
Microsoft used the industry’s top security gathering – this week’s RSAC 2026 Conference – to advance its lineup of AI-powered agents and features within its security portfolio.
The company introduced five new or enhanced agents as part of its Security Copilot lineup and outlined a series of agents from third parties that continue to build out the Security Copilot ecosystem.
The new products build on a steady stream of AI-powered security features and developments we’ve analyzed in recent months:
- Microsoft Advances Enterprise-Level Controls for AI Agent Estates
- Microsoft Sentinel MCP Server Democratizes Access to Internal, External Security Data
- Microsoft Taps Power of AI To Expand Breadth, Depth of Security Investigations
- Microsoft Strengthens Threat Protection for Defender, Agent 365 AI Control Plane
- Microsoft Exec Details Role of AI Agents, Ecosystem in Security
First-Party Agents
New and enhanced agents augment the features of Microsoft’s Defender threat detection platform, Entra identity management software, and Purview data governance platform. The agents and their functions:
Security Analyst Agent in Defender helps security pros gain in-depth understanding of security signals and data through multi-step investigations. It can analyze up to 100MB of security data with the goal of uncovering anomalies and high-impact threats. Analysts can chat directly with the agent to explore hypotheses and dig into findings the agent delivers.
Security Alert Triage Agent in Defender helps security teams decide which alerts require attention, cutting through high alert volume so analysts can focus on the most urgent threats. Building on its existing phishing triage capabilities, the agent now extends autonomous triage to identity and cloud alerts. It makes its reasoning transparent so analysts can quickly understand the outcome and prioritize the alerts that matter most.
At St. Luke’s University Health Network, Microsoft AI agents are saving security analysts more than 200 hours every month, automatically triaging phishing alerts and surfacing those that actually matter, the health system said. In a previous interview, a St. Luke’s tech executive said Microsoft Security Copilot was helping to respond more quickly to phishing campaigns and other security incidents by automating playbooks and remediation steps.
Conditional Access Optimization Agent in Entra has been enhanced to identify and close critical policy gaps faster, while making recommendations tailored to the organization. The agent will support phased rollout of new policies and enable automated enforcement of least-privilege policies for supported third-party agent identities.
Data Security Posture Agent in Purview incorporates new credential scanning capabilities to proactively identify exposed credentials within an organization. The agent surfaces potential risks and helps to quickly investigate and remediate those risks.
Data Security Triage Agent in Purview is being enhanced with advanced AI reasoning to evaluate signals from multiple sources holistically. Through multi-step analysis of signals from users, devices, and data activity, it surfaces incidents that require human attention and filters out noise to better combat insider risks.
Data Security Triage Agent in Purview is also gaining new features to make custom Sensitive Information Types, or SITs (examples: social security numbers, credit card numbers), easier to understand in Data Loss Prevention alerts. Purview interprets custom SIT definitions, generates semantic descriptions of data, and provides context with the agent to classify and prioritize alerts involving custom data more accurately.
Microsoft also detailed Security Copilot enhancements. They include an interactive chat experience in Defender whereby analysts can ask questions, explore investigative hypotheses, and follow threat activity across incidents, alerts, identities, and devices, all within the same workflow as the investigation. Security Copilot is also gaining a new connector capability that allows team members to invoke partner-built agents and custom agents as part of workflows.
Partner Security Agents
Microsoft partners added to the roster of third-party agents, now totaling more than 70 available in the Microsoft Security Store, to bring additional security signals and investigation capabilities into Security Copilot. They include:
- Security Investigation Agent (from Commvault), which correlates backup anomalies with identity and security signals across platforms such as Entra and third-party platforms including CrowdStrike
- MITRE Attack Coverage Insight Agent (Inspira), which evaluates analytic rule coverage, calculates ATT&CK coverage, identifies detection gaps, generates detection recommendations, and provides maturity scoring for Security Operations Centers. ATT&CK is a MITRE knowledge base of adversarial tactics, techniques, and procedures
- Endpoint Risk Insights Agent (Avanade), which correlates signals across security telemetry sources
- Identity Role Mining Agent (Invoke), which allows users to precisely discover and analyze administrator roles in Entra ID
- Identity Threat Triage Agent (Silverfort), which correlates Silverfort’s identity risk signals with Entra ID and Defender to surface risky sign‑ins, multi-factor authentication abuse, suspicious processes, and anomalies.





