

Last week, Microsoft released its Security Copilot agents, a set of cybersecurity-focused AI agents. AI agents can act on their own, in contrast with the AI products that many people may be familiar with, such as ChatGPT’s standard web interface, which only reacts to user prompts.
Microsoft’s new agents essentially use the capabilities of large language models (LLMs) to summarize large volumes of data automatically. They are intended to help process the large volumes of security data that organizations struggle to stay on top of, with the goal of freeing up some analyst time.
One example is the Phishing Triage Agent in Microsoft Defender, which the company claims “…triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.”
We have not tested this product at scale, so we cannot comment on whether or not these claims are true—we are simply reporting on the release because it is an interesting development in the cybersecurity landscape. On top of the Phishing Triage Agent, Microsoft also announced:
- Alert Triage Agents in Microsoft Purview – Aimed at prioritizing critical incidents as well as triaging insider risk and data loss prevention alerts.
- Conditional Access Optimization Agent in Microsoft Entra – A tool for monitoring new apps or users not included in existing policies, as well as for identifying updates that could close security gaps.
- Vulnerability Remediation Agent in Microsoft Intune – Aims to monitor vulnerabilities, prioritize them, and assist in remediation tasks for configuration issues.
- Threat Intelligence Briefing Agent in Security Copilot – A tool that attempts to automate timely and relevant threat intelligence.
There are also five new cybersecurity agents developed by Microsoft’s security partners.
What impact could cybersecurity agents have on the threat landscape?
At a Microsoft press event, the Register reported that Vasu Jakkal, Microsoft’s corporate vice president of security, compliance, identity, and management, said:
“For security teams using it, we've seen a 30 percent reduction in mean time to respond,” she said, without elaborating on the cost of that improvement. “That means the time it takes them to respond to security incidents. We've seen early career talent, people who really wanted security but didn't know how to get started, being 26 percent faster, 35 percent more accurate. And even for seasoned professionals, we've seen them get 22 percent faster and 7 percent more accurate.”
While this sounds like good news, the Register also noted that Microsoft representatives failed to answer key questions at the event, including:
- “What is an agent?”
- “…in what ways have agents failed when deployed?”
- “…what's the cost of running this in compute resources?”
These are obviously important questions, so it is concerning that they went unanswered. One thing to bear in mind is that many cybersecurity processes are critical, and we cannot afford to make mistakes. While these agents may be able to speed up or automate some tasks, it is likely that we will still need substantial human review to protect against hallucinations and other errors.
We seem to be in the relatively early days of agentic AI, so it’s hard to determine how these products may impact cybersecurity over the long term. There’s a chance that they are deemed too unreliable and don’t see much deployment at all. Another possibility is that the technology is still immature, and while it may not have much impact in the short term, we could see AI agents deployed widely for cybersecurity purposes in the future. Of course, a third possibility is that we see a relatively swift takeoff and these tools quickly become widespread in certain contexts.
The AI landscape is extremely unpredictable. From AI CEOs hyping up the timelines of artificial general intelligence (AGI) to attract investment, to doomers who think we are all on the cusp of meeting our demise and being replaced by paperclips, it’s really difficult to know what’s going to happen with AI and how it will impact the cybersecurity landscape. All we’re saying is that AI-based cybersecurity agents are here—but will they be useful?
