Microsoft unveils AI agents to automate security operations

Tech giant bakes AI agents into its security products to democratise advanced security capabilities, automate repetitive tasks, and provide context-aware intelligence for cyber defenders

Microsoft is rolling out more than a dozen new artificial intelligence (AI) agents to automate critical cyber security tasks, as organisations grapple with sophisticated cyber threats and a shortage of cyber security experts.

The new agents, part of the company’s Security Copilot platform, will be embedded directly in Microsoft’s suite of security products, serving as digital assistants for security operations centre (SOC) analysts.

The move comes as threat actors increasingly leverage AI to create more convincing phishing lures and self-generating malware, putting immense pressure on cyber security teams.

“We are facing a pretty intense threat landscape right now,” said Vasu Jakkal, Microsoft’s corporate vice-president of security, in an interview ahead of the Microsoft Ignite conference. “On one hand, we’re seeing organisations embrace AI, and on the other, they are worried about new and novel threat techniques.”

She warned of AI becoming a double agent, used for malicious intent even as it helps improve security operations within organisations. “To defend against AI-powered attacks, you need AI-powered defence,” Jakkal said.

The new agents, available to customers with a Microsoft 365 E5 enterprise licence at no additional cost, are designed to handle specific, often repetitive, tasks across Microsoft’s security portfolio, from threat detection in its Defender product to identity policy management in Entra and data security in Purview.

One of the flagship examples is a phishing triage agent, which can autonomously analyse and sieve through potential phishing email alerts that inundate security teams every day. According to Microsoft, SOC analysts using the agent were able to detect malicious emails 6.5 times faster per minute, improving efficiency by 550%.

The company reported that the agent had also improved detection accuracy by up to 77%, allowing analysts to spend 53% more time investigating confirmed phishing cases and directing their attention to the most critical areas. These results showed how security agents can transform security operations, driving speed, precision and confidence for defenders everywhere.

Security agents can also help to address the global cyber security talent gap, which Microsoft estimates at 4.7 million unfulfilled jobs. By handling complex queries in natural language, the agents can make advanced capabilities like threat hunting accessible to less experienced analysts.

“What we’re trying to do is really democratise security and intelligence with our Security Copilot agents,” Jakkal said. “To get to a level three analyst, you require a lot of training, so we wanted to make it accessible.”

In addition, Microsoft’s security agents are designed to provide context-aware intelligence that’s required in threat hunting. “If I’m in Singapore, I want to understand the threat intelligence related to Singapore and my industry more deeply,” she said, adding that the agents are capable of processing trillions of threat signals daily to provide localised situational awareness.

While the agents are designed with increasing autonomy, Jakkal said guardrails are in place, including constant monitoring and compliance with Microsoft’s responsible AI guidelines, to ensure they do not go off the rails. A human analyst remains in the loop, with the ability to trace and audit every action taken by an agent.

Beyond the pre-built agents, Microsoft is also enabling customers to create their own custom AI agents. Jakkal noted that since Microsoft announced this capability in September, customers have already built over 370 unique agents tailored to their environments and specific use cases.

Moving forward, Jakkal expects dedicated teams of AI agents to support security analysts, providing what she described as ambient and autonomous security. “You will be the main security analyst, but you will also have a team of agents that are going to do everything from enriching data to threat detection and advanced threat hunting,” she said.
