What Is Security Copilot and What’s New?
Security Copilot is Microsoft’s AI-driven security assistant, initially introduced earlier in 2025 as a GPT-4-powered tool for security operations. The big news is its evolution from a standalone assistant to an “agentic” system directly integrated into the security workflow.

Embedded AI Agents Across the Stack
There are a dozen new built-in agents from Microsoft and 30+ partner-built agents that plug into various security roles. Agents may autonomously map an attack’s path in Defender, isolate a compromised device, or adjust user access in Entra ID based on risk signals.
Natural Language Operations
Analysts can interact with systems using plain English (“Show me any unusual sign-ins…”). Routine tasks such as alert triage, threat hunting, or writing firewall rules can be handled by describing the goal to the agent.
Seamless Integration for E5 Customers
Security Copilot is now part of the “core entitlement” of E5, automatically lighting up in customer tenants without extra licensing.
Capabilities Across Defender, Intune, Entra, and Purview
- Defender: Incident analysis, attack mapping, and automated response suggestions.
- Intune: Natural-language policy changes, posture checks, and auto-remediation.
- Entra: Identity risk scoring, anomaly detection, and policy adjustments.
- Purview: Data classification, compliance workflows, DSR automation, and policy enforcement.
Key Features and Capabilities of Security Copilot Agents
The inclusion of Security Copilot brings a breadth of new AI-driven features to E5 customers’ security toolkits:
Autonomous Security Agents
“Agentic AI” in this context means the Copilot isn’t just passively suggesting help; it can act. Microsoft introduced 12 new built-in agents spanning its security products, along with an expanding gallery of 30+ partner-built agents available via a Security Copilot “store”. These agents operate much like additional team members specialized in their domains. For instance, a Defender agent might automatically compile an incident report with attack timelines, while an Intune agent remediates policy violations.
Natural Language Threat Hunting & Response
Security Copilot agents allow analysts to interact using conversational language. You might type: “Find any signs of phishing emails targeting our finance team last week”, and the appropriate agent will sift through telemetry. This turns what used to require multiple console clicks and scripts into one AI-orchestrated flow, eliminating the need to write complex KQL or SQL by hand.
Cross-Domain Coordination
Because Security Copilot’s agents span different products, they can coordinate actions that previously were siloed. An attack story that begins with a compromised identity in Entra ID and an endpoint alert in Defender can be automatically correlated. The Copilot can then take actions in tandem—disabling a user account while simultaneously quarantining that user’s device via Intune.
Built-In and Partner Agents
Out of the box, Microsoft provides agents for common tasks in:
Microsoft Defender (SOC operations)
Agents assist with incident analysis, mapping the attack path of threats through the network, and providing automated response suggestions to contain incidents.
Microsoft Intune (Endpoint management)
Agents enable natural-language policy changes (e.g. “block USB storage on executive laptops”), perform continuous device posture checks, and handle troubleshooting by automatically executing remedial steps.
Microsoft Entra (Identity)
AI agents contribute to identity protection by calculating risk scores, finding anomalous sign-in patterns, and suggesting or automatically adjusting conditional access policies.
Microsoft Purview (Compliance & data security)
Agents help classify sensitive data and enforce protection policies. They can automate parts of compliance workflows, such as handling a Data Subject Request (DSR) by gathering all relevant files and emails about an individual instantly.
These capabilities were designed to bring machine speed and consistency to security operations. Rather than waiting for a human to notice an alert, cross-reference the data, and take action, the agents can do so in seconds, within the rules and scope your organization has configured for them.