Google announces new AI-powered security agent to combat AI-based attacks.
Google has announced a suite of agents to be integrated into Google Security Operations, stating that it will 'counter AI-driven cyberattacks with AI.' Google Security Operations, which supports enterprise security monitoring and investigation, will work in conjunction with Google AI Threat Defense to automate threat detection, investigation, and containment.
Detecting and containing AI-powered threats with Google Security Operations agents | Google Cloud Blog
Fight AI with AI: Google SecOps Detection Engineering Agent - YouTube
Even when vulnerabilities are found in a system, they cannot always be fixed immediately. On the other hand, attackers can use AI to speed up tasks such as creating fake emails, generating attack code, and changing communication destinations after an intrusion. With the increasing sophistication of AI, some are claiming that attacks can begin within hours of a vulnerability being disclosed.
Anthropic points out that the AI 'Claude Mythos Preview,' which has extremely high cyberattack capabilities, can develop attacks in hours from the publicly disclosed 'N-day' vulnerability, thus 'changing the common sense from N-day to N-hour' - GIGAZINE
According to Mandiant's M-Trends 2026, cited by Google, the 2025 survey showed that exploitation of vulnerabilities was the most common entry point for intrusions for the sixth consecutive year. Furthermore, the time it takes for attackers to exploit vulnerabilities has shortened, and there are cases where attacks occur before the vulnerabilities can be fixed. Security measures need to go beyond simply 'fixing vulnerabilities' and include mechanisms to 'detect and stop intrusions before they can be fixed.'
To combat AI threats, Google announced 'Google AI Threat Defense' in May 2026, an AI-powered security system that identifies, prioritizes, assists in remediation of vulnerabilities, and provides continuous monitoring.
Google announces 'Google AI Threat Defense,' an AI-powered autonomous cybersecurity service that automatically fixes vulnerabilities and monitors threats - GIGAZINE
Google has announced that several new AI agents will be added to Google Security Operations, Google Cloud's security operations platform, as part of AI Threat Defense.
The Detection Engineering agent is an agent that creates detection rules tailored to unpatched vulnerabilities and new attack patterns. It utilizes expertise from Google Threat Intelligence and Mandiant, malware analysis, open-source detection rules, and internal security data to help create rules suited to each company's environment. At the time of writing, it is available as a preview.
Simply creating detection rules is meaningless. The Detection Engineering agent uses simulated logs called synthetic events to verify whether the created rules can detect attacks as intended. This allows them to check which attacks can be detected and which are missed before an actual attack occurs.
The Triage and Investigation agent is an agent that autonomously investigates detected alerts. It combines logs from endpoints, the cloud, firewalls, identities, networks, and custom applications to compile an explanation of the attack sequence. The Triage and Investigation agent is generally available at the time of writing and has already investigated over 5 million alerts, reducing manual analysis that normally takes 30 minutes to just 60 seconds using Gemini.
Agentic automation is a system designed to support responses after an attack is detected. It combines evidence gathering and decision-making support by AI agents with pre-defined playbooks for the company, and is currently available in preview at the time of writing. It is explained that while analysts maintain control during critical operations, the containment and remediation process can be automated.
The Threat Hunting agent is an agent that searches past logs for attacks that slipped through normal alerts. At the time of writing, it is available as a preview. Zero-day attacks and inconspicuous intrusions may not be found using only fixed markers such as file names or IP addresses, but the Threat Hunting agent can examine large enterprise telemetry records, including historical logs, to look for unusual behavior and new attack patterns.
As an example of leveraging its new AI agent, Google cited an audit of a supply chain attack targeting the Axios npm package, a widely used package management ecosystem for JavaScript. When the Detection Engineering agent was given information about the attack campaign, it was found to have detected the intermediate stages of the attack, but missed the initial npm postinstall dropper and the final C2 communication. The Detection Engineering agent then identified the oversights and helped create YARA-L rules for use in Google Security Operations.
If AI increases the number of options available to attackers, then defenders will also need to use AI to write detection rules, interpret alerts, and dig through past logs. Google says that by combining Google AI Threat Defense and Google Security Operations, they can continuously provide defenses that outperform automated attackers.
Related Posts:
