{"id":42731,"date":"2026-04-12T02:16:12","date_gmt":"2026-04-12T02:16:12","guid":{"rendered":"http:\/\/localhost\/?p=42731"},"modified":"2026-04-12T02:16:12","modified_gmt":"2026-04-12T02:16:12","slug":"the-agentic-socrethinking-secops-for-the-next-decade","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=42731","title":{"rendered":"The agentic SOC\u2014Rethinking SecOps for the next decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-09T20:57:34&#8243;,&#8221;description&#8221;:&#8221;Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed endpoint detection and response (EDR)\u2014and later extended detection and response (XDR)\u2014security teams raised the bar, pushing cyberattackers beyond phishing, commodity malware, and perimeter\u2011based attacks and into cloud infrastructure built for scale and speed.\\n\\nRead the new whitepaper\u2014The agentic SOC: Your teammate for tomorrow, today\\n\\nThat pattern continued as defenders embraced automation and AI to manage expanding digital estates. SOCs were often early scale adopters\u2014using machine learning to reduce noise, improve visibility, and respond faster across growing environments. Cyberattackers became more targeted and multistage, moving deliberately across identities, endpoints, cloud resources, and email, where detection was hardest. Success increasingly depended on moving fast enough to act before analysts could connect the dots. Even with this progress, security operations (SecOps) still feel asymmetrical: threat actors only need to be right once, while defenders are judged by every miss. If defense depends on human intervention to begin, defense will always feel asymmetrical.\\n\\nTo change the outcome, SOCs must change how defense itself works. 
This is the agentic SOC: where security delivers adaptive, autonomous defense, freeing defenders for strategic, high\u2011impact work. In this series, we\u2019ll break down what that shift requires, what early experimentation has taught us, and where organizations can start today. Read more about how some organizations are moving toward the agentic SOC and access a foundational roadmap for this transformation in our new whitepaper, The agentic SOC: Your teammate for tomorrow, today.\\n\\n## What we mean by \u201cthe agentic SOC\u201d\\n\\n**At its core, the agentic SOC is an operating model that shifts security from reacting to incidents to anticipating how cyberattackers move\u2014and actively reshaping the environment to cut off their paths.**\\n\\nIt brings together a platform that can increasingly defend itself through built-in autonomous defense, with AI agents working alongside humans to accelerate investigation, prioritization, and action\u2014so teams spend less time on execution and more time on judgment, risk, and the decisions that matter.\\n\\nHow does that change day-to-day work? Imagine a credential theft attempt. Built-in defenses automatically lock the affected account and isolate the compromised device within seconds\u2014before lateral movement can begin. At the same time, an AI agent initiates an investigation, hunting for related activity across identity, endpoint, email, and cloud signals, and correlating everything into a single view.\\n\\nWhen an analyst opens their queue, the \u201cnoise\u201d of overwhelming alerts is already gone. Evidence has been pre-assembled. Likely next steps are suggested. The analyst can start right away by answering higher impact questions: Is this part of a broader campaign? Should this authentication method be hardened? 
Are there related techniques this cyberattacker commonly uses that the environment is still exposed to?\\n\\nIn today\u2019s SOC, we see that sequence often takes hours\u2014and the proactive improvement is very limited, if it ever happens; there\u2019s simply not enough time. In an agentic SOC, it happens in minutes, and teams can spend the time they\u2019ve gained on deeper investigation, systemic hardening, and reducing the likelihood of repeat cyberattacks.\\n\\n## A layered model for the agentic SOC\\n\\nThis model works because an agentic SOC is built on two distinct, but interdependent layers. The first is an underlying threat protection platform that has fundamentally evolved how cyberattacks are defended against and disrupted. High confidence cyberthreats are handled automatically through deterministic, policy-bound controls built directly into the platform. Known attack patterns are blocked in real time\u2014without deliberation or creativity\u2014shielding the environment from machine-speed cyberthreats before scarce human attention or token intensive reasoning is required. This disruption layer is not optional; it is the prerequisite that makes an agentic SOC safe, scalable, and sustainable.\\n\\nThe second layer operates at the operational level, where agents take on tough analysis and correlation work to dramatically increase the leverage of security teams and shift focus from uncovering insight to acting on it. These agents reason over evidence, coordinate investigations, orchestrate response across domains, and learn continuously from outcomes. 
Over time, they help identify recurring attack paths, surface gaps in posture, and recommend changes that make the environment harder to exploit\u2014not just faster to respond.\\n\\nTogether, they transform the SOC from a reactive workflow engine into a resilient system.\\n\\n## What\u2019s real now, and why there\u2019s reason for optimism\\n\\nThe optimism around our view of the agentic SOC comes from operational discipline and proven, real-world impact. Autonomous attack disruption has been operating at scale for years.\\n\\n\\u003e **Read more about how Microsoft Defender establishes confidence for automatic action**.\\n\\nAttacks like ransomware are disrupted in **an average of three minutes**, and tens of thousands of attacks are **contained every month** by isolating compromised users and devices before lateral movement can take hold. This is all done with a 99.99% confidence rating, so SOC teams can trust in its efficacy.\\n\\nBuilding on that proven foundation, newer capabilities like predictive shielding extend autonomous defense further\u2014anticipating how cyberattacks are likely to progress and proactively restricting high-risk paths or assets during an intrusion.\\n\\n\\u003e **Read the case study about how predictive shielding in Microsoft Defender stopped Group Policy Object (GPO) ransomware before it started**\\n\\nTogether, these system-level protections show that platforms can safely intervene earlier in the cyberattack chain without introducing unnecessary disruption.\\n\\nAgentic capabilities are also being similarly scoped. Internally, we\u2019ve been testing task agents for triage and investigations under the expert supervision of our defenders. In live environments, these agents automate **75% of phishing and malware investigations**. 
We\u2019ve also tested agents on more complex analytical tasks, such as assessing exposure to specific vulnerabilities\u2014work that once required a full day of engineering effort and can now be completed in less than an hour by an agent.\\n\\nExplore integrated security solutions with Microsoft Defender\\n\\n## How day-to-day SOC work will change in the future\\n\\nIn an agentic SOC, the center of gravity will change for roles like an analyst. Fewer analysts are pulled into firefighting; more time is spent investigating how the organization is being targeted and what steps can be taken to reduce exposure. Within this new operating model, security teams will be freed to evolve the team structure and their day-to-day responsibilities.\\n\\n![A split comparison graphic labeled \u201cBefore\u201d and \u201cAfter\u201d showing the evolution of SOC roles, with the \u201cBefore\u201d side listing frontline analysts performing manual triage, escalation experts resolving complex incidents, and specialists such as threat hunters and intel analysts, and the \u201cAfter\u201d side illustrating transformed roles including foundational detection engineering skills, scale operators orchestrating agents, scale optimizers fine-tuning autonomous capabilities, and strategic advisors aligning SOC strategy with enterprise risk outcomes around a central shield icon.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Picture1.webp)\\n\\nAgentic systems increase demand for oversight, tuning, and governance. Detection and response engineering becomes more central, as teams design policies, confidence thresholds, and escalation paths. New roles emerge around supervising outcomes and refining system behavior over time.\\n\\nExpertise becomes more valuable, not less. Judgment, context, and institutional knowledge are no longer consumed by repetitive tasks\u2014they shape how the SOC operates at scale. 
And skilled practitioners move closer to strategy, quality, and accountability.\\n\\nTo make this shift tangible, here\u2019s how key roles are evolving:\\n\\n  * **Analysts**: from triaging alerts to supervising outcomes. Analysts validate agent\u2011led investigations, determine when deeper inquiry is needed, focus on ambiguous cases, and guide system learning over time.\\n  * **Detection engineers**: from writing rules to teaching the system what matters. Engineers decide which signals are trustworthy, add the right context, and set confidence thresholds so detections can be acted on automatically\u2014without human review every time.\\n  * **Threat hunters**: from manual queries to hypothesis-driven exploration. Hunters use AI to surface anomalies and focus on creative investigation and adversary simulation.\\n  * **SOC leadership**: from managing queues to orchestrating autonomy. Leaders define automation policies, oversee governance, and align AI actions with business risk.\\n\\nEach shift reflects a broader truth: in the agentic SOC, people don\u2019t do less\u2014they do more of what matters.\\n\\n## The agentic SOC journey\\n\\nThis is a significant change in how security teams operate, and it doesn\u2019t happen overnight. Based on our own experience, we\u2019ve outlined a maturity model that shows how organizations can progress toward an agentic SOC over time.\\n\\nOrganizations begin by establishing a trusted foundation that unifies security tooling, enables the deployment of autonomous defense, and begins unifying security signal in earnest. From there, they introduce agents to take on bounded, high-volume work under human supervision, learning where automation adds leverage and where judgment still matters most. Over time, as confidence, governance, and operational discipline mature, agents expand from assisting individual workflows to coordinating broader security outcomes. 
At every stage, progress is measured not by how much work is automated, but by how effectively human expertise is amplified.\\n\\n![A horizontal gradient graphic transitioning from blue to purple shows a three-stage SOC maturity journey connected by a curved line, with labeled milestones reading \u201cSOC I: Unify your platform foundation,\u201d \u201cSOC II: Accelerate operations with generative AI,\u201d and \u201cSOC III: Deploy agentic automation.\u201d](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Picture2.webp)\\n\\n### **SOC 1\u2014Unify your platform foundation**\\n\\nThe shift begins with a unified security platform that enables autonomous defense. Deterministic, policy-bound protections stop high confidence cyberthreats automatically\u2014removing urgency, reducing blast radius, and eliminating the constant context switching that slows human response. By integrating signals across identity, endpoints, and cloud, defenders gain a shared view of cyberattacks instead of stitching evidence together across tools. This foundation is what makes cross-domain action possible\u2014and separates experimental automation from production-ready operations.\\n\\n### **SOC 2\u2014Accelerate operations with generative AI and task agents**\\n\\nWith urgency reduced, generative AI changes how work flows through the SOC. Instead of pushing alerts forward, AI assembles context, synthesizes signals across domains, and produces coherent investigations. Repetitive, high-volume tasks like triage, correlation, and basic investigation are absorbed by the system, allowing analysts to focus on higher impact decisions. This stage establishes new operational patterns where humans and AI work together\u2014accelerating response while preserving judgment and accountability.\\n\\n### **SOC 3\u2014Deploy agentic automation**\\n\\nAs trust grows, agents move from assistance to action. 
Specialized agents autonomously orchestrate specific tasks\u2014containing compromised identities, isolating devices, or remediating reported phishing\u2014while humans shift into supervisory roles. Over time, agents help identify patterns, anticipate attack paths, and optimize defenses across the environment. Security teams spend less time managing queues and more time shaping posture, risk, and outcomes. These shifts compound across all three stages.\\n\\n## What comes next for the SOC evolution?\\n\\nWe believe the strongest agentic SOC models will begin with autonomous defense\u2014deterministic, policy\u2011bound actions that safely stop what is already known to be dangerous at machine speed. That foundation removes urgency, noise, and latency from security operations.\\n\\nAdditionally, agents and humans work differently. Agents assemble context, coordinate remediation, and optimize how the SOC operates. Humans provide intent, judgment, and accountability\u2014turning time saved into smarter, more strategic security outcomes.\\n\\nThis is the first of a series of posts that will explore what makes the agentic SOC model real: the platform foundations required to defend autonomously, the governance and trust mechanisms that keep autonomy safe, and the adoption journey organizations take to get there. Some organizations are already rebuilding their businesses around AI, a new class of Frontier Firms. Read more about how they\u2019re making their move toward the agentic SOC and access a foundational roadmap for this transformation in our new whitepaper, The agentic SOC: Your teammate for tomorrow, today.\\n\\nGet the new whitepaper to learn how to evolve your SOC with the agentic future\\n\\n## Learn more\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. \\n\\nThe post The agentic SOC\u2014Rethinking SecOps for the next decade appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-04-09T19:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-04-09T19:00:00&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;The agentic SOC\u2014Rethinking SecOps for the next decade&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#822
1;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/09\/the-agentic-soc-rethinking-secops-for-the-next-decade\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-09T20:57:34&#8243;,&#8221;description&#8221;:&#8221;Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-42731","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The agentic SOC\u2014Rethinking SecOps for the next decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=42731\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"The agentic SOC\u2014Rethinking SecOps for the next decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-09T20:57:34&#8243;,&#8221;description&#8221;:&#8221;Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=42731\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-12T02:16:12+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"The agentic SOC\u2014Rethinking SecOps for the next 
decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E\",\"datePublished\":\"2026-04-12T02:16:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731\"},\"wordCount\":2193,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"mssecure\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42731#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731\",\"name\":\"The agentic SOC\u2014Rethinking SecOps for the next decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-12T02:16:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42731\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42731#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The agentic SOC\u2014Rethinking SecOps for the next decade_MSSECURE:F9CAFC1C42F3DA7232EEB0DD20981D9E\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}