ZDNET’s key takeaways
- Microsoft announced new or improved AI security agents at Ignite.
- Security agent functionality is surfaced within Microsoft’s relevant management portal.
- The agents are free to all Security Copilot customers with 365 E5 subscriptions.
Earlier this week at Microsoft’s Ignite conference in San Francisco, the overwhelming onslaught of artificial intelligence-related announcements made it easy to miss some of the company’s more significant “all-AI all-the-time” news.
The word “Copilot” – representative of Microsoft’s flagship AI brand – made thousands of appearances across virtually every functional area of the technology firm’s offerings, a testimony to an AI-first strategy that also blanketed its portfolio of security-related solutions.
AI enters the cat-and-mouse security game
Cybersecurity has always resembled a cat-and-mouse game. Just when the IT department manages to close off one form of intrusion, the adversaries evolve to find another, and the vicious cycle continues. Such has been the case with an ever-evolving series of tactics, techniques, and procedures (TTPs) used by the threat actors who’ve been exfiltrating billions of customer records from the Salesforce instances belonging to some of the world’s biggest and most well-known brands.
Naturally, it’s only a matter of time before hackers start to harness the scalability and speed of AI to more successfully pursue their exploits. For example, Anthropic – developer of the popular Claude LLM – published a report earlier this month that revealed the following:
“In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyberattacks themselves.”
It should come as no surprise that, as a part of the cat-and-mouse game, Microsoft and other companies are now looking to AI to help their customers even the playing field. Buried in the noise of all of Microsoft’s Ignite AI announcements – including how AI agents will help us code software and enable data centers for autonomous self-repair – was news of a slew of Microsoft and partner-provided AI agents designed to close off new security vulnerabilities before threat actors are able to discover or exploit them.
Microsoft had previously issued AI agents to improve customer agility in the race against threat actors. However, in this latest round of additional agent announcements and improvements, Microsoft is also standardizing how those agents are made contextually available across its existing security and management tools.
“We are introducing a dozen new and enhanced Microsoft Security Copilot agents, available in Microsoft Defender, Microsoft Entra, Microsoft Intune, and Microsoft Purview, to empower security teams to shift from reactive responses to proactive strategies and help transform every aspect of organizational security,” wrote corporate vice president for Microsoft Security Vasu Jakkal in a blog post. “These adaptive agents run side by side with security teams to triage incidents, optimize conditional access policies, surface threat intelligence, and maintain secure, compliant endpoints more easily.”
This table shows a partial list of various Microsoft-developed security-oriented AI agents and the security dashboard into which the company is contextually exposing their functionalities.
Screenshot by David Berlind/ZDNET
As shown in the table above, the specific roles of the various agents determine which of the security management tools they’re exposed in. For example, whereas agents specific to identity management will contextually appear in Microsoft’s Entra identity management solution, agents specific to endpoint security will be integrated into Microsoft Intune.
Availability of Microsoft-built agents
The availability of new Microsoft-built agents — along with additional partner-provided agents — will be surfaced through storefronts (all powered by a central Microsoft security store that was previewed on September 30) that are also contextually embedded into the appropriate Microsoft security and management dashboards.
As shown in the screenshot below, agents such as Microsoft’s Phishing Triage Agent (lower right) are being surfaced in a storefront that’s built into the company’s Defender security operations solution.
Microsoft and partner-provided AI agents are contextually surfaced within the relevant management portal.
Microsoft
The Phishing Triage Agent went into public preview in March 2025 and its general availability was announced at Ignite. According to Microsoft, the Phishing Triage Agent “autonomously handles user-submitted phishing reports at scale. The agent classifies incoming alerts and resolves false positives, escalating only the malicious cases that require human expertise.”
Reflecting Microsoft’s standardized approach to contextually surfacing agents within the appropriate management console, the company’s Threat Intelligence Briefing agent, first introduced in March, is now embedded into the Microsoft Defender portal. The agent not only gathers timely briefings from a variety of different threat intelligence sources, but it also assesses the risk of each briefing, makes recommendations on how to address it, and links to the specific assets within the organization that correspondingly require immediate attention.
Within Entra, Microsoft has improved its Copilot Conditional Access Optimization Agent, designed to monitor policies across devices and identities. Many of those identities will be AI agents themselves as the company pursues a strategy where agent identities are treated with the same first-class citizenship that human identities get within an organization’s digital infrastructure. (This approach is advocated by the OpenID Foundation as well as Okta, a competitor to Microsoft on the identity management front.) For example, the agent can identify a spike in sign-in failures, investigate the policy that may have triggered the issue, and recommend steps to resolve the problem before other users are affected.
There are many other new and improved agents — too many to enumerate here. However, importantly, the Microsoft-provided agents will be made available to existing Security Copilot customers with Microsoft 365 E5 subscriptions at no additional charge, and eventually, to non-Copilot customers, who will be notified 30 days in advance of when they can activate them.
