What Is Agentic AI? Autonomy, Risks, and the SOC
Agentic AI is a class of AI system that pursues a goal by planning steps, calling tools to act on each step, observing the result, and adjusting, all with limited human direction.
In November 2025, Anthropic reported a cyber-espionage campaign in which a Chinese state-sponsored group used an AI model to run 80 to 90 percent of the operation on its own: reconnaissance, vulnerability discovery, exploit development, credential harvesting, and data extraction across roughly thirty targets. Humans stepped in only at four to six decision points per campaign. The model did the rest, firing thousands of requests at peak.
That is agentic AI doing the work an analyst usually does, except it never gets tired and it does not wait for instructions between steps. The same property that makes it an attacker's force multiplier is why vendors are now wiring it into the SOC to triage alerts. Both sides of that coin are new, and most of the framing around them is still vendor marketing rather than settled doctrine.
This guide defines agentic AI precisely, separates it from generative AI and chat assistants, and then takes the security angle a defender needs: where agentic AI helps a SOC, and where it becomes an attack surface and a threat in its own right. It flags what is established (OWASP has shipped a threat taxonomy) versus what is still vendor framing (most "autonomous SOC" claims). It is written for blue teams: SOC analysts, detection engineers, and DFIR responders being asked to both use these systems and defend them.
What is agentic AI?
Agentic AI is a class of AI system that pursues a goal by planning a sequence of steps, calling tools to act on each step, observing the result, and adjusting, all with limited human direction. The defining trait is not that it generates text. It is that it takes actions in a loop until a goal is met.
Four capabilities separate an agent from a model that just answers:
- Autonomy. It executes multi-step tasks without a human approving each step. You give it a goal, not a script.
- Planning and reasoning. It decomposes a goal into subtasks, decides an order, and re-plans when a step fails or the environment changes.
- Tool use. It calls external functions: querying a database, hitting an API, running a script, searching the web, invoking another agent. This is how it acts on the world instead of only describing it.
- Memory. It keeps short-term context within a task and, in many designs, long-term memory across sessions, so it can carry state and learn from prior runs.
Underneath, most current agentic systems are built on a large language model as the reasoning engine, wrapped in an orchestration layer that gives it the tool-calling, memory, and planning loop. Multi-agent designs split a job across several specialized agents that coordinate. None of this requires a new kind of model. It requires giving an existing model the ability to act and the autonomy to keep acting.
That last point is the whole security story. A model that writes text can produce a wrong or malicious answer. An agent that holds credentials and calls APIs can take a wrong or malicious action, and then take the next one without anyone looking.
Agentic AI vs. generative AI vs. AI assistants
These three get used interchangeably in marketing, which is exactly why a defender needs the distinction clear before assessing risk. The risk scales with how much the system can do on its own.
| | Generative AI | AI assistant (copilot) | Agentic AI |
|---|---|---|---|
| Core action | Produces content from a prompt | Answers and drafts in a chat loop | Plans and executes multi-step tasks |
| Autonomy | None; one prompt, one output | Low; human drives every turn | High; pursues a goal across many steps |
| Tool use | Rarely | Sometimes, on request | Core; calls APIs, scripts, other agents |
| State | Stateless per call | Conversation context | Working memory plus, often, persistent memory |
| Human role | Writes each prompt | Approves each turn | Sets the goal, reviews at checkpoints |
| Main security concern | Bad or leaked output | Sensitive data in prompts | Unauthorized or manipulated actions |
Generative AI is the base layer: give it a prompt, get content. An AI assistant, or copilot, wraps a generative model in a turn-by-turn chat where a human stays in the loop and approves or rejects each response. Agentic AI removes the human from each step. You hand it an objective, and it runs the perceive-plan-act loop until it decides the objective is met.
The practical line for a defender: a generative model can say the wrong thing, and an assistant can say the wrong thing that a human then acts on, but an agent can do the wrong thing directly, because it holds the tools and the authority to act. Threat modeling has to follow the autonomy.
Where agentic AI is genuinely emerging vs. hype
Be honest about maturity, because the marketing is far ahead of the deployments. Gartner predicts that by 2028 at least 15 percent of day-to-day work decisions will be made autonomously by agentic AI, up from essentially zero in 2024, and that a third of enterprise applications will include it. The same analysts also predict that more than 40 percent of agentic AI projects will be canceled by the end of 2027, citing cost, unclear value, and inadequate risk controls. Both predictions are real and they describe the same thing: a category that is early, oversold, and moving fast.
For a SOC, the useful takeaway is not the forecast. It is that agents are arriving in your environment whether or not your security program planned for them, the same way shadow SaaS did, and that a meaningful share of early projects will fail in ways that leave half-built, over-permissioned agents behind. Plan for the reality, not the slide.
Agentic AI in the SOC
The pitch is straightforward. A SOC drowns in alerts, most of them false positives, and triage is repetitive multi-step work: pull the alert, gather context from a dozen tools, decide if it is real, escalate or close. That is exactly the kind of bounded, tool-heavy task an agent can run. This is the legitimate, shipping side of the category, and it is worth separating from the autonomous-SOC marketing.
The clearest production example is Microsoft's Security Copilot agents. In March 2025 Microsoft shipped an autonomous triage agent for user-reported phishing that classifies submissions, closes the false positives, and escalates only the real threats, and at Ignite in November 2025 it extended autonomous triage to identity and cloud alerts and added a multi-step investigation agent across Defender and Sentinel telemetry. The pattern is the same one a tier-1 analyst runs, handed to an agent: triage, enrich, decide, escalate.
Realistic near-term SOC uses, where the task is bounded and the cost of a wrong move is contained:
- Alert triage and enrichment. Gather context across tools, score an alert, and close or escalate. This is the highest-value, lowest-risk use because the agent's output is a recommendation a human still gates.
- Investigation support. Run the first pass of an investigation: pull related events, build a timeline, surface the entities involved, so the analyst starts from a brief instead of a blank screen.
- Response actions through guardrails. Tie an agent into a SOAR workflow so it can execute contained actions (isolate a host, disable an account), with the playbook defining hard limits on what it may touch.
Two cautions a practitioner should hold. First, an agent that can close alerts can close real ones; tuning that optimizes for fewer escalations can quietly raise your false-negative rate, so the agent's decisions need the same detection-quality review you give a rule. Second, a fully autonomous SOC is not here. What is shipping is agents doing bounded sub-tasks under human oversight. Treat "autonomous SOC" claims as roadmap, not product, and ask exactly which decisions the agent makes without a human.
Agentic AI as an attack surface
Turn the autonomy around and you have a new class of target. An agent holds credentials, calls tools, and acts on inputs it reads, which means an attacker who can influence those inputs can influence those actions. The established reference here is OWASP, which in 2025 moved agentic risk from theory into named, ranked categories rather than leaving it to vendor framing.
Two OWASP anchors matter. First, excessive agency (LLM06 in the 2025 OWASP Top 10 for LLM Applications): the risk created when an agent is given more functionality, permissions, or autonomy than its task requires, so that a wrong or manipulated model output turns into a damaging action. The three root causes OWASP names are excessive functionality, excessive permissions, and excessive autonomy. Second, in December 2025 the OWASP GenAI Security Project released a dedicated OWASP Top 10 for Agentic Applications, the ASI list, built specifically for the agentic threat surface.
The ASI Top 10 names the categories a defender should threat-model against:
| ID | Risk | What it means for a defender |
|---|---|---|
| ASI01 | Agent Goal Hijack | The agent's objective is redirected by malicious input |
| ASI02 | Tool Misuse | The agent is steered to use its tools for harmful ends |
| ASI03 | Identity & Privilege Abuse | The agent's credentials and permissions are abused |
| ASI04 | Agentic Supply Chain | Compromised tools, plugins, or model dependencies |
| ASI05 | Unexpected Code Execution | The agent runs attacker-influenced code |
| ASI06 | Memory & Context Poisoning | Persistent memory is tainted to steer future runs |
| ASI07 | Insecure Inter-Agent Communication | Trust between cooperating agents is abused |
| ASI08 | Cascading Failures | One failure propagates across an agent chain |
| ASI09 | Human-Agent Trust Exploitation | The human is manipulated through the agent |
| ASI10 | Rogue Agents | An agent operates outside its intended scope |
The mechanism behind most of these is prompt injection, which OWASP keeps at the top of its LLM list. An LLM takes instructions and data through the same channel, so an attacker can hide commands inside content the agent is asked to process. Indirect prompt injection is the dangerous form for agents: the agent summarizes a web page, reads a document, or processes an email that carries hidden instructions, and treats them as its own orders. Combine that with excessive agency (an agent with broad tool access and no human gate) and a poisoned document becomes an executed action. Memory poisoning (ASI06) makes it durable: taint the agent's long-term memory once and it steers later runs without a fresh injection.
For a blue team, the defensive principles are recognizable from least-privilege and zero-trust work, applied to a non-human actor: scope each agent's tools and permissions to the minimum its task needs, keep a human gate on high-impact actions, treat every external input the agent reads as untrusted, log every tool call and decision as an auditable trail, and isolate agents so one compromised agent cannot pivot through the rest. An agent is a privileged identity that also makes decisions, and it deserves the monitoring you give any privileged identity, plus monitoring of the decisions themselves.
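One way to put those principles into code, as an added example that is not from OWASP or any vendor product: a tool gateway in the orchestration layer that enforces a per-agent allowlist, holds high-impact tools behind a human approval callback, and records every decision as an audit trail. The agent name, tool stubs and policy are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ToolPolicy:
    allowed: frozenset       # least privilege: the only tools this agent may call
    high_impact: frozenset   # subset that never executes without a human approving


class Denied(Exception):
    pass


class ToolGateway:
    """Single chokepoint between the agent's plan and the tools it invokes."""

    def __init__(self, tools, policies, approver):
        self.tools = tools          # tool name -> callable (constructed stubs below)
        self.policies = policies    # agent id -> ToolPolicy
        self.approver = approver    # human gate: (agent, tool, args) -> bool
        self.audit = []             # every decision, executed or denied, is recorded

    def _log(self, agent, tool, args, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "agent": agent,
                           "tool": tool, "args": args, "outcome": outcome})

    def call(self, agent, tool, args):
        policy = self.policies.get(agent)
        if policy is None or tool not in policy.allowed:
            self._log(agent, tool, args, "denied:not_in_allowlist")
            raise Denied(f"{agent} may not call {tool}")
        if tool in policy.high_impact and not self.approver(agent, tool, args):
            self._log(agent, tool, args, "denied:approval_withheld")
            raise Denied(f"{tool} needs human approval")
        result = self.tools[tool](**args)
        self._log(agent, tool, args, "executed")
        return result


# Constructed stand-ins for SOC tooling; real ones would call the SIEM/EDR APIs.
TOOLS = {"query_siem": lambda host: f"{host}: 3 related events",
         "close_alert": lambda alert_id: f"closed {alert_id}",
         "isolate_host": lambda host: f"isolated {host}",
         "disable_account": lambda user: f"disabled {user}"}
# The triage agent never gets disable_account at all; isolation is gated by a human.
POLICIES = {"triage-agent": ToolPolicy(frozenset({"query_siem", "close_alert", "isolate_host"}),
                                       frozenset({"isolate_host"}))}


def run_demo(approve=lambda agent, tool, args: False):
    """Push three calls through the gateway and return the audit outcomes in order."""
    gw = ToolGateway(TOOLS, POLICIES, approve)
    for tool, args in [("query_siem", {"host": "ws-042"}), ("isolate_host", {"host": "ws-042"}),
                       ("disable_account", {"user": "svc-backup"})]:
        try:
            gw.call("triage-agent", tool, args)
        except Denied:
            pass
    return [entry["outcome"] for entry in gw.audit]
```

With the default approver withholding consent, the enrichment call runs, host isolation is held for a human, and the out-of-scope account action is refused before it reaches any tool.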
Agentic AI as a threat: autonomous attacks
The other direction is agentic AI in the attacker's hands, and this stopped being hypothetical in 2025. The Anthropic case in the opening is the clearest documented example: a state-sponsored group jailbroke a model and used it to run the bulk of an espionage campaign, with the AI handling reconnaissance, exploit development, credential harvesting, and exfiltration across roughly thirty targets while humans intervened only at a handful of decision points. The model issued thousands of requests at machine speed.
What changes for a defender is tempo and scale, not the fundamental tactics. The techniques are still the ones in MITRE ATT&CK; an agent runs reconnaissance, exploitation, and lateral movement the same way a human operator does. The difference is that an agent can run them continuously, in parallel, across many targets, and adapt between steps without waiting for an operator. The asymmetry that has always favored attackers (they need one way in; you have to cover everything) gets worse when the attacker can probe at scale without scaling a team.
This does not call for a new detection paradigm so much as it raises the value of the one you have. Behavioral detection, anomaly analysis, and tight egress control matter more when the adversary is faster and cheaper to operate. The defensive answer is partly to meet automation with automation: a SOC running agentic triage and well-tuned automation responds at a tempo closer to the attack's. Be cautious about the stronger claims, though. Vendor "AI versus AI" framing outruns what is demonstrated, and the documented autonomous campaigns still required human setup, jailbreaking, and direction at key points. The threat is real and growing; it is not yet the fully autonomous adversary the marketing implies.
Securing and monitoring agentic AI
Defending agentic AI splits into two jobs: securing the agents you build or buy, and getting visibility into the ones already running. The first is a design problem, the second is a detection problem, and the detection problem is the one most SOCs are unprepared for because their existing tools have no sensor pointed at agent behavior.
Endpoint and network tools see an agent as ordinary traffic. A prompt is an HTTPS request; an agent calling an API looks like a service account doing its job. The semantic layer (what the agent was told, what it decided, which tool it invoked and why) is invisible to EDR and SIEM as they are normally deployed. That gap is the reason the AI detection and response (AIDR) category exists: monitoring aimed at the AI layer itself, the prompts, agents, and tool calls that the rest of the stack treats as opaque.
A practical monitoring baseline for agents in your environment:
- Inventory. Know which agents exist, who owns them, what tools and data each can reach. Unknown agents are the agentic version of shadow IT.
- Log the decisions, not just the traffic. Capture each agent's prompts, tool calls, and outputs as an auditable trail. You cannot investigate an action you cannot reconstruct.
- Watch the tool calls. An agent invoking a tool outside its normal pattern, or at abnormal volume, is the agentic equivalent of anomalous process behavior, and it is where goal hijack and tool misuse show up.
- Gate high-impact actions. Keep a human approval step on anything destructive or irreversible, regardless of how confident the agent is.
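An added example (not code from any product this page names) of the inventory and "watch the tool calls" steps run over a constructed tool-call audit log: a per-agent baseline of normal tools and call rate yields findings for an agent nobody inventoried, a tool outside the agent's usual set, and a burst of close_alert calls of the kind the triage caution earlier on this page warns about. Agent names, tool names, timestamps and the threshold are all constructed.

```python
import json
from collections import defaultdict

# Constructed per-agent baseline; in practice learned from a known-good period
# and kept alongside the agent inventory.
BASELINE = {
    "triage-agent": {"tools": {"get_alert", "query_siem", "close_alert"},
                     "max_per_min": 20},
}

# Constructed JSON-lines audit log of tool calls: a normal triage pass, then a
# tool the agent never uses, a call from an agent nobody inventoried, and a
# burst of 25 close_alert calls inside one minute.
LOG_LINES = "\n".join([
    '{"ts":"2025-11-20T09:00:01Z","agent":"triage-agent","tool":"get_alert"}',
    '{"ts":"2025-11-20T09:00:03Z","agent":"triage-agent","tool":"query_siem"}',
    '{"ts":"2025-11-20T09:00:09Z","agent":"triage-agent","tool":"close_alert"}',
    '{"ts":"2025-11-20T09:01:15Z","agent":"triage-agent","tool":"disable_account"}',
    '{"ts":"2025-11-20T09:02:00Z","agent":"unknown-agent-7","tool":"query_siem"}',
] + [json.dumps({"ts": f"2025-11-20T09:03:{i:02d}Z", "agent": "triage-agent",
                 "tool": "close_alert"}) for i in range(25)])


def detect(lines, baseline):
    """Return (ts, agent, finding, detail) tuples for calls that break the baseline."""
    findings = []
    calls_per_minute = defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts, agent, tool = rec["ts"], rec["agent"], rec["tool"]
        profile = baseline.get(agent)
        if profile is None:
            # Inventory gap: an agent with no owner and no baseline is shadow IT.
            findings.append((ts, agent, "unknown_agent", tool))
            continue
        if tool not in profile["tools"]:
            # A tool outside the agent's normal set is where goal hijack and
            # tool misuse surface first.
            findings.append((ts, agent, "unexpected_tool", tool))
        minute = ts[:16]                      # bucket by YYYY-MM-DDTHH:MM
        calls_per_minute[(agent, minute)] += 1
        if calls_per_minute[(agent, minute)] == profile["max_per_min"] + 1:
            # Fire once per minute bucket, on the call that crosses the limit.
            findings.append((ts, agent, "volume_spike", minute))
    return findings
```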
None of this is exotic. It is least privilege, logging, anomaly detection, and human-in-the-loop, applied to a new kind of actor. The hard part is that the actor reasons and acts on its own, so the monitoring has to cover the reasoning and the action, not just the packets.
The bottom line
Agentic AI is the step past generative AI: a system that does not just produce output but plans, uses tools, and acts toward a goal with limited human direction. Autonomy, planning, tool use, and memory are what separate it from a chatbot, and they are also exactly what makes it a security problem. An agent that can act can take a wrong or manipulated action, and then take the next one unsupervised.
For a defender, hold the two sides apart and keep them honest. Agentic AI in the SOC is real but bounded: agents triage and investigate under human oversight, and the fully autonomous SOC is roadmap, not product. Agentic AI as a threat is also real: OWASP has shipped named risk categories, prompt injection and excessive agency are the mechanisms to model against, and 2025 produced the first documented mostly-autonomous attack campaign. The fundamentals that answer it (least privilege, logging, anomaly detection, human-in-the-loop, monitoring of the AI layer) are not new. What is new is the actor they have to be applied to: one that reasons and acts on its own.
Frequently asked questions
Agentic AI is an AI system that pursues a goal on its own by planning steps, using tools to act on each step, and adjusting based on what happens, with limited human direction. The key difference from a chatbot is that it takes actions (calling APIs, running scripts, querying data) rather than only producing text. You give it a goal instead of a prompt, and it works the steps until the goal is met.
Generative AI produces content in response to a single prompt and then stops. Agentic AI uses a generative model as its reasoning engine but adds autonomy, planning, tool use, and memory, so it can run a multi-step task without a human driving each step. In short, generative AI answers, while agentic AI acts.
Yes, on both sides. Defensively, vendors like Microsoft ship agents that triage alerts, enrich context, and run first-pass investigations in the SOC, with humans still gating high-impact decisions. Offensively, a 2025 Anthropic report documented a state-sponsored group using a model to run most of an espionage campaign autonomously. Most "fully autonomous SOC" and "AI versus AI" claims, however, still outrun what is actually deployed.
The core risk is that an agent holds credentials and can act, so a manipulated or wrong decision becomes a real action. OWASP names this excessive agency and, in its 2025 Top 10 for Agentic Applications, ranks risks like goal hijack, tool misuse, privilege abuse, and memory poisoning. The common attack mechanism is prompt injection, where hidden instructions in content the agent reads get treated as its own orders.
Prompt injection is when an attacker hides instructions inside content an LLM processes, because the model takes data and commands through the same channel. For an agent, the dangerous form is indirect injection: the agent reads a web page, document, or email containing hidden instructions and acts on them as if you had given the order. Combined with broad tool access, this turns a poisoned input into an unauthorized action.
Not in the near term. What is shipping is agents handling bounded sub-tasks (triage, enrichment, first-pass investigation) under human oversight, not a SOC that runs itself. Agents also create new work: they have to be inventoried, monitored, and secured as a new class of privileged actor. The realistic outcome is analysts supervising agents and investigating what the agents surface, not analysts being removed.