Breaking down the facts about secure development with Power Platform

Today, organizations are being measured by how quickly they can innovate. Whether it’s launching new digital experiences, streamlining operations, or responding to customer needs in real time, the ability to move fast has always been a competitive differentiator. And it has only grown in importance in the agentic era. But speed alone isn’t enough. Innovation must be scalable, secure, and sustainable.

Microsoft Power Platform is designed to meet that challenge. It empowers teams to build solutions faster, automate more processes, and scale across the business within a framework that puts security and governance first. With tools that are AI-ready and built for enterprise-grade environments, from Copilot-assisted development to intelligent threat detection and posture management, the platform helps organizations move with both agility and control.

Let’s break down the facts about building secure, modern applications.

Fact: Low code does not mean low security

Despite the ever-growing usage and strong ROI, there are still people who think that low-code tools are not built for enterprise-grade applications. Power Platform proves otherwise by delivering a comprehensive, layered security model designed to meet the demands of large organizations. As part of a managed security approach, the platform integrates governance and security controls directly into the development lifecycle, ensuring that policies are consistently applied across environments.

From identity and access management to data protection and network security, Power Platform provides native capabilities that reduce risk without slowing innovation. Features like role-based access control, conditional access for individual apps, and data loss prevention policies are all included. Azure Virtual Network (VNet) helps keep apps and data private by creating a secure connection that blocks public internet access and limits traffic to only trusted sources.

Visibility and access control are central to this approach. Power Platform includes tenant-level analytics and inventory tracking that allow IT teams to monitor what’s being built, which connectors are in use, and whether apps are operating within approved environments. Advanced connector policies complement these tools by helping enforce data boundaries and prevent unauthorized connections, rather than providing direct visibility or access control. With tools like IP filtering, cookie binding, and role-based permissions, IT can ensure that only the right users have access to sensitive data. This helps prevent shadow IT before it starts, giving teams a secure space to innovate while ensuring IT retains oversight.

The platform’s approach to security also extends to AI and agents. Security is enforced across all components of the platform, including apps and AI agents. As organizations adopt tools like M365 Copilot and Copilot Studio, Power Platform provides a secure foundation for building and deploying AI agents. These agents follow existing data loss prevention policies, access controls, and network protections, ensuring AI adoption does not create new exposure.

Power Platform also provides the flexibility to extend Copilot Studio agent protection beyond default safeguards with additional runtime protection. Organizations can choose to integrate additional monitoring systems such as Microsoft Defender, custom tools, or other security platforms for a defense-in-depth approach to agent runtime security.

Centrica, the UK’s largest retailer of zero-carbon electricity, is a good example of secure low-code innovation. With over 800 Power Platform solutions and 15,000 users, Centrica maintains enterprise-grade governance by embedding security, oversight, and controls into every stage of development.

Accenture also demonstrates how Power Platform helps reduce risk at scale. By giving more than 50,000 employees the ability to build within defined guardrails, the company reduced demand for short-term IT projects by 30%. Their approach to low-code governance helped them gain visibility into platform activity while supporting global collaboration. As one Accenture executive put it, “For us, we define shadow IT as things we cannot see or control when we need to. By standing up the platform and inviting our people to create and build—at its very core we have gained visibility into what people are doing and how they are connecting, which starts governance at the platform level.”

Fact: You do not have to outsource to be compliant

There is a perception that distributed development models increase compliance risk. Power Platform addresses this with centralized administration and clear visibility into who is building, what they are building, and how data is being used.

From the Power Platform admin center, IT teams can configure environments, enforce policies, and monitor usage across the entire organization. Tools like Dataverse audit logging, Microsoft Purview integration, and Lockbox support provide deep visibility into sensitive operations and data access.

Purview enhances compliance by enabling data classification, sensitivity labeling, and activity tracking across Power Platform environments. It also helps organizations enforce retention policies and ensure data governance requirements are met, supporting alignment with global regulations like GDPR and HIPAA.

AI capabilities introduce new governance needs, which Power Platform meets with built-in support for risk assessment and proactive recommendations. Copilot capabilities also assist admins in identifying misconfigurations and streamlining compliance reporting.

Power Platform also integrates with Microsoft Sentinel and solution checkers to detect anomalies, surface vulnerabilities, and alert administrators to unusual behavior. Security posture management tools help teams assess and adjust configurations over time, helping organizations scale AI responsibly while maintaining strong governance.

PG&E is a case in point. With more than 4,300 developers and 300 Power Platform solutions, the company has embedded governance and risk management into its development lifecycle. This approach has helped PG&E achieve more than $75 million in annual savings, while ensuring that compliance and oversight remain strong.

Fact: You are not alone in your administering. You have guidance and support.

Another misconception is that managing low-code platforms at scale requires external tools or consultants. Power Platform includes everything needed to govern, secure, and scale app development from within your organization.

IT admins can use Power Platform admin center and advisor to receive AI-driven, real-time recommendations tailored to their environment. These insights help assess environment health, refine governance policies, and proactively manage security posture. Advisor also provides a security score, giving teams a clear view of how well they are securing their environments and a concrete way to demonstrate progress and accountability to leadership.

The platform is designed to adapt to each organization’s structure and needs. Recommendations can be dismissed when covered by other controls, and environment groups allow governance to be tailored to specific business units or departments. This flexibility ensures that security doesn’t get in the way of progress but works alongside it.

Advanced features like test automation, environment isolation, and integrated observability help maintain consistent performance. VNet integration allows organizations to connect securely to on-premises systems without exposing resources to the public internet.

The example of one leading automotive manufacturer highlights these capabilities. The company used VNet support in Power Platform to securely connect AI agents to internal systems without relying on an on-premises data gateway. The result was faster deployment, better compliance with internal security policies, and more than 3,000 hours saved through improved data access.

Start building secure, scalable solutions

Foster innovation while still maintaining security and governance principles. Microsoft Power Platform gives IT leaders and developers the ability to move quickly while maintaining the control their organizations require. With built-in governance, privacy protections, and AI-powered insights, teams can confidently scale low-code development without introducing risk. You no longer have to choose between innovation and security. With Power Platform, you can deliver both.

Explore real-world success stories and best practices. Visit the Power Platform site and follow this blog for the next article in the series breaking down the facts of modern development.

The post Breaking down the facts about secure development with Power Platform appeared first on Microsoft Power Platform Blog.

Where Partners Build and Scale: Partner-Built Security Copilot Agents in Security Store

At Microsoft, we believe that security is a team sport. That’s why we are committed to meeting customers where they are, integrating with the solutions they already use to ensure that everyone can take advantage of the agentic capabilities of Security Copilot.

And it’s not just an idea—it’s a reality. We’re excited to share why partners such as BlueVoyant, OneTrust, and Tanium chose to build agents with Security Copilot—and the value this brings to their customers.

By watching the videos featuring BlueVoyant, OneTrust, and Tanium, you’ll see firsthand how collaboration drives innovation and empowers security teams to tackle today’s threats with agility and confidence. Together, these partner-built agents show how organizations and partners can transform Security Copilot into an integrated force multiplier—proving that security is a team sport.

Partner-built agents power smarter protection

BlueVoyant – Specializing in comprehensive cyber risk management, BlueVoyant provides a suite of services to protect organizations from cyberattacks. In this video, we learn about BlueVoyant Watchtower and how their agents help customers get the most out of their Sentinel and Defender products by using an agent to always review the environment and recommend updated rules, configurations, and policies that catch bad actors. “Security Copilot gives us the advantage of moving more quickly.” – Micah Heaton, Executive Director, Microsoft Product & Innovation Strategy at BlueVoyant

OneTrust – OneTrust, a privacy and consent management platform, specializes in helping customers responsibly use data and AI. By partnering with Microsoft—specifically Microsoft’s Sentinel platform—OneTrust is able to provide their customers with a full view of their data estate. The Privacy Breach Response Agent by OneTrust combines the deep privacy and regulatory expertise of OneTrust with the robust generative AI capabilities of Microsoft Security Copilot, automating privacy risk assessments and improving their accuracy.

Tanium – Specializing in endpoint management and security, Tanium gives IT teams visibility and control over every device in their environment. Tanium’s partnership with Microsoft provides Tanium with seamless integration into Microsoft’s Security products via Copilot, which, combined with Tanium’s real-time environment insights, powers end-to-end workflows across Defender, Entra, Tanium, and Intune. The Security Triage Agent by Tanium accelerates alert triage, providing security teams with the context they need to make informed decisions on Tanium Threat Response alerts swiftly.

The work of partners like BlueVoyant, OneTrust, and Tanium is shaping a new security ecosystem—one where the Microsoft Security Store is a launchpad for partner innovation to drive real-world customer impact. The Store turns partner-built agents into enterprise-ready solutions by providing Microsoft-validated certification, high‑quality metadata, consistent deployment flows, secure authentication and transactions, and in‑product visibility inside Defender, Entra, and Security Copilot. These deployed agents run securely in your Security Copilot zero-trust environment.

The power of the Security Store is that it doesn’t just distribute agents—it amplifies them. It gives partners a unified, trusted surface where their solutions are discoverable directly within Microsoft Security products; where customers can compare capabilities through standardized metadata; where installation is guided and repeatable; and where Microsoft’s AI foundation elevates the value of every partner-built capability. For customers, this means direct access to the best of partner-driven security innovation. Partner-built agents deliver value at every stage of the security journey: proactively monitoring sensor health, surfacing actionable insights, accelerating investigations, and automating incident response. These capabilities help organizations strengthen their security posture, respond faster to threats, and stay ahead of attackers.

For partners, success begins with identifying the unique value their agent brings to customers and designing real security outcomes—such as improved detection, automated investigations, and measurable risk reduction. As more partners publish agents, the ecosystem expands, unlocking advanced scenarios like phishing and identity alert triage, incident enrichment, policy optimization, and automated remediation. By combining Microsoft’s AI foundation with specialized partner expertise, Security Copilot agents deliver differentiated solutions that address a wide range of security challenges—from privacy and compliance workflows to vulnerability management and forensics—helping customers strengthen their security posture and respond faster to threats.

Explore resources and documentation

Explore all the partner-built agents in Security Copilot and partner SaaS offerings at the Microsoft Security Store, and see the Security Store documentation on Microsoft Learn. Or read more documentation on Security Copilot agents to learn:

  • What agents are and how they work in Security Copilot
  • How partners build and integrate agents
  • Links to related resources for development and deployment

What’s new in Microsoft Security Copilot

A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store.

Let’s take a look at what’s new.

 

Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI

Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments.

Read more in the Sentinel announcement blog: Introducing Microsoft Sentinel graph

 

Build your own Security Copilot agents, no coding required

Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do.

Learn more: Build your own Security Copilot agent

 

New Microsoft and partner ready-made agents for real challenges

These new agents help teams address common security and IT challenges faster and smarter:

  • Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks.

    ◦ Learn more: The Microsoft Entra agent for smarter access governance: Access Review Agent

  • Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month: In this new customer spotlight, St. Luke’s is seeing the impact of integrating Security Copilot agents into their daily workflows. ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation.

This release also includes the launch of 30 new partner-built agents, which can be found on the Microsoft Security Store, with solutions like:

  • Forensic Agent by glueckkanja AG: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster.
  • Privileged Admin Watchdog Agent by glueckkanja AG: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security.
  • Ransomware Kill Chain Investigator Agent by adaQuest: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents.
  • Entity Guard Investigator Agent by adaQuest: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture.
  • Admin Guard Insight Agent by adaQuest: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security.
  • Identity Workload ID Agent by Invoke: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl.

Find these agents and more in the Microsoft Security Store.

 

Microsoft Security Store – one, centralized place to find agents and SaaS solutions

The Microsoft Security Store makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows.

Read more in the announcement blog: Introducing Microsoft Security Store

 

Stay tuned and explore more!

Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.

We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:

Don’t miss Microsoft Ignite – we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.

Redefining Cyber Defence with Microsoft Security Exposure Management (MSEM) and Security Copilot

Introduction 

Microsoft Security Exposure Management (MSEM) provides the Cyber Defense team with a unified, continuously updated awareness of asset exposure and relevant attack paths, and classifies these findings. While MSEM continuously creates and updates these findings, the Security Operations Center (SOC) Engineering team needs to reach this data and interact with it as part of their proactive discovery exercises.

Microsoft Security Copilot (SCP), on the other hand, acts as an always-ready, AI-powered copilot to the SOC Engineering team. Combined, the situational awareness from MSEM and the quick, consistent retrieval capabilities of SCP give SOC engineers a natural-language front door into exposure insights and attack paths. The combination also makes it possible to include MSEM content, and the reasoning over this content, in Security Copilot prompts and promptbooks, and to use this content in automation scenarios that leverage Security Copilot.

Traditionally, a SOC person needs to navigate to Microsoft Security Advanced Hunting, retrieve data related to assets with a certain level of exposure, and then start building a plan for each asset to reduce its exposure. Such a plan needs to take into consideration the nature of the exposure, the location where the asset is hosted, and the characteristics of the asset, and it requires working knowledge of each impacted system. This approach:

  • Is a time-consuming process, especially when taking into consideration the learning curve associated with learning about each exposure before deciding on the best course of exposure reduction; and 
  • Can result in some undesired habits, like adopting a reactive approach rather than a proactive one; prioritizing assets with a certain exposure risk level; or attending to exposures that are already familiar to the person reviewing the list of exposures and attack paths.

Overview of Exposure Management 

Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk. 

Who uses Security Exposure Management? 

Security Exposure Management is aimed at: 

  • Security and compliance admins responsible for maintaining and improving organizational security posture. 
  • Security operations (SecOps) and partner teams who need visibility into data and workloads across organizational silos to effectively detect, investigate, and mitigate security threats. 
  • Security architects responsible for solving systematic issues in overall security posture. 
  • Chief Information Security Officers (CISOs) and security decision makers who need insights into organizational attack surfaces and exposure in order to understand security risk within organizational risk frameworks. 

What can I do with Security Exposure Management? 

With Security Exposure Management, you can: 

  • Get a unified view across the organization 
  • Manage and investigate attack surfaces 
  • Discover and safeguard critical assets 
  • Manage exposure 
  • Connect your data 

Overview of Security Copilot plugins and skills 

Microsoft Security Copilot is a generative AI-powered assistant designed to augment security operations by accelerating detection, investigation, and response. Its extensibility through plugins and skills enables organizations to tailor the platform to their unique environments, integrate diverse data sources, and automate complex workflows. 

Plugin Architecture and Categories: 

Security Copilot supports a growing ecosystem of plugins categorized into: 

  • First-party plugins: Native integrations with Microsoft services such as Microsoft Sentinel, Defender XDR, Intune, Entra, Purview, and Defender for Cloud. 
  • Third-party plugins: Integrations with external security platforms and ISVs, enabling broader telemetry and contextual enrichment. 
  • Custom plugins: User-developed extensions using KQL, GPT, or API-based logic to address specific use cases or data sources.

Plugins act as grounding sources—providing context, verifying responses, and enabling Copilot to operate across embedded experiences or standalone sessions. Users can toggle plugins on/off, prioritize sources, and personalize settings (e.g., default Sentinel workspace) to streamline investigations. 

Skills and Promptbooks 

Skills in Security Copilot are modular capabilities that guide the AI in executing tasks such as incident triage, threat hunting, or policy analysis. These are often bundled into promptbooks, which are reusable, scenario-driven workflows that combine plugins, prompts, and logic to automate investigations or compliance checks. 

Security analysts can create, manage, and share promptbooks across tenants, enabling consistent execution of best practices. Promptbooks can be customized to include plugin-specific logic, such as querying Microsoft Graph API or running KQL-based detections. 

Role-Based Access and Governance 

Security Copilot enforces role-based access through Entra ID security groups: 

  • Copilot Owners: Full access to manage plugins, promptbooks, and tenant-wide settings. 
  • Copilot Contributors: Can create sessions and use promptbooks but have limited plugin publishing rights. 

Each embedded experience may require additional service-specific roles (e.g., Sentinel Reader, Endpoint Security Manager) to access relevant data. Governance files and onboarding templates help teams align plugin usage with organizational policies.  

Connecting Exposure Management with Security Copilot 

There are multiple benefits of connecting MSEM with Security Copilot (as explained in section 1 [Introduction] of this paper). We wrote a plugin with two skills to harness the Exposure Management insights within Security Copilot and to eventually understand the exposure of assets hosted in a particular cloud platform by your organization and of assets belonging to a specific user. 

A high-level architecture of the connectivity looks like this: 

 

The two skills of the plugin correspond to the following two use cases:

  1. Obtain exposure of an asset hosted on a particular cloud platform by your organization  
  2. Obtain exposure of an asset belonging to a specific user  

In each of the above use cases, you can also specify the exposure level for which you want to extract the data.

Plugin Code (YAML) 

GitHub – Microsoft Security Exposure Management plugin for Security Copilot – YAML 

Proof of Concept (screen video) 

Conclusion

Here, we proposed an alternative approach that drives up the SOC’s efficiency and helps the organization reduce the time from exposure discovery to exposure reduction. The approach allows the SOC person to retrieve assets that fit a certain profile, e.g. by prompting Security Copilot to “List all assets hosted on Azure with Low Exposure Level”. After all affected assets are retrieved, the user can prompt Security Copilot with “For each asset, help me create a 7-day plan to reduce these exposures”, and can finally conclude with the prompt “Create an Executive Report, start by explaining to non-technical audience the risks associated with the identified exposures, then list all affected assets, along with a summary of the steps needed to reduce the exposures identified”. These prompts can also be organized in a promptbook, further reducing the burden on the SOC person, and can be run by automation at regular intervals, where the automation can then email the report to the intended audience or be further extended to create relevant tickets in the IT Service Management system.

An additional approach to risk management is to keep an eye on highly targeted personas within the organization. With the proposed integration, a SOC person can prompt Security Copilot to find “What are the exposure risks associated with the devices owned by the Contoso person john.doe@contoso.com”. This helps the SOC person identify and remediate attack paths targeting devices used by highly targeted persons; within the same session, the SOC person can dig deeper to find any potential exploitation of these exposures, get recommendations on how to reduce them, and draft an action plan.

From idea to Security Copilot agent: Create, customize, and deploy

This week at Microsoft Secure, we announced the next big step forward in agentic security. In addition to Microsoft and partner-built agents, you can now create your own Security Copilot agents, extending the growing ecosystem of agents that help teams automate workflows, close gaps, and drive stronger security and IT outcomes.

Why it matters: no two environments are the same. Out-of-the-box agents give you powerful starting points, but your workflows are unique. With custom agents, you get the flexibility to design and deploy solutions that fit your organization.

Two ways to build: Your choice, your workflow

Security Copilot gives you options. Analysts can easily build with a no-code interface. Developers can stay in their preferred coding environment. Either way, you end up with a fully functional, testable, and deployable agent.

For full documentation and detailed guidance on building agents, check out the Microsoft Security Copilot documentation. But now, let’s walk through the key steps so you can get started building your own agent today.

Option 1: Build in Security Copilot, no coding required

Step 1: Create in natural language

Click ‘Build’ in the left nav, describe what you want your agent to do in plain language, and submit. Security Copilot will engage in a back-and-forth conversation to clarify and capture your intent so you start with precision.

Step 2: Auto-generate the configuration
Security Copilot instantly creates a starter setup, giving you:

  • An agent name and description
  • Clear instructions and input parameters
  • Recommended tools pulled from the catalog, including Microsoft, partner, and Sentinel MCP tools

This saves time and generates a strong foundation you can build on.

 

Step 3: Customize to fit your needs
Tailor the configuration to your needs; you can edit any part. Update instructions, swap tools, or add new ones from the tool catalog. If the right tool isn’t available, you can create one in natural language or a form-based experience. You’re in full control of how your agent works.

 

Step 4: Keep YAML and no-code views aligned
Every change you make is automatically reflected in the underlying YAML code. This ensures consistency between the no-code visual and code views, so both analysts and developers can work with confidence. Toggle on ‘view code’ to see it live.

 

Step 5: Test and elevate with autotune instruction optimization
Run full end-to-end tests or test individual components to see how your agent performs. Security Copilot shows detailed outputs and a step-by-step activity map of the agent’s dynamic plan, including the tools, inputs, and outputs.

While you can test without it, turning on autotune instruction optimization delivers major advantages:

  • Refined instruction recommendations you can copy directly into your config
  • AI quality scoring on clarity, grounding, and detail to ensure your agent is effective before publishing
  • Faster iteration with confidence your agent is tuned for real-world use

Explore the activity graph tab to view a visual node map of the run, and click any node to see details of what happened at each step.

 

Step 6: Publish and share
When you’re ready, publish the agent into your Security Copilot instance at either a user or workspace scope (depending on admin permissions). If you’re a partner, you can also download the agent code, publish to the Microsoft Partner Center and contribute it to the Microsoft Security Store for broader visibility and adoption by customers.

Benefit: Build production-ready agents in minutes without writing a single line of code.

It’s that easy to build an agent tailored to your unique workflows, and you are not limited to the Security Copilot portal. If you prefer a developer-friendly environment, you can build entirely in VS Code using GitHub Copilot and Microsoft Sentinel MCP tools. You still get AI-powered guidance, YAML scaffolding, and testing support, along with rich context from Sentinel data and the full platform toolset, all while staying in the environment that works best for you.

Option 2: Build in VS Code using GitHub Copilot + Microsoft Sentinel MCP Tools

Step 1: Set up your development environment
Enable the Microsoft Sentinel MCP server in VS Code. This gives you direct access to the collection of Security Copilot agent creation MCP tools and integrates with GitHub Copilot for code generation – all while staying in your preferred workspace.

 

Step 2: Define agent behavior from natural language with platform context
Describe the agent you want to build in natural language. GitHub Copilot interprets your intent, selects the relevant MCP tools, finds relevant skills and tools in Security Copilot for your agent, and crafts the agent instructions. The agent YAML is then generated and returned to you. Because your agent is built on Microsoft Security Copilot and Sentinel, it automatically leverages rich data and tooling across the platform for context-aware, more effective results.

Step 3: Iterate, customize and extend your agent
Modify instructions, add tools, or create new tools as needed. Use prompts to vibe code your edits or copy the YAML into the code editor and directly modify the agent YAML there. GitHub Copilot keeps the chat and code in sync.

Step 4: Deploy to Security Copilot for testing
Once you’re ready to test your agent YAML, prompt GitHub Copilot to deploy the agent to your user scope. Then head to the Security Copilot portal to test and optimize your agent with autotune instruction optimization. Take advantage of detailed outputs, activity maps, and AI scoring to refine instructions and ensure your agent performs effectively in real-world scenarios.

 

Step 5: Publish and share your agent

Once validated, publish the agent into your Security Copilot instance at either user or workspace scope (depending on admin permissions). Partners can also download the agent code, publish to the Microsoft Partner Center, and contribute it to the Microsoft Security Store for broader discoverability and adoption.

What you get: Full code-level control and the same AI-powered agent development experience while staying in your preferred workspace.

Whichever approach you choose, you can build, test, and deploy agents that fit your workflows and environment. Microsoft Security Copilot and Microsoft Sentinel give you the tools and advanced AI guidance to create agents that work for your organization.

Explore the Microsoft Security Store

Automate your workflows with pre-built solutions. The Microsoft Security Store gives you a central place to discover and deploy agents and SaaS solutions created by Microsoft and partners. Browse ready-to-use solutions, learn from proven approaches, and adapt them with your own customizations. It’s the quickest way to expand your ecosystem of agents and accelerate impact.

More resources about the Security Store: “What is Security Store?” (Microsoft Learn)

Build, deploy, defend

Security Copilot puts the power of agentic AI directly in your hands. Start with ready-to-use agents from Microsoft and partners, or create custom agents designed specifically for your environment and workflows. These agents streamline decision-making, surface critical insights, and free your team to focus on strategic security initiatives – making operations faster, smarter, and more responsive.

Join us at Microsoft Ignite, online or in-person, for hands-on demos and insights on how Security Copilot agents empower teams to act faster and protect better.

More resources on building Security Copilot agents:

 

Special thanks to my co-authors, Namrata Puri (Principal PM, Security Copilot) and Sherie Pan (PM, Security Copilot), for their insights and contributions.