Rob Lefferts, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Feed last updated: Thu, 09 Apr 2026 18:34:05 +0000

The agentic SOC—Rethinking SecOps for the next decade
http://approjects.co.za/?big=en-us/security/blog/2026/04/09/the-agentic-soc-rethinking-secops-for-the-next-decade/
Thu, 09 Apr 2026 19:00:00 +0000

In the SOC of the future, autonomous defense moves at machine speed, agents add context and coordination, and humans focus on judgment, risk, and outcomes.

The post The agentic SOC—Rethinking SecOps for the next decade appeared first on Microsoft Security Blog.

Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed endpoint detection and response (EDR)—and later extended detection and response (XDR)—security teams raised the bar, pushing cyberattackers beyond phishing, commodity malware, and perimeter‑based attacks and into cloud infrastructure built for scale and speed.

That pattern continued as defenders embraced automation and AI to manage expanding digital estates. SOCs were often early scale adopters—using machine learning to reduce noise, improve visibility, and respond faster across growing environments. Cyberattackers became more targeted and multistage, moving deliberately across identities, endpoints, cloud resources, and email, where detection was hardest. Success increasingly depended on moving fast enough to act before analysts could connect the dots. Even with this progress, security operations (SecOps) still feel asymmetrical: threat actors only need to be right once, while defenders are judged by every miss. If defense depends on human intervention to begin, defense will always feel asymmetrical.

To change the outcome, SOCs must change how defense itself works. This is the agentic SOC: where security delivers adaptive, autonomous defense, freeing defenders for strategic, high‑impact work. In this series, we’ll break down what that shift requires, what early experimentation has taught us, and where organizations can start today. Read more about how some organizations are moving toward the agentic SOC, and access a foundational roadmap for this transformation, in our new whitepaper, The agentic SOC: Your teammate for tomorrow, today.

What we mean by “the agentic SOC”

At its core, the agentic SOC is an operating model that shifts security from reacting to incidents to anticipating how cyberattackers move—and actively reshaping the environment to cut off their paths.

It brings together a platform that can increasingly defend itself through built-in autonomous defense, with AI agents working alongside humans to accelerate investigation, prioritization, and action—so teams spend less time on execution and more time on judgment, risk, and the decisions that matter.

How does that change day-to-day work? Imagine a credential theft attempt. Built-in defenses automatically lock the affected account and isolate the compromised device within seconds—before lateral movement can begin. At the same time, an AI agent initiates an investigation, hunting for related activity across identity, endpoint, email, and cloud signals, and correlating everything into a single view.

When an analyst opens their queue, the “noise” of overwhelming alerts is already gone. Evidence has been pre-assembled. Likely next steps are suggested. The analyst can start right away by answering higher impact questions: Is this part of a broader campaign? Should this authentication method be hardened? Are there related techniques this cyberattacker commonly uses that the environment is still exposed to?

In today’s SOC, we see that this sequence often takes hours—and the proactive improvement is very limited, if it ever happens; there’s simply not enough time. In an agentic SOC, it happens in minutes, and teams can spend the time they’ve gained on deeper investigation, systemic hardening, and reducing the likelihood of repeat cyberattacks.

A layered model for the agentic SOC

This model works because an agentic SOC is built on two distinct but interdependent layers. The first is an underlying threat protection platform that has fundamentally evolved how cyberattacks are defended against and disrupted. High-confidence cyberthreats are handled automatically through deterministic, policy-bound controls built directly into the platform. Known attack patterns are blocked in real time—without deliberation or creativity—shielding the environment from machine-speed cyberthreats before scarce human attention or token-intensive reasoning is required. This disruption layer is not optional; it is the prerequisite that makes an agentic SOC safe, scalable, and sustainable.

The second layer operates at the operational level, where agents take on tough analysis and correlation work to dramatically increase the leverage of security teams and shift focus from uncovering insight to acting on it. These agents reason over evidence, coordinate investigations, orchestrate response across domains, and learn continuously from outcomes. Over time, they help identify recurring attack paths, surface gaps in posture, and recommend changes that make the environment harder to exploit—not just faster to respond.

Together, they transform the SOC from a reactive workflow engine into a resilient system.

What’s real now, and why there’s reason for optimism

The optimism around our view of the agentic SOC comes from operational discipline and proven, real-world impact. Autonomous attack disruption has been operating at scale for years.

Read more about how Microsoft Defender establishes confidence for automatic action.

Attacks like ransomware are disrupted in an average of three minutes, and tens of thousands of attacks are contained every month by isolating compromised users and devices before lateral movement can take hold. This is all done with a 99.99% confidence rating, so SOC teams can trust in its efficacy.

Building on that proven foundation, newer capabilities like predictive shielding extend autonomous defense further—anticipating how cyberattacks are likely to progress and proactively restricting high-risk paths or assets during an intrusion.

Read the case study about how predictive shielding in Microsoft Defender stopped Group Policy Object (GPO) ransomware before it started.

Together, these system-level protections show that platforms can safely intervene earlier in the cyberattack chain without introducing unnecessary disruption.

Agentic capabilities are also being similarly scoped. Internally, we’ve been testing task agents for triage and investigations under the expert supervision of our defenders. In live environments, these agents automate 75% of phishing and malware investigations. We’ve also tested agents on more complex analytical tasks, such as assessing exposure to specific vulnerabilities—work that once required a full day of engineering effort and can now be completed in less than an hour by an agent.

How day-to-day SOC work will change in the future

In an agentic SOC, the center of gravity will change for roles such as the analyst. Fewer analysts are pulled into firefighting; more time is spent investigating how the organization is being targeted and what steps can be taken to reduce exposure. Within this new operating model, security teams will be free to evolve their team structure and their day-to-day responsibilities.

Agentic systems increase demand for oversight, tuning, and governance. Detection and response engineering becomes more central, as teams design policies, confidence thresholds, and escalation paths. New roles emerge around supervising outcomes and refining system behavior over time.

Expertise becomes more valuable, not less. Judgment, context, and institutional knowledge are no longer consumed by repetitive tasks—they shape how the SOC operates at scale. And skilled practitioners move closer to strategy, quality, and accountability.

To make this shift tangible, here’s how key roles are evolving:

  • Analysts: from triaging alerts to supervising outcomes. Analysts validate agent‑led investigations, determine when deeper inquiry is needed, focus on ambiguous cases, and guide system learning over time.
  • Detection engineers: from writing rules to teaching the system what matters. Engineers decide which signals are trustworthy, add the right context, and set confidence thresholds so detections can be acted on automatically—without human review every time.
  • Threat hunters: from manual queries to hypothesis-driven exploration. Hunters use AI to surface anomalies and focus on creative investigation and adversary simulation.
  • SOC leadership: from managing queues to orchestrating autonomy. Leaders define automation policies, oversee governance, and align AI actions with business risk.

Each shift reflects a broader truth: in the agentic SOC, people don’t do less—they do more of what matters.

The agentic SOC journey

This is a significant change in how security teams operate, and it doesn’t happen overnight. Based on our own experience, we’ve outlined a maturity model that shows how organizations can progress toward an agentic SOC over time.

Organizations begin by establishing a trusted foundation that unifies security tooling, enables the deployment of autonomous defense, and begins unifying security signals in earnest. From there, they introduce agents to take on bounded, high-volume work under human supervision, learning where automation adds leverage and where judgment still matters most. Over time, as confidence, governance, and operational discipline mature, agents expand from assisting individual workflows to coordinating broader security outcomes. At every stage, progress is measured not by how much work is automated, but by how effectively human expertise is amplified.

[Figure: a three-stage SOC maturity journey with the milestones “SOC I: Unify your platform foundation,” “SOC II: Accelerate operations with generative AI,” and “SOC III: Deploy agentic automation.”]

SOC 1—Unify your platform foundation

The shift begins with a unified security platform that enables autonomous defense. Deterministic, policy-bound protections stop high-confidence cyberthreats automatically—removing urgency, reducing blast radius, and eliminating the constant context switching that slows human response. By integrating signals across identity, endpoints, and cloud, defenders gain a shared view of cyberattacks instead of stitching evidence together across tools. This foundation is what makes cross-domain action possible—and separates experimental automation from production-ready operations.

SOC 2—Accelerate operations with generative AI and task agents

With urgency reduced, generative AI changes how work flows through the SOC. Instead of pushing alerts forward, AI assembles context, synthesizes signals across domains, and produces coherent investigations. Repetitive, high-volume tasks like triage, correlation, and basic investigation are absorbed by the system, allowing analysts to focus on higher impact decisions. This stage establishes new operational patterns where humans and AI work together—accelerating response while preserving judgment and accountability.

SOC 3—Deploy agentic automation

As trust grows, agents move from assistance to action. Specialized agents autonomously orchestrate specific tasks—containing compromised identities, isolating devices, or remediating reported phishing—while humans shift into supervisory roles. Over time, agents help identify patterns, anticipate attack paths, and optimize defenses across the environment. Security teams spend less time managing queues and more time shaping posture, risk, and outcomes. These shifts compound across all three stages.

What comes next for the SOC evolution?

We believe the strongest agentic SOC models will begin with autonomous defense—deterministic, policy‑bound actions that safely stop what is already known to be dangerous at machine speed. That foundation removes urgency, noise, and latency from security operations.

Additionally, agents and humans work differently. Agents assemble context, coordinate remediation, and optimize how the SOC operates. Humans provide intent, judgment, and accountability—turning time saved into smarter, more strategic security outcomes.

This is the first of a series of posts that will explore what makes the agentic SOC model real: the platform foundations required to defend autonomously, the governance and trust mechanisms that keep autonomy safe, and the adoption journey organizations take to get there. Some organizations are already rebuilding their businesses around AI, a new class of Frontier Firms. Read more about how they’re making their move toward the agentic SOC and access a foundational roadmap for this transformation in our new whitepaper, The agentic SOC: Your teammate for tomorrow, today.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Identity security is the new pressure point for modern cyberattacks
http://approjects.co.za/?big=en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/
Wed, 25 Mar 2026 16:00:00 +0000

Read the latest Microsoft Secure Access report for insights into why a unified identity and access strategy offers strong modern protection.

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams.

The challenge isn’t just scale; it’s fragmentation. From our latest Secure Access report, research shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That fragmentation across security vendors makes it harder to maintain consistent access controls and correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge—creating ideal conditions for cyberattackers to move laterally without detection. Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane informed by a continuous, foundational security signal.

Why fragmentation fails—and what must replace it

With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses; they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps.

For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented.

Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals.

A modern identity security solution must unify three critical layers:

  • The identity infrastructure: The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale.
  • The identity control plane: Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as conditions change, powering real-time response to identity threats.
  • End-to-end identity threat protection: Before a cyberattack, it proactively reduces posture risk by eliminating excessive access and closing identity exposure gaps. When threats emerge, it detects identity misuse in real time, surfaces lateral movement, and drives rapid containment—connecting integrated signals and response across the full attack lifecycle.

When these layers operate in isolation, risk is missed. When they operate as one, identity becomes a powerful security signal—enabling earlier detection, smarter decisions, and faster response.

Redefining identity security for real-time defense

Microsoft is delivering a new standard for identity security solutions—one that unifies identity infrastructure, access control, and threat response into a single, real-time platform built for speed, precision, and autonomy.

We start with the identity infrastructure: the foundational identity layer powered by Microsoft Entra. As one of the most widely adopted identity platforms in the world with billions of authentications managed daily, it provides resilient SSO, user and group management, and trust establishment at global scale—a layer many security vendors simply don’t have access to.

We collapse identity sprawl, correlating related accounts across cloud and on-premises into a single identity view, so risk assessment is no longer scattered across disconnected systems. This gives security teams a real‑time understanding of what an identity and its correlated accounts can access, not just who it is—allowing them to spot dangerous access paths early, limit impact, and disrupt lateral movement before attackers turn access into impact. Likewise, it gives identity teams visibility into whether a user flagged as high risk was a one-off or is associated with other accounts, informing what access decisions to make.

On top of that foundation is a real-time identity control plane designed for how attacks actually unfold. Microsoft Entra Conditional Access continuously evaluates risk as access is used, not just when it’s granted—tracking signals from identity, device, network, and broader threat intelligence throughout the session. As conditions change, access adapts in real time, helping identity teams limit exposure and prevent risky access while giving security teams the ability to interrupt attack paths while activity is still in motion. This is adaptive access driven by connected intelligence—not static policy.

And when risk turns into a threat, we act—automatically and inline, which results in a faster response. Microsoft’s threat protection is differentiated by automatic attack disruption: a capability that intervenes mid-attack to isolate compromised assets by terminating user sessions, revoking access, and applying just-in-time hardening to stop lateral movement and privilege escalation. It’s not just detection—it’s defense in motion.

To accelerate response, we’ve extended Microsoft Security Copilot’s triage agent to identity. It uses AI to filter noise, surface high-confidence alerts, and guide analysts with clear, explainable insights—reducing time to action and analyst fatigue.

This end-to-end approach shifts identity from an expanding source of exposure into a strategic advantage. Instead of reacting after access has already been abused, it helps ensure that risk is evaluated continuously, access decisions are made in real-time, and organizations can defend more effectively as attack paths emerge to stop identity‑based attacks before they escalate into business impact.

Innovation that moves the industry forward

At RSAC 2026, we announced a set of innovations in identity security that are designed to help organizations move from fragmented awareness to confident, identity-centric protection:

  • The new identity security dashboard in Microsoft Defender doesn’t just summarize alerts; it reveals where identity risk actually concentrates across human and nonhuman identities, account types, and providers. Instead of hopping between consoles, teams can immediately see which access paths matter most, where blast radius is largest, and where action will have the greatest impact.
  • A new unified identity risk score correlates more than 100 trillion signals across Microsoft Security, including identity behavior, access risk, and threat signals, into a single, actionable view of risk. This allows teams to move directly from understanding exposure to enforcing protection—applying controls at the point of access, natively through risk-based Conditional Access policies.
  • Adaptive risk remediation helps identity and security teams contain modern cyberattacks more efficiently while maintaining strong protection. When risk is detected, users easily regain access and Microsoft Entra ID Protection adapts risk remediation based on the type of cyberthreat and the credentials used. This reduces reliance on help desk processes and lowers manual response effort.
  • Automatic attack disruption fundamentally changes the outcome of identity-based attacks. Instead of detecting suspicious behavior and waiting for the security teams to respond, it intervenes while cyberattacks are in progress—terminating sessions, revoking access, and applying just-in-time hardening to shut down cyberattacker movement before lateral spread or privilege escalation can occur.
  • Security Copilot’s triage agent now extends to identity. Using AI to collapse signal overload into clear, recommended action, the agent surfaces high-confidence threats, explains why they matter, and guides analysts to the right response while attacks are still unfolding. The result is faster containment with far less analyst fatigue.
  • Expanded coverage across the modern identity fabric, including deeper visibility into non-human identities and new integrations with third-party platforms like SailPoint and CyberArk—providing protection that spans the full ecosystem, not just first-party assets.
  • A new coverage and maturity view helps organizations assess their current identity security posture, identify gaps, and prioritize next steps—transforming identity protection from a static checklist into a dynamic, guided journey.

These innovations are deeply integrated, continuously reinforced, and designed to work together—enabling security and identity teams to operate from a shared source of truth, with shared context, and shared urgency. Read more about redefining identity security for the modern enterprise.

They are designed to help organizations shift from reactive identity management to proactive identity defense—and from fragmented tools to a unified platform built for real-time security across human, non-human, and agentic identities.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Unify now or pay later: New research exposes the operational cost of a fragmented SOC
http://approjects.co.za/?big=en-us/security/blog/2026/02/17/unify-now-or-pay-later-new-research-exposes-the-operational-cost-of-a-fragmented-soc/
Tue, 17 Feb 2026 17:00:00 +0000

New research from Microsoft and Omdia reveals how fragmented tools, manual workflows, and alert overload are pushing SOCs to a breaking point.

Security operations are entering a pivotal moment: the operating model that grew around network logs and phishing emails is now buckling under tool sprawl, manual triage, and threat actors that outpace defender capacity. New research from Microsoft and Omdia shows just how heavy the burden can be—security operations centers (SOCs) juggle double-digit consoles, teams manually ingest data several times a week, and nearly half of all alerts go uninvestigated. The result is a growing gap between cyberattacker speed and defender capacity. Read State of the SOC—Unify Now or Pay Later to learn how hidden operational pressures impact resilience, and for compelling evidence of why unification, automation, and AI-powered workflows are quickly becoming non-negotiables for modern SOC performance.

The forces pushing modern SOC operations to a breaking point

The report surfaces five specific operational pressures shaping the modern SOC—spanning fragmentation, manual toil, signal overload, business-level risk exposure, and detection bias. Separately, each data point is striking. But taken together, they reveal a more consequential reality: analysts spend their time stitching context across consoles and working through endless queues, while real cyberattacks move in parallel. When investigations stall and alerts go untriaged, missed signals don’t just hurt metrics—they create the conditions for preventable compromises. Let’s take a closer look at each of the five issues:

1. Fragmentation

Fragmented tools and disconnected data force analysts to pivot across an average of 10.9 consoles[1] and manually reconstruct context, slowing investigations and increasing the likelihood of missed signals. These gaps compound when only about 59% of tools push data to the security information and event management (SIEM), leaving most SOCs manually ingesting data and operating with incomplete visibility.

2. Manual toil

Manual, repetitive data work consumes an outsized share of analyst capacity, with 66% of SOCs losing 20% of their week to aggregation and correlation—an operational drain that delays investigations, suppresses threat hunting, and weakens the SOC’s ability to reduce real risk.

3. Security signal overload

Surging alert volumes bury analysts in noise with an estimated 46% of alerts proving false positives and 42% going uninvestigated, overwhelming capacity, driving fatigue, and increasing the likelihood real cyberthreats slip through unnoticed.

4. Operational gaps

Operational gaps are directly translating into business-disrupting incidents, with 91% of security leaders reporting serious events and more than half experiencing five or more in the past year—exposing organizations to financial loss, downtime, and reputational damage.

5. Detection bias

Detection bias keeps SOCs focused on tuning alerts for familiar cyberthreats—52% of positive alerts map to known vulnerabilities—leaving dangerous blind spots for emerging tactics, techniques, and procedures (TTPs). This reactive posture slows proactive threat hunting and weakens readiness for novel attacks even as 75% of security leaders worry the SOC is losing pace with new cyberthreats.

Read the full report for the deeper story, including chief information security officer (CISO)-level takeaways, expanded data, and the complete analysis behind each operational pressure, as well as insights that can help security professionals strengthen their strategy and improve real-world SOC outcomes.

What CISOs can do now to strengthen resilience

Security leaders have a clear path to easing today’s operational strain: unify the environment, automate what slows teams down, and elevate identity and endpoint as a single control plane. The shift is already underway as forward-leaning organizations focus on high-impact wins—automating routine lookups, reducing noise, streamlining triage, and eliminating the fragmentation and manual toil that drain analyst capacity. Identity remains the most critical failure point, and leaders increasingly view unified identity to endpoint protection as foundational to reducing exposure and restoring defender agility. And as environments unify, the strength of the underlying graph and data lake becomes essential for connecting signals at scale and accelerating every defender workflow.

As AI matures, leaders are also looking for governable, customizable approaches—not black-box automation. They want AI agents they can shape to their environment, integrate deeply with their SIEM, and extend across cloud, identity, and on-premises signals. This mindset reflects a broader operational shift: modern key performance indicators (KPIs) will improve only when tools, workflows, and investigations are unified, and automation frees analysts for higher-value work.

The report details a roadmap for CISOs that emphasizes unifying signals, embedding AI into core workflows, and strengthening identity as the primary control point for reducing risk. It shows how leaders can turn operational friction into strategic momentum by consolidating tools, automating routine investigation steps, elevating analysts to higher-value work, and preparing their SOCs for a future defined by integrated visibility, adaptive defenses, and AI-assisted decision making.

Chart your path forward

The pressures facing today’s SOCs are real, but the path forward is increasingly clear. As this report shows, organizations that take these steps aren’t just reducing operational friction—they’re building a stronger foundation for rapid detection, decisive response, and long-term readiness. Read State of the SOC—Unify Now or Pay Later for deeper guidance, expanded findings, and a phased roadmap that can help security professionals chart the next era of their SOC evolution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] The study, commissioned by Microsoft, was conducted by Omdia from June 25, 2025, to July 23, 2025. Survey respondents (N=300) included security professionals responsible for SOC operations at mid-market and enterprise organizations (more than 750 employees) across the United States, United Kingdom, and Australia and New Zealand. All statistics included in this post are from the study.

Learn what generative AI can do for your security operations center
http://approjects.co.za/?big=en-us/security/blog/2025/11/04/learn-what-generative-ai-can-do-for-your-security-operations-center-soc/
Tue, 04 Nov 2025 17:00:00 +0000

This new e-book showcases what generative AI can do for your SOC, from reducing alert fatigue and enabling quicker triage to getting ahead of cyberattacks with proactive threat hunting, and more.

The busier security teams get, the harder it can be to understand the full impact of false positives, queue clutter, tool fragmentation, and more. But what is clear—it all adds up to increased fatigue and an increased potential to miss the cyberthreats that matter most.

To help security teams better face the growing challenges, generative AI offers transformative capabilities that can bridge critical gaps. In a newly released e-book from Microsoft, we share multiple scenarios that showcase how Microsoft Security Copilot, powered by generative AI, can empower security analysts, accelerate incident response, and improve operational inefficiencies. Sign up to get the e-book, From Alert Fatigue to Proactive Defense: What Generative AI Can Do for Your SOC, and learn how AI can transform organizations like yours today.

Enhance every stage of the security operations workflow

The teams we talk to mention how generative AI is dramatically improving the efficacy and efficiency of their security operations (SecOps)—it helps analysts triage alerts by correlating threat intelligence and surfacing related activity that might not trigger a traditional alert. It generates rapid incident summaries so teams can get started faster, guides investigations with step-by-step context and evidence, and automates routine response tasks like containment and remediation through AI-powered playbooks. Additionally, generative AI supports proactive threat hunting by suggesting queries that uncover lateral movement or privilege escalation, and streamlines reporting by producing clear, audience-ready summaries for stakeholders, all of which means SOC teams spend less time on manual, repetitive work and more time focusing on high-impact cyberthreats—ultimately allowing for faster, smarter, and more resilient security operations.

Microsoft Security Copilot helps organizations address critical challenges of scale, complexity, and inefficiencies—as well as streamlining investigations, simplifying reporting, and more. It gives analysts a good idea of where to start, how to prioritize, and improves analyst confidence with actionable insights. By embedding generative AI into existing workflows, SOCs can operationalize and contextualize security data in ways never possible before—delivering guided responses, accelerating investigations, and transforming complex data into clear, actionable insights for both technical teams and business leaders.

Organizations using Security Copilot report a 30% reduction in mean time to resolution (MTTR).5

How Security Copilot delivers real value in everyday SOC tasks

The e-book spans four chapters that cover key scenarios, including investigation and response, AI-powered analysis, proactive threat hunting, and simplified security reporting. Each chapter presents the core challenges faced by today’s SOC teams, how generative AI accelerates and improves outcomes, and measurable, real-world results that show improvements for security analysts—like reduced noise, faster critical insights, identified cyberattack paths, and audience-ready summaries generated by AI. For example, when an analyst receives alerts about unusual login activity from multiple geolocations targeting a high-privilege account, generative AI consolidates related alerts, prioritizes the incident, and provides actionable summaries, allowing for faster triage and confident response.

Included in the e-book are summaries of AI in action, with step-by-step explanations of how Copilot is:

  • Guiding analysts to confident, rapid decisions—helping SOC analysts quickly triage alerts, summarize incidents, recommend precise actions, and guide responses, for faster, more confident threat containment.
  • Turning complex scripts into clear insights—supporting SOC analysts to decode malicious scripts, correlate threat intelligence, and automate investigations.
  • Anticipating cyberthreats before they escalate—empowering threat hunters to quickly query indicators of compromise (IOCs), uncover hidden cyberattack patterns, and take proactive actions, for more predictive defense against evolving cyberthreats.
  • Simplifying security reporting for analysts—letting SOC analysts instantly consolidate data, capture critical details, and produce clear, audience-ready reports.

We analyze results about 60% to 70% faster with Security Copilot. It plays a central role in our ability to speed up threat analyses and activities, fundamentally reducing the risks for our IT landscape worldwide.

Norbert Vetter, Chief Information Security Officer, TÜV SÜD

The future of SecOps is here with generative AI

For security leaders looking to improve their response time and better support their teams, generative AI isn’t just a vision for the future—it’s available today. From triage to reporting, generative AI–powered assistants enhance every stage of the SecOps workflow—delivering faster responses, stronger defenses, and more confident decision-making. At the forefront of this transformation is Microsoft Security Copilot, which unifies tools, operationalizes threat intelligence, and guides analysts through complex workflows, letting SOC teams adapt to evolving cyberthreats with ease. Sign up to access “What Generative AI Can Do for Your SOC” today and learn how your team can move from overwhelmed to empowered, tackling today’s challenges with confidence and preparing for tomorrow’s uncertainties. Or read more about Microsoft AI-powered unified security operations and how they can move your team from overwhelmed to empowered.


Microsoft Ignite

Join us at Microsoft Ignite to explore the latest solutions for securing AI. Connect with industry leaders, innovators, and peers shaping what’s next.

San Francisco on November 17-21
Online (free) on November 18-20


1 “Generative AI and Security Operations Center Productivity: Evidence from Live Operations,” page 2, Microsoft, November 2024

2 “Cybersecurity Workforce Study: How the Economy, Skills Gap, and Artificial Intelligence Are Challenging the Global Cybersecurity Workforce 2023,” page 20, ISC2, 2023

3 “The Unified Security Platform Era Is Here,” page 7, Microsoft, 2024

4 “Global Security Operations Center Study Results,” page 6, IBM, March 2023

5 “Generative AI and Security Operations Center Productivity: Evidence from Live Operations,” page 2, Microsoft, November 2024

Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM http://approjects.co.za/?big=en-us/security/blog/2025/10/16/microsoft-named-a-leader-in-the-2025-gartner-magic-quadrant-for-siem/ Thu, 16 Oct 2025 18:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=143016 We’re honored to share that Microsoft has again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM).

We’re honored to share that Microsoft has again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM).1 We believe this recognition reinforces Microsoft Sentinel‘s position as an industry-leading, cloud and AI-powered SIEM—designed to solve SOC challenges head-on and streamline modern security operations.

Graph of the Gartner Magic Quadrant showing the placement of Microsoft in the leader quadrant.

Strengthening cyber defense in the age of agentic AI with Microsoft Sentinel

Microsoft Sentinel has now evolved beyond a cloud-native SIEM into a unified, AI-powered security platform, connecting analytics and context across ecosystems at scale. With a centralized, purpose-built security data lake and graph capabilities, organizations gain deeper insights and richer context for more effective cyberthreat detection and investigation. The Model Context Protocol (MCP) server and agentic tools make data agent-ready, paving the way for seamless integration with autonomous security agents and unlocking new possibilities for proactive defense.

We realized that we needed to uplift our capability in the security operations center. We wanted a platform that could help us face the challenges of offensive use of AI so we could defend at machine speed.

—David Boda, Chief Security and Resilience Officer, Nationwide

Optimizing costs and coverage

Now generally available, the Microsoft Sentinel data lake serves as the foundation for modern, AI-powered security operations. Purpose-built for security, it features a cloud-native architecture that centralizes all security data from more than 350 sources across platforms and clouds. The Microsoft Sentinel data lake simplifies data management, eliminating silos, and enables cost-effective long-term retention, empowering organizations to maintain strong security postures while optimizing budget. By unifying historical and real-time security data, the data lake helps AI agents and automation perform advanced analytics, detect anomalies, and execute autonomous cyberthreat responses with precision and speed.

To further help organizations optimize their security operations, Microsoft Sentinel has native features like:

  • SOC optimization helps security teams improve coverage, reduce costs, and streamline operations by providing AI-powered recommendations on data usage, cyberthreat detection gaps, and analytics efficiency. These insights empower defenders to make smarter decisions and maximize return on investment.
  • New cost management features in preview help customers with cost predictability, billing transparency, and operational efficiency.

Accelerating the SOC with advanced analytics and AI

Microsoft Sentinel is transforming security operations with advanced analytics, agentic AI, and MCP server. Microsoft Sentinel data lake centralizes security data from hundreds of sources, enabling real-time detection, contextual analysis, and autonomous response. The integration of agentic AI and Microsoft Security Copilot allows defenders to automate investigations, correlate complex signals, and respond to cyberthreats at machine speed. The MCP server further enhances these capabilities by making security data agent-ready. Support for tools like Kusto Query Language (KQL) queries, Spark notebooks, and machine learning models within the Microsoft Sentinel data lake empowers agentic systems to continuously learn, adapt, and act on emerging cyberthreats, driving smarter, faster, and more contextual security operations across the SOC. This AI-powered approach reduces alert fatigue and accelerates decision-making, strengthening security posture across the SOC.

Together, these capabilities empower SOC teams to operate at the speed of AI, reduce noise, and focus on high-impact investigations, driving clarity, efficiency, and resilience across the security lifecycle.

Empowering defenders with industry-leading SIEM

Microsoft Sentinel enhances security operations by unifying SIEM, security orchestration, automation, and response (SOAR), user and entity behavior analytics (UEBA), and threat intelligence into a single, integrated experience. With full integration into the Microsoft Defender portal, Microsoft Sentinel delivers a consolidated view for detection, investigation, and response across endpoints, identities, cloud, and network—streamlining workflows and enhancing efficiency for SOC teams.

  • Advanced correlation algorithms combine behavioral analytics, machine learning, and threat intelligence to connect events and deliver comprehensive security insights.
  • Custom rules and MITRE ATT&CK® mapping allow defenders to tailor detection strategies for their specific needs.
  • Built-in orchestration and automation capabilities reduce manual effort, accelerate incident response, and free analysts to focus on high-value tasks.
  • UEBA powered by AI provides deep behavioral insights to detect anomalies and insider threats.
  • Integrated threat intelligence enriches investigations with real-time insights, enabling faster detection, deeper context, and more accurate response across the SOC.
  • Embedded AI and machine learning accelerate threat detection, reduce false positives, and enable advanced hunting and automated investigations—helping SOC teams respond faster and with precision.

Microsoft Sentinel has comprehensive machine learning threat analytics models that allow us to hunt and detect any security threat, no matter how sophisticated or hidden they are. Microsoft Sentinel has intelligent security event management features which help us to accurately investigate security threats to understand the origin, making it easy to identify the most appropriate way to handle them.

—Software Development Project Manager, Software Industry (Source: Gartner Peer Insights™)

Download the report

To learn more about why Microsoft was named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM, download the full report.

Looking forward

As cyberthreats grow in sophistication, the need for intelligent, adaptive, and end-to-end AI security platforms becomes more urgent. Microsoft is committed to leading this transformation by:

  • Investing in agentic AI to empower defenders with autonomous capabilities.
  • Empowering defenders with a cost-effective data lake for deeper insights and scalable analytics.
  • Enhancing cross-platform integrations for holistic protection.
  • Driving community collaboration through open content hubs and shared analytics.

We’re not just building tools; we’re shaping the future of cybersecurity. Our roadmap is guided by the real-world challenges faced by SOCs and the outcomes they strive for: faster detection, smarter response, and stronger resilience.

We’re honored by the Gartner recognition and deeply grateful to our customers, partners, and the analyst community for their continued trust and collaboration.

Are you a regular user of Microsoft Sentinel? Share your insights and get rewarded with a $25 gift card on Gartner Peer Insights™.



1 Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Eric Ahlm, Angel Berrios, Darren Livingstone, 8 October 2025

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Microsoft named a Leader in the IDC MarketScape for XDR http://approjects.co.za/?big=en-us/security/blog/2025/10/02/microsoft-named-a-leader-in-the-idc-marketscape-for-xdr/ Thu, 02 Oct 2025 17:00:00 +0000 Microsoft has been named a Leader in IDC’s inaugural category for Worldwide Extended Detection and Response (XDR) Software for 2025, recognized for its deep integration, intelligent automation, and unified security operations solutions.

When cybersecurity stakes are high and complexity is the norm, Microsoft doesn’t just participate; it excels with Microsoft Defender XDR—built to anticipate, disrupt, and outpace modern cyberthreats. We are excited to announce that Microsoft has been named a Leader in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 Vendor Assessment (doc #US52997325, September 2025). Read the complete IDC MarketScape: Worldwide XDR Software 2025 report.

Comprehensive visibility across the enterprise

Defender XDR has the broadest signal coverage across the enterprise spanning endpoints, identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data security—which enables security leaders to consolidate visibility, automate response, and outperform siloed tools. It combines native capabilities in threat detection, prevention, and response backed by AI-powered automation, rich telemetry, and seamless security information and event management (SIEM) integration to deliver a comprehensive and proactive defense strategy for modern enterprises. But Microsoft’s advantage goes beyond coverage. As one of the Big Three public cloud providers—and the originator of widely adopted platforms like Microsoft 365 and Microsoft Entra ID—Microsoft has unparalleled insight into the very technologies it secures.

Graph showing the placement of Microsoft in the IDC MarketScape assessment.
IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of technology and suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. The Capabilities score measures supplier product, go-to-market, and business execution in the short-term. The Strategy score measures alignment of supplier strategies with customer requirements in a three- to five-year timeframe. Supplier market share is represented by the size of the icons.

Driving AI innovation in cybersecurity

Microsoft also stands out for its use of AI in cybersecurity through Microsoft Security Copilot. First introduced in March 2023 with generative AI capabilities, these digital assistants have evolved into a suite of autonomous AI agents announced in 2025, each designed to support specific use cases such as triaging user-reported phishing emails. This agentic approach enhances operational efficiency and empowers security teams with intelligent, task-specific automation. In fact, the phishing triage agent examines thousands of alerts each day—typically within 15 minutes of detection—which saves time, accelerates threat response, and allows security operations center (SOC) teams to focus on more meaningful tasks.

Complementing this agentic approach, IDC specifically highlighted Microsoft Defender’s automatic attack disruption, an AI-powered capability that disrupts in-progress cyberattacks like ransomware by containing compromised assets to prevent lateral movement—often within an average of just three minutes. Together, these innovations show how Microsoft is redefining the modern SOC to infuse AI throughout standard SOC workflows and rapidly respond to sophisticated cyberattacks.

Microsoft provides a full life cycle offering from preemptive and prevention technologies to detection and response.

IDC MarketScape: Worldwide XDR Software 2025 report

Preemptive posture that reduces risk

In their report, IDC shared that one key Microsoft strength lies in its ability to unify proactive defense with intelligent response. Defender XDR natively integrates exposure management, attack surface reduction, secure configuration monitoring, and data loss prevention—giving security teams the tools to identify and mitigate vulnerabilities before they’re exploited. This preemptive posture and built-in attack disruption not only reduces risk but also enhances the fidelity of alerts, enabling faster, more accurate threat detection.

Defender script analysis and threat hunting

Sophisticated cyberattacks often evade detection using cloaked scripts and PowerShell commands. Defender XDR includes built-in script analysis, allowing analysts to inspect and classify scripts without external tools—reducing complexity and accelerating response. And for deeper threat hunting, Defender XDR supports Kusto Query Language (KQL), enabling analysts to parse telemetry, discover patterns, and identify outliers. Novice users can leverage a guided user interface experience to build and customize queries with ease while building their skillset.

Seamless integration and correlation between SIEM and XDR

IDC also noted that what sets Microsoft apart is its seamless correlation between SIEM and XDR, allowing insights from threat actor behavior and anomalies to flow across platforms without requiring customers to deploy both. With all this, plus powerful visualizations, KQL-based threat hunting, and deep identity threat detection, Microsoft delivers a strongly competitive, comprehensive, and adaptive security operations experience.

Learn more

Read the complete IDC MarketScape: Worldwide Extended Detection and Response (XDR) Software 2025 report and visit the Microsoft Defender XDR webpage to learn how you can elevate your security with unified visibility, investigation, and response across the cyberattack chain with an industry-leading XDR solution.



IDC MarketScape vendor assessment model is designed to provide an overview of the competitive fitness of technology and service suppliers in a given market. The research utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of technology suppliers can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective suppliers. 

Microsoft ranked number one in modern endpoint security market share third year in a row http://approjects.co.za/?big=en-us/security/blog/2025/08/27/microsoft-ranked-number-one-in-modern-endpoint-security-market-share-third-year-in-a-row/ Wed, 27 Aug 2025 15:00:00 +0000 For a third year in a row, Microsoft has been named the number one leader for endpoint security market share, as featured in a new IDC report.

Amidst the backdrop of a surging number of ransomware campaigns worldwide, organizations have increasingly chosen Microsoft Defender’s endpoint security as their preferred solution. It’s engineered to disrupt cyberattacks and not business continuity. As a result, for a third year in a row, Microsoft has been ranked number one for modern endpoint security market share in the IDC report, “Worldwide Modern Endpoint Security Market Shares, 2024.” Our market share grew from 25.8% in 2023 to 28.6% in 2024, at a 28.2% growth rate.

As IDC notes in their report, the endpoint security market “is growing in response to an increasingly sophisticated threat” powered by AI. Global enterprises like Crocs, Victorinox, and Del Monte Foods are choosing Microsoft Defender more and more to secure their environments because of the value they see not only in our endpoint security, but also in our defense-in-depth approach across domains powered by AI. Spanning from the devices to the cloud, the Microsoft Defender platform protects every aspect of their daily operations.

“It was surprisingly simple to enable real-time visibility across our environment. It’s been a leap in our security maturity level, and with the native interoperability of our Microsoft security solutions, we achieved it much faster than we expected.”

Glauco Sampaio, Chief Information Security Officer, Cielo

Worldwide Modern Endpoint Security 2024 Share Snapshot

A pie chart comparing the market share for endpoint security products that shows Microsoft at number one.
Source: IDC’s Semiannual Software Tracker, 2025.

Why organizations increasingly prefer Microsoft Defender for endpoint security

Microsoft Defender helps organizations proactively secure their digital estate with AI-powered endpoint protection across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT). It empowers security operations center (SOC) analysts with unique capabilities spanning pre-breach exposure management to post-breach attack disruption.

A key driver behind Microsoft Defender’s growing market share is its deep investment in cross-platform support, especially for Linux. Over the last three years, Microsoft has reengineered its Linux security for zero workload disruption, using eBPF sensor technology for greater visibility with minimal reliance on the kernel mode. This innovation has led to significant performance gains, with the solution consuming less than 1% CPU across 95% of deployments. Defender now supports a broader range of Linux distributions, including ARM64, and is optimized for low-resource environments such as single-core servers. At the same time, we’ve continued to drive cross-platform innovation to further expand comprehensive endpoint security across Windows, macOS, iOS, Android, and IoT.

An organization’s best offense against the rapidly evolving threat landscape is a secure defense, where Microsoft Defender’s next-generation protection and built-in exposure management capabilities are critical. To help you manage your risk, you get a dynamic risk score that continuously measures vulnerabilities and misconfigurations in your environment and provides actionable recommendations for resolution. In the case of a cyberattack, you immediately see the most critical junctions in your network with attack path analysis. Our unique visibility into your environment provides a risk-based map of the potential devices that adversaries can exploit so you can proactively harden your environment, cutting them off from progressing further.

Advanced detection and response capabilities like automatic attack disruption are next in the stack. Informed by the full breadth of Microsoft Defender’s 84 trillion daily signals, it is a built-in self-defense capability that contains in-progress cyberattacks across the organization to prevent further lateral movement and damage. Meanwhile, the security operations team remains in control of investigation, remediation, and restoring asset availability. Even as attack disruption harnesses extended detection and response (XDR) signal, it can stop cyberattacks in a decentralized way across devices with just Defender for Endpoint deployed.

It also surgically protects critical assets like servers by containing compromised IP addresses while allowing the server to continue operating. You can maximize attack disruption’s reach and effectiveness across assets like identities, email, and additional domains by expanding your Microsoft Defender deployment. In addition, Defender provides analysts a rich set of detection and response capabilities such as live response and advanced hunting to further secure their environment.

Further supporting SOC teams with a global footprint, the Microsoft Defender portal experience comes in more than 100 languages and dialects, and documentation covers more than 60 languages and dialects. This robust coverage means security analysts can quickly and confidently understand, investigate, and remediate without language barriers. Wherever the security analyst operates from, Defender likely speaks their language.

These capabilities and global approach to securing organizations are just some of the reasons why organizations are increasingly choosing Defender for Endpoint over other vendors in the market. Thank you to our valued customers and partners for your trust and collaboration that empower us to advance our mission and build a more secure future together.



IDC, “Worldwide Modern Endpoint Security Market Shares, 2024” (Doc # US53349725, May 2025).

Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms http://approjects.co.za/?big=en-us/security/blog/2025/07/16/microsoft-is-named-a-leader-in-the-2025-gartner-magic-quadrant-for-endpoint-protection-platforms/ Wed, 16 Jul 2025 17:00:00 +0000 We are honored to be recognized once again as a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms—our sixth consecutive time. Microsoft was recognized for its completeness of vision and ability to execute, which we believe underscores the effectiveness of Defender for Endpoint in the face of an ever-shifting threat environment.

Since 2022, the number of human-operated ransomware-linked encounters by organizations surged by 2.75x. Yet, Microsoft Defender for Endpoint has outpaced this rise, reducing the number of successful attacks by 3x, proving its power to turn the tide against evolving cyberthreats.1

Defender for Endpoint’s ability to disrupt ransomware at scale stems from our commitment to empowering security analysts against the most sophisticated cyberthreats. We are honored to be recognized once again as a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms—our sixth consecutive time. Microsoft was recognized for its completeness of vision and ability to execute, which we believe underscores the effectiveness of Defender for Endpoint in the face of an ever-shifting digital threat environment.

Microsoft Defender for Endpoint is an endpoint security solution that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender’s unified security operations platform and built on global threat intelligence informed by more than 84 trillion daily signals and more than 10,000 security experts.1


We thank our customers and partners for their essential role in advancing Microsoft Security.

Over the past year, Microsoft has introduced key advancements to endpoint security that have empowered defenders to stay ahead of evolving cyberthreats, including:

  • Proactively securing digital environments with exposure management capabilities spanning pre-to-post breach: Reducing exposure risks like vulnerabilities and misconfigurations is foundational to endpoint security. Defender for Endpoint’s unique visibility into a device estate helps security operations center (SOC) analysts see and harden against their organization’s level of exposure to weaknesses and exploits with an actionable risk score (endpoint security initiative). In the case of a cyberattack, analysts can further protect the organization and accelerate response with potential attack paths embedded into the incident. Analysts gain end-to-end visibility into attack paths bad actors may take across devices to reach high-value assets, enabling fast, informed decisions when it matters most.
  • Disrupting ransomware attacks even earlier in the cyberattack chain with automatic attack disruption: Unique to Microsoft, automatic attack disruption is a built-in self-defense capability that contains in-progress cyberattacks to prevent further lateral movement and damage to an organization. The most pervasive cyberthreat to network-connected devices is ransomware, one of the many scenarios covered by attack disruption. Up to 90% of successful ransomware campaigns leverage unmanaged endpoints, which are typically personal devices that people bring to work.1 Automatic attack disruption now extends to unmanaged shadow IT devices and critical assets. Defender for Endpoint can detect and contain malicious IP addresses associated with unmanaged or undiscovered devices. It stops threat actors from exploiting vulnerable entry points, preventing lateral movement before it starts. Attack disruption now also granularly isolates cyberthreats on critical assets such as domain controllers, helping defenders preserve key network functions and ensure operational continuity during an attack.
  • Enhancing Linux support: Microsoft supports even more Linux distributions, including ARM64, and has reduced resource requirements. These releases reflect the continual progress we’ve made in securing Linux servers, building on our strategic shift over a year ago to eBPF sensor technology that improves system control, minimizes resource demands, and boosts security performance. We’ve also continued delivering cross-platform innovation across Windows, macOS, iOS, Android, and IoT for comprehensive endpoint security.
  • Unifying our agent across XDR workloads: The single agent makes it faster and easier to activate and manage core capabilities across endpoint, operational technology (OT), identity, and data loss prevention workloads so you can quickly unlock the value of AI-powered protection. Organizations simply deploy it once and then enable each solution as needed. Microsoft applies its long-established safe deployment practices in delivering the latest protections to help organizations outpace evolving cyberthreats without compromising operational stability. As a part of this process, admins have full control over these software updates.
  • Accelerating SOC operations with Microsoft Security Copilot: It is the cybersecurity industry’s first generative AI solution, generally available as of April 2024. Built into the Microsoft Defender portal, it helps SOC analysts investigate, contain, and remediate cyberthreats in minutes. It delivers endpoint-specific capabilities such as recommending tailored guided responses related to devices, analyzing suspicious scripts, and translating natural language questions into ready-to-run Kusto Query Language (KQL) queries. Microsoft Security Copilot agents, introduced this year, automate routine tasks by fitting naturally into existing workflows across the security stack. These agents align to Microsoft’s Zero Trust principles, learn from feedback, and remain under SOC control.
  • Supporting a global SOC: Security analysts navigate many complexities in their daily operations—language barriers should not be one of them. The Microsoft Defender portal provides experiences in more than 100 languages and dialects. Documentation covers more than 60 languages. This extensive language coverage ensures that analysts can easily navigate, understand, and act with confidence in their native tongue. Wherever the analyst is, Defender likely speaks their language. 
  • Extending your SOC team with Microsoft Defender Experts for XDR: Sophisticated threats span beyond endpoints. We’ve been continually enhancing the capabilities and improving the efficiency of Microsoft Defender Experts for XDR, our managed XDR service. Defender Experts for XDR offers around-the-clock, expert-led managed triage, investigation, and response across domains, along with proactive threat hunting, strengthening SOC capabilities at any hour.

Market leadership isn’t just about responding to current needs—it’s about driving the next wave of innovation. Microsoft is investing significantly in helping SOC teams quickly scale their endpoint defenses through foundational enhancements designed to radically simplify deployment and advanced AI-powered autonomous capabilities spanning pre-to-post breach, to name just a couple of highlights for what’s ahead.

Thank you to all our customers and partners. Your partnership drives our mission forward as we work side by side to build a safer, more secure world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Share your insights on Microsoft Defender for Endpoint and get rewarded with a $25 gift card on Gartner Peer Insights™.



1. Microsoft Digital Defense Report 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Deepak Mishra, Franz Hinner. July 14, 2025.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Microsoft expands Zero Trust workshop to cover network, SecOps, and more
http://approjects.co.za/?big=en-us/security/blog/2025/07/09/microsoft-expands-zero-trust-workshop-to-cover-network-secops-and-more/
Wed, 09 Jul 2025 16:00:00 +0000

The Microsoft Zero Trust workshop has been expanded to cover all six pillars of Zero Trust security, providing a comprehensive guide for organizations to modernize their security posture.

The post Microsoft expands Zero Trust workshop to cover network, SecOps, and more appeared first on Microsoft Security Blog.

Building on identity, devices, and data, the workshop now covers network, infrastructure, and SecOps

As the nature of cyberthreats and security challenges evolves, organizations have coalesced around a Zero Trust architecture as the approach to modernize their end-to-end security adoption and posture. In November 2024, we introduced a preview of the Microsoft Zero Trust workshop that focused on the traditional “secure access” pillars (identity, data, and devices). We are announcing the expansion of the Zero Trust workshop to cover the additional technical pillars of Zero Trust, assisting customers with strategies that may contribute to securing their network and infrastructure, and connecting all these elements with security operations (SecOps). We invite you to take a look at the newly expanded workshop, give it a try, and share feedback with us as you continue on your end-to-end security modernization journey.

The need for a Zero Trust workshop

Customers have consistently told us that they see Zero Trust as a strategic foundation for how they approach and run a modern security practice. However, customers have also shared that they need help and guidance understanding how their security products could help them achieve a Zero Trust vision, and how they can measure how far along they are on their journey to implement Zero Trust.

Figure 1. Top areas customers ask for help with in advancing their Zero Trust journey.

Last year, we introduced the Microsoft Zero Trust workshop as a valuable resource for our customers and partners. By guiding participants through a comprehensive journey across the pillars of Zero Trust, this workshop aims to assist with strategies to deploy security products and features. It outlines the priority of tasks, provides a framework to track progress, and allows participants to measure their advancements against established benchmarks in subsequent evaluations.

In the initial launch, we focused on three key pillars of the Zero Trust framework:

  • Identity: Ensuring that the right people have access to the right resources through robust authentication and authorization mechanisms.
  • Devices: Securing endpoints to prevent unauthorized access and to ensure compliance with organizational policies.
  • Data: Protecting sensitive information through encryption, data classification, and access control.

This foundational approach emphasizes strategies for preventative security capabilities and access control to resources. These pillars served as the cornerstone for ways in which organizations could better secure their systems against unauthorized access and data breaches. Since its launch, the workshop has been downloaded more than 3,000 times by customers to enhance their end-to-end security posture. More than 150 Microsoft Partners have been trained to use it as well, with several adopting it as a delivery mechanism.

Access control, posture, and detection and response

We’re proud to announce that we have expanded the Zero Trust workshop from three Zero Trust pillars to cover a total of six pillars, adding:

  • Networking: Implementing micro-segmentation, real-time threat detection, and secure access to network resources to ensure comprehensive network security.
  • Infrastructure: Securing cloud and on-premises infrastructure through robust configurations, access management, and continuous monitoring.
  • SecOps: Strengthening threat detection and response capabilities through Microsoft Defender for Identity, Defender for Endpoint, Defender for Office, Defender for Cloud Apps, Defender XDR, and Microsoft Sentinel.

These additions highlight the Microsoft commitment to a holistic approach to security: helping to better enable organizations with strategies and tools not only to strengthen protection against cyberthreats but also to detect and respond to incidents effectively. The full workshop has been tested by early adopting customers and partners, and the feedback has been very exciting:

“You’ve captured the Zero Trust model better than any other [Cloud Solution Provider] CSP in the market. It’s very well-articulated and aligns very strongly with the way we approach it.”

—Denis O’Shea, Founder and Chief Executive Officer, Mobile Mentor

Richer guidance connecting the dots

In addition to adding the three new pillars, we’ve made significant enhancements to the workshop based on your feedback:

  • Implementation effort and user impact indicators: Now every step in any given pillar of the workshop comes with a high-level estimate of how much effort it would require of your team to deploy, as well as how much of an impact it would have on your users—to help you fully assess when your team and your organization can take on each step.
  • Connecting the cross-pillar scenarios: In our Zero Trust deployment conversations with customers, one of the biggest challenges they’ve raised is implementing scenarios that span multiple Zero Trust pillars. These scenarios are difficult because they typically involve different teams and stakeholders across the organization. The updated workshop now explicitly highlights these cross-pillar scenarios and identifies the relevant owners, helping customers bring the right people into the discussion and align on next steps.

We’re committed to helping you secure your organization

The Microsoft Zero Trust workshop is more than a training session—it’s a call to action for organizations to reimagine their approach to security in the modern digital landscape and operationalize this vision. With the expanded pillars, this workshop now includes comprehensive insights for implementing a Zero Trust strategy that covers posture, prevention, detection, and response. Give it a try today.

We are committed to enabling our partners to utilize the workshop to assist our mutual customers in implementing comprehensive security solutions. If you are one of our valued partners, please review our Zero Trust partner kit.

Use the Zero Trust workshop together with the Zero Trust guidance center and learn more about the Zero Trust security framework.

If you have feedback to share with us about the workshop, please provide it at https://aka.ms/ztworkshop/feedback.



Learn how to build an AI-powered, unified SOC in new Microsoft e-book
http://approjects.co.za/?big=en-us/security/blog/2025/07/07/learn-how-to-build-an-ai-powered-unified-soc-in-new-microsoft-e-book/
Mon, 07 Jul 2025 16:00:00 +0000

Read Coordinated Defense: Building an AI-powered, unified SOC, the new e-book on how organizations can unify security operations to better meet the challenges of today’s cyberthreat landscape.

The post Learn how to build an AI-powered, unified SOC in new Microsoft e-book appeared first on Microsoft Security Blog.

The sheer volume of cyberattacks continues to increase at a breathtaking scale worldwide, with customers facing more than 600 million cybercriminal and nation-state attacks every day.1 To stem the growing tide of malicious cyber activity takes a commitment from all of us—individuals from operations to the executive level, security teams, organizations, industry leaders, and governments. It also requires a shift from traditional security approaches to a defense-in-depth strategy that deploys security tools that natively work together to coordinate defense across security layers.

Organizations also need to embrace AI and automation, moving away from manual, reactive security to an automated, proactive defense. But the transition is easier said than done. For most organizations, this transition will require significant effort that spans not just technology, but people and processes too. To help organizations make the move beyond silos to an integrated, defense-in-depth approach, we’re sharing a new e-book—our introduction to building a coordinated defense. In this post, we walk through the key content you can find in the e-book and share more resources on integrated cyberthreat protection.


Recommendations built on real-world lessons

Bad actors are increasingly adept at finding and exploiting weaknesses, especially in legacy infrastructure. The Coordinated Defense e-book was crafted through our own lessons learned in real-world scenarios, as well as our work to help customers defend their own organizations. The e-book can help security teams better understand how a unified solution can improve their ability to defend their increasingly complex and diverse digital environments and:

  • Stop fighting fires and become more proactive through streamlined threat hunting, triage, and investigation.
  • Adopt a continuous threat exposure management approach that addresses the most critical security domains, including endpoints, identities, and cloud-native applications.
  • Accelerate security operations (SecOps) to lower mean time to resolution (MTTR).

Unified security operations

In the e-book, we expand on a new pre-breach/post-breach paradigm that helps organizations shift from reactive and manual processes to an AI-powered, continuous, and autonomous security posture as they prevent, detect, and respond to cyberthreats—unified security operations.

By integrating endpoints, identities, email, apps, data, and cloud environments with the critical security operations functions, including posture management, detection and response, and threat intelligence, security teams can shift from reactive to proactive security. The e-book outlines the unified architecture that can transform security operations by centralizing data and leveraging AI to enhance existing human expertise.

Figure 1. Diagram of unified security operations center (SOC) architecture that integrates data, AI, and human expertise to empower security teams to prevent, detect, and respond to threats seamlessly across the entire lifecycle.

Addressing the complete threat lifecycle

From preventing initial compromise, to detecting and disrupting active cyberattacks, to investigating and responding to incidents, the e-book explains how unifying security operations allows teams to build a closed-loop approach that improves business resiliency and continuously lowers the risk of a breach. The benefits span the lifecycle and include:

  • Prevent—Prioritized risk mitigation, reduced attack surface, proactive gap identification, and enhanced resilience.
  • Detect—Rapid ransomware response, real-time threat isolation, predictive threat intelligence, and more.
  • Respond—A single, prioritized incident queue, automatically correlated alerts, and relevant threat intelligence that helps prioritize cyberthreats based on severity.

Read the e-book to learn more about how AI assistants like Microsoft Security Copilot can enhance unified security by providing valuable insights, automating routine tasks, and correlating alerts into comprehensive incidents.

Tackling your most critical security domains

Unifying security across all areas of your environment can strengthen defenses in each area. To create a truly effective security posture, organizations need to protect endpoints and identities, secure cloud-native applications, protect the entire organization with both security information and event management (SIEM) and extended detection and response (XDR), and protect the data. In the e-book, each domain is discussed in detail with a scenario that models cyberattacker actions, the response of a unified security approach, and the improved outcomes. The e-book also includes information on:

  • Endpoint protection—Critical trends shaping endpoint security and strategies to counter ransomware and malware threats.
  • Identity protection—Emerging identity-based cyberthreats and how united defenses can prevent account takeovers.
  • Securing cloud-native applications—Insights into cloud vulnerabilities and best practices for securing modern application environments.
  • Integrating SIEM and XDR—Integrated tools that help address advanced, persistent threats and reduce false positives.
  • Protecting your data—Key challenges in safeguarding sensitive data and mitigating insider risks effectively.

Getting started

A unified SOC architecture is imperative to help organizations face the current and future security challenges. Shifting to a proactive, integrated defense means breaking down the barriers between security functions and working across silos. It means embracing and enabling AI-powered automation across your environment. And it allows for a continuous loop of protection and improvement that security teams need to operate faster, smarter, and more resiliently. To get started on a more integrated, defense-in-depth approach to security, read the Coordinated Defense: Building an AI-powered, unified SOC e-book now.

Learn more about AI-powered, unified SecOps from Microsoft to improve your security posture across hybrid environments with unified exposure management and built-in, natively integrated security controls.

Discover even more resources: Integrated Cyberthreat Protection Resources.



[1] Microsoft Digital Defense Report 2024
