Secret Finder is an AI-powered capability in Microsoft Security Copilot that detects leaked credentials in unstructured content, such as emails, chat logs, documents, and screenshots, where traditional pattern-matching tools struggle. It relies on a multi‑step, multi‑agent reasoning workflow rather than a single-pass detector. Detection, verification, and contextual analysis are handled by distinct reasoning stages, allowing Secret Finder to find real credentials without flooding users with false positives. Unlike regex-based scanners, Secret Finder uses reasoning to identify not just credentials but the systems they unlock, helping security teams understand exposure and respond faster. In benchmark testing on synthetic datasets, Secret Finder achieved 98.33% true credential detection with zero false alarms on realistic emails, chats, notes, and documents, while traditional regex scanners detected only about 40% of the same credentials. Secret Finder is now generally available in Security Copilot, supporting 20+ credential types with high precision and actionable context.
The Problem: Credentials Hide Where Traditional Tools Can’t See
When security incidents happen, leaked credentials don’t always appear in clean, predictable formats. They show up buried in email threads, pasted into Teams messages, embedded in Word documents, or captured in screenshots of logs and terminals. These are exactly the places where security teams spend the most time and where traditional secret scanning tools fail.
Most existing tools rely on regular expressions or simple pattern matching. This works reasonably well for structured environments like source code repositories, where credentials follow predictable formats. But in real-world incidents, secrets look different. A storage key might be split across multiple messages in an email thread. A credential could be reformatted, partially redacted, or embedded alongside explanatory text.
In these situations, pattern matching produces two painful outcomes: it misses real credentials because the format doesn’t match a known rule, or it floods analysts with false positives that waste time. Security teams are left manually reviewing content, guessing which findings are real, and piecing together what systems might actually be at risk. In practice, this failure mode has a real human cost: security analysts end up reviewing thousands of alerts, manually inspecting email threads and chat logs, and trying to determine whether a suspicious string actually unlocks a storage account, API, or production service. Teams can spend days reconstructing context across messages and documents just to understand what a credential grants access to, slowing containment and increasing risk during active incidents.
This is the gap Secret Finder was built to close.
The Solution: Secret Finder Brings Reasoning to Secret Detection
Secret Finder approaches secret detection as a reasoning problem, not a string-matching exercise. Instead of asking “does this text match a pattern?”, it asks the questions a human investigator would: Is this text describing a credential or access mechanism? Does the value look real and usable? What system or resource could this access?
This shift is subtle but powerful. Secret Finder doesn’t just detect credentials, it connects them to doors: the specific targets those credentials unlock, such as API endpoints, storage accounts, applications, or services. This is critical for triage. Instead of stopping at “this looks like a credential,” Secret Finder tells analysts what that credential actually opens. Without context, a credential triggers manual follow‑up. When it’s linked to a specific target, analysts can immediately assess impact and act.
By understanding messy, real-world content the way a human investigator would, Secret Finder delivers findings that security teams can trust and act on immediately. It’s designed specifically for the unstructured, noisy environments where incidents actually unfold.
Why Secret Finder Outperforms Traditional Pattern Matching
Traditional secret scanners are built for clean data. Secret Finder is built for reality.
Traditional tools struggle when:
- Credentials appear in natural language descriptions rather than code
- Context determines whether a string is sensitive or benign
- Credentials are incomplete, malformed, or partially redacted
Secret Finder excels because it:
- Reasons through context, understanding surrounding text to identify what’s truly sensitive
- Detects credentials and their associated resources together, providing the “what” and the “where” in a single pass
- Handles noisy, unstructured inputs like emails, chat logs, documents
- Assigns confidence scores to help teams prioritize findings and reduce alert fatigue
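To make the failure mode concrete, here is an added example (not Secret Finder's code, and not a description of how Secret Finder is implemented) that runs a CredScan-style regex and a small context-aware pass over a constructed email thread in which a synthetic Azure Storage account key is pasted across two messages and a third message contains a redacted placeholder. The message text, the key (derived from a fixed string, so it opens nothing), the confidence weights, and the `blob.core.windows.net` endpoint used as the "door" are all assumptions made for illustration:

```python
"""
Per-message regex versus a context-aware pass that reassembles a credential
split across messages, checks that it is plausible, and links it to the
resource it unlocks. Added example with constructed data; not Secret Finder.
"""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass

# Synthetic 64-byte key, base64-encoded to the 88-character shape of an
# Azure Storage account key. Derived from a fixed string so the example is
# deterministic and offline; it is not a real credential.
SYNTHETIC_KEY = base64.b64encode(
    hashlib.sha512(b"secret-finder-example, not a real key").digest()
).decode()

# Constructed thread: the key is split across messages 1 and 2, and message 3
# holds a redacted placeholder that must not be reported.
THREAD = [
    "Prod logs account connection string, part 1:\n"
    "DefaultEndpointsProtocol=https;AccountName=contosoprodlogs;"
    f"AccountKey={SYNTHETIC_KEY[:40]}",
    f"part 2: {SYNTHETIC_KEY[40:]};EndpointSuffix=core.windows.net",
    "The old key in the wiki is redacted now: "
    "AccountKey=XXXXXXXXXXXXXXXXXXXXXXXX...XX==",
]

# A traditional rule: label and full key must appear together on one line.
REGEX_RULE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")


def regex_scan(messages):
    """Per-message pattern match, the way a regex scanner works."""
    return [m.group(1) for msg in messages for m in REGEX_RULE.finditer(msg)]


@dataclass
class Finding:
    secret: str
    door: str          # the resource the credential opens
    confidence: float  # assumed scoring scheme, see context_scan


def looks_like_storage_key(candidate):
    """Plausibility check: 88 base64 chars that decode to exactly 64 bytes,
    and not an obvious redaction placeholder (a run of X characters)."""
    if len(candidate) != 88 or "X" * 8 in candidate:
        return False
    try:
        return len(base64.b64decode(candidate, validate=True)) == 64
    except (binascii.Error, ValueError):
        return False


# Any base64-looking run long enough to be a piece of a key.
FRAGMENT = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def context_scan(messages):
    """Context-aware pass: try each fragment on its own and joined with the
    first fragment of the next message, keep only plausible keys, and link
    them to the storage account named anywhere in the thread."""
    findings = []
    # Azure storage account names are 3-24 lowercase alphanumerics.
    accounts = re.findall(r"AccountName=([a-z0-9]{3,24})", "\n".join(messages))
    for i, msg in enumerate(messages):
        for frag in FRAGMENT.finditer(msg):
            candidates = [frag.group(0)]
            if i + 1 < len(messages):
                nxt = FRAGMENT.search(messages[i + 1])
                if nxt:
                    candidates.append(frag.group(0) + nxt.group(0))
            for cand in candidates:
                if not looks_like_storage_key(cand):
                    continue
                conf = 0.5                       # decodes to a key-sized blob
                if "AccountKey=" in msg:
                    conf += 0.3                  # surrounding text labels it a key
                if accounts:
                    conf += 0.2                  # we can name the door it opens
                door = (f"https://{accounts[0]}.blob.core.windows.net"
                        if accounts else "unknown storage account")
                findings.append(Finding(cand, door, conf))
    return findings


if __name__ == "__main__":
    print("regex findings:", regex_scan(THREAD))
    for f in context_scan(THREAD):
        print(f"key={f.secret[:8]}... door={f.door} confidence={f.confidence:.2f}")
```

Run as a script, the regex pass returns nothing (the key never appears whole on one line, and the redacted placeholder fails the length rule), while the context pass reassembles the two fragments, confirms they decode to a 64-byte key, and reports the account endpoint alongside it. The weights are deliberately simple; the point is that plausibility, labelling and resource linkage are separate signals that a scanner can combine into a ranked finding rather than a bare match.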
What Secret Finder Can Do Today
Secret Finder is now generally available in Microsoft Security Copilot, with capabilities shaped directly by real security workflows across incident response, red teaming, and SOC operations.
It detects over 20 major credential categories, spanning cloud provider credentials like Azure Storage Keys and AWS Access Keys, authentication credentials including Microsoft Entra passwords and OAuth tokens, database connection strings, SSH private keys, API keys, and generic secrets that don’t fit predefined patterns. This broad coverage means analysts can scan investigation artifacts without worrying whether the secret type is supported.
What makes Secret Finder particularly effective is where it works. Email threads where credentials are discussed across multiple messages. Teams chats where credentials are pasted quickly during troubleshooting. Word documents and internal wikis where credentials are documented for operational handoffs. Incident reports and post-mortem notes written under pressure. These are the environments where traditional pattern-matching tools fail, and where Secret Finder delivers the most value.
In benchmark evaluations, Secret Finder achieved 100% recall with 0% false positives on synthetic datasets containing embedded Azure Storage credentials, compared to 40% recall from traditional regex‑based tools such as CredScan. In more complex scenarios involving multiple credential types and noisy email content, Secret Finder maintained 98.33% recall with 0% false positives. These results were observed on synthetically generated evaluation datasets spanning emails, chats, notes, and documents, designed to reflect how engineers communicate and how credentials may be inadvertently shared in real‑world workflows.
| Scenario | Precision | Recall |
| --- | --- | --- |
| Single credential type | 100% | 100% |
| Complex, multiple credential types | 100% | 98.33% |
Secret Finder is currently integrated into Security Copilot, actively supporting incident response workflows, and working toward deeper integrations with developer platforms such as GitHub to bring contextual secret detection to source code analysis at scale.
Using Secret Finder in Security Copilot
Secret Finder is available as a skill in Microsoft Security Copilot, making credential detection a seamless part of analyst workflows.
How to use Secret Finder:
- Enable the Secret Finder skill in Security Copilot via “Manage Sources” → “Manage Plugins” (Figure 1)
- Select “FindSecretInText” from Promptbook (Figure 2)
- Submit unstructured content directly in the Copilot prompt: paste the text blob that might contain credentials
- Secret Finder analyzes the content using its multi-agent workflow, detecting credentials and associated doors
- Review actionable findings with contextual details
Figure 1. Enabling the Secret Finder skill in Microsoft Security Copilot (because of a recent naming change, the skill may appear as “Agentic secret finder” in Security Copilot; the updated name will roll out in the coming weeks)
Figure 2. Selecting the FindSecretInText prompt, which invokes Secret Finder’s multi‑step credential detection and verification workflow
Figure 3. Submitting a text blob containing embedded credentials for analysis (example is synthetic)
Figure 4. Secret Finder output with detected credentials and associated doors (example credentials and associated doors are synthetic)
What’s Next for Secret Finder
Secret Finder is a living capability. Over the next six months, we are working on expanding coverage and deepening integrations:
- Exploring integrations with GitHub to reduce false positives in secret scanning for code repositories
- Optimizing for large-scale analysis to handle enterprise-wide scans efficiently with reduced latency
- Exploring graph-based risk modeling to map relationships between credentials, services, and attack paths
Our long-term vision goes beyond detection: we want to help security teams understand how credentials are used, what risks exist if they’re exposed, and what the impact of rotation or revocation would be. By moving from “what’s leaked” to “what does it mean,” Secret Finder will enable smarter prioritization, faster response, and more confident decision-making.
Acknowledgments
Secret Finder has been a cross-team effort over the past year, evolving from early research and prototyping through private preview, public preview, and now general availability.
This milestone reflects contributions across many phases from initial system design and technical direction, to evaluation, product integration, and deployment at scale.
Contributors include Mariko Wakabayashi, who led the early research through to production, and Zixiao Chen and Avy Challa, who delivered the GA improvements and brought Secret Finder to production readiness.
We also appreciate Tony Twum-Barimah, Malachi Jones, and the Security Copilot team, including Austin Trapp and Vinod Jagannathan for their technical and product support throughout the process, as well as Christian Rudnick and Helen Chang for guiding us through the responsible AI reviews before launch.
Finally, a huge thanks to the incident responders and security researchers who shared valuable insights along the way. Secret Finder wouldn’t have been possible without their work and feedback.