Dragos, the global leader in cybersecurity for operational technology (OT) environments, today announced the release of EmberAI, an OT-native AI built on the Dragos Intelligence Fabric, the world’s largest OT cybersecurity data set. EmberAI gives every analyst immediate access to Dragos OT-specific intelligence gained from over a decade of OT actions, activity, and knowledge.
Putting historical and real-time intel in the hands of every security analyst, EmberAI enables teams to gain detailed visibility into assets, vulnerabilities, and network activity across their OT environment. They can prioritise threats by operational impact and act on findings specific to their environment. EmberAI empowers every analyst, regardless of experience, to move from alert to informed action faster, and make defensible decisions grounded in real adversary data.
Threat activity against critical infrastructure is accelerating. At the same time, the gap in OT cybersecurity skills that are needed to address these complex tactics and techniques is widening. Existing tools prioritise visibility over understanding, and general-purpose AI lacks the operational context to distinguish a critical exposure from background noise or to prioritise threats by their actual impact on operations. In OT, any delayed or incorrect decision can have direct consequences for operational safety, resilience, and control.
Organisations responsible for securing extended operational technology (xOT) environments, including power grids, manufacturing plants, water systems, pipelines, and data centres, need AI that is built on the right intelligence and grounded in operational reality. EmberAI helps analysts across the full range of experience – from IT practitioners and plant engineers operating in OT environments to seasoned OT professionals – to see, understand, and act with the confidence of an OT expert. They can prioritise what matters operationally, and act effectively on findings that threaten safe operations.
“We built EmberAI to harness Dragos’s decade-plus of experience in threat intelligence, incident response, adversary tracking, and frontline operations for OT environments,” said Robert M. Lee, CEO and Co-Founder, Dragos. “It is hard to reproduce this depth of OT-specific expertise and build AI that understands and can action OT-specific findings.”
In our opinion, Gartner guidance on AI for cyber-physical system (CPS) security supports this approach: “Favour solutions that use a highly tuned, CPS-specific intelligence engine, instead of risking intellectual property and data sovereignty by feeding sensitive operational telemetry into an opaque, cloud-based global model.” [1]
What Powers EmberAI
The Dragos Intelligence Fabric is built on over five petabytes of daily OT telemetry, 10-plus years of adversary tracking across named OT threat groups, proprietary OT vulnerability research as a CVE Numbering Authority, asset and protocol research spanning more than 600 OT protocols, and frontline incident response experience from critical infrastructure environments. The Dragos Intelligence Fabric continuously learns as new intelligence surfaces, field insights accumulate, and threat groups adopt new behaviours.
This foundation enables EmberAI to operate on a principle that distinguishes it from generic AI: OT-specific intelligence applied in context. EmberAI is central to Dragos’s xOT security strategy, securing the full extended operational technology environment that influences critical operational processes. As Dragos’s xOT integrations expand the Intelligence Fabric with new data sources, EmberAI’s intelligence and capabilities will grow with it.
How It Works
- Intelligence-Driven Query Engine: Analysts ask questions in plain language and receive precise, OT-contextual answers grounded in the Dragos Intelligence Fabric. This eliminates the need to manually pivot across disconnected tools or correlate data from multiple sources.
- Contextual Correlation Across the Environment: EmberAI connects assets, vulnerabilities, threat intelligence, and network activity into a unified, real-time understanding. Decisions are based on full operational context, not isolated or irrelevant technical signals.
- Adversary-Informed Guidance: Detections and alerts are mapped to known OT threat groups, observed attack patterns, and real behaviours drawn from the Dragos Intelligence Fabric. Analysts understand not just what is happening, but what it means for their environment and how to prioritise their response.
- Workflow Acceleration and Automation Support: From alert triage to incident summaries and reporting, EmberAI reduces hours of error-prone manual work. Analysts spend less time gathering data and more time making informed decisions.
- Expert-Built OT Skills: Dragos analysts are building and validating a rich library of guided, repeatable workflows that encode the same expertise they apply during proactive services, investigations, and incident response. This library will be available soon.
- Continuous Learning Through the Intelligence Fabric: As new intelligence and field insights surface, the Dragos Intelligence Fabric evolves and EmberAI becomes more efficient and effective.
Design Principles
The analyst remains in control at every step. Every recommendation that EmberAI surfaces is transparent and auditable, enabling defensible workflows. Customer data never leaves the customer’s environment. EmberAI operates inside the Dragos Platform deployment the organisation already controls. These design choices reflect a foundational “human in the loop” principle for OT: the person responsible for protecting an environment must own the final decision.
EmberAI is generally available today inside the Dragos Platform. More information is available at dragos.com/emberai.
[1] Gartner, Cut Through CPS Security Vendors’ AI Hype with 10 Questions, Katell Thielemann, 27 May 2026. GARTNER is a trademark of Gartner, Inc. and/or its affiliates.
About Dragos
Dragos provides the most comprehensive OT cybersecurity technology to deliver on its global mission: to safeguard civilization. Built for the extended operational technology environment, or xOT, Dragos technology delivers asset visibility, continuous monitoring, OT vulnerability management, segmentation validation, device protection, and real-time threat detection, powered by the industry’s largest OT/ICS threat intelligence team. Dragos serves critical sectors including electric, oil and gas, manufacturing, water, transportation, mining, data centers and government. Privately held and headquartered in the Washington, DC area, Dragos operates globally across North America, EMEA, and APAC. Visit dragos.com.




