Last week at Wizdom NYC, our first ever user conference, we introduced the Blue Agent to help your SOC accelerate cloud threat detection and response.
The Agent, now an integral part of the Wiz Defend experience, brings the power of AI and the context of the Wiz platform to threat investigation and response. Its mission is simple: investigate threats as they trigger, and empower your team to focus on what matters most. Trained on our Incident Response team’s expertise and powered by the full context of your cloud environment, the Agent lets your team focus on meaningful work instead of manual, pivot-heavy triage.
Meet your newest SOC teammate
When a new threat hits your environment, seconds matter. But for many teams, those seconds are lost to pivoting during triage - checking a new piece of information, gathering context, and chasing down loose ends. The Blue Agent takes on that work for you by automatically triaging every new threat in Wiz, collecting context from across your cloud environment and generating a transparent verdict in moments. The Agent’s investigation process is powered by two main sources of information: the full context of your environment from the Wiz platform, and our internal IR knowledge base. This knowledge base is maintained and constantly refined by our IR team, embedding their real-world investigation expertise directly into the agent's logic.
It’s not a black box. The Agent shows every step of its reasoning so analysts can validate conclusions, build trust, and act faster. With full access to Wiz tools, such as cloud events, detections, and risk analysis findings, it runs specialized investigations tailored to your environment. Each investigation step influences the next, ensuring that the investigation is tailored to each specific threat and mimicking a SOC analyst’s flow.
We have been seeing really interesting things out of the Blue Agent already. It is driving faster decision-making and dispositioning of alerts, especially in cases of anomalous behavior
Justin Lachesky, Director of Cyber Resilience at Redis
A day in the life: the Blue Agent at work
8:00 AM – A new threat emerges
A new threat appears in Wiz Defend. Before an analyst even opens it, the Blue Agent begins investigating — pulling related events, identifying behavioral patterns, and checking for potential blast radius. Because the Agent is trained on our IR knowledge base, it investigates your environment with the same approach our own IR experts use — applying their methods and insight to every incident.
8:03 AM – Investigation underway
It correlates runtime signals, network telemetry, and cloud context from across your entire environment, leveraging the deep visibility and knowledge that the Wiz product has of the cloud environment.
8:05 AM – Verdict delivered
The Agent flags the behavior as a planned action, providing a full summary of its reasoning. A SOC analyst can see exactly what the Agent analyzed, what its key findings were, the evidence pulled from across the platform to generate its conclusion, and the Agent’s confidence level in its verdict. This information and transparency ensures that trust is built between the Agent and the SOC analyst
8:10 AM – Analyst in the loop
The analyst reviews the verdict, validates the logic, and validates that this is a planned action — skipping hours of manual triage to deliver a verdict on this high severity alert.
Throughout the day, the agent continues to monitor, investigate, and explain every new or updated threat — ensuring threats are triaged and investigated with full transparency.
Transparent. Trustworthy. Always learning.
AI in the SOC only works when analysts can trust it. The Blue Agent was built for exactly that — clarity, not mystery. The Agent is always learning, continuously refining its investigation process based on both user feedback and our consistently updated IR team knowledge base. This ensures that the Agent’s methodology is always up to date based on the latest threat intelligence and IR techniques.
My favorite thing about the Blue Agent is how quickly it allows us as human analysts to understand why an alert happened, what it means, and contextualize it within our environment
Justin Lachesky, Director of Cyber Resilience at Redis
Why it matters
With the Blue Agent, security operations teams can:
Sharpen and accelerate response by prioritizing the alerts that have been verified and contextualized by the AI Agent, reducing MTTR and MTTA
Focus on high value and strategic work rather than burdensome and pivot-heavy investigation
Uplevel their team with baked-in cloud triage and investigation expertise
Scale the SOC without scaling headcount
The result is a faster, more efficient SOC — one where analysts can focus on investigation and strategic work, not low level triage efforts.
The future of the SOC, powered by Wiz
The Blue Agent is just the beginning of what’s possible when AI meets the full context of the Wiz platform. By pairing human expertise with transparent automation, Wiz is helping security teams everywhere move faster and defend smarter — all on one unified platform.
Learn more about AI on the Wiz platform by reading our most recent blog posts
