Modern attacks increasingly exploit the sprawl of today’s digital environments. In the identity space alone, over half of today’s organizations say each person now has more than 21 distinct accounts. Each one of these accounts is a potential entry point that an attacker can exploit. As organizations adopt cloud, SaaS, AI, and autonomous agents, the rapid growth of non‑human identities accelerates sprawl, expanding the attack surface and increasing gaps in protection. At the same time, agents help accelerate the SOC by automating high‑volume tasks, reducing noise, and enabling analysts to act faster and more consistently.
This shift demands a new approach: comprehensive identity security paired with agentic AI to help the SOC better reason across signals, predict risk, and act earlier, while augmenting human analysts to keep pace with increasingly fast and complex attacks.
At RSA, we’re excited to announce innovations in Microsoft Defender and Security Copilot to help customers defend against the latest threats. These include:
- Identity Security: expanded capabilities and enhanced experiences to help the SOC better prepare for, detect and autonomously respond to identity-related threats.
- Collaboration Security: protect against voice‑based attacks in Teams with real‑time user warnings, SOC‑ready investigation, and new threat & posture insights reporting.
- Accelerate the SOC with Security Copilot: expansion of the Security Triage Agent to identity and cloud alerts, a new Security Analyst agent to uncover risk and a new chat experience directly in Microsoft Defender.
- Cloud Security: expansion of multi-cloud visibility to new AWS and GCP services, near real-time container runtime protection to eliminate binary drift, and introducing AI model scanning. Learn more here.
Reshaping Identity Security
Today’s identity landscape is no longer defined by a single directory and a single set of users. It’s a fast-changing fabric of human, non-human, and emerging agentic identities spread across cloud services, SaaS apps, and on-premises infrastructure—that attackers actively target. To meet this new reality, we’re reshaping identity security in Microsoft Defender to move beyond point defenses and reactive investigation to an autonomous, end-to-end approach that continuously strengthens identity posture, stops active threats while they’re happening, and helps the SOC act faster with less manual effort.
To start, we’re broadening our coverage across modern identity fabrics, making posture and activity easier to understand quickly, and tightening the operational loop between identity and the SOC. To do this were delivering new detections, a unified risk score that assesses risk across all accounts and identity types, and updated experiences like the new identity security dashboard that brings your most important posture gaps, active exposures, and identity risk into one place - so security teams can move from fragmented signals to shared context and coordinated action.
On top of this improved foundation we are also unveiling autonomous ITDR in two complementary ways. First, we’re extending Security Copilot’s agentic triage capabilities to identity. With the new Security Alert Triage Agent, Defender can autonomously evaluate high‑volume identity alerts, distinguish true threats from noise, and surface clear, explainable verdicts so analysts can focus immediately on what requires action. Second, we’re bringing the AI-powered just-in-time hardening of predictive shielding to identity allowing Defender to not only disrupt threats but also anticipate an attacker’s next move and automatically enforces targeted controls to block credential- and token-driven pivots before they succeed.
Together, these innovations empower security teams to understand their identity footprint, prioritize what matters most, and stop identity-driven attacks earlier:
- Expanded coverage across modern identity fabrics with new identity-specific detections
- Identity-level insights that turn sprawl into clarity via an updated dashboard that provides a unified inventory and improved correlation across SaaS apps and identity types—elevating the SOC view from accounts to the identity.
- Streamlined protections and aligned workflows across Defender and Entra, including a new identity-level risk score to help identity and SOC teams prioritize and act from shared signals.
- Predictive shielding applies precise, just-in-time hardening actions used during identity attacks including RemoteOps hardening and Remote Registry hardening —helping prevent lateral movement.
- Autonomous triage for identity alerts with Security Copilot, expanding the Security Triage Agent so identity alerts can be investigated consistently and at scale, with clear verdicts and explainable reasoning to speed up response.
Learn more about these innovations here.
Protect collaboration threats and prove security outcomes
As collaboration platforms become a new front door for attackers, Microsoft Defender extends protection beyond email to detect and respond to voice‑based social engineering in Microsoft Teams. New Teams calling protection surfaces suspicious and malicious calls, enables SOC teams to investigate and correlate call activity using Advanced Hunting, and delivers real‑time in‑call warnings when a call appears to impersonate a trusted contact, closing the gap between what users experience and what analysts can investigate.
To help organizations clearly measure and communicate the impact of these protections, Microsoft Defender is introducing the Protection & Posture Insights report. It gives customers a tenant‑specific view of the threats targeting their environment, highlighting spam, phishing, and malware campaigns observed against users. The report delivers personalized insights and policy recommendations to reduce exposure, while enabling teams to validate results, and share credible, executive‑ready security outcomes—without manual data assembly.
Read more here.
Accelerate your security operations at scale with Security Copilot
Adversaries are using AI to accelerate attacks and increase sophistication. At RSA Conference 2026, we’re expanding our innovation around autonomous and assistive AI in Microsoft Defender with Security Copilot—helping defenders operate with the speed, scale, and intelligence required to stay ahead of modern threats across the entire SOC lifecycle.
In addition to expanding agentic triage to identity alerts, we’re extending that same capability to cloud—bringing phish, identity and cloud triage together within a single agent. The Security Alert Triage Agent helps analysts autonomously determine whether these alerts represent real threats or false alarms, delivering natural language verdicts and transparent, step-by-step decision reasoning.
We’re also announcing the Security Analyst Agent, designed to help security teams uncover hidden risk. This agent performs deep, multi-step investigations across Microsoft Defender and Sentinel telemetry to surface high-impact threats, cut through the noise, and deliver prioritized insights in minutes. Every finding is accompanied by transparent reasoning and supporting evidence.
Lastly, we’re bringing a chat experience for Security Copilot directly within Microsoft Defender. Analysts can ask questions, explore hypotheses, and follow investigative threads across incidents, alerts, identities, devices, IPs, and other evidence without switching tools or manually piecing together context.
You can learn more about Microsoft Security Copilot news at RSA Conference 2026 here.
Looking ahead
The Microsoft Defender announcements at RSA 2026 reflect a clear shift toward agentic and autonomous security, while augmenting the SOC with Security Copilot–driven workflows. Together, these capabilities give defenders clearer context, tighter control, and the ability to stop attacks earlier, before adversaries can escalate privileges or move laterally. Microsoft’s continued investment signals a longer-term evolution toward agentic security operations that anticipate attacker behavior, adapt in real time, and steadily reduce risk as environments and threats continue to evolve.
Learn more at RSA Conference 2026!
To learn more about Microsoft Defender and Security Copilot, visit us at booth # at RSA Conference 2026. Our team will be demonstrating how autonomous agents and assistive AI experiences are helping SOC teams move faster through alert triage, investigation, and response.
You can join our booth sessions:
- Empowering the SOC with assistive and autonomous AI with Yuval Derman | March 23rd at 5.15PM
- Predictive Shielding: Protecting identities before attackers pivot | March 24th at 4.30PM
- Identity Security with Microsoft | March 25 at 3:30PM
For a full list of all the ways to connect with us at RSA, check out our dedicated RSAC 2026 page.
Microsoft