Introducing TITAN-Powered Recommendations in Security Copilot Guided Response

In the ever-evolving landscape of cybersecurity, speed and accuracy are paramount. At Microsoft, we’re continuously investing in ways to help analysts make informed decisions under pressure. One of the most powerful of these is Guided Response: a Security Copilot-powered capability in Microsoft Defender that walks analysts through step-by-step investigation and response flows. It provides context-aware recommendations tailored to each incident, enabling teams at all levels to respond with precision and scale. 

Now, with the integration of Threat Intelligence Tracking via Adaptive Networks (TITAN) recommendations, Guided Response is taking a leap forward. By bringing in real-time threat intelligence (TI) to prioritize and explain suggested actions, it enables analysts to surface, prioritize, and act on the most relevant threats with clarity and efficiency. 

What is TITAN? 

TITAN represents a new wave of innovation built on Microsoft Defender Threat Intelligence capabilities, introducing a real-time, adaptive threat intelligence (TI) graph that integrates first and third-party telemetry from the unified security operations platform, Microsoft Defender for Threat Intelligence, Microsoft Defender for Experts, and customer feedback. This graph employs guilt-by-association techniques to propagate known TI labels to unknown neighboring entities (e.g., IP, file, email) at machine scale. By analyzing relationships between entities, TITAN can identify attacker infrastructure before it's leveraged in attacks, giving defenders a critical window to proactively disrupt threats. 

One of TITAN’s greatest strengths is its ability to learn from indicators of compromise (IOCs) observed throughout the global threat landscape. Microsoft Defender analyzes over 24 trillion security signals every day, across identities, endpoints, apps, and beyond. When a new IOC (such as an IP address, an IP range or an email sender) is identified in one environment, Microsoft Defender rapidly leverages that intelligence to protect other environments. These live, TI-based Guided Response recommendations help identify, manage and block threats before they impact your organization, turning every detection into a defense signal for the entire Microsoft ecosystem. 

Why bring TITAN into Security Copilot Guided Response?

Security Copilot Guided Response already provides analysts with a curated set of recommendations. TITAN enhances this by introducing a new dimension: real-time, threat-intel-driven recommendations that are grounded in global telemetry and threat actor behavior. 

The integration improves Guided Response by: 

• Expanding coverage to incidents that previously lacked actionable context. 

• Prioritizing recommendations with higher confidence. 

• Surfacing targeted triage and remediation actions based on live threat infrastructure. 

How it works

TITAN suggestions are now integrated into Guided Response as both triage and containment recommendations. When an incident involves an entity with known malicious threat intelligence flagged by TITAN, Security Copilot automatically generates a Guided Response recommendation. Analysts receive prioritized, natural language guidance on how to triage the incident and contain specific threat entities, including: 

• IP addresses 

• IP ranges 

• Internet Message-ID

• Email senders 

Real-world impact

In early testing, TITAN-powered triage recommendations have shown promising results: 

• Increased model accuracy: TITAN’s integration has helped improve the precision of Guided Response triage recommendations.

• Improved analyst trust: explainable, threat-intel-backed recommendations, have helped analysts gain more confidence in their response actions.

• Faster decision-making: TITAN’s real-time scoring and threat attribution have accelerated incident investigation and response times.

Evolving Guided Response with threat intelligence

TITAN recommendations mark a significant leap in our mission to empower defenders. By combining the scale of Microsoft’s Defender Threat Intelligence with the precision of Security Copilot’s Guided Response, we’re helping analysts move from reactive to proactive— responding faster, working smarter, and acting with greater confidence. 

Stay tuned for more updates as we continue to evolve this capability. And if you’re already using TITAN recommendations in your environment, we’d love to hear your feedback. Join the Microsoft Customer Connection Program to share your insights and help shape future Microsoft Security products and features. 

Learn more

Check out our resources to learn more about our new approach to AI-driven threat intelligence for Guided Response, and our recent security announcements: 

• See TITAN in action in the session delivered at Ignite 

• Read our blog and conference paper on the TITAN architecture, accepted to KDD 2025, the premier data-mining conference. 

• Read the Security Copilot Guided Response paper & blog