Transcript for "Meet Wiz's AI Agent Built for Cloud SOC Teams": Hello, everyone. Good morning, good evening, good afternoon from wherever you are tuning in from, and welcome to today's fifteen minute live demo on Wizz's SecOps AI agent with Tal. We are so excited for you to be joining us today, we appreciate you taking the time from your busy schedule to join us. If you do have questions throughout the demo, please feel free to throw them in the chat or in the q and a, and we will be do our best to get to them at the end of the demo. And with that, let's get started because we only have fifteen minutes. I don't wanna waste any more time. So I'm excited to pass it over to Tal who will jump right into the WizSecOps agent. Tal, all you. Okay. Thank you, Alex. Hope everyone can hear me okay. I'm gonna as much as I love sharing tabs, it's never, like, super easy. So okay. Seems like it worked. So hi, everyone. Thank you all so much for joining. My name is Tal. I am the product marketing manager working on WizDefend, our cloud threat detection and response product, working alongside a wonderful, wonderful team here at Wiz for all of your SecOps needs. Today, I'll be giving you guys a bit of an overview on how we actually utilize AI and AI agents within the Defend platform, a little bit about our SecOps AI agent, and also showcase in our environment what this actually looks like and where it can help your team. So just to kind of level set, we know that AI is top of mind for everyone all the time. But just to really reiterate, AI is everywhere. It's helping developers develop faster and helping change the world in so many ways. But as developers are becoming more productive, we've seen this introduce a new set of risks and much, much more risk within platforms and for security organizations. We also know that AI threats are here. We have a new there are new targets, faster speed, and much greater impact, which is especially difficult for SecOps organizations that may still be adjusting to the new cloud reality or may still be upscaling to actually catch and respond to cloud attacks. They have to respond even faster. So we see this new AI stack introducing new types of attack vectors, accelerating the weaponization of threats, and widening the blast radius, making life even more difficult and complicated for our SecOps practitioners. But we here at Wiz do feel pretty confident about our favorite word, context. We know that AI needs context and that defenders have it, especially defenders that use Wiz. So we know that context is really the secret to helping defenders defend against attackers, make sure that they can respond in a timely manner, and have all of the information they need to investigate and respond properly, efficiently, and quickly. So as a high level overview, we're gonna talk today about our SecOps agent, which is your in platform agent available for you to detect, investigate, and respond to active threats in real time. So as, again, our favorite word, context, our agent takes in context really from across your entire Wiz platform, your open issues, detections, cloud events, and any findings, malware findings, data findings, secret findings, your attack surface. Across all of your different Wiz tools, the agent takes in all of that great context to help actually generate its verdicts. It also is trained on our IR knowledge base. So for those of you who may or may not know, back around November, we launched a new incident response service and team at Wizz. We have a wonderful team of incident responders who have experience responding to hundreds of attacks in the cloud. And every time they actually respond to a new attack, notice something new in the environment, they write down their investigation scenarios and feed our knowledge base to ensure that the agent actually investigates scenarios as they would. What does the agent do with this knowledge base that's trained on in all of this data? When a threat is triggered when a threat is detected in your environment, it triggers our AI agent to run and generate a verdict. So it will generate a clear verdict for you on the actual severity of the threat and showcase to you its investigation process and the steps that it took to generate that verdict. It'll also give you its confidence level. How confident is it in the actual verdict that it generated? Again, it'll show you the step by step investigation process that it took and give you the opportunity to dive deeper into certain steps that you may be interested in. And, eventually, it will also recommend response actions based on its verdict. So the agent, aside from taking in knowledge from the IR knowledge base and across your entire environment, is powered by a couple of different subagents. Our code analysis subagent really taking this context, shifting it left, and taking an understanding of applications to inform its verdict. And from the right with our forensic sub agent, actually understanding the root cause analysis and using that information and analysis to generate a higher confidence and clearer verdict. And just as a quick overview, typically, we see customers and users deploying and using DEFEND within their workflows in any way that fits. We integrate extremely well into your workflows. But what we'll often see is teams actually doing their detection, investigation, and response within WizDefend using the SecOps agent. So actually going into the platform to do the investigation or, for example, porting in verdicts into a SIEM to conduct investigations, potentially even querying our Wizz MCP server for detections or for BlueAgent verdicts to inform and work through the rest of their workflows. But, again, we really see the benefit in actually conducting your investigation within the DEFEND platform given that the agent is embedded directly into the platform. So I'm gonna share a different tab because I have a couple of them. And let's go through and take a look at what this actually looks like in our platform. So for those of you guys that may be familiar with Wiz, we have our lens here. If we go into our threat detection and response lens, we see a bunch of different threats that have popped up in your environment over the past couple of days. We also have a column here for the verdict of the SecOps agent. So you'll see some some sample verdicts here, like planned action, security test, malicious. And let's actually click into this threat. So we have a threat. Fileless execution was detected. So we know that as Wiz, what we really love is making sure that you have a clear understanding of what's going on in your environment. And we get that through our AI powered story, our easy investigation graph, and our timeline. But the AI agent goes one step further and gives you a very clear high level overview of its interpretation of what's going on with this attack. So we see here that this threat was classified as malicious by the agent, that this threat represents a genuine malicious attack on an intentionally vulnerable container. While it was deployed for testing purposes with recredentials, our forensic analysis confirmed the execution of a malicious Python reverse shell, which distinguishes this incident from previous planned testing activities. This verdict was provided by the blue agent. If you see blue agent, that's another way to refer to the SecOps agent. But this was provided by our agent with high confidence. And we also have available for you here some thumbs up, thumbs down to help us continue to improve the agent and ensure that its investigations are accurate. And after going through the high level overview, you can actually step by step view the investigation process that this agent took. So we can see that the agent really worked through this like an actual IR analyst would. It identified a container it identified a container as a server with suspicious activity, discovered a clear attack change showing compromise followed by file less execution, and then actually went through the forensics and confirmed a malicious reverse shell payload in this fileless execution, which increased its suspicion and led it to actually classify this as a true malicious attack. And if you go through here, let's say you're curious about why it did this particular thing or you want to actually dive in deeper and say, search the detections that informed this, you can go in and look at where the agent pulled its information from and do even more triage. We think this is super powerful for our investigators because, again, we have the context that you need to actually actively, easily, and quickly respond to threats. This puts it all together in an easily identifiable, clear way requiring limited to no pivoting across different platforms, limited to no actual stitching together of information. Everything is available for you here and ready for you to either say, okay. Sounds great. I'll move on as if this threat was classified malicious or go through validate very, very easily the actual verdict on here. I think we have maybe a couple more minutes to work through another really fun example of a psych ops agent in the platform. Platform. If I can, again, find the correct tab. Let's go here. So something else interesting that I did wanna call out is if you go into our Lens, you may see a new and surprising exciting lens called AI security. If we go into this lens and we go to our dashboard, we can see this as your AI security lens. You can get an overview of your AI security issues by severity, your top AI risks, external exposure, AI with access to sensitive data, a ton of really great information about AI risk in your environment. And if we go to threats on here, we see this threat DNS query for a non crypto mining domain that was actually classified as a security test. This is kind of, like, a constant fun little competition we have going on between our demo team and our SecOps AI agent. I like to tell a demo team that our agent is so great that it catches them trying to do fun little security texts. So we always have to think about how are we gonna fool the agent and then teach the agent how we fooled it. So it's very interesting to run a demo environment environment and run a demo with a very, very smart agent. It's been a really interesting question. So what I think is really interesting here is that this threat was classified as a security test, but actually looking at the investigation process is even more interesting. So the agent really took together different elements of context and made a conclusion based off of them. So we looked at it identified similar cryptomining threats across the environment, connected that to the forensic analysis, which revealed an authorized security testing scenario, and actually went through the timeline and confirmed that this was an execution pattern. This is all information that we have access to, and we can generate detections from this information. But hard coding a detection like this is quite difficult. It's something that an actual, say, AI agent or person needs to have the context and the environment of and the actual thought to go look at these different pieces of context and link them together effectively to make a conclusion. And I think that this is super cool. I think it's a game changer. And, again, I think it's it's something that seems kinda small like, okay. This threat was classified as security test. But the way it actually went through and investigated and tied disparate pieces of information and context together to generate a conclusion, I think, is super cool, and it really showcases the power of the agent on our platform. We really see this as a force multiplier for psychos practitioners and, again, just helping psychos practitioners do their job better and faster with at least as little pivoting as possible. Okay. I only talked to you guys for about, like, maybe thirteen minutes. I do see some questions coming up in the chat. So I see a question from Gabriel Howard. When will the AI Sock agent be available? So this is actually available for you in your environment currently. Let me share my screen and show you how you can take a look. So if you go to your preview and migration hub, if you search in the bar and you go to the preview and migration hub, and if you search for sec oh, I'm excited. It should be actually, I may be wrong. It may just be turned on automatically for you. We are GA ing the SecOps agent in maybe three weeks. So they actually changed the name of the preview. But if you go here to preview hub and you search for automate threat investigation with the WizBlue agent, you can just click to enable up here, and it'll be available. And it will just show up in your environment. It'll show up on all of your threats, and you can enable it there. There is no additional cost to the Blue Agent at this point. Again, the agent will go GA in a couple of weeks, but you have access to the Blue Agent if you have access to defend, which means that you have access to threats in your environment. So I'll mark that as answered. How does the SecOps agent relate to Mika AI? That's a very interesting question. The SecOps agent and Mika AI, I think they all run on a very similar back end, but the SecOps agent is really specific to threat triage and investigation. Mika AI is still around and available for you to ask questions about the Wiz platform. The PsychOps AI agent is really built specifically for psych ops practitioners and those investigating, triaging, and responding to threats. Me take a look at what else we have that I can answer today. Is defending? I'm not sure if I understand some of the additional questions, but I think if there are any more specific, it seems like some product questions about getting detections from a SIM, false positive rates using Microsoft Defender for endpoint security. I think maybe that's best left to a follow-up with our product managers after this call. So I'll take a look if there's any more specific questions about the agent. And otherwise, I will leave you guys with this information. Again, please keep an eye on our Wiz platform. We released a blog about our SecOps agent maybe back in November where we announced it in public preview at Wisdom, our Wiz conference. We have a ton of information there about the agent. You can read more. And keep an eye out. We're gonna have some other very exciting announcements about AI and AI security that may answer some of the other questions that I see in the chat about more so, specifically, like, AI threat detection and response. But I do wanna be mindful of everyone's time given that this is supposed to be a fifteen minute demo. Alex, is there anything that I've missed in in my discussion so far? I know you're backstage. No. I think this was great. As Tal said, the Blue agent will be GA ing soon. Blue is the SecOps agent. So sorry. Apologies that we keep interchanging it. But Blue Agent is SecOps agent. They are the same thing. They're not different. So and then keep an eye out on some future announcements to come. Those will be coming out soon. But thank you all for joining. Again, we do wanna be mindful of the time. So, this this demo was being recorded, so we will be sharing the recording. You should have it probably tomorrow morning. And if you check out the docs in your in the where you guys were submitting the q and a in the chat, there is that blog that Tal was, referring to that talks about more about the AI agent specifically that was announced at Wisdom, back in November. With that, thank you all. We'll leave you guys to it, and I hope you guys have a great rest of your day. And for the questions that we didn't, weren't able to answer, we will be sharing that with our product team and get back to you guys. Thanks all. Bye. Thank you all so much. We really appreciate your time.