Google has launched a public preview of its innovative Alert Triage and Investigation agent, a smart AI tool built right into Google Security Operations (SecOps).
This agent aims to ease the heavy workload on security teams by automatically handling routine alert checks, letting analysts focus on real threats.
Drawing from the company’s “Agentic SOC” vision, in which AI agents automate workflows, this preview marks a significant step toward smarter security operations.
It’s designed for enterprise users and uses Mandiant’s expert practices to make quick, reliable decisions on alerts.
The agent tackles a common pain point: alert overload. Security operations centers (SOCs) often drown in notifications from SIEM systems, many of which turn out to be benign.
Instead of manual digging, the agent steps in to triage and investigate autonomously.
It starts by scanning alerts for indicators of compromise (IoCs), entities like user accounts or devices, and tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework.
Early customer tests, including those from financial firms and large retailers, show it cuts investigation time by summarizing data and running complex queries without human input.
One analyst noted that it builds trust through clear explanations, helping determine whether an alert needs to be escalated.
At its core, the agent follows a structured, dynamic process inspired by Mandiant’s frontline analysis.
Upon receiving an alert from Google SecOps’ detection engine (the preview covers native alerts, but not those arriving through SOAR connectors), it creates an investigation plan.
This plan adapts based on initial data gathering, prioritizing high-risk elements.
Technical highlights include dynamic search queries using YARA-L, a rule-based language for malware detection.
The agent crafts and runs these queries to pull relevant events from your environment, then summarizes the results in plain language, showing the exact query, the search intent, and the findings.
For threat context, it enriches IoCs with Google Threat Intelligence, pulling data from Mandiant experts, VirusTotal crowdsourcing, and Google’s global visibility.
This links alerts to broader campaigns, like APT group activities, with verifiable source links.
Other tools shine in depth: command-line analysis decodes obfuscated scripts (e.g., Base64-encoded payloads) to explain their intent and impact.
Process tree reconstruction builds a visual map of related activities by querying child processes and telemetry data, thereby revealing attack chains.
At the end, it delivers a verdict, True Positive (escalate for human review) or False Positive (dismiss), with a confidence score based on the strength of the evidence.
Everything is explainable: the agent lists steps, sources, and reasoning, avoiding black-box AI pitfalls.
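To make the three tool steps above concrete, here is an added example that is not Google's code and does not reproduce the agent's logic: a small, explainable triage pass over constructed process telemetry. It decodes a PowerShell `-EncodedCommand` value (Base64 over UTF-16LE), rebuilds the parent/child process tree, consults a constructed threat-intel table in place of a real enrichment lookup, and returns a True/False Positive verdict with a confidence score and a list of reasoning steps. All event data, hashes, evidence weights and the 0.5 threshold are assumptions made for the example; the encoded payload is a harmless `Write-Output` so the script runs offline.

```python
"""Added example (not Google SecOps code): explainable triage over constructed telemetry."""
import base64
import re
from collections import defaultdict

# Constructed, harmless payload: PowerShell encodes the script as UTF-16LE, then Base64.
_BENIGN_PS = "Write-Output 'hello from the example'"
_ENCODED = base64.b64encode(_BENIGN_PS.encode("utf-16-le")).decode()

# Constructed process-launch events; hashes are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe", "sha256": "placeholder-hash-a"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docx", "sha256": "placeholder-hash-b"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}",
     "sha256": "placeholder-hash-c"},
]

# Constructed stand-in for a threat-intelligence enrichment lookup.
KNOWN_BAD_HASHES = {"placeholder-hash-c": "constructed-example-family"}

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def build_process_tree(events):
    """Map each parent pid to the list of its direct child pids."""
    tree = defaultdict(list)
    for ev in events:
        tree[ev["ppid"]].append(ev["pid"])
    return dict(tree)


def ancestry(events, pid):
    """Walk ppid links upward; return image names from the root down to pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events, alert_pid):
    """Gather weighted evidence for the alerted process and explain the verdict."""
    by_pid = {ev["pid"]: ev for ev in events}
    target = by_pid[alert_pid]
    evidence = []  # (weight, explanation); weights are constructed for this example

    chain = ancestry(events, alert_pid)
    if target["image"] == "powershell.exe" and "winword.exe" in chain[:-1]:
        evidence.append((0.35, "Office application spawned PowerShell: "
                         + " -> ".join(chain) + " (ATT&CK T1059.001 lineage)"))

    decoded = decode_encoded_command(target["cmdline"])
    if decoded is not None:
        evidence.append((0.25, f"Decoded -EncodedCommand payload: {decoded!r}"))
    if re.search(r"-W(?:indowStyle)?\s+Hidden", target["cmdline"], re.IGNORECASE):
        evidence.append((0.15, "Hidden window flag present on the command line"))

    family = KNOWN_BAD_HASHES.get(target["sha256"])
    if family:
        evidence.append((0.25, f"Image hash matched intel entry '{family}' (constructed lookup)"))

    confidence = round(min(1.0, sum(w for w, _ in evidence)), 2)
    verdict = "True Positive" if confidence >= 0.5 else "False Positive"  # assumed threshold
    return {"verdict": verdict, "confidence": confidence,
            "reasoning": [why for _, why in evidence],
            "process_tree": build_process_tree(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, alert_pid=300)
    print(result["verdict"], result["confidence"])
    for step in result["reasoning"]:
        print(" -", step)
```

The point of the `reasoning` list is the explainability the article stresses: every contribution to the score is a sentence an analyst can check against the raw event, and a verdict with no supporting entries (as for the `explorer.exe` process here) lands as False Positive with confidence 0.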
Powered by Google’s tech stack, it leverages Gemini AI models via Vertex AI for natural language processing and decision-making.
Mandiant’s knowledge is baked in for accuracy. At the same time, ongoing evaluation compares agent verdicts with those of human experts using “golden datasets” and auto-evaluators.
Eligible SecOps Enterprise or Enterprise Plus users can easily opt in: click the Gemini icon, go to investigations, and enable it.
Alerts trigger automatically or manually via a “Run Investigation” button. Feedback via in-app thumbs helps refine it.
Google plans general availability in 2026, expanding tools and SecOps integrations.
This agent not only speeds triage but empowers SOCs to handle more threats efficiently, blending AI smarts with human oversight.