What is Microsoft Security Copilot?


The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Security Copilot (Security Copilot) is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant with responsible AI principles.

Security Copilot provides a natural language, assistive copilot experience that helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management.

The solution leverages the OpenAI architecture to generate a response to a user prompt by using security-specific plugins, which supply organization-specific information, authoritative sources, and global threat intelligence. By using plugins as data sources, security professionals gain wider visibility into threats and more context, and can extend the solution's functionality. For more about plugins, read Manage plugins.

Designed with integration in mind, Security Copilot integrates with products in the Microsoft Security portfolio such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as with third-party services such as ServiceNow.

The primary focus of the Early Access Program is centered around:

  • Incident response

    Security Copilot can swiftly summarize an incident by enriching its details with context from data sources, assess its impact, and give analysts guided suggestions on remediation steps.

  • Security posture management

    Security Copilot provides information on events that might expose an organization to a known threat, and gives analysts prescriptive guidance on how to protect against those potential vulnerabilities.

  • Security reporting

    Security Copilot can generate ready-to-share executive summaries or reports on security investigations, publicly disclosed vulnerabilities, or threat actors and their campaigns.

How does Security Copilot work?

Microsoft Security Copilot capabilities can be accessed through the standalone experience as well as embedded experiences available in other Microsoft security products. The foundation language model and proprietary Microsoft technologies work together in an underlying system that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale.

  • Microsoft security solutions such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune integrate with Security Copilot. Embedded experiences in those solutions give users access to Security Copilot and its prompting capabilities in the context of their work within those solutions.

  • Plugins from Microsoft and third-party security products are the means to extend and integrate services with Security Copilot. Plugins bring in more context from event logs, alerts, incidents, and policies, both from Microsoft security products and from supported third-party solutions such as ServiceNow.

  • Security Copilot also has access to threat intelligence and authoritative content through plugins. These plugins can search across Microsoft Defender Threat Intelligence articles and intel profiles, Microsoft Defender XDR threat analytics reports, and vulnerability disclosure publications, among others.

    (Figure: How Security Copilot works)

Here's an explanation of how Microsoft Security Copilot works:

  • User prompts from security products are sent to Security Copilot.

  • Security Copilot then pre-processes the input prompt through an approach called grounding, which improves the specificity of the prompt so that the answers you get are relevant and actionable. During pre-processing, Security Copilot accesses plugins, then sends the modified prompt to the language model.

  • Security Copilot takes the response from the language model and post-processes it. This post-processing includes accessing plugins to gain contextualized information.

  • Security Copilot returns the response to the user, who can then review and assess it.

Security Copilot iteratively processes and orchestrates these services to produce results that are relevant to your organization, because they're grounded in your organizational data.