In a time of escalating cyber threats, security teams face relentless pressure to do more with less – more threats, more data, more tools, fewer resources. Microsoft Security Copilot was built to bridge that gap, delivering an AI-driven assistant that enhances detection, investigation, and response across the entire Microsoft Security stack. Since it was launched in April 2024, Copilot has been integrated into customer environments to assist security professionals at every level – amplifying human expertise, streamlining complex workflows, and helping teams stay ahead of evolving threats. 

New research from Microsoft live operations highlights Security Copilot’s tangible impact, showing productivity gains across security and IT. Organizations using Security Copilot have seen: 

At this year’s RSA Conference, we are excited to share updates that make Security Copilot even more powerful, flexible, and accessible to customers and partners. 

Security Copilot agents are now in preview 

Last month at Microsoft Secure, we introduced Security Copilot agents – autonomous AI designed to tackle high-volume security tasks. Built on Security Copilot and seamlessly integrated with Microsoft Security solutions and partner ecosystem, these agents are tailored to security-specific use cases, adapt to your workflows, and learn from feedback, all while keeping your team fully in control. Every agent launched is built on the Security Copilot platform, ensuring a consistent, secure, and unified experience across capabilities.  

Starting today, we’re beginning a phased public preview rollout which will gradually expand to more customers to ensure a smooth and scalable experience.  The following agents are now available in preview to select customers: 

• Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click. 

• Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval. 

• Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure. 

And there’s more to come. Over the next few weeks, additional agents will become available to customers: 

• Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback. 

• Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback. 

• Partner agents from OneTrust, Tanium, BlueVoyant, Fletch, and Aviatrix that automate tasks like privacy breach response, SOC assessment, alert triage, task optimization, and root cause analysis.  

We’re also thrilled to announce two new partner agents that have joined our growing ecosystem since our Secure event last month, now in private preview:

• Email Threat Analyst Agent by Performanta conducts investigations into email-based threats and compromised user activity and provides an impact and recommended mitigation assessment.  

• IAM Supervisor Agent by Performanta uncovers and triages identity and access threats and provides an impact and recommended mitigation assessment. 

With these additions, our growing ecosystem of Security Copilot agents – now in preview – offers broader insights and powerful automation to help security teams respond faster and more effectively. We are excited to continue advancing agentic capabilities both at Microsoft and through collaboration with our third-party partners. Please visit the new Security Copilot video hub for demos or deep dives of Security Copilot agents.

Partner ecosystem updates 

Azure Lighthouse support for Sentinel use cases 

Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now generally available. With this support, MSSPs can purchase SCUs and attach them to the managing tenant in Azure Lighthouse and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers. 

Supported scenarios include querying the customer Sentinel incident, incident entities/ details, querying Sentinel workspaces, and fetching Sentinel incident query. These skills can be invoked on per customer Sentinel workspace. Managing tenants using Azure Lighthouse now can do the following, without their customers needing to provision SCUs: 

• Use the same natural language-based prompts using Sentinel skills on customer data 

• Create custom promptbooks using Sentinel skills to automate their investigations 

• Use Logic Apps to trigger these promptbooks 

Learn more about how to get started with Azure Lighthouse Support for Sentinel use cases here. 

New Security Copilot plugins 

As part of our effort to provide customers with truly end-to-end security protection, we continue to prioritize expanding our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot.  

The following plugins are now in preview:  

• Censys plugin enables users to enrich investigations using threat intelligence from the Censys platform to scan a URL or domain and scan an IP address.  

• HP Workforce Experience Platform (WXP) plugin for Security Copilot allows users to gain insight into warranty of devices, application crashes, data about their fleet, and more.  

• Splunk plugin allows Security Copilot users to make calls to Splunk to perform queries to create, retrieve, and dispatch saved Splunk searches, and retrieve and view information about fired alerts.  

• Quest Security Guardian plugin reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention. 

• The following plugins are now in GA:  

• CheckPhish plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.   

Integration spotlight: ServiceNow SIR plugin 

The integration of ServiceNow AI and Microsoft Security Copilot capabilities brings joint capabilities to empower our customers and enhance their security posture. The integration optimizes incident insights within SIR and enhances Microsoft Security product’s security incident resolution status and threat prioritization capabilities, driving continuous security posture and awareness. As a result, security teams benefit from faster, more accurate incident resolution – reinforcing our commitment to delivering cutting– edge, AI-driven solutions that elevate the entire security ecosystem.  

Flexibility, scalability, and security for AI 

Microsoft Purview for Security Copilot 

As organizations adopt AI, implementing data controls and a  Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI. We are excited to announce Microsoft Purview capabilities in preview for Security Copilot. By combining Microsoft Purview and Security Copilot, users can: 

• Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) for AI dashboard to reduce these risks.  

• Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device. 

• Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection. 

Learn more about Purview for Security Copilot here. 

Copilot in Microsoft Defender for Cloud 

Copilot in Defender for Cloud helps security teams accelerate risk remediation, making it faster and easier for security admins to remediate cloud risks by providing AI-generated summaries, remediation actions, and delegation emails, guiding users in each step of the risk reduction process. Security admins can use AI to quickly summarize a specific recommendation, generate remediation scripts, and delegate tasks via email to resource owners. The capabilities help reduce investigation time, enabling security teams to understand the risk in context and identify resources to quickly remediate. The capabilities are now generally available. Learn more about Copilot in Defender for Cloud here. 

Enriched Incident Summaries in the Microsoft Sentinel Azure portal 

We’re excited to announce Security Copilot Incident Summaries in the Microsoft Sentinel Azure portal are now in public preview. This capability provides enriched, easy-to-digest insights into security incidents – streamlining triage and helping analysts quickly understand scope, impact, and next steps. Read the blog post here. 

Enhanced Consumption Flexibility for Security Copilot 

This month we introduced enhancements to Security Copilot to enhance customer flexibility and scalability, by supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This capability ensures that users can scale their Copilot workloads beyond their provisioned capacity, for uninterrupted protection. Read the blog post here. 

Learn more about Security Copilot at RSA Conference 2025

To learn more about Security Copilot and explore how it can elevate your organization’s security strategy, we invite you to connect with us at booth #5744. This is a great opportunity to engage with Microsoft security experts, dive deeper into the latest innovations, and experience how Security Copilot can simplify and strengthen your security operations. Join us for our Security Copilot sessions below, stop by our booth for a live demo, or schedule a one-on-one meeting with our team. 

Introduction 

There are many different approaches when it comes to prioritizing the vulnerabilities which need addressing with urgency. Any information or guidance to help you make better informed decisions can be critical but how can you stay informed? Leveraging all the information sources available to you can be the difference and allow you to be proactive when trying to protect your organization. 

 One useful feed is offered by CISA (Cybersecurity & Infrastructure Security Agency) who works with partners to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future. The Known Exploited Vulnerabilities (KEV) Catalog is a curated list maintained by CISA. It identifies vulnerabilities that have been actively exploited in the wild, posing significant risks to organizations and individuals. The catalog aims to enhance cybersecurity by providing timely information on these vulnerabilities, enabling proactive mitigation efforts. 

Key features of the KEV Catalog include: 

• Identification: Lists vulnerabilities that are confirmed to be exploited. 

• Details: Provides technical details, including affected products and versions. 

• Mitigation: Offers guidance on how to address and remediate the vulnerabilities. 

• Updates: Regularly updated to reflect new threats and exploited vulnerabilities. 

The KEV Catalog serves as a critical resource for cybersecurity professionals, helping them prioritize patching and defense strategies to protect against known threats.

The feed is designed to help organizations stay informed about vulnerabilities that have been exploited in the wild. It is part of CISA’s efforts to defend against current threats and build a more secure and resilient infrastructure for the future 

Workflow overview 

The automated CISA feed solution addresses prioritization challenges by streamlining the process of vulnerability management. This solution checks the latest CISA feed every 24 hours and queries the CVE findings against devices within Microsoft Defender for Endpoint. Security Copilot then checks for remediation actions and enriches the description, providing a comprehensive overview of the vulnerability. 

Figure 1: Example of the email output from the Logic App

Key benefits of the Logic App include: 

• Automated Updates: The Logic App automatically retrieves the latest CISA feed, ensuring that analysts have up-to-date information without manual intervention. This eliminates the need for manual checks and reduces the risk of missing critical updates. 

• Device Vulnerability Assessment: It queries the CVE findings against devices within the organization, identifying which devices are vulnerable to the reported CVEs. This targeted approach allows analysts to focus on the most critical vulnerabilities affecting their specific environment, enhancing the efficiency of the remediation process. 

• Remediation Insights: Security Copilot provides detailed remediation actions, helping analysts understand the steps needed to mitigate the vulnerabilities. By enriching the description with actionable insights, it simplifies the decision-making process and accelerates the implementation of security measures. 

• Email Notifications: An email with the findings is sent to a designated mailbox, allowing for easy review and follow-up. This ensures that all relevant stakeholders are informed promptly, facilitating coordinated responses and continuous monitoring of the organization’s security posture. 

Figure 2: Screenshot of the CISA Logic App

Click here to get started and install the Logic App today. 

Conclusion 

To prioritize effectively, gather all necessary information for informed decisions. While the Logic App CISA workflow is one approach, other methods may better suit your organization. Function Apps can enhance decision making by automating and streamlining security operations with integrated tools and processes. The Security Copilot GitHub repository offers AI-powered solutions using machine learning and natural language processing to improve security. These tools help identify vulnerabilities, predict risks, and implement protective measures. Check it out!