
Ignite 2025: Microsoft Defender Powers the Agentic SOC

At Microsoft Ignite 2025, Microsoft Defender evolves into the nerve center of the modern Security Operations Center (SOC), empowering teams with autonomous defense capabilities rooted in AI and agentic workflows.

Building the Agentic SOC: Security Copilot Agents

Microsoft introduced four innovative agents that streamline and fortify distinct SOC stages by harnessing AI-driven reasoning, contextual insights, and integrated workflows:

  • Phishing Triage Agent – Initially launched in March 2025 to autonomously process user-reported emails, this agent classifies submissions, filters out false positives, and escalates verified threats. On average, security analysts using the agent identified up to 6.5× more malicious emails than manual reviewers. In the coming months, its scope will be extended to identity and cloud-based alerts.
  • Phish Admin Email Grading System – A hybrid of large language models and agentic logic, this new grading model replaces manual reviews. It delivers fast, transparent verdicts and comprehensive explanations for every flagged email.
  • Threat Hunting Agent – Enables intuitive, natural-language investigations without KQL mastery. Analysts can ask questions in plain English, receive expert-guided insights, and pivot through threat signals dynamically, democratizing advanced threat hunting.
  • Dynamic Threat Detection Agent – Proactively searches environments for “blind spots” or false negatives right after critical incidents. This keeps adversaries from slipping through unnoticed, providing coverage beyond traditional alerts.
  • Threat Intelligence Briefing Agent – Embedded within the Defender portal, this AI-powered briefing assistant generates tailored intelligence summaries by synthesizing global threat data with your specific environment—all without leaving the incident view.

Security Copilot, including access to these agents, is rolling out to all Microsoft 365 E5 customers over the next few months.

Autonomous Defense at Platform Scale

Defender’s strategy transforms security from reactive to proactive, equipping organizations to disrupt threats in real time:

  • Automatic Attack Disruption Across SIEM Data – Previous support was endpoint-centric; now this auto-disruption extends to logs from Microsoft Sentinel, AWS, Proofpoint, and Okta. The system automatically contains threats spanning phishing and identity compromise.
  • Predictive Shielding – The next step in attack disruption: an AI-driven capability that anticipates adversarial moves and applies just-in-time hardening. This includes disabling SafeBoot, enforcing Group Policy Objects, and other measures to proactively block attacker paths.

Guarding Low-Code and Pro-Code AI Agents

As AI agent adoption grows, so do the associated risks. Microsoft Defender now extends its protection to agents built with Copilot Studio, Azure Foundry, and custom solutions using the Agent 365 SDK, by:

  • Addressing threats such as prompt injection,
  • Offering agent posture management, attack path analysis, and continuous threat protection.

Other Enhancements & Broader Coverage

Microsoft also announced additional Defender advancements:

  • Expanded endpoint security on legacy Windows devices,
  • Enhanced detection and investigation for identity-centric threats,
  • Integration of cloud security posture management directly within the Defender portal.

The Vision: Intelligent, Autonomous, Agentic SOCs

Microsoft’s message is clear: as adversaries scale with automation, defenders must equip themselves with agentic, AI-native tools that operate at machine speed across identities, endpoints, and clouds. This approach:

  • Scales expertise through intelligent agents,
  • Accelerates detection, containment, and remediation in real time,
  • Democratizes advanced security, enabling less specialized analysts to take on complex threats.