
Microsoft is moving aggressively — in the form of an initial set of agents developed internally as well as a group from partners — to apply AI to the burgeoning set of attacks and attackers, intensified by AI, that customers are facing.
And a top Microsoft security executive made clear that these agents are just the beginning of a strategy to scale cybersecurity efforts to augment humans and help them sort through the staggering array of signals, attacks, and threats impacting their entire software estate. A few data points shared by Microsoft are relevant in understanding the scale and complexity of the cybersecurity challenge that these agents address:
- Microsoft technology is processing 84 trillion “signals” daily
- Those signals include 7,000 password attacks per second
- In a roughly two-month period, Microsoft reported more than 30 billion phishing emails targeting customers

The new agents from Microsoft and partners take existing automation to the next level of sophistication due to their ability to learn and adapt as opposed to past automations that have been rigid and therefore limiting, said Dorothy Li, corporate vice president, engineering lead for Security Copilot and ecosystem at Microsoft.
“With agents and the latest LLMs, we finally have an opportunity to do intelligent automation where you’re not relying on the rules catalog. If there is a new threat or zero day phishing, the agent could now reason over and make up flexible rules, with a human in the loop,” Li said. “So agents represent that next frontier…to finally scale defenders and have a chance to defend against the bad actors.”
Agents’ ability to learn and be customized to the needs of a particular business will make them far more effective and adaptable to the constantly changing threat landscape.
Security Agent Lineup
Microsoft detailed a series of agents it’s offering, and Li explained each of them in detail:
Phishing Triage Agent for Microsoft Defender Antivirus Software is built to help combat and manage the vast amount of reported phishing emails, which require lots of time and energy for security pros to sort through and analyze. The agent will analyze an email message, images, headers, URLs, and more using GPT-4. “It’s going to look at the image and do all kinds of interesting things, like look at the URL, look at the attachment, detonate it in our sandbox, and see if that attachment is harmful or not.” Users can give the agent feedback on its reasoning.

Alert Triage Agent for the Purview data management platform will review alerts regarding insider risk management or data loss, perform reasoning and determine which alerts actually require human attention.
Conditional Access Optimization Agent for the Entra identity management system reviews policies governing user and application access, matches those against the actual context of the organization to determine where policy “drift” has occurred over time, then recommends how to optimize the policy to reflect the current state of the business.
Vulnerability Remediation Agent for the Intune unified endpoint management system takes Common Vulnerabilities and Exposures (CVE) data, drawn from a glossary of publicly known vulnerabilities, to understand which ones affect an organization, which devices could be impacted, and which patches need to be applied, and automatically addresses the vulnerabilities where appropriate.
Threat Intelligence Briefing Agent for Security Copilot takes Microsoft Threat Intelligence insights and compares them with a customer’s current security posture to provide details on which threats affect that company. With that visibility, customers can deploy agents on Intune or Entra, for example, to ensure actual threats are being remediated.
Insider Risk and Data Loss Prevention Agents help analysts in the Security Operations Center (SOC) or on data security teams efficiently categorize threats and help humans understand those that truly require attention.
Li explained how these agents will work with Security Copilot: agents should be thought of as a system of LLMs that need to use tools, gain knowledge, have memory and adapt to user feedback; they can mostly run autonomously. Copilot should be thought of as a central brain to orchestrate among the tools that agents are using.
Ecosystem Expands Security Breadth
Microsoft also detailed security agents from five partners (OneTrust, Aviatrix, BlueVoyant, Tanium, and Fletch) that add more security functionality; in each case, those agents relate to the core functionality of those companies’ platforms. Customers can acquire these agents, detailed below, in the Security Copilot Portal agent library.
The partner agents more specifically are:
Privacy Breach Response Agent by OneTrust, a provider of enterprise privacy management, analyzes data breaches to generate guidance for the privacy team on how to ensure compliance with regulatory requirements.
Network Supervisor Agent by cloud-network security provider Aviatrix performs root cause analysis and summarizes issues about VPN, gateway, or other outages and failures related to network connections.
SecOps Tooling Agent by SOC platform provider BlueVoyant assesses a SOC and related controls to make recommendations that help optimize security operations and improve controls, efficacy, and compliance.
Alert Triage Agent by autonomous endpoint management vendor Tanium provides analysts with context to quickly make decisions on each alert.
Task Optimizer Agent by Fletch, which tracks the cyberthreat landscape, helps organizations forecast and prioritize the most critical cyberthreat alerts to reduce alert fatigue and improve security.
Microsoft needs to enlist partners such as these to provide comprehensive security. “Many of our customers tell me that you cannot just secure one particular product or one area. You have to secure all the surfaces. And so this is why we have an ecosystem strategy where it’s Microsoft products, but also with our partners together, we have this alliance, if you will, to secure your entire estate,” Li said.
Securing that data estate comprehensively is one key way Microsoft aims to scale the work of humans and make that work more effective. And it’s clear customers should anticipate many more agents to come. In the past, there were apps for each function. “I think in the future, there will be an agent for just about every task that we can do in security,” Li noted.