Microsoft Defender XDR Blog

Announcing public preview: Uncovering hidden threats with the Dynamic Threat Detection Agent

scottfreitas
Microsoft
Jan 05, 2026

At Ignite, we announced the Security Copilot Dynamic Threat Detection Agent in Microsoft Defender: an always-on, adaptive backend agent that uncovers hidden threats across Defender and Microsoft Sentinel environments. Today we are excited to share that customers who meet the prerequisites will now enter the public preview of this agent. Running in the Defender backend, the agent delivers Copilot-sourced alerts directly into familiar workflows—complete with natural language explanations, mapped MITRE techniques, and tailored remediation steps.

Why adaptive AI-driven detection changes the game

Traditional rule-based and machine learning (ML) systems struggle to keep pace with ever-evolving threats. Attackers now leverage AI to evade detection, leaving organizations exposed. The Dynamic Threat Detection Agent addresses this through:

  • Adaptive AI that finds what rules miss – GenAI-driven detection continuously investigates across Defender and Sentinel telemetry to uncover false negatives and blind spots, providing always-on protection with clear risk context and concrete next steps (see Figure 1 below).
  • Reduce noise, increase confidence – The agent minimizes SOC noise and boosts analyst confidence, with customer-validated precision above 85% in recent months across thousands of alerts and 28 threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement).
  • Hyperscale TI + UEBA driven entity risk scoring – The agent fuses Threat Intelligence Tracking via Adaptive Networks (TITAN)’s hyperscale, ML-driven threat intelligence with UEBA risk signals to continuously score accounts, devices, and IPs. This combination of global TI, customer-specific context, and behavioral anomalies surfaces genuinely risky behaviors earlier while filtering noise and providing key context during the agent’s investigations.
  • Always on, zero-touch—with customer control – Because the agent runs in the Defender backend, it automatically generates alerts into your existing XDR workflows with no tuning or onboarding required. During public preview it’s enabled by default for eligible customers, and starting in July it will be available for E5 customers through the Security Copilot inclusion. Once billing begins, customers can disable it at any time and manage usage through detailed consumption reporting.
  • Deep integration across the Microsoft security ecosystem – The agent works with Security Copilot, Sentinel, and Defender, correlating native and third-party telemetry to surface missed behaviors and deliver richer context across your SOC workflows.


Figure 1. Clicking into the Dynamic Threat Detection alert reveals key details such as its classification, detection source, and a ‘What Happened’ summary. This description explains the detection logic behind the alert and why it’s relevant to the organization.

Inside the Dynamic Threat Detection engine

Under the hood, the Dynamic Threat Detection Agent runs a five-step investigation loop at machine scale—starting from signals you already care about, building a rich activity timeline, testing hypotheses, and closing detection gaps with explainable, actionable alerts. This loop executes across thousands of parallel investigations, delivering detections in near–real time for your SOC.

  1. Start with an incident – Running continuously in the Defender backend, the agent monitors for security activity you care about: incidents with a high priority score, critical assets, disruption signals, threat actor notifications, and more.
  2. Build a focused timeline – From that incident, it builds a unified activity timeline that stitches together alerts, events, UEBA anomalies, and threat intelligence.
  3. Iterative Q/A loop – Given the incident and its unified timeline, the agent automatically generates attack-specific hypotheses (e.g., “Was this account compromised via phishing from this IP?”) and runs its own chain of targeted questions over relevant entities and events. Without any manual prompts or intervention, the agent investigates its hypotheses, rules out alternate explanations, and autonomously converges on a single, well-supported triage decision with an explicit, transparent reasoning trace.
  4. Close detection gaps with explainable, actionable alerts – When evidence converges on a true positive, the agent automatically emits a dynamic alert—complete with title, description, severity, mapped MITRE techniques, and remediation steps—directly into your Defender workflows with Security Copilot as the detection source. Alongside the structured fields, the agent generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into its reasoning.
  5. Learn and improve continuously – Your grading feedback (TP/FP/BP) is leveraged to recalibrate seed points, refine table selection, tune hypothesis questions, and adjust thresholds so detection quality improves over time. This feedback continuously sharpens the agent’s ability to detect meaningful threats and reduce alert noise.

Answering the questions security experts ask first

Before adopting a new detection capability, security teams want more than features—they want clear answers on noise, effort, cost, explainability, and how it fits with their existing tools and compliance posture. The Dynamic Threat Detection Agent is built with those questions in mind, so from day one you know how it behaves in your SOC, how it’s governed, and what value it delivers.

  • What’s the value? The agent uncovers hidden threats (i.e., false negative alerts), enriching investigations with context so analysts can resolve incidents faster and with greater confidence.
  • Will this add noise? The agent is tuned for high precision—measured above 85% over the past few months across thousands of alerts and numerous threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement).
  • How much effort is required? Zero setup—it runs in the Defender backend and delivers alerts into your current workflows.
  • What about cost and control? Public Preview is free for Security Copilot customers. At General Availability (July 2026), the agent transitions to the Security Copilot SCU-based model; you’ll have consumption reporting and the ability to disable the agent if desired. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers. Learn more.
  • Is it explainable? Every alert includes a custom description, mapped MITRE techniques, and tailored remediation actions. Alongside the structured fields, it generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into the agent’s reasoning.
  • Does it respect data residency? The service runs region-local, ensuring that customer data and required telemetry stay inside the designated geographic boundary.
  • How does it fit with Sentinel and Security Copilot? The agent uses Sentinel to correlate third-party and native telemetry, and runs as part of the Security Copilot platform—surfacing its alerts as Copilot-sourced detections in Defender.
  • How fast and at what scale? The agent is built for massive scale with Azure Synapse, capable of running thousands of parallel investigations and delivering detections in near–real time for your SOC.

The future of dynamic threat detection in your SOC

The Dynamic Threat Detection Agent is a milestone in adaptive security—bringing GenAI to detection at scale, integrated across Defender and Sentinel, and delivered through Security Copilot. We’re just getting started: expect continued enhancements in coverage, contextual explainability, and integration with your SOC workflows.

  • Public Preview starts now. The Dynamic Threat Detection Agent is available as a free Public Preview for Security Copilot customers.
  • General Availability (GA) is planned for late 2026, when the agent will transition to the Security Copilot SCU-based consumption model. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers, and this agent will be included as part of that entitlement.

Learn more and get started

Check out our resources to learn more about the new Security Copilot Dynamic Threat Detection Agent:

  • Check out the Microsoft Ignite announcement and demo
  • Read the documentation on the new agent experience
Updated Dec 19, 2025