Google adds Emerging Threats Center to speed detection and response

When a new vulnerability hits the news, security teams often scramble to find out if they are at risk. The process of answering that question can take days or weeks, involving manual research, rule-writing, and testing. Google Security Operations wants to close that window with its new Emerging Threats Center, designed to help teams understand their exposure and detection coverage in near real time.

Figure: Emerging Threats Center feed view

Automating threat detection at scale

The new capability, now available to licensed customers, focuses on scaling detection engineering and operationalizing threat intelligence. It draws from Google Threat Intelligence and other sources within the company’s ecosystem to generate representative events and evaluate existing detections. When it identifies coverage gaps, it produces new detection rules for analysts to review and deploy.

Chris Corde, senior director of product management at Google Cloud, told Help Net Security that the goal is to help organizations move from reaction to anticipation. “The release of the Emerging Threats Center helps customers take a threat-centric view to protect themselves against real world activity, such as active exploits happening across the world,” Corde said. “Historically, answering the CISO’s question, ‘Are we impacted and prepared?’ was a manual, reactive process that left organizations vulnerable while analysts sifted through data. The Emerging Threats Center shifts this paradigm by operationalizing threat intelligence, moving teams from a traditional alert queue to a campaign-based view of high-risk events.”

The idea is to make it faster for organizations to see whether they are impacted by major threat campaigns and to confirm that detection measures are already in place. By reducing the time between intelligence collection and defensive action, the platform aims to shrink the window of potential exposure.

Moving beyond manual workflows

Google says many teams still rely on a slow, manual cycle to defend against emerging campaigns. Analysts must review reports, extract indicators of compromise, and then hand those to engineers who create and test detections. That process often leaves organizations behind the curve.

A recent study commissioned by Google found that 59% of IT and security leaders struggle to translate threat intelligence data into specific actions. The new center tackles that issue by filtering large volumes of threat data to identify which campaigns are most relevant to a particular environment.

Instead of starting with raw alerts, analysts now get a single view showing the threats that pose the greatest risk to their organization. This includes details about indicators present in their own data and the matching detection rules available. When a new zero-day appears, they can immediately see whether related activity exists in their telemetry and which rules can block it.

Corde explained that the system’s core utility lies in connecting frontline intelligence directly to each organization’s environment. “It instantly correlates frontline intelligence against your specific environment to provide definitive answers,” he said. “It scans 12 months of retrospective telemetry to identify if you have been affected by active threats, and validates your current defensive posture to ensure you are prepared. Powered by Gemini to automate detection engineering, it allows security teams to bypass the noise and immediately focus on the campaigns that pose the greatest risk.”

Understanding exposure and readiness

The platform focuses on answering the two questions that drive any crisis response: whether the organization is affected, and how well it is prepared. To establish exposure, the system searches the past year of telemetry for the campaign's indicators of compromise and highlights any matching detections that fired. These results become the starting point for further investigation.

To evaluate readiness, it checks whether there are active detection rules tied to the new campaign. If no hits appear and the relevant detections are already in place, the system provides confidence that the environment is protected against that specific threat. This dual view of past and present helps teams confirm their exposure and their defensive posture.

How the detection engine works

Underneath the interface is an automated detection engineering system powered by Gemini models and AI agents. It begins by ingesting threat intelligence from multiple sources across Google’s security ecosystem. From that data, it extracts detection opportunities tied to a given campaign.

The system then generates synthetic event data that reflects the tactics, techniques, and procedures observed in the intelligence. These synthetic logs are used to test how well current detection rules perform against the new threat. When the system finds a gap, it creates a new rule and summarizes its logic for human analysts to review.

This mix of automation and expert oversight is meant to speed up the process of producing production-ready detection rules. What once took days can now be done in hours, giving analysts more time to focus on investigation and response rather than manual rule development.
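The exposure and readiness checks described under "Understanding exposure and readiness", and the gap-finding loop described in this section, can be shown on a small scale. The following is an added illustration, not Google's code and not the Google Security Operations API: it uses a fixed clock, a constructed campaign (placeholder indicators and two synthetic events standing in for TTPs), one hand-written rule, and a handful of constructed telemetry records. It reports IOC and rule matches inside a 12-month window (exposure), replays the synthetic events against the rule set (readiness), and for each uncovered event drafts a candidate rule with a plain-language summary for analyst review.

```python
"""Added example of a detection-coverage check: exposure, readiness, gap drafting.
Not Google's code; campaign, indicators, rules and telemetry are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
LOOKBACK = timedelta(days=365)                    # the article's 12 months of retrospective telemetry


@dataclass(frozen=True)
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    summary: str


@dataclass
class Campaign:
    name: str
    iocs: frozenset[str]          # constructed indicator values (placeholder domain / hash)
    synthetic_events: list[dict]  # events standing in for the campaign's TTPs


# --- constructed inputs (placeholders, not real intelligence) -------------------
CAMPAIGN = Campaign(
    name="campaign-placeholder",
    iocs=frozenset({"c2.example-bad.test", "a" * 64}),
    synthetic_events=[
        {"type": "process", "parent": "winword.exe", "image": "powershell.exe"},
        {"type": "persistence", "mechanism": "scheduled_task", "parent": "winword.exe"},
    ],
)

RULES = [
    Rule(
        name="office_app_spawns_script_host",
        predicate=lambda e: e.get("type") == "process"
        and e.get("parent") in {"winword.exe", "excel.exe"}
        and e.get("image") in {"powershell.exe", "wscript.exe"},
        summary="Office application launching a script host",
    ),
]

# (timestamp, event) pairs; the first record is older than the lookback window
TELEMETRY = [
    (NOW - timedelta(days=400), {"type": "dns", "query": "c2.example-bad.test"}),
    (NOW - timedelta(days=30), {"type": "dns", "query": "c2.example-bad.test"}),
    (NOW - timedelta(days=2), {"type": "process", "parent": "outlook.exe", "image": "notepad.exe"}),
    (NOW - timedelta(days=1), {"type": "file", "sha256": "b" * 64}),
]


def in_window(ts: datetime, now: datetime = NOW, lookback: timedelta = LOOKBACK) -> bool:
    return now - lookback <= ts <= now


def exposure(campaign: Campaign, telemetry, rules, now: datetime = NOW) -> dict:
    """Exposure: IOC matches and rule matches within the retrospective window."""
    ioc_hits, rule_hits = [], []
    for ts, event in telemetry:
        if not in_window(ts, now):
            continue  # outside the 12-month window, ignored
        if any(str(v) in campaign.iocs for v in event.values()):
            ioc_hits.append(event)
        rule_hits.extend(r.name for r in rules if r.predicate(event))
    return {"ioc_hits": ioc_hits, "rule_hits": rule_hits}


def readiness(campaign: Campaign, rules) -> dict:
    """Readiness: replay synthetic events against the rules; silent events are gaps."""
    covered, gaps = [], []
    for event in campaign.synthetic_events:
        firing = [r.name for r in rules if r.predicate(event)]
        (covered.append((event, firing)) if firing else gaps.append(event))
    return {"covered": covered, "gaps": gaps}


def draft_rule(event: dict) -> Rule:
    """Draft a candidate rule for an uncovered event: an exact match on its fields,
    plus a summary for review. An engineer would generalize this before deploying."""
    fields = dict(event)
    return Rule(
        name="draft_" + "_".join(str(v) for v in fields.values()).replace(".", "_"),
        predicate=lambda e, f=fields: all(e.get(k) == v for k, v in f.items()),
        summary="DRAFT (review required): " + ", ".join(f"{k}={v}" for k, v in fields.items()),
    )


def assess(campaign: Campaign, telemetry, rules, now: datetime = NOW) -> dict:
    """Answer 'are we impacted?' and 'are we prepared?' for one campaign."""
    exp = exposure(campaign, telemetry, rules, now)
    ready = readiness(campaign, rules)
    drafts = [draft_rule(e) for e in ready["gaps"]]
    return {
        "exposure": exp,
        "affected": bool(exp["ioc_hits"] or exp["rule_hits"]),
        "covered": ready["covered"],
        "gaps": ready["gaps"],
        "drafts": drafts,
    }


if __name__ == "__main__":
    report = assess(CAMPAIGN, TELEMETRY, RULES)
    print("affected:", report["affected"], "| ioc hits:", len(report["exposure"]["ioc_hits"]))
    for event, names in report["covered"]:
        print("covered:", event, "->", names)
    for d in report["drafts"]:
        print("gap ->", d.name, "|", d.summary)
```

On the constructed input the report says the environment is affected (one in-window DNS record matches a placeholder indicator, while the same record 400 days back is ignored), that one TTP is already covered by the existing rule, and that the second TTP is a gap for which a draft rule and summary are produced. The draft is deliberately narrow (an exact field match) so that it cannot fire on anything other than the event that exposed the gap; the human review step the article describes is where it would be generalized and tested before deployment.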
