Microsoft's new AI-powered agent boosts threat detection with clear, actionable insights.
Key Takeaways:
Microsoft has recently launched the Security Copilot Dynamic Threat Detection Agent within Microsoft Defender. This new AI-powered tool is designed to help security teams detect hidden threats across Defender and Microsoft Sentinel environments.
The Dynamic Threat Detection Agent combines advanced AI with deep security insights. It uses generative AI to continuously analyze telemetry from Microsoft Defender and Sentinel, uncover hidden attack patterns, and reduce false negatives, delivering clear context and actionable recommendations. The agent achieves over 85% accuracy across thousands of alerts and minimizes noise so that security teams can focus on real threats.
Additionally, the Dynamic Threat Detection Agent enhances risk assessment through integrated threat intelligence and behavioral analytics to highlight suspicious activity. With zero-touch activation and seamless integration into existing Microsoft security tools, organizations can benefit from always-on protection without additional setup or complexity.
“Under the hood, the Dynamic Threat Detection Agent runs a five-step investigation loop at machine scale—starting from signals you already care about, building a rich activity timeline, testing hypotheses, and closing detection gaps with explainable, actionable alerts. This loop executes across thousands of parallel investigations, delivering detections in near–real time for your SOC,” Microsoft explained.
The investigation process begins with incident prioritization, where the system continuously scans for high-risk events and critical assets. It then constructs detailed timelines by correlating alerts, anomalies, and intelligence to give a complete picture of activity. Next, the agent uses automated hypothesis testing to explore potential attack scenarios (such as phishing or credential compromise) without manual intervention.
Once findings are confirmed, it delivers explainable alerts that include severity ratings, MITRE mappings, and clear remediation steps in natural language. Finally, the system uses feedback-driven learning to refine its detection logic based on analyst input to improve accuracy over time.
The agent is built with strong principles of security, governance, and scalability. Every alert is fully transparent, providing clear reasoning, context, and step-by-step remediation guidance to ensure trust and visibility for analysts. It also respects compliance requirements by operating within region-specific environments, maintaining data sovereignty for organizations.
Currently, this Security Copilot Dynamic Threat Detection Agent is available in public preview at no additional cost for Security Copilot customers. Microsoft plans to make it generally available in mid-2026, with licensing under the Security Copilot consumption model and flexibility for administrators to disable or manage usage. This agent is also included with the Microsoft 365 E5 subscription.