Microsoft Security Introducing Security Copilot Agents
Microsoft Video Series • 50m
This session explores the evolution and capabilities of Microsoft Security Copilot, focusing on how it's transforming security operations. Microsoft Security Copilot has evolved to incorporate AI agents, offering a fundamentally different approach to security tasks compared to traditional automation. These agents dynamically plan, reason, and execute tasks, adapting their approach as new information emerges, much like human analysts. This capability has already shown significant benefits, with security teams using Security Copilot reporting incident response times that are approximately 30% faster. The platform is designed to be an ecosystem, with 13 active agents, including six developed by Microsoft and seven by partners, demonstrating a commitment to partner integration and extending AI capabilities across the Microsoft Security Suite.
One notable Microsoft-developed agent is the phishing triage agent, designed to address the overwhelming volume of user-reported phishing incidents. This agent autonomously triages these submissions, analyzing email content, threat intelligence data, and links to determine if an email is genuinely malicious or benign. This frees up human analysts from mundane tasks, allowing them to focus on true threats. The agent learns from human feedback, enabling it to adapt to specific business contexts and improve its accuracy over time. This active learning mechanism, where administrators can provide feedback to the agent, ensures that the AI's reasoning process is continuously refined, addressing scenarios where the AI might initially misclassify an email due to a lack of organizational-specific knowledge.
Beyond phishing triage, Microsoft Security Copilot includes agents for data loss prevention and insider risk management, which leverage generative AI to classify documents and assist privacy analysts in reviewing alerts. The Conditional Access Agent helps organizations maintain up-to-date security policies by constantly reviewing and suggesting adjustments to conditional access policies, significantly reducing the risk window caused by policy drift. The vulnerability intelligence agent automates the process of reading vulnerability reports, assessing device estates (specifically Windows endpoints), and recommending patching groups in Intune. Lastly, the threat intelligence briefing agent provides organizations with customized reports on cyber threats and vulnerabilities relevant to their specific profile, empowering analysts and organizations that may lack dedicated threat intelligence teams. These agents are designed to integrate seamlessly into existing workflows, enhancing efficiency and enabling security teams to focus on higher-value activities.
Presented by Nick Goodman, Product Manager, Microsoft Security Copilot. Recorded live at Security Field Day 13 in Santa Clara, CA on May 29, 2025. Watch the entire presentation at https://techfieldday.com/appearance/microsoft-security-presents-at-security-field-day-13/ or visit https://techfieldday.com/event/xfd13/ or https://techcommunity.microsoft.com/category/security-copilot/blog/securitycopilotblog for more information.