Minus Seven Days to Exploit: Google Deploys Autonomous Security Agents

cloud.google.com · @frontier_wire · 1 hour ago · Cybersecurity · 1 comment

Google Security Operations now ships three Gemini-native agents that autonomously generate detections, investigate alerts, and hunt for stealthy threats, aiming for a 70% reduction in breach costs.

Tags: google cloud, google security operations, ai threat defense, detection engineering agent, mandiant, autonomous security

Adversaries now exploit vulnerabilities an average of seven days before a patch ships, according to M-Trends 2026. That means your vulnerability window doesn't start when a patch is issued—it starts weeks earlier.

I've seen enough SOCs drowning in alerts to appreciate the scale of this. The 2026 Verizon Data Breach Investigations Report found only 26% of vulnerabilities on the CISA KEV list had been fully remediated across 13,000 organizations. The median time to patch after detection? 43 days. You can't close that gap with manual triage.

Three Autonomous Agents for Three Defense Stages

Google Security Operations just shipped three Gemini-native agents that operate at machine speed across detection, response, and hunting. Together with the previously announced AI Threat Defense framework, they aim to shrink the mean time to respond from minutes to seconds, and Google claims a 70% reduction in breach risks and costs.

Detection Engineering Agent: Closing Coverage Gaps Before Exploits Hit

Available in preview, the Detection Engineering agent ingests intelligence from Google Threat Intelligence, Mandiant attack pattern reports, red/purple team output, autonomous malware analysis, and open-source detection repos. It then automatically translates new exploitation patterns into custom YARA-L rules for your environment, validated with synthetic events.

Google ran the agent against the recent Axios supply chain attack (UNC1069). The agent mapped the campaign into behavioral threat detection opportunities, simulated the attack chain with synthetic UDM logs, and exposed blind spots: Google's existing rules caught the middle execution phases (renamed PowerShell and macOS background shells) but missed the initial NPM postinstall dropper and the final C2 exit. The agent wrote new rules to close both ends of the kill chain.
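The coverage-gap exercise described above, reduced to its core, as an added example that is not Google's code: a synthetic kill chain is replayed through detection predicates, the stages no rule fires on are reported as blind spots, and two added rules close both ends. The event fields loosely mimic UDM process-launch records, but the field names, the rule logic and every event value are constructed for this demo.

```python
# Added example (not Google's code): detection-coverage check over synthetic events.
# Events, field names and rule logic are constructed; real UDM fields differ.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:             # constructed, UDM-like process launch record
    stage: str           # kill-chain stage the synthetic event simulates
    parent: str          # parent process image name
    cmdline: str         # launched command line
    dest_port: int = 0   # outbound port, 0 if the event has no network egress

# Synthetic attack chain modelled on the page's description (constructed data)
CHAIN = [
    Event("initial_access", "npm", "node -e \"require('child_process').exec('sh setup.sh')\""),
    Event("execution", "cmd.exe", "C:\\Users\\a\\updater.exe -w hidden -enc <blob>"),
    Event("execution", "launchd", "/bin/bash -c 'nohup ./helper &'"),
    Event("c2", "helper", "curl -s https://cdn.placeholder.invalid/beacon", 443),
]

BROWSERS = {"chrome", "firefox", "safari"}   # parents allowed to talk TLS via curl here

# Existing rules: they catch the middle phases only (renamed PowerShell, macOS bg shell)
def renamed_powershell(e): return "-enc" in e.cmdline and "powershell" not in e.cmdline.lower()
def macos_background_shell(e): return e.parent == "launchd" and "nohup" in e.cmdline

# Rules an agent would add to close both ends of the kill chain
def npm_postinstall_dropper(e): return e.parent == "npm" and "child_process" in e.cmdline
def c2_exit(e): return e.dest_port == 443 and e.parent not in BROWSERS and "curl" in e.cmdline

EXISTING = {"renamed_powershell": renamed_powershell, "macos_background_shell": macos_background_shell}
ADDED = {"npm_postinstall_dropper": npm_postinstall_dropper, "c2_exit": c2_exit}

def coverage(rules, chain):
    """Replay synthetic events through the rules; return stage -> set of firing rule names."""
    hits = {}
    for e in chain:
        fired = {name for name, rule in rules.items() if rule(e)}
        hits[e.stage] = hits.get(e.stage, set()) | fired
    return hits

def blind_spots(rules, chain):
    """Stages of the chain that no rule fires on: the gaps a new rule has to cover."""
    return sorted(stage for stage, fired in coverage(rules, chain).items() if not fired)

if __name__ == "__main__":
    print("gaps before:", blind_spots(EXISTING, CHAIN))            # ['c2', 'initial_access']
    print("gaps after: ", blind_spots({**EXISTING, **ADDED}, CHAIN))  # []
```

The same replay is what makes a freshly generated rule trustworthy: it must fire on the synthetic event for its stage and stay silent on the others before it is promoted to production.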

Triage and Investigation Agent: 5M Alerts Investigated in 60 Seconds Each

This agent is generally available and already handling real workloads. Google reports it has investigated over 5 million alerts, turning what used to be a 30-minute manual analysis into 60 seconds with Gemini. It autonomously gathers evidence, provides verdicts with explanations, and can close false positives or escalate high-priority threats.

The real power comes from combining these AI agents with deterministic enterprise playbooks. Agentic automation (preview) lets analysts stay in control of critical actions while AI handles the grunt work—gathering evidence, reasoning through complex alerts, and executing remediation workflows.

Threat Hunting Agent: Proactive Retroactive Scans at Petabyte Scale

Even autonomous detections miss stealthy adversaries and zero-days. The Threat Hunting agent (preview) scours petabytes of enterprise telemetry—including historical logs—for subtle anomalies. It shifts the SOC posture from purely reactive to deeply proactive, hunting for novel attack patterns that bypass frontline controls.

Google's bet is that by integrating these three agents into a single operational fabric, organizations can maintain resilient defense even when primary controls fail. The agents don't just react; they continuously audit coverage and autonomously plug holes. That's the only way to stay ahead when exploitation happens before the patch is released.


Source: Detecting and containing AI-powered threats with Google Security Operations agents
Domain: cloud.google.com