Dragos launches EmberAI for operational technology teams

Dragos has launched EmberAI, an artificial intelligence assistant for operational technology security teams. The product is aimed at critical infrastructure operators, including utilities, manufacturers, pipeline operators and data centre owners.

The system is designed for operational technology environments rather than as a general-purpose AI tool. It draws on Dragos's internal intelligence platform, which combines threat intelligence, incident response work, vulnerability research and operational data gathered over more than a decade.

The launch comes as operators of industrial and essential services face growing concern over cyber attacks that can disrupt physical processes as well as digital systems. The risks have also increased pressure on organisations that often struggle to recruit and retain specialists with operational technology security expertise.

EmberAI lets analysts ask questions in plain language and receive responses tied to assets, vulnerabilities, network activity and known threat behaviour in their own environments. The tool is intended to help teams assess which threats matter most to operations and support decisions during incident response.

Dragos has positioned the assistant around a human oversight model, with analysts retaining control over final security decisions. Recommendations are transparent and auditable, and customer data remains within the customer's own deployment of the Dragos platform.

OT focus

Dragos is targeting sectors where operational technology sits at the centre of service delivery, including power grids, manufacturing plants, water systems, pipelines and data centres. In those settings, an incorrect judgement or delayed response can have direct consequences for production, resilience and safety.

Unlike broad AI systems trained across many types of data, EmberAI has been trained on operational technology-specific information. That includes more than five petabytes of daily telemetry, adversary tracking across named OT threat groups, research covering more than 600 OT protocols and Dragos's work as a CVE Numbering Authority.

This foundation is intended to give analysts more than raw visibility into industrial networks. The product links information on devices, vulnerabilities, threats and activity to provide context around what an alert means for a specific site or process.

It also maps detections and alerts to known OT threat groups and attack patterns. This is designed to help analysts understand whether suspicious activity reflects a known method used against critical infrastructure and how they should rank the issue against other operational risks.

Skills gap

The release reflects a wider push across the cybersecurity industry to apply AI tools to investigation, triage and reporting tasks. In industrial security, vendors argue that specialised models are needed because systems in factories, utilities and other infrastructure settings use different protocols, devices and operational constraints from mainstream IT environments.

EmberAI is intended for staff across a range of experience levels, from IT practitioners and plant engineers working in OT settings to established OT security professionals. The aim is to reduce the manual work involved in gathering information from multiple tools and compiling incident summaries.

Dragos analysts are also building a library of guided workflows based on methods used in investigations, proactive services and incident response. That workflow library will be made available separately.

Robert M. Lee, chief executive officer and co-founder of Dragos, outlined the rationale for the launch.

"We built EmberAI to harness Dragos's decade-plus of experience in threat intelligence, incident response, adversary tracking, and frontline operations for OT environments," said Robert M. Lee, chief executive officer and co-founder of Dragos.

"It is hard to reproduce this depth of OT-specific expertise and build AI that understands and can action OT specific findings," Lee said.

EmberAI is available inside the Dragos platform, where it operates within the environment already controlled by the customer. Dragos said the assistant will continue to develop as it adds more data sources across what it calls the extended operational technology environment.

EmberAI is generally available inside the Dragos platform.