Executive Summary
- Google has released a public preview of its AI-powered Alert Triage and Investigation agent for its security operations platform.
- The agent automates the initial analysis of security alerts, distinguishing real threats from false positives to save analysts’ time.
- It uses dynamic investigation plans based on Mandiant expertise, enriches data with threat intelligence, and analyzes system processes.
- The feature is now available for Google Security Operations Enterprise and Enterprise Plus users, with general availability planned for 2026.
Google has announced the public preview of its new Alert Triage and Investigation agent, an artificial intelligence tool integrated directly into its Google Security Operations platform. The agent is designed to help security teams more effectively process and prioritize cybersecurity alerts by automating initial investigations.
The technology represents a key step toward what Google calls an “Agentic SOC,” a security operations center where intelligent agents handle routine tasks. Instead of manual review, the agent autonomously examines each alert, gathers contextual information, and determines whether it represents a genuine threat or a false positive. This allows human analysts to concentrate on the most critical and complex security incidents.
How the Agent Operates
When an alert is generated, the agent initiates a dynamic investigation plan modeled on best practices from Mandiant experts. It executes a series of analytical steps, including running searches, enriching data with Google Threat Intelligence, analyzing potentially obfuscated commands, and reconstructing process trees to understand the full scope of an event.
Upon completion, the agent assesses the alert’s validity and assigns a confidence score. Google stated that the system is built for explainability, providing analysts with a clear record of the investigation steps and data sources used to reach its conclusions. According to the company, feedback from private preview participants, including financial services firms and major retailers, indicated substantial time savings in their security workflows.
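To make the investigation plan described above concrete, here is an added example (not Google's code, and not taken from the product) of a minimal triage routine: it reconstructs the alerting process's ancestry, decodes a base64-encoded PowerShell argument, consults a stand-in threat-intelligence hash list, and returns a verdict with a confidence score and an explainable log of the steps taken. All telemetry, hashes and weights are constructed for illustration.

```python
import base64
import re

# Constructed sample telemetry for one alert (not real data): parent/child process events.
EVENTS = [
    {"pid": 100, "ppid": 1, "name": "explorer.exe", "cmd": "explorer.exe", "sha256": "aaa"},
    {"pid": 200, "ppid": 100, "name": "winword.exe", "cmd": "winword.exe invoice.docx", "sha256": "bbb"},
    {"pid": 300, "ppid": 200, "name": "powershell.exe", "sha256": "ccc",
     "cmd": "powershell.exe -enc " + base64.b64encode("whoami".encode("utf-16-le")).decode()},
]
# Constructed stand-in for a threat-intelligence lookup: hashes already known to be bad.
KNOWN_BAD_HASHES = {"ccc"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

def build_process_chain(events, pid):
    """Reconstruct the ancestry of a process by following ppid links back to the root."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]  # root first, alerting process last

def decode_encoded_command(cmd):
    """Return the plaintext of a PowerShell -enc (base64 UTF-16LE) argument, or None."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_alert(events, alert_pid, bad_hashes=KNOWN_BAD_HASHES):
    """Run a fixed investigation plan; return verdict, confidence and an explainable step log."""
    proc = next(e for e in events if e["pid"] == alert_pid)
    chain = build_process_chain(events, alert_pid)
    steps, score = [f"process tree: {' > '.join(chain)}"], 0.0
    if any(p in OFFICE_APPS for p in chain[:-1]):  # an Office app is an ancestor of this process
        steps.append("office application spawned a scripting host (+0.4)")
        score += 0.4
    decoded = decode_encoded_command(proc["cmd"])
    if decoded is not None:
        steps.append(f"decoded -enc payload: {decoded!r} (+0.3)")
        score += 0.3
    if proc["sha256"] in bad_hashes:
        steps.append("threat intel: binary hash is known bad (+0.3)")
        score += 0.3
    verdict = "true positive" if score >= 0.5 else "likely false positive"
    return {"verdict": verdict, "confidence": round(score, 2), "steps": steps}
```

The `steps` list is the explainability record: every point of confidence is tied to a named check and its evidence, so an analyst can audit how the verdict was reached.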
Availability and Future Plans
The public preview is now available for all eligible Google Security Operations Enterprise and Enterprise Plus customers to opt into. Following enrollment, the agent will begin processing alerts automatically. Google plans to move the agent to general availability in 2026, with further enhancements planned for its investigation capabilities and workflow integration.
