
Red Canary has unveiled a new suite of expert AI agents that combine the speed and scalability of agentic AI with the quality and consistency of standard operating procedures derived from Red Canary’s security operators, bringing a new layer of AI-powered automation to threat detection, investigation, and response. Built to reduce manual, repetitive work, these agents mark a significant step toward a more efficient, intelligent, and resilient SOC that remediates incidents more quickly.
Red Canary AI agents have already successfully completed more than 2.5 million investigations across endpoint, identity, cloud, and SIEM environments. These AI agents work side-by-side with Red Canary detection engineers, who oversee, develop, and continuously update a library of behavioural analytics for both emerging and known threats, significantly accelerating investigation times. As a result, many customers have seen investigation times drop from over 20 minutes to under three minutes while maintaining an unmatched 99.6% customer-validated true positive rate.
Most AI agents rely on basic autonomy without the training data or expert procedures needed to perform consistently, leading to uneven quality and reliability. Red Canary AI agents are built from the ground up to be enterprise-grade.
Trained on over 10 years of operational data and shaped by millions of real-world investigations, they execute Tier 2 analyst workflows, gathering context, enriching alerts, and recommending actions with high quality and speed. The result is a layer of automation that cuts noise, accelerates triage and helps security teams stay ahead of evolving threats without adding complexity or risk.
“Automation remains core to how Red Canary finds more threats and stops them faster,” said Red Canary CEO Brian Beyer. “On its own, agentic AI is powerful. But when it’s trained on more than a decade of labelled data from our detection engineers and threat hunters and grounded in proven standard operating procedures, it becomes truly transformational.”
“These AI agents accelerate investigations with speed and consistency, freeing our experts to focus on unique and novel investigations and giving customers more time to act on what matters, confident that nothing critical gets missed,” he said.
AI agents are already live and supporting customers today, helping reduce noise, respond faster, and get expert analysis for every threat. Highlights include:
- SOC analyst and detection engineering agents: A suite of endpoint, cloud, SIEM, and identity-focused AI agents that automate Tier 1/Tier 2 investigation and detection workflows for a specific system (e.g., Microsoft Defender for Endpoint, CrowdStrike Falcon Identity Protection platform, AWS GuardDuty, and Microsoft Sentinel), delivering high-quality root cause analysis and remediation.
- Response and remediation agents: Provide specific, actionable response and remediation tactics alongside hardening steps to reduce future risk.
- Threat intelligence agents: Compare batches of threats against known intelligence profiles and surface emerging trends with supporting analysis to speed intelligence operations.
- User baselining and analysis agents: Identify user-related risks by comparing real-time user behaviour to historical patterns and proactively escalate suspicious anomalies.
Examples of Red Canary’s AI agents in action include:
- Salesforce authentication details compromised by malware: Red Canary’s Identity Investigation agents for Okta Workforce Identity and User Baselining & Analysis agent flagged a suspicious Salesforce login that the customer’s other tools missed, added critical context, and revealed that the login originated from a high-risk IP. Red Canary’s team quickly validated the threat and alerted the customer, who immediately reset the user’s password. The incident was contained within minutes, preventing potential compromise and minimising impact.
- Compromised account identified and contained: Red Canary’s SIEM Investigation agent for Microsoft Sentinel and Identity Investigation agent for Microsoft Entra ID pinpointed a suspicious application name and proxy infrastructure accessed by a user logging in from an unusual ISP and geography. Within minutes a Red Canary detection engineer validated that a user’s access token had been compromised and engaged the customer’s security operations team for response.