The daily grind of sifting through endless alerts and repetitive tasks is burdening security teams. Too often, defenders struggle to keep up with evolving threats, but the rapid pace of AI advancement means it doesn’t have to be that way.
Today at the RSA Conference, as we introduce M-Trends 2025 and discuss how we’re boosting defenders, we’re also detailing our vision for how AI agents can help security operations.
Agentic AI promises a fundamental, tectonic shift for security teams, where intelligent agents work alongside human analysts to autonomously take on routine tasks, augment human decision-making, automate workflows and empower them to focus on what matters most: the complex investigations and strategic challenges that truly demand human expertise.
The agentic AI future
While assistive AI primarily aids human analyst actions, agentic AI goes further and can independently identify, reason through, and dynamically execute tasks to accomplish goals — all while keeping human analysts in the loop.
Our vision for this agentic future for security builds on the tangible benefits our customers experience today with Gemini in Security Operations:
“No longer do we have our analysts having to write regular expressions that could take anywhere from 30 minutes to an hour. Gemini can do it within a matter of seconds,” said Hector Peña, senior information security director, Apex Fintech Solutions.
We believe that agentic AI will transform security operations. The agentic security operations center (SOC), powered by multiple connected and use-case driven agents, can execute semi-autonomous and autonomous security operations workflows on behalf of defenders.
The agentic SOC
We are rapidly building the tools for the agentic SOC with Gemini in Security. Earlier this month at Google Cloud Next, we introduced two new Gemini in Security agents:

The alert triage agent in Google Security Operations autonomously performs dynamic investigations and provides a verdict.
In Google Security Operations, an alert triage agent performs dynamic investigations on behalf of users. Expected to preview for select customers in Q2 2025, this agent analyzes the context of each alert, gathers relevant information, and renders a verdict on the alert.
It also provides a fully transparent audit log of the agent’s evidence, reasoning and decision making. This always-on investigation agent will vastly reduce the manual workload of Tier 1 and Tier 2 analysts who otherwise are triaging and investigating hundreds of alerts per day.

The malware analysis agent in Google Threat Intelligence performs reverse engineering.
In Google Threat Intelligence, a malware analysis agent performs reverse engineering tasks to determine if a file is malicious. Expected to preview for select customers in Q2 2025, this agent analyzes potentially malicious code, including the ability to create and execute scripts for deobfuscation. The agent will summarize its work and provide a final verdict.
Building on these investments, the agentic SOC is a connected, multi-agent system that works collaboratively with the human analyst to achieve exponential gains in efficiency. These intelligent agents are designed to fundamentally change security and threat management, working alongside analysts to automate common tasks and workflows, improve decision-making, and ultimately enable a greater focus on complex threats.

The agentic SOC will be a connected, multi-agent system that works collaboratively with human analysts.
To illustrate this vision in action, consider the following examples of how agentic collaboration could transform everyday security tasks. At Google Cloud, we believe many critical SOC functions can be automated and orchestrated:
- Data management: Ensures data quality and optimizes data pipelines.
- Alert triage: Prioritizes and escalates alerts.
- Investigation: Gathers evidence and provides verdicts on alerts, documents each analysis step, and determines the response mechanism.
- Response: Remediates issues using hundreds of integrations, such as endpoint isolation.
- Threat research: Bridges silos by analyzing and disseminating intelligence to other agents, such as the threat hunt agent.
- Threat hunt: Proactively hunts for unknown threats in your environment with data from Google Threat Intelligence.
- Malware analyst: Analyzes files at scale for potentially malicious attributes.
- Exposure management: Proactively monitors internal and external sources for credential leaks, initial access brokers, and exploited vulnerabilities.
- Detection engineering: Continuously analyzes threat profiles and can create, test, and fine-tune detection rules.
How the Google advantage helps agentic AI
Developing dependable and impactful agents for real-world security applications requires three key ingredients, all of which Google excels in:
- We harness our deep reservoir of security data and expertise to provide guiding principles for the agents.
- We integrate our cutting-edge AI research, and use mature agent development tools and frameworks to enable the creation of a reusable and scalable agentic system architecture.
- Our ownership of the complete AI technology stack, from highly scalable and secure infrastructure to state-of-the-art models, provides a robust foundation for agentic AI development.
These advantages allow us to establish a well-defined framework for security agents, empowering AI to emulate human-level planning and reasoning, leading to superior performance in security tasks compared to general-purpose large language models.
This approach ensures high-quality and consistent results across security tasks and also facilitates the development of new agents through the modular composition of existing security capabilities – building a diverse garden of reusable, task-focused security agents.
Furthermore, agent interoperability, regardless of who developed each agent, boosts autonomy and productivity and reduces long-term costs. Our open Agent2Agent (A2A) protocol, announced at Google Cloud Next, facilitates this, complementing the Model Context Protocol (MCP) for standardized AI interaction with security applications and platforms.
To further advance interoperability, we are pleased to announce the open-sourcing of MCP servers for Google Unified Security, allowing users to build custom security workflows that use both Google Cloud and ecosystem tools. We are committed to an open ecosystem, envisioning a future where agents can collaborate dynamically across different products and vendors.
"We see an immediate opportunity to use MCP with Gemini to connect with our array of custom and commercial tools. It can help us make ad-hoc execution of data gathering, data enrichment, and communication easier for our analysts as they use the Google Security Operations platform," said Grant Steiner, principal cyber-intelligence analyst, Enablement Operations, Emerson.
Introducing SecOps Labs for AI
To help defenders as our AI work rapidly advances, and to give the community an opportunity to offer direct feedback, we’re excited to introduce SecOps Labs. This initiative offers customers early access to cutting-edge AI pilots in Google Security Operations, and is designed to foster collaboration with defenders through firsthand experience, valuable feedback, and direct influence on future Google Security Operations technologies.
Initial pilots showcase AI's potential to address key security challenges, such as:
- Detection engineering: This pilot autonomously converts threat reports into detection rules and generates synthetic data for testing their effectiveness.
- Response playbooks: This pilot recommends and generates automation playbooks for new alerts based on analysis of past incidents.
- Data parsing: This pilot is a first step toward AI-generated parsers, starting by allowing users to update their existing parsers using natural language.
SecOps Labs is a collaborative space to refine AI capabilities, to ensure they address real-world security challenges and deliver tangible value, while enabling teams to experiment with the latest pre-production capabilities. Stay tuned for more in Q2 2025 to participate in shaping the future of agentic security operations with Google Cloud Security.
Meet us at RSAC to learn more
Excited about agentic AI and the impact it will have on security? Connect with our experts and see Google Cloud Security tech in action. Find us on the show floor at booth #N-6062, Moscone Center, North Hall, or at the Marriott Marquis to meet with our security experts and learn how you can make Google part of your security team.
Not able to join us in person? Stream RSA Conference or catch up on-demand here, and connect with Google Cloud Security experts and fellow professionals in the Google Cloud Security Community to share knowledge, access resources, discover local events and elevate your security experience.