStrike lesson applied to AI
Post 6 of the AI series. The July 2024 CrowdStrike outage was not an AI incident, but it tells us a great deal about where the AI-in-security market is heading. Why single-vendor concentration of intelligent agents is a structural risk worth modelling now.
ai · soc · concentration · resilience · series
7 min
2024·07·02
Open-source models and the on-prem option
Post 5 of the AI series. Llama 3, Mistral, Mixtral. The serious open-source LLM era arrived in 2024. What it means for security teams who do not want to send data to a hyperscaler, and how the on-prem path reads against EmilyAI's single-tin posture.
ai · soc · open-source · llm · series
7 min
2024·05·28
The hexagonal lesson: vendor agnosticism as structure
Post 4 of the AI series. Most security AI products are anchored to one vendor's platform. EmilyAI was built in 2018 with a hexagonal architecture that decouples the analyst from the SIEM matrix. Six years on, the choice is paying back in a way I did not anticipate.
ai · soc · architecture · series
7 min
2024·04·09
The Copilot-for-security wave: what they actually do
Post 3 of the AI series. Microsoft Security Copilot, CrowdStrike Charlotte, SentinelOne Purple, Google Sec-PaLM — the wave of LLM-powered security assistants. What they actually do well, what they do less well, and how the framing reads against EmilyAI.
ai · soc · copilot · vendor · series
8 min
2024·02·27
Deterministic inference: the property the market is losing
Post 2 of the AI series. Same input, same output, every time. A property that used to be table stakes in production systems and that LLM-based security tooling has quietly let go of. Why it matters and how EmilyAI is built to preserve it.
ai · soc · determinism · series
7 min
2024·01·09
AI in cyber: the long view from 2018
Start of a six-weekly series tracking how AI in cyber security is developing through 2024 and beyond — and how each development reads against EmilyAI, the SOC analyst I have been running in production at Hedgehog since 2018.
ai · soc · series · emilyai
6 min