How a Top 200 Law Firm Uses AI to Stay Ahead of Cyber Threats

Introduction

Spencer Fane LLP is a nationally ranked law firm: 105th in the US by size, 133rd on the Am Law 200, and more than 600 attorneys across roughly 30 offices. At that scale, the security challenge isn’t just technical. It’s cultural. Attorneys move fast, serve demanding clients, and operate in an environment built around flexibility and autonomy. That means restrictive controls aren’t really an option.

Mike Knipple, Director of Information Security, and Jared Fields, Security Analyst, sit on different sides of that challenge. Mike owns strategy and metrics. Jared is in the work every day, triaging emails, managing the stack, and keeping pace with a threat landscape that never slows down. Here’s how they each describe what Embed changed.

The Business Perspective

Q: What makes security different in a law firm environment?
Mike: Law firms operate on trust, responsiveness, and time sensitivity. Attorneys rely heavily on email and collaboration tools to serve clients effectively, often under tight deadlines. From a security standpoint, that means we can’t rely solely on restrictive controls. We have to apply security in a way that’s accurate, fast, and minimally disruptive, while still managing real and evolving risk.

Q: What did your email investigation process look like before Embed?
Mike: Before Embed, email investigations were highly manual. Attorneys would forward suspicious messages to the security team, and analysts would review each one individually. While the approach supported the firm’s service model, it was time-intensive and repetitive, which made it harder for the team to focus on higher-risk and higher-value security work.

Q: How are you measuring the business impact of Embed?
Mike: In any organization you have to get to a metric-level view to quantify the business impact. You’ve got to get the best you can from a metric point of view. Embed allowed us to turn multiple variables of human resources, time to respond, and accuracy to create a baseline. That baseline allows us to continue to improve from there as a business. Through the tool, analysts can see what is good and what is wrong, and it is going through a process to help them improve their internal metrics, adapting to their environment.

Q: What was your initial reaction to using AI for this?
Mike: Like many security leaders, I approached AI with healthy skepticism. We’re cautious about tools that introduce noise or obscure decision logic. What changed my perspective was seeing how Embed applies AI in a focused, explainable way that supports analysts rather than replacing human judgment.

Q: What gives you confidence in the platform?
Mike: Confidence comes from transparency. Embed provides insight into how it reaches its conclusions, highlighting the indicators and behaviors that contribute to risk determinations. That visibility allows our team to validate findings, apply professional judgment, and maintain accountability in decision-making.

Q: What’s your vision for the future of AI in the SOC?
Mike: I see AI helping in multiple phases, including compliance. First, it can be used to identify what’s important and what’s not, and it can help work those important ones before it even goes to the SOC, so the SOC can react immediately. Second, you can get a more in-depth review over time of your environment, find things you missed, find things better and faster. Does it replace the human? No. It can make the human faster and more efficient. AI gets the noise out of the way and allows the human to make the faster decision.

The Technical Perspective

Q: Can you think back to life before Embed, what were the challenges?
Jared: Life before Embed was, oddly enough, many steps back from other places I’ve worked. Essentially, we filtered very little email traffic and left it up to the attorneys. They could forward any email they wanted to the security team, and the security team would manually read the email and say click on it or don’t, or it’s good or it’s bad, or it’s safe or it’s unsafe. We got in touch with Embed, we started talking to them, and that’s where we started to see a great shift in just the speed of being able to look at these types of things.

Q: How did Embed change your day-to-day work?
Jared: Now it’s basically at a glance, we can look at the Embed portal and see each case, each email that comes through for attorneys asking. We can identify issues automatically. All the manual steps that we used to do, Embed does it for us. It knocked it down to a small percentage of the time we used to spend reading emails. There are a lot of times where I would take a link, use an external third-party tool to investigate the link to see if it’s okay. It all is automatically done through Embed now.

Q: Does Embed layer into your existing security stack?
Jared: We do have an email gateway. Emails will come in, they hit the gateway first, and then they’ll come to us. We have SOAR with CrowdStrike, and Embed will also let you know if people are clicking on links and downloading weird stuff, so that is connected to the CrowdStrike data protection module. We do have a SIEM setup as well. We’re also working on getting integrated with CrowdStrike to test bad file hashes for attachments.

Q: What was your first reaction to agentic AI being applied to email security?
Jared: As a security professional working today, I think there’s a lot of hype around AI , you see AI thrown out everywhere. My first reaction when I heard this is a tool that uses AI to look at emails, I thought that’s going to be full of false positives or false negatives. What’s AI going to be doing that I can’t? That being said, the part that really changed my mind about it is the head guys and the developers, explain it from a true security perspective. It wasn’t the sales room where it’s like “look at all this AI you’re going to be using”, it was more like: this is exactly what we’re doing with the tool, and the goal is to solve a security problem, not to check a box and say you’re using AI. That was the most impressive part to me.

Q: What builds your confidence in the platform’s analysis?
Jared: The false positive or false negative rate is minuscule compared to other tools I’ve used. I feel really, really confident. It’s gotten to a point where it’s so efficient and its analysis is really, really trustworthy. It’ll identify what part of the language in the email looks off. It’s easy to identify a dirty link or a suspicious attachment if you’re an analyst, but having to read through and process exactly what an email is saying, identify different parts of the language where it’s saying this is a call to action, that really pops out to me. That’s the number one thing that speeds up the whole process.

Q: If you were talking with your security peers, what would you tell them about Embed?
Jared: I would definitely brag about the platform. The thing that really sticks out to me when I talk to other security professionals about Embed is that these guys are just so, so smart. I’ve learned so much from them just working with them on this, and it goes beyond just the product.

Closing Thoughts

For both Mike and Jared, the story of Embed at Spencer Fane is about doing more with what you have. In an environment where security has to earn its place alongside attorneys who have the final say, speed, accuracy, consistency, and transparency aren’t just nice to have, they’re the whole game. Embed gave the team a way to move faster, build a measurable baseline, and finally get ahead of challenges.