In this interview from RSAC 2026 in San Francisco, Scott Woodgate, general manager of threat protection at Microsoft, joins theCUBE Research's Christophe Bertrand to discuss how AI agents are transforming security operations from overwhelmed alert triage into strategic, scalable threat defense. Woodgate frames the challenge in stark terms: Microsoft processes more than 100 trillion threat intelligence signals daily while the industry faces four million unfilled cybersecurity positions. He details how purpose-built agents — starting with a phishing triage agent that is 6.5 times faster than human analysts with a 77% accuracy increase — are closing that gap, with one customer reclaiming 200 hours per month. Microsoft has now extended that capability into a broader alert triage agent covering cloud and identity signals, freeing teams to focus on higher-value work.
The conversation also explores the next phase of this evolution: semi-autonomous agents capable of ingesting threat intelligence, proactively hunting for exposure across an organization's environment and recommending remediation — all under human oversight. Woodgate draws a direct parallel to the transition from on-premises to cloud security, where the scope of practitioners' roles broadened rather than disappeared. He highlights Microsoft Sentinel's open platform model, which enables partners such as Illumio to build on its data lake and reach enterprise scale, and underscores the importance of global threat intelligence sharing as a cornerstone of collective defense. With Security Copilot now included in ME5 licenses and rolling out across the customer base, Woodgate provides a practical roadmap for security teams ready to upskill and embrace agent-orchestrated operations.
Scott Woodgate, Microsoft
At RSA Conference 2026, Scott Woodgate, general manager of threat protection at Microsoft, joins Christophe Bertrand of theCUBE Research and SiliconANGLE to discuss the use of artificial intelligence (AI) in security operations (SecOps) and threat intelligence (TI). Woodgate outlines Microsoft's approach to integrating AI-driven agents into SecOps workflows and highlights key technologies such as Security Copilot, Sentinel, Copilot and Defender.
The conversation covers phishing triage agents, security alert triage agents and TI briefing agents, and examines how agents augment SecOps teams to improve security operations center productivity and accelerate threat response. Topics also include measurable efficiency gains, semi-autonomous remediation and the role of humans in the loop as agents evolve.
Woodgate reports that the phishing triage agent is 6.5× faster and delivers a 77% accuracy improvement. He notes that customers report hundreds of hours saved, with one citing a 200-hour monthly reduction. He also highlights the inclusion of Security Copilot for E5 and ME5 customers and emphasizes the need to retain human oversight while extending automation and orchestration.
How are you and your organization addressing the escalating cyber threat landscape and helping security operations centers (SOC) and SecOps teams manage the increased volume of attacks (for example, using tools like Microsoft Sentinel, Copilot, and Defender)?
How can agents (automation/AI) be used to improve the effectiveness of small cybersecurity teams and help address the current skills shortage?
What are the most popular agents used in security operations (SecOps), and how does a phishing triage agent work and impact operational efficiency?
How can organizations ensure semi-autonomous security agents remain under human control, and are people and processes ready to decide what actions those agents should take?
>> Welcome back to theCUBE at RSAC 2026 in San Francisco. I'm Christophe Bertrand, principal analyst at theCUBE Research, and I am joined today by Scott Woodgate, who's the GM threat protection or threat... Is it threat protection? Threat protection, not management, at Microsoft. But I guess protection and management, well, probably about the same. So, Scott, tell us about yourself. Tell us what you do. It's a big title. It's a big job. It's Microsoft. Tell us more.
Scott Woodgate
>> Sure. Well, firstly, Christophe, thank you for having me on the show. And yeah, absolutely. We're focused on, as you say, threat protection, which is ensuring that our customers are in the strongest possible position to mitigate threats. And as you know, the cyber threat landscape has continued to escalate with the number of password attacks going up to 7,000 per second as an example. And in fact, Microsoft gets more than a hundred trillion. Can you imagine that? A hundred trillion threat intelligence signals every single day. So what do you do when you're in the SOC to really prevent that? And the SOC itself is challenged because of the number of humans that they have. I mean, all of you that are out there working as SecOps analysts, you know your jobs are very busy, and you wish there were three more of you in your roles. And so I spend a lot of time thinking about how to help the SecOps teams with tools such as Microsoft Sentinel and Copilot and sometimes Defender. And then how do agents as we go through this transformative stage really accelerate the effectiveness of everybody?
Christophe Bertrand
>> Right. And big brand names that everybody's heard. And I said management thinking it's really a management issue. And let's talk about that because surprisingly, this is supposed to be a cybersecurity event. AI is everywhere.
Scott Woodgate
>> Of course.
Christophe Bertrand
>> And of course we're talking about AI and AI agents. And I think the real conversation is, and the risks that some people have raised is, okay, well, is AI going to replace me? Whereas it actually turns out AI agents can really, really help you with a lot of tasks and make you a lot more efficient. So how does that play out in the security operations teams? What about all of the type of tests that can be happening? What about the blue team, red teams? How does that all play out? How do you leverage agents to be your friends, not your enemy?
Scott Woodgate
>> Exactly. So firstly, in cybersecurity, it may be different than some other spaces. There are four million open jobs right now. So I spent a lot of time this week at RSA talking to CISOs, and they're all about how do I take the small number of people that I have and improve their overall effectiveness? And it's not that their people aren't doing their very best, it's that the tooling that they have is the tooling they have today. And so agents provide a real opportunity to take automation to the next level and fundamentally upskill the roles that people have so that that employment gap actually can be filled by the partnership between people and agents. And so we do a lot of thinking about the, what are the, I call them the tier one tasks, but what are the simpler tasks that are actually a lot of the time that security teams spend doing? They spend a lot of time triaging alerts, phishing around, so to speak, not to use a pun, to find the actual real phishing from the spam and the bulk. That's one thing they do in emails. And that is a job that is very important, but also agents can do for you so that you can then, and we can come into this a little bit later, upskill into the next level of things that you need to do.
Christophe Bertrand
>> Right. So let's talk about how you at Microsoft use agents in a context of cybersecurity. I mean, I'm a Microsoft user. I use a lot of platforms. Obviously I've seen significant changes as just a PC user. Definitely a lot of other changes have happened across the board, across the offerings and the stack. But give us maybe a summary of also what you've announced recently with this event, because there are some significant things you're doing, building on existing previous announcements and products and solutions, but also announcing very interesting new capabilities that I believe will be very critical to what you just described, which is expanding the ability for humans to be more efficient in the face of hundreds of trillions of threats.
Scott Woodgate
>> That's exactly right. Yeah. I mean, if I take you quickly on the journey and then to the announcements, I don't know, it feels like about three years ago we announced Security Copilot as the first generative AI. A lot has changed since then as we think about the maturity of AI technologies, also our understanding of which tasks are better implemented through AI versus other things. If I could just hit that for the moment, there's really three agents that I think are the most popular three agents in SecOps. The first one is a phishing triage agent. And this phishing triage agent, once again, users don't know the difference between spam and bulk and phishing. They're all annoying or they're all security threats according to users, but actually only one of them is a security threat, that's phishing. And with these new LLMs, agents are very efficient at reading context in emails and also learning from guidance that security teams will give them. And so we built a phishing triage agent that is in controlled tests, 6.5 times faster than people on finding this work, 77% increase in accuracy and more importantly saves hundreds of hours. I have one customer who saved 200 hours a month in their security operations team by implementing, just because the queue of things that they had to focus on is now focused on what is real phishing. So we've got a lot of value from that. And we've just, as an announcement, as one of many, extended that phishing triage agent to be more of a security alert triage agent. And so it covers now cloud security alerts. What's the low value ones? We'll manage them for you. What's the low value identity alerts? We'll manage them for you. Once again, so you can focus on things that add a whole lot more value than that.
Christophe Bertrand
>> Right. So I think this is critical because we've conducted research at theCUBE Research, and one of the questions we asked was, how many alerts do you disregard? And the number I can remember the exact number was essentially very, very high.
Scott Woodgate
>> Extremely high.
Christophe Bertrand
>> Essentially most alerts are not deemed critical. They're excluded. And thinking, how do you know they're critical and not critical given that the enemy morphs and changes all the time? So you don't know what you don't know, and you're saying it's not critical. So I think there are some, there's a big gap. What you're doing is two things. Number one, what I'm hearing is there's a scalability question. Now you can literally handle the inbound volume of alerts making you actually more fit for purpose as an operations team, a security team, meaning you actually are doing your job. Finally, you have the ability to do your job at scale. I think that's really key. Secondly, what I'm also hearing is the significant operational efficiency happening with this. Now, I had a very good conversation with, I'm sure you know them, KnowBe4, great training outfit.
Scott Woodgate
>> Sure, of course.
Christophe Bertrand
>> Totally different space, but very close of course to the cybersecurity space. And of course this idea of training and leveraging agents to better train individuals, but also maybe retraining the workforce because that's the biggest issue we have right now. Cyber skills are lacking, there's too much to do, not enough time, not enough budget. So could it be that instead of this myth, which I think is a myth that agents will take away your job, agents in the context of cybersecurity in general terms are actually going to help you do your job and do a better job and augment your visibility to management, to leadership, to business, because now you can become more of a partner in the face of the mounting risk we still see from cyber attackers. So I'd really like to get your take on that.
Scott Woodgate
>> Yeah. I mean, I think that's very much the case. In fact, I'll give you another example of an agent that we have that addresses one of the most common questions that the security team or CISOs get. An executive, maybe it's the CEO, someone in the C-suite looked on the interwebs and found the latest threat and then comes to you and says, "Is this a problem for us?" That's a super common scenario. And so we built a TI briefing agent that's also actionable. And so it's for old school people like me, it's like your daily newspaper of here's all of the very relevant threats, hyper relevant to my industry, my region. So it's really framed in the context of my world. And that information is interesting, but once you find something that might be problematic or maybe what your CEO asked, then you can go into the exposure section of this agent, and that will actually tell you, am I exposed? Is there a CVE that's being exploited as a result of that? And do I have, for example, a container issue? And is there a container CVE? And then where are the Linux based machines? And then all the way down to how do I patch it? And so that cycle sometimes takes a while to navigate a series of tools, and the agent can help you just click through and find that very, very quickly and then remediate it and report back up to your CEO that life is safe. Now that's where we are today. If you dial forward in a not very long period of time, those agents are going to start becoming semi-autonomous and actually doing some of that work on your behalf, which is really the next exciting part of this evolution, still under your control, but taking more action.
Christophe Bertrand
>> Well, as you said, you qualified it's still under your control. So a lot of times we talk about AI in the loop. Now it's really human in the loop really in a sense. So what do you mean by under your control? Obviously agents talking to each other, there is at some point a decision point that has to happen. How do we know that individuals, that the people, the processes are actually ready for that? Because it feels to me like the acceleration of innovation has been such that things are changing so quickly. I wonder to what extent people in this case can catch up and understand that it is their responsibility now to, instead of trying to survive the day with all the alerts to actually now make some pretty important decisions about what to let happen or not happen when before maybe they were never exposed to those types of decisions.
Scott Woodgate
>> Correct. I mean, I could go from a couple, I'll take one angle and I'll maybe do a second one in a minute, but if I think of the security teams today, there's lots of doing, and a fair amount of that doing is on lower value tasks. They're actually extremely valuable because if the security team doesn't do it, nobody does it. But in the scheme of things, the security team wishes they had more time for hunting and other things. And so the agents now, when they become semi-autonomous, can go do that work. In fact, the flow I just described, an agent should be able to look at your threat intelligence that affects your organization and then go hunt and see if you are affected and then actually proactively fix the posture. But we're not ready in most cases to say, "Yes, agent, just go do that and take control of my whole organization." And for good reasons in terms of verifiability of agents and the just trust that people have in technology needs to grow over time. And so there's going to be a role for SecOps, which is orchestrating or traffic controlling all of these agents. And so as an agent comes up and says, "I found this TI, do you want me to do this with it?" Or, "I wanted to fix your posture. Do you want me to do this?" And so there's going to be this new role that it's a little bit like the transition actually between on premises security and cloud security, which I'm old, so I was part of where the scope of people's roles changed in a broader sense, and they therefore could do higher value tasks because they were no longer doing the on premises network storage and so forth, but now they could have a broader scope of orchestrating across things. And so the role was a far more interesting role. It was just different than the prior role. And we're going through the same evolution. And frankly, there'll be some people who see that and catch onto it and make the transition over.
And I hope it isn't like cloud security where actually it took a bunch of a new generation of people to recognize the opportunity to go do this. So if you're already currently doing this, there's some good lessons from the transition to cloud security where actually getting out and using these things and seeing how they can help you upskill and up level your game and be more valuable is really important. Because once again, in this space, it really isn't about my job, it's about my effectiveness.
Christophe Bertrand
>> That makes perfect sense. The one thing that I find fascinating is I think a lot of organizations are really ahead of their skis. They're letting agents roam maybe a little too free. Whereas when you think about the space of cybersecurity and the application to what is really hyper automation, for lack of a better term, becoming more intelligent, more autonomous, I see a lot of, to your point, a lot of analogies with how cloud evolved.
Scott Woodgate
>> Exactly that.
Christophe Bertrand
>> I remember you'd get walked out of the room if you said cloud in a briefing with the financial industry years ago. Now if you don't say AI, you probably get walked out of the room the same way. So things have changed drastically. If you take a step back, I've asked a lot of people this question. There's always this conversation around regulations and what should the government do? The White House published some recommendations. The previous administration did too, different, but the same in some areas. Then you have Europe as well, which loves regulations, but it's not necessarily enforcing or implementing as much as we think quite yet. Obviously you're a big global organization, you get to see a world of threats. What do you think about this public, private partnership government? What do you hope for in how maybe the... Because it's a security and a national security issue in many cases. What do you hope for in terms of what the government can do to help organizations and maybe individuals be more aware and be more in control?
Scott Woodgate
>> Yeah. I mean, so firstly, I would say security is a team sport with our partners, but also as you say, with government institutions and Microsoft as a global company takes in all types of inputs from different countries and the different regulations and absolutely respects whatever regulations exist in whatever countries. In terms of preference, I think I've seen some good examples actually in the US recently of, "Hey, this isn't particularly secure. You should know about it." And so the role of advocacy where things are not secure and driving change on that, I think is an important role that governments can have with their folks. I would say that some things it's really helpful to be globalized. So for example, the threat intelligence knowledge base, if you're in a particular country and all you knew was the threat intelligence within your country, you aren't probably set up for the threats that often come from countries that are not yours. And so this notion of collective defense or global sharing of threat intelligence is actually a critical piece for us to stay ahead of attackers because they don't respect our state boundaries, if you like, or others. So collaboration in that sense is really important. And yet different people will have different views on governance of data and where it needs to be. And at Microsoft, we're in a beautiful place of having many data centers around the world. And so if you want your data center here and your data here, we give you many of those choices that others maybe build on top of us sometimes to do.
Christophe Bertrand
>> Yeah. And you're right, pretty amorphous global threat in a sense and you don't really know what's going to hit you from where. And having this global knowledge and maybe some better standards globally is certainly not a bad idea. Although I do like a private initiative as well and innovation, so it's really striking that balance.
Scott Woodgate
>> I mean, as Microsoft, I mean, we work with partners all the time who are doing things that are leading edge, that are really exciting. And that's what I love about us having an open ecosystem. In fact, we built Sentinel as a platform so that even if your customer isn't using our SaaS products, you as a vendor can go ahead and build on our data lake, use our graph and our primitives, and then get access to our customer base and scale. And so we've seen companies like Illumio and others get scale with large customers. In fact, I was listening to one this morning who was talking about this exact scenario because they could partner with us on the platform.
Christophe Bertrand
>> Well, scale matters in the end, that's for sure.
Scott Woodgate
>> A hundred percent.
Christophe Bertrand
>> Right. So in closing, what recommendations do you have for our viewers? What should they do next?
Scott Woodgate
>> Yeah. I mean, if your organization owns E5, ME5, then recently we announced that Security Copilot is included actually, and we've been rolling that out for the last several months. And we have about three more months to complete that rollout, in which case every customer with ME5 will now have a significant allocation to use Security Copilot. And what that means is you can go get your triage agent or security triage agent or phishing triage agent and turn it on, your TI briefing agent and turn it on. If you're an identity admin, your conditional access optimization engine and turn it on. And so there's a very broad base of the population once we've finished the rollout in three months, if you haven't already got it, that actually has access to the technology for no additional cost. And so then it's just a matter of getting and rolling up your sleeves, actually using it, understanding the value, and then taking yourself on the career journey to continue to differentiate as you move forward.
Christophe Bertrand
>> Well, you heard it here. Roll up your sleeves, get it for free, right?
Scott Woodgate
>> Included, yes.
Christophe Bertrand
>> Included and try it out and learn from it. Well, thank you so much. This has been a great conversation. Thank you for your time.
Scott Woodgate
>> Thank you, Christophe. I appreciate you.
Christophe Bertrand
>> And to our viewers, thank you very much. We'll be right back, RSAC 2026 in San Francisco.