Microsoft Debuts Security Copilot Agents: Five Big Things To Know

The tech giant is announcing six agentic offerings for its Microsoft Security Copilot platform, which is ‘really taking automation to that next step’ for security teams, Microsoft’s Dorothy Li tells CRN.

Microsoft announced a first set of AI agents for its Security Copilot platform Monday, beginning the next phase of the tech giant’s effort to bring greater automation to overburdened security teams.

Speaking with CRN, Dorothy Li, corporate vice president for Microsoft Security Copilot, said the launch of the six agentic offerings is aimed at “really taking automation to that next step” for security teams.

Microsoft said that its new Security Copilot agents will be made available as a preview April 27.

The move comes a year after Microsoft released its Security Copilot platform into general availability — and at a time when interest in AI agents continues to surge as a potential next frontier for LLM technology.

What follows are five big things to know about Microsoft’s Security Copilot agents.

Keeping Up With Threats

Speaking to journalists last week in New York, Microsoft’s Vasu Jakkal said that while the initial set of GenAI-powered capabilities for security teams has made a difference, it still doesn’t go far enough in terms of automation.

“Without the agent capability and the autonomous work that agents can do on behalf of humans, with human agency we cannot keep up with this tremendous volume of alerts and triage them,” said Jakkal, corporate vice president for security, compliance, identity, management and privacy at Microsoft.

The agentic expansion for Security Copilot will have an impact across Microsoft’s full security portfolio — consisting of threat protection (Defender and Sentinel), data governance and compliance (Purview), identity and access management (Entra) and device management (Intune).

“We are integrating these Security Copilot agents into each of our products,” Jakkal said.

Addressing Talent Gaps

Ultimately, Microsoft’s Security Copilot agents are a “natural evolution of a question-and-answer AI assistant — in that it adds this intelligent, autonomous automation to security,” Li told CRN.

With millions of cybersecurity professional roles believed to be unfilled, “I’ve never met a customer who says, ‘I’m right-staffed for my [Security Operations Center],’” she said. “Everyone’s short-staffed.”

The potential advantage of agentic security capabilities, however, is to “automate the repetitive, high-volume tasks,” Li said.

This can range from something as fundamental as helping to improve an organization’s security hygiene and reduce the attack surface to more advanced uses that enable security teams to “respond faster” when attacks do happen, she said.

All in all, Security Copilot agents can “really automate a lot of the repetitive tasks so the humans can focus on the strategic, truly critical work,” Li said.

Defender Phishing Triage Agent

The first of the agentic capabilities coming to Microsoft Defender is the Phishing Triage Agent, the company said.

The agent will be available in the Microsoft Defender portal and will allow more automated and effective triaging of the massive number of phishing-related alerts that organizations are constantly dealing with, Jakkal said.

Specifically, the Phishing Triage Agent will help security teams address potential phishing attempts that have been submitted by users, including by determining whether a submission represents a genuine phishing attack, according to Microsoft.

Purview Agents

For Purview, Microsoft is unveiling Alert Triage Agents for both its Data Loss Prevention and Insider Risk Management tools.

The Purview agents will “identify the alerts that pose the greatest risk to your organization and should be prioritized first” by analyzing content as well as the likely intent that triggered the alert, Li wrote in a blog post.

Alerts will be categorized by the agents in part “based on the impact they have on sensitive data,” she wrote. Meanwhile, the agents will also provide a “comprehensive explanation” of the categorization decisions, according to Li.

More Agents

Microsoft is unveiling additional agents in preview for Entra and Intune.

The new Conditional Access Optimization Agent for Entra will automate the “detection and resolution of policy drift,” Li wrote in the post, through continuous monitoring and analysis.

The new Vulnerability Remediation Agent for Microsoft Intune, meanwhile, will automatically identify and evaluate Windows vulnerabilities while also providing prioritization for responses, according to Li.

Additionally, Microsoft announced it is launching an agentic capability in Security Copilot that can automatically generate a curated threat intelligence report for security teams. The Threat Intelligence Briefing Agent uses information from Defender Threat Intelligence and Defender External Surface Management to “deliver prioritized reports in just 4-5 minutes,” Li wrote in the post.

Along with the six Microsoft agents for Security Copilot, the company also disclosed details about third-party agents being announced for the platform Monday.

The five Security Copilot agents from third-party vendors debuting initially are the Privacy Breach Response agent from OneTrust; the Network Supervisor agent from Aviatrix; the SecOps Tooling Agent from BlueVoyant; the Alert Triage Agent from Tanium; and the Task Optimizer Agent from Fletch.
