Red Canary AI agents cut security investigation times by 90%
Red Canary launches AI agents that reduce security investigation times by 90%, automating tier 2 tasks with expert-level speed and accuracy.
Red Canary has unveiled a suite of AI agents designed to perform Tier 2 security investigations with the speed and precision of seasoned analysts. These agents have already conducted over 2.5 million investigations, slashing average investigation times by 90%. Trained on a decade of operational data, the agents excel at contextual gathering, alert enrichment, and recommending actions for identified threats, aiming to reduce alert noise and help security teams manage evolving risks without added complexity.
Automating Manual Security Tasks
The AI agents specialize in every phase of detection, investigation, and response, covering roles such as:
- SOC analyst
- Detection engineering
- Threat intelligence
- User analysis
They automate both Tier 1 and Tier 2 tasks across environments like cloud, identity, SIEM, and endpoint systems, enabling faster root cause analysis and remediation. A dedicated threat intelligence agent compares threats against known profiles, identifying new trends and enhancing intelligence operations.
Efficiency and Impact
Red Canary reports that customers have reduced investigation times from over 20 minutes to under three minutes on average, with a 99.6% customer-validated true positive rate. The system is enterprise-grade, trained on 10 years of real-world data, and continuously overseen by security operators to ensure reliability.
"Several years ago, we introduced automation to replace repetitive Tier 1 work," said Brian Beyer, CEO and Co-founder of Red Canary. "Now, by combining the best of agentic AI with AI agents equipped with years of frontline experience, we're accelerating Tier 2 investigations with the speed of automation and the judgment of experienced analysts. This allows our detection engineers to focus on Tier 3-level analysis, delivering deeper insights for customers."
Practical Use Cases
- Anomalous Login Detection: A user behavior analysis agent flagged a suspicious Salesforce login missed by other tools. A reputation analysis agent added context by linking the login to a high-risk IP. Red Canary validated the threat, enabling the customer to reset passwords and contain the breach within minutes.
- Compromised Account Response: Agents detected a compromised account through alert enrichment and user behavior analysis, identifying suspicious app and proxy activity from an unfamiliar ISP and location. A Red Canary engineer confirmed the compromise, prompting a swift response from the customer’s security team.
Agent Capabilities
The AI suite includes specialized agents for:
- Microsoft Defender for Endpoint
- CrowdStrike Falcon Identity Protection
- AWS GuardDuty
- Microsoft Sentinel
These agents deliver consistent procedures for their respective environments. A response and remediation agent provides actionable steps to address incidents and harden systems, while a user baselining and analysis agent flags deviations by comparing real-time behavior to historical patterns.
Human Oversight Remains Key
Red Canary emphasizes that its agents are not fully autonomous—their outputs are reviewed by experienced detection engineers to balance automation with human judgment. This approach reflects the broader trend in cybersecurity of leveraging AI to reduce manual workloads, speed up response times, and support overburdened security teams.
Red Canary’s focus remains on reducing noise, accelerating triage, and delivering expert analysis for every threat faced by its clients.