Microsoft Defender Threat Intelligence Blog

Introducing the Threat Intelligence Briefing Agent

Mike_Browning
Microsoft
Mar 24, 2025

The Security Copilot Threat Intelligence Briefing Agent produces timely, hyper-relevant threat intelligence reports in just minutes. 

As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing the Security Copilot Threat Intelligence Briefing Agent—a powerful new tool that slashes the time to produce actionable threat reports from hours or days to just minutes. Now in Public Preview, the agent delivers prioritized insights, mapping the latest adversary activity to your unique attack surface so you know exactly which vulnerabilities demand attention now.  

Looking ahead, we’re planning even deeper integrations, such as automated remediation, exposure trend analysis, and more, to empower security teams to stay one step ahead of attackers.

Analysis at Machine Speed 

This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. The agent dynamically builds briefings based on the latest threat actor activity from Microsoft security research and both internal and external vulnerability data sourced from Microsoft Defender Vulnerability Management (MDVM) and Microsoft Defender External Attack Surface Management (EASM). It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such as your organization’s evolving attack surface, your industry, and geographic location.

These briefings, which can be scheduled or run ad-hoc, offer regular executive summaries and technical analysis accessible via the UI or directly to a CISO's inbox. They determine whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation. As a result, cyberthreat intelligence (CTI) analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies. 

How the Agent Works 

 

Setting up the Agent 

The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and third parties offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically at an interval of their choosing. Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls (RBAC): 

 

Customers can choose an existing identity or create an agent-specific identity.

They can then ensure the required plugins are enabled for the agent to run. At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile.  

Currently, the Threat Intelligence Briefing Agent is best suited for Microsoft Defender EASM (MDEASM) and Microsoft Defender for Endpoint (MDE), as it relies on telemetry and insights from these first-party integrations to deliver accurate and context-rich reports.

For organizations with E5 licenses, the agent can also incorporate insights from MDVM to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes MDEASM, the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information):

 

Customers can choose up to three plugins to provide the agent with threat intelligence to build briefings.

Once set up, the agent is ready to run in the background to generate the briefing:  

 

Once the agent is set up, it's ready to run!

Agent in Action 

A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on-demand:

 

Customers can look into any run the agent has made to read past briefings.

Here, we can see the briefing highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks:

 

Briefings show the latest threats that are most relevant to an organization with a summary of recent campaigns and recommended actions.

The briefings also include the most critical CVEs contextualized with threat intelligence, along with links to vulnerable assets for further action:

 

The briefing also shows the most critical vulnerabilities identified by the agent, mitigation steps, and the affected assets across the organization's IT setup and external attack surface.

The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules. Customers can then review the path the agent took to see how it gathered this real-time intelligence: 

Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority:

 

The agent shows the path it took to build each briefing. It makes dynamic decisions based on its threat intelligence expertise every step of the way.

What’s Next 

 

The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. We are continuously listening to our customers and rolling out new updates regularly. This powerful agent will soon be available alongside the rich, continuously updated threat intelligence in the Threat Analytics blade of Defender XDR to enable Defender customers to create these briefings with the click of a button.  

Learn More

 

Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness. 

To learn more about this agent and the rest of the first and third-party agents now available, watch our Microsoft Secure digital event. For a closer look at this agent, watch our deep dive in the Microsoft Security Copilot Content Hub. Read this blog to learn more about Security Copilot agents at RSA.

Updated Aug 07, 2025
Version 5.0