AI twins of your leadership team. Real crisis scenarios. Every cascade, every missed handoff, every tolerance breach, visible before the regulator comes looking.
You filed your impact tolerances on time. Your IBS register is mapped. On paper, it all looks solid.
But you've never actually tested what happens when someone pulls the trigger on isolating a compromised claims system at 2am. Who calls who? How long before the broker portal goes dark? Does anyone even know the FCA notification threshold's been crossed, or does that surface three days later in a review?
The FCA already knows this is where firms are weakest. They reviewed 47 insurers and found exactly what you'd expect: tolerances that don't account for real consumer harm, missing services, frameworks that look complete until something actually goes wrong.
And now the clock's ticking on something new. The FCA confirmed new operational incident and third-party reporting rules in March 2026, giving firms 12 months before enforcement starts. That means a structured pipeline for detecting, escalating, and reporting serious incidents through a single portal shared with the PRA and Bank of England, and most firms haven't started building it.
Your Head of Op Res has done good work mapping the dependencies. But a static register can't tell you what breaks when things move fast. And the annual tabletop (two hours, everyone on best behaviour, £50k to a consultancy) doesn't come close to replicating the pressure of a real incident unfolding over days.
You're the one who'll be answering the board's questions when it goes wrong. Right now, you're answering with assumptions.
Not your infrastructure. Your people.
We model your escalation paths, your RACI, your decision-makers: how your organisation actually works when the pressure's on, not how the org chart says it should work.
Then we run a crisis scenario. AI personas of your CISO, CEO, CRO, and functional heads make decisions in real time. You watch the cascade unfold: which handoffs get missed, which tolerances breach, which downstream services nobody thought about until they went dark.
You stop defending a paper framework and start showing the board evidence: either that your response works, or exactly what needs fixing and why. Either answer is more valuable than what you've got today.
This is the moment their tolerance mapping and IBS register finally get tested against something that moves. Monthly, not annually. Dynamic, not scripted. And every run produces documentation they don't have to write by hand.
We build AI personas of your actual C-suite and functional heads. Not generic roles, but twins calibrated to your org structure, your escalation chains, and your decision patterns. They respond inside the simulation. You see who escalates late, where accountability gets fuzzy, and which handoffs fall through. A tabletop will never surface this because everyone's performing. The simulation doesn't perform.
When you isolate a system, we show you everything downstream that breaks: broker SLAs, policyholder journeys, third-party dependencies, regulatory notification thresholds. The FCA reported that more than 40% of cyber incidents in 2025 involved a third party, and the regulator is explicitly working to see through firms' supply chains. This gives you that view before they ask for it.
Real-time alerts when simulated response times blow past your stated tolerances. Not a retrospective finding in a report three weeks later. Instead, a flag in the moment, tied to the specific service and the specific decision that caused the breach. Your Head of Op Res can see exactly where the register's assumptions don't match reality.
The new regime streamlines reporting with clearer thresholds, definitions, and a simplified form for solo-regulated firms. We let your team rehearse the full detect-escalate-classify-report flow under realistic pressure. Because the worst time to learn your incident reporting process is during an actual incident.
Every simulation run produces FCA/PRA-grade after-action documentation automatically. Board-ready, audit-ready, no manual formatting. You walk into the next board meeting with a clear trail: what was tested, what broke, what's been fixed.
Run scenarios as often as you need. Compare results over time. Watch your response capability actually improve instead of hoping it has since last year's exercise. Your Head of Op Res gets a living resilience programme. You get evidence the PRA stress test is looking for: proof that your organisation learns.
Founded AI Dionic in March 2024 after a 16-year cybersecurity career spanning payment services, gaming, insurance, and tech sectors. Former CISO at Gett and Valarian, Global Head of Digital Cybersecurity at Marsh McLennan. Named a Top 30 UK CISO in 2022 by CSO Online. PhD in Artificial Intelligence from the University of Surrey, specialising in Natural Language Processing.
Specialises in designing complex Agentic AI systems with significant open-source contributions. Master's in Operations Research, Applied Statistics, and Risk from Cardiff University. Extensive experience developing AI solutions for financial services including NatWest Group, HSBC, and Shawbrook Bank.
Strong track record taking early-stage cybersecurity companies to international markets while building pipeline and developing partner programmes. Previously VP International (EMEA) at ThreatQuotient and EMEA Sales leadership roles at Sourcefire and Cisco Security.
Led the Global System Integrator Division at BT Global Services. Helped establish World Economic Forum cyber resilience programmes and sat on the Information Security Forum advisory board. Received the Lifetime Achievement Award in 2025.
Founded Aptec as a student, growing it to a $2 billion company before its acquisition by Ingram Micro, where he became CEO for the META region and SVP. Holds several pending AI and Cyber Security patents. PhD in Computer Science from Imperial College London.
We're looking for three firms to co-design the Crisis Room Simulator. You get early access, direct input into the product, and priority onboarding.