Dragos has announced the release of EmberAI, an OT-native AI built on the Dragos Intelligence Fabric. EmberAI gives every analyst immediate access to Dragos’s OT-specific intelligence, gained from more than a decade of OT operations, activity, and expertise.
Putting historical and real-time intel in the hands of every security analyst, EmberAI enables teams to gain detailed visibility into assets, vulnerabilities, and network activity across their OT environment. They can prioritize threats by operational impact and act on findings specific to their environment. EmberAI empowers every analyst, regardless of experience, to move from alert to informed action faster, and make defensible decisions grounded in real adversary data.
Threat activity against critical infrastructure is accelerating. The OT cybersecurity skills needed to address these complex tactics and techniques continue to grow, and the shortage of professionals who can meet that demand continues to widen. Existing tools prioritize visibility over understanding, and general-purpose AI lacks the operational context to distinguish a critical exposure from background noise or to prioritize threats by their actual impact on operations. In OT, any delayed or incorrect decision can have direct consequences for operational safety, resilience, and control.
Organizations responsible for securing extended operational technology (xOT) environments, including power grids, manufacturing plants, water systems, pipelines, and data centers, need AI that is built on the right intelligence and grounded in operational reality. EmberAI helps analysts across the full range of experience—from IT practitioners and plant engineers operating in OT environments to seasoned OT professionals—to see, understand, and act with the confidence of an OT expert. They can prioritize what matters operationally, and act effectively on findings that threaten safe operations.
“We built EmberAI to harness Dragos’s decade-plus of experience in threat intelligence, incident response, adversary tracking, and frontline operations for OT environments,” said Robert M. Lee, CEO, Dragos. “It is hard to reproduce this depth of OT-specific expertise and build AI that understands and can action OT-specific findings.”
In our opinion, Gartner guidance on AI for cyber-physical system (CPS) security supports this approach: “Favor solutions that use a highly tuned, CPS-specific intelligence engine, instead of risking intellectual property and data sovereignty by feeding sensitive operational telemetry into an opaque, cloud-based global model.”
What powers EmberAI
The Dragos Intelligence Fabric is built on over five petabytes of daily OT telemetry, 10-plus years of adversary tracking across named OT threat groups, proprietary OT vulnerability research as a CVE Numbering Authority, asset and protocol research spanning more than 600 OT protocols, and frontline incident response experience from critical infrastructure environments. The Dragos Intelligence Fabric continuously learns as new intelligence surfaces, field insights accumulate, and threat groups adopt new behaviors.
This foundation enables EmberAI to operate on a principle that distinguishes it from generic AI: OT-specific intelligence applied in context. EmberAI is central to Dragos’s xOT security strategy to secure the full extended operational technology environment that influences critical operational processes. As Dragos’s xOT integrations expand the Intelligence Fabric with new data sources, EmberAI’s intelligence and capabilities will grow with it.
How it works
- Intelligence-driven query engine: Analysts ask questions in plain language and receive precise, OT-contextual answers grounded in the Dragos Intelligence Fabric. This eliminates the need to manually pivot across disconnected tools or correlate data from multiple sources.
- Contextual correlation across the environment: EmberAI connects assets, vulnerabilities, threat intelligence, and network activity into a unified, real-time understanding. Decisions are based on full operational context, not isolated or irrelevant technical signals.
- Adversary-informed guidance: Detections and alerts are mapped to known OT threat groups, observed attack patterns, and real behaviors drawn from the Dragos Intelligence Fabric. Analysts understand not just what is happening, but what it means for their environment and how to prioritize their response.
- Workflow acceleration and automation support: From alert triage to incident summaries and reporting, EmberAI reduces hours of friction-laden and often error-prone manual work. Analysts spend less time gathering data and more time making informed decisions.
- Expert-built OT skills: Dragos analysts are building and validating a rich library of guided, repeatable workflows that encode the same expertise they apply during proactive services, investigations, and incident response. This library will be available soon.
- Continuous learning through the Intelligence Fabric: As new intelligence and field insights surface, the Dragos Intelligence Fabric evolves and EmberAI becomes more efficient and effective.
Design principles
The analyst remains in control at every step. Every recommendation that EmberAI surfaces is transparent and auditable, enabling defensible workflows. Customer data never leaves the customer’s environment. EmberAI operates inside the Dragos Platform deployment the organization already controls. These design choices reflect a foundational “human in the loop” principle for OT: the person responsible for protecting an environment must own the final decision.
