Cyber Security · Human Risk Intelligence

82% of breaches have a human at the centre.

Your security stack monitors systems, networks, and endpoints. EchoDepth monitors the humans — detecting the emotional and behavioural signals that precede insider incidents, enable phishing attacks, and hide inside deepfake communications before your existing tools can see them.

EchoDepth by Cavefish AI Ltd · Cardiff, Wales · Camera-based emotion recognition AI

82% of breaches: human factor
44 facial action units tracked
~700ms real-time detection
SIEM · SOAR · GRC ready
The Cyber Security Blind Spot

Why do 82% of cyber breaches involve a human?

The Verizon DBIR consistently finds that 82% of data breaches involve a human element — phishing, misuse of credentials, social engineering, or insider action. Your existing security stack generates alerts after the event. EchoDepth generates signals before it.

Employees under emotional duress show measurable behavioural patterns weeks before a security incident. Phishing emails carry distinct emotional signatures. Deepfake video calls produce facial AU sequences that authentic faces cannot. EchoDepth reads all of it — and feeds structured signal directly into your SIEM, SOAR, and GRC workflows.

// ECSO Cyber Solution Days · Cardiff · March 2026

"The most exploited vulnerability in your organisation doesn't have a CVE. It has a pulse."

Breaches with human involvement
82%
Verizon DBIR 2024. Phishing, insider action, credential misuse, social engineering — all human-originated vectors.
Insider incidents with prior signals
~82%
Of insider security incidents show elevated emotional markers in the 30 days prior — CISA research. EchoDepth surfaces that window.
Average time to detect insider threat
197 days
IBM Cost of a Data Breach 2024. EchoDepth compresses the detection window to hours, not months.
EchoDepth Cyber Capabilities

Three signal channels. One human risk score.

EchoDepth analyses the human layer of your security environment across facial behaviour, text communications, and voice-face alignment — producing a unified human risk signal for your security operations team.

Facial Analysis

Real-time cognitive & emotional state

44 facial Action Units mapped live. Detects stress, deception, cognitive overload, and disengagement as they happen — in access-controlled areas, SOC analyst workstations, and interview environments.

Trust score: 0.71
Cognitive load: HIGH
Stress index: ELEVATED
Text Analysis

The intent behind the words

Every phishing email, insider message, or board communication carries an emotional fingerprint. EchoDepth reads the intent behind the words — surfacing manipulation, urgency amplification, and suppressed deception signals in real time.

Detected: Annoyance · Disapproval
Surprise (negative) · Urgency
Deepfake Detection

Real AU analysis. Not pixel prediction.

Deepfakes synthesise pixel patterns — they cannot accurately reproduce the micro-coordination of real AU sequences. EchoDepth flags temporal coherence breaks and voice-face alignment mismatches as a compound authenticity score.

AU coherence: ANOMALOUS
Authenticity: LOW
Cyber Security Use Cases

Where human risk meets operational reality.

01

Insider Risk Detection

Employees under emotional duress show measurable AU patterns weeks before a security event. EchoDepth establishes a continuous emotional baseline per individual and flags significant deviations to your security operations team — before the incident, not after the investigation.

// STRESS BEFORE THE INCIDENT

02

Phishing & Social Engineering Defence

Social engineering emails carry distinct emotional signatures — urgency amplification, artificial authority, suppressed ambiguity. EchoDepth's text analysis surfaces the manipulation pattern in real time, before the user clicks. Integrate directly with your email security gateway or SOAR playbook.

// INTENT HIDDEN IN PLAIN TEXT

03

Board & Leadership Oversight

Leadership presentations during cyber incidents can be analysed for confidence, alignment, and hidden resistance. EchoDepth provides boards and audit committees with an objective emotional signal layer during crisis communications — detecting inconsistency between stated position and physiological state.

// CRISIS COMMS UNDER PRESSURE

// DEEPFAKE DETECTION · POKERFACE

Can EchoDepth detect deepfakes?

Yes — and it's a natural fit for how the engine works.

Action Units require real muscle

EchoDepth maps 44 facial muscle movements. Deepfakes synthesise pixel patterns — they cannot reproduce the micro-coordination of real AU sequences. The tell is in the gaps.

Temporal coherence breaks down

Authentic faces show consistent AU transitions over time. Generative models introduce frame-level inconsistencies in brow, lip, and eye muscle groupings that EchoDepth flags as anomalous.

Voice-face alignment mismatch

A cloned voice paired with a synthetic face produces mismatched emotional signatures — detectable as a compound authenticity score when audio and facial signals are analysed together.

SIEM · SOAR · GRC Integration

Plugs into your existing security stack.

EchoDepth is not a standalone tool. It is a human risk signal layer that feeds directly into the platforms your security operations team already uses.

SIEM Integration

Human signals in your security console

REST API and WebSocket output feeds human risk scores, insider anomaly alerts, and phishing intent signals directly into Splunk, Microsoft Sentinel, IBM QRadar, and other SIEM platforms. Structured JSON output maps to your existing alert taxonomy.

  • Splunk · Microsoft Sentinel · IBM QRadar compatible
  • Configurable alert thresholds per individual baseline
  • Timestamped audit trail for incident response
SOAR & GRC

Automated response and risk reporting

EchoDepth integrates with SOAR orchestration workflows to trigger automated response playbooks when human risk thresholds are breached. GRC platform integration provides continuous human risk scoring for board-level reporting and regulatory audit requirements.

  • SOAR playbook trigger via webhook or API event
  • GRC risk register feeds with continuous human risk scores
  • UK GDPR and ISO 27001 compliant data handling
SOC Analyst Readiness

Your analysts are human too

SOC analysts operating on extended shift patterns face sustained cognitive load — and fatigued analysts miss threats. EchoDepth monitors analyst cognitive readiness across the shift, alerting supervisors before performance degradation affects alert handling accuracy.

  • Passive monitoring via existing workstation cameras
  • Fatigue and overload alerts before accuracy degrades
  • Shift handover readiness scoring for SOC management
Deployment

UK sovereign cloud or full air-gap

All data processed within UK borders as standard. Full on-premise deployment available for environments where cloud connectivity is not acceptable. No external telemetry, no outbound data transmission. Docker-based deployment compatible with existing security infrastructure.

  • UK sovereign cloud — all data stays in the UK
  • Full on-premise / air-gapped deployment available
  • Cyber Essentials compatible infrastructure
Common Questions

What CISOs and security teams ask.

How does EchoDepth address the human factor in cyber security?

EchoDepth provides cyber security teams with a continuous human risk signal layer — monitoring the emotional and behavioural state of personnel in real time. It detects insider risk precursors through facial AU analysis, surfaces phishing and social engineering intent through text emotional fingerprinting, and identifies deepfake communications through AU temporal coherence analysis. All output feeds into existing SIEM, SOAR, and GRC platforms.

Can EchoDepth detect phishing and social engineering?

Yes. Phishing emails and social engineering messages carry distinct emotional signatures — elevated urgency, artificial authority framing, suppressed ambiguity. EchoDepth's text analysis engine surfaces these manipulation patterns as a real-time risk score. The output integrates with email security gateways and SOAR playbooks to trigger automated protective responses before users interact with malicious content.

How does EchoDepth detect deepfakes?

EchoDepth maps 44 facial Action Units in real time. Deepfakes synthesise pixel patterns but cannot reproduce the micro-coordination of authentic AU sequences. EchoDepth flags frame-level inconsistencies in brow, lip, and eye muscle groupings — and when audio is present, detects voice-face alignment mismatches that indicate a cloned voice paired with a synthetic face. Output is a compound authenticity score. Contact us to discuss deepfake detection requirements.

Does EchoDepth work with our existing SIEM?

Yes. EchoDepth provides REST API and WebSocket output that integrates with Splunk, Microsoft Sentinel, IBM QRadar, and other major SIEM platforms. Structured JSON output maps to standard alert taxonomies. SOAR webhook triggers and GRC risk feed integrations are also available. A full API and integration specification is available on request.

Is EchoDepth compliant with UK cyber security standards?

EchoDepth processes biometric data with pseudonymisation by default, role-based access controls, and full audit logging. The platform operates within UK GDPR requirements, is aligned with NCSC principles, and is on the ISO 27001 certification pathway. All data is processed within UK borders as standard. A full data processing agreement and security questionnaire response is available under NDA. Compatible with Cyber Essentials infrastructure requirements.

Comparison

How does EchoDepth differ from SIEM, UEBA, and DLP tools?

Existing tools detect events after they happen. EchoDepth detects the human signals that precede them.

Capability | SIEM (e.g. Splunk, Sentinel) | UEBA Tools | DLP Solutions | EchoDepth
Detects pre-incident signals | ✗ Post-event alerts | Partial — behavioural only | ✗ Post-exfiltration | Emotional + behavioural
Human emotional state | 44 FACS Action Units
Phishing intent detection | Partial — keywords only | Text emotional fingerprint
Deepfake detection | AU temporal coherence
SOC analyst readiness | Real-time fatigue scoring
SIEM/SOAR integration | ✓ Native | Partial | REST API / WebSocket
Air-gap / on-premise | Partial | Partial | Partial | Full on-premise / Docker
Briefings Available

See What Your Security Stack Is Missing.

Structured technical briefings for defence procurement, security leadership, and intelligence teams. NDA available. Air-gapped demo environment on request.

DEFENCE@CAVEFISH.CO.UK  ·  CARDIFF, WALES  ·  UK DATA RESIDENCY STANDARD