Introducing Microsoft Security Copilot Agents
May 2, 2025
This week we had the fantastic opportunity to attend the RSA conference, where Microsoft announced new Security Copilot agents, now available in public preview, marking a significant step forward in leveraging artificial intelligence to combat cyber threats. Microsoft is clearly heavily invested in these new agents; they were the primary focus of most of the sessions we got to see at RSA. That focused investment, and the new capabilities that they unlock, have me excited about the possibilities we can help our customers unleash to strengthen their security and compliance posture. In this post, we’ll go through an overview of the new Security Copilot agents. In subsequent articles, we will dive a bit deeper into scenarios enabled by specific agents and what that might mean for your organization.
Microsoft has initially provided 6 built-in agents that are available in the Security Copilot embedded experiences (with one exception) in Microsoft admin portals. They have also made another 5 agents available from partners that can be used in the Security Copilot standalone experience. Over time, both Microsoft and the larger partner community will continue to add to that opening lineup. Here’s a quick summary of the agents that Microsoft has built for this initial rollout and where you can use them:

Phishing Triage Alert (Defender portal)
Use AI to investigate phishing attempts reported by your end users. Save time as an email security investigator by leveraging this agent to surface the most critical threats.


Alert Triage Agents for Data Loss Prevention (DLP) and Insider Risk Management (IRM) (Purview portal)
This is actually two different agents that perform similar roles: they investigate the alerts generated by your DLP rules or IRM policies and prioritize them for your administrative review.


Conditional Access Optimization (Entra admin center)
Reviews your CA policies to ensure they are still configured correctly, especially over time, as employee turnover and the use of new applications can mean that the policy no longer applies to the changing face of the organization.

Vulnerability Remediation (Intune admin center)
Reviews vulnerabilities and emerging threats and suggests remediation steps, all prioritized by risk, your organizational configuration, and more.

Threat Intelligence Briefing (Security Copilot standalone)
This agent leverages Microsoft’s Threat Intelligence services to quickly and effectively deliver reports about the latest cyber threats to your organization.

While each of the above Security Copilot agents comes out of the box ready to use, you can give feedback to the agents to help further tune them for your specific organization. Administrators can provide this feedback in plain text, making it easy to mold the agents for your use cases.
Each of these agents is now in public preview, where they will be available for organizations with an existing Security Copilot instance to use. After the agents move from public preview to general availability, they will use the same Security Consumption Units (SCUs) model that Microsoft currently uses in Security Copilot. Microsoft plans to provide more specific details around pricing scenarios prior to the general availability date.
For more information about Security Copilot and its new agentic capabilities, you can contact us at [email protected] for a 1:1 demo and discussion. Also, stay tuned to this space for other articles that explore these capabilities in more detail for specific scenarios. You can also review some of the recent Microsoft announcements here:
Author

Micah LaNasa
Consultant Lead