Microsoft Security Copilot Blog

6 MIN READ

RSA Conference 2025: Security Copilot Agents now in preview

Microsoft

Apr 28, 2025

In a time of escalating cyber threats, security teams face relentless pressure to do more with less – more threats, more data, more tools, fewer resources. Microsoft Security Copilot was built to bridge that gap, delivering an AI-driven assistant that enhances detection, investigation, and response across the entire Microsoft Security stack. Since it was launched in April 2024, Copilot has been integrated into customer environments to assist security professionals at every level – amplifying human expertise, streamlining complex workflows, and helping teams stay ahead of evolving threats.

New research from Microsoft live operations highlights Security Copilot’s tangible impact, showing productivity gains across security and IT. Organizations using Security Copilot have seen:

At this year’s RSA Conference, we are excited to share updates that make Security Copilot even more powerful, flexible, and accessible to customers and partners.

Security Copilot agents are now in preview

Last month at Microsoft Secure, we introduced Security Copilot agents - autonomous AI designed to tackle high-volume security tasks. Built on Security Copilot and seamlessly integrated with Microsoft Security solutions and partner ecosystem, these agents are tailored to security-specific use cases, adapt to your workflows, and learn from feedback, all while keeping your team fully in control. Every agent launched is built on the Security Copilot platform, ensuring a consistent, secure, and unified experience across capabilities.

Starting today, we’re beginning a phased public preview rollout which will gradually expand to more customers to ensure a smooth and scalable experience. The following agents are now available in preview to select customers:

Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.

Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.

Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.

And there’s more to come. Over the next few weeks, additional agents will become available to customers:

Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.

Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.

Partner agents from OneTrust, Tanium, BlueVoyant, Fletch, and Aviatrix that automate tasks like privacy breach response, SOC assessment, alert triage, task optimization, and root cause analysis.

We’re also thrilled to announce two new partner agents that have joined our growing ecosystem since our Secure event last month, now in private preview:

Email Threat Analyst Agent by Performanta conducts investigations into email-based threats and compromised user activity and provides an impact and recommended mitigation assessment.

IAM Supervisor Agent by Performanta uncovers and triages identity and access threats and provides an impact and recommended mitigation assessment.

With these additions, our growing ecosystem of Security Copilot agents – now in preview – offers broader insights and powerful automation to help security teams respond faster and more effectively. We are excited to continue advancing agentic capabilities both at Microsoft and through collaboration with our third-party partners. Please visit the new Security Copilot video hub for demos or deep dives of Security Copilot agents.

Partner ecosystem updates

Azure Lighthouse support for Sentinel use cases

Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now generally available. With this support, MSSPs can purchase SCUs and attach them to the managing tenant in Azure Lighthouse and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers.

Supported scenarios include querying the customer Sentinel incident, incident entities/ details, querying Sentinel workspaces, and fetching Sentinel incident query. These skills can be invoked on per customer Sentinel workspace. Managing tenants using Azure Lighthouse now can do the following, without their customers needing to provision SCUs:

Use the same natural language-based prompts using Sentinel skills on customer data

Create custom promptbooks using Sentinel skills to automate their investigations

Use Logic Apps to trigger these promptbooks

Learn more about how to get started with Azure Lighthouse Support for Sentinel use cases here.

New Security Copilot plugins

As part of our effort to provide customers with truly end-to-end security protection, we continue to prioritize expanding our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot.

The following plugins are now in preview:

Censys plugin enables users to enrich investigations using threat intelligence from the Censys platform to scan a URL or domain and scan an IP address.

HP Workforce Experience Platform (WXP) plugin for Security Copilot allows users to gain insight into warranty of devices, application crashes, data about their fleet, and more.

Splunk plugin allows Security Copilot users to make calls to Splunk to perform queries to create, retrieve, and dispatch saved Splunk searches, and retrieve and view information about fired alerts.

Quest Security Guardian plugin reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.

The following plugins are now in GA:

CheckPhish plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.

Integration spotlight: ServiceNow SIR plugin

The integration of ServiceNow AI and Microsoft Security Copilot capabilities brings joint capabilities to empower our customers and enhance their security posture. The integration optimizes incident insights within SIR and enhances Microsoft Security product’s security incident resolution status and threat prioritization capabilities, driving continuous security posture and awareness. As a result, security teams benefit from faster, more accurate incident resolution - reinforcing our commitment to delivering cutting- edge, AI-driven solutions that elevate the entire security ecosystem.

Flexibility, scalability, and security for AI

Microsoft Purview for Security Copilot

As organizations adopt AI, implementing data controls and a  Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI. We are excited to announce Microsoft Purview capabilities in preview for Security Copilot. By combining Microsoft Purview and Security Copilot, users can:

Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) for AI dashboard to reduce these risks.

Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.

Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.

Learn more about Purview for Security Copilot here.

Copilot in Microsoft Defender for Cloud

Copilot in Defender for Cloud helps security teams accelerate risk remediation, making it faster and easier for security admins to remediate cloud risks by providing AI-generated summaries, remediation actions, and delegation emails, guiding users in each step of the risk reduction process. Security admins can use AI to quickly summarize a specific recommendation, generate remediation scripts, and delegate tasks via email to resource owners. The capabilities help reduce investigation time, enabling security teams to understand the risk in context and identify resources to quickly remediate. The capabilities are now generally available. Learn more about Copilot in Defender for Cloud here.

Enriched Incident Summaries in the Microsoft Sentinel Azure portal

We’re excited to announce Security Copilot Incident Summaries in the Microsoft Sentinel Azure portal are now in public preview. This capability provides enriched, easy-to-digest insights into security incidents - streamlining triage and helping analysts quickly understand scope, impact, and next steps. Read the blog post here.

Enhanced Consumption Flexibility for Security Copilot

This month we introduced enhancements to Security Copilot to enhance customer flexibility and scalability, by supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This capability ensures that users can scale their Copilot workloads beyond their provisioned capacity, for uninterrupted protection. Read the blog post here.

Learn more about Security Copilot at RSA Conference 2025

To learn more about Security Copilot and explore how it can elevate your organization’s security strategy, we invite you to connect with us at booth #5744. This is a great opportunity to engage with Microsoft security experts, dive deeper into the latest innovations, and experience how Security Copilot can simplify and strengthen your security operations. Join us for our Security Copilot sessions below, stop by our booth for a live demo, or schedule a one-on-one meeting with our team.

Updated Apr 28, 2025

Version 1.0

what's new

Dilip_Radhakrishnan

Microsoft

Joined May 07, 2019

View Profile

Microsoft Security Copilot Blog

Microsoft Security Copilot is a generative AI-powered assistant for daily operations in security and IT that empowers teams to manage and protect at the speed and scale of AI.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Security Copilot by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.