Security Copilot for SOC: bringing agentic AI to every defender

Cybersecurity has entered an era of relentless complexity. As threat actors increasingly leverage artificial intelligence to automate attacks, evade detection, and scale their tactics, defenders are challenged to keep up. In this new era, security operations centers (SOCs) must transform to not just react, but to anticipate, disrupt, and outpace the next wave of cyberthreats.

Microsoft’s goal is to empower every organization to meet this challenge head-on by transforming how security operates. We believe the future of the SOC is more than just agentic: it’s predictive and proactive. This means moving beyond fragmented tools and manual processes, and instead embracing a unified, intelligent approach where AI-driven skills and agents work in concert with human expertise.

To bring this vision to life, it’s essential to look at the SOC through the lens of its lifecycle—a dynamic continuum that spans from anticipation and prevention through to recovery and optimization—and to recognize the unique challenges and opportunities within each stage. With Security Copilot’s GenAI and agentic capabilities woven across this lifecycle, Microsoft is delivering an integrated defense platform that enables defenders to move faster, act smarter, and stay ahead of adversaries.

Introducing agentic innovation across the SOC lifecycle

At Ignite, our agentic innovations are concentrated in three of the five SOC lifecycle pillars, and each one represents a leap forward in how analysts anticipate, detect, triage and investigate threats.

Predict and prevent

• Threat Intelligence Briefing Agent: Introduced in March, this agent has already helped security teams move from reactive to anticipatory defense. At Ignite, we’re announcing that the Threat Intelligence Briefing Agent is now fully embedded in the Microsoft Defender portal, delivering daily, tailored briefings that synthesize Microsoft’s unparalleled global intelligence with organization-specific context in just minutes. Teams no longer need to spend hours gathering TI from disparate sources—the agent automates this process, offering the most current and relevant insights. Analysts can reference the summary to prioritize action, using the agent’s risk assessments, clear recommendations, and links to vulnerable assets to proactively address exposures.

Detect and disrupt

• Dynamic Threat Detection Agent: Detections have long been bottlenecked by the limitations of traditional alerting systems, which rely on predefined logic that can’t scale fast enough to match the speed and variability of modern attacks— resulting in blind spots and missed threats. The Dynamic Threat Detection Agent addresses this challenge head-on. Instead of depending on static rules or isolated input, it continuously analyzes incidents and telemetry, searching for gaps in coverage and correlating signals across the entire security stack. For example, this is how it surfaced a recent AWS attack: a threat actor used an EntraID account to federate into an AWS admin account to exfiltrate sensitive data. The Dynamic Threat Detection Agent generated an alert before the intruder even authenticated into the single sign-on flow, driven by a correlated signal from Sentinel. That alert didn’t exist beforehand; the agent created it on the fly to stop the attack. The result is an adaptive system that extends Microsoft’s industry-leading, research-based detections with context-aware alerts tailored to each organization, closing gaps and revealing threats that legacy systems miss.

Triage and investigate

• Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts and resolves false positives, escalating only the malicious cases that require human expertise. At Microsoft Ignite, we’re announcing its general availability, backed by strong early results: the agent identifies 6.5 times more malicious alerts, improves verdict accuracy by 77%, and frees analysts to spend 53% more time investigating real threats. St. Luke’s even said it’s saving their team nearly 200 hours each month. Coming soon, we’ll be extending these autonomous triage capabilities beyond phishing to identity and cloud alerts, bringing the same precision and scale to more SOC workflows.

• Threat Hunting Agent: this agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can vibe with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. It levels up the existing Security Copilot NL2KQL capability by enabling teams to explore patterns, pivot intuitively and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level.

Agents built into your workflows

To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers.    

Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30-day advanced notice before activation. Learn more: https://aka.ms/SCP-Ignite25

Discover more: the Security Store

The Security Store, now generally available, is the central hub for discovering, deploying, and managing first-party and third-party security agents. Today, it provides instant access to 20+ agents deployable directly in the Microsoft Defender portal, all within a broader ecosystem of 100+ trusted security solutions. Whether you're investigating incidents, hunting threats, or automating response, the Security Store extends Defender with vetted, scenario-aligned tools that can be set up in minutes. Learn more in this blog.

Introducing new GenAI embedded capabilities

Security Copilot isn’t just growing through agents—it’s also gaining new embedded capabilities: GenAI skills that help SOC teams work faster, operate at greater scale, and get upleveled directly inside Microsoft Defender. Today, we’re excited to introduce new innovations:

• Analyst Notes represent a meaningful shift in how investigation work is captured and shared. For organizations that choose to opt into this capability, Copilot automatically reconstructs an analyst’s investigation session—from the moment they open an incident to the moment they close it—and turns that activity into clear, structured notes. The system can even track multiple sessions in parallel and attribute actions to the right incident, and analysts can fully review and edit the generated notes before saving them. This not only saves teams valuable time and effort, it preserves the actual investigation path with far greater accuracy and consistency than manual documentation ever could. The result is a living, cumulative record of how the SOC investigates threats: easier handoffs, stronger auditability, faster onboarding, and a deeper shared understanding of how incidents unfold across multiple SecOps members and phases.
• Standard Operating Procedures (SOPs) for guided response allows organizations to upload their own internal procedures so Security Copilot can align its recommendations with established guidebooks and compliance requirements. Guided response is one of the ways Copilot helps analysts navigate an incident: it offers one-click actions across triage, containment, investigation and remediation that teams can take immediately. With SOPs uploaded, these recommendations draw directly from organizational workflows and policy standards, ensuring they are contextually relevant and trusted. For defenders, this translates into greater confidence and faster, more consistent decision-making.  

We’re also eager to share that we’re introducing auto-generated content configuration for Security Copilot’s incident summaries. This new feature allows security admins to decide how and when summaries are produced, choosing between always auto-generating, manual trigger only, or auto-generating based on incident severity. The configuration is managed directly in the Microsoft Defender portal, giving organizations flexibility to fine-tune Copilot’s outputs to their operational needs.

Join us at Ignite

We invite you to learn more and see these innovations in action at Microsoft Ignite. Don’t miss our featured sessions:

• Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19^th with Allie Mellen, Corina Feuerstein, and Rob Lefferts. Learn more.
• Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21^st with Corina Feuerstein and Cristina da Gama. Learn more.

Join us to discover how Microsoft is shaping the future of cybersecurity—making intelligent, agentic defense accessible to every organization.