on 05-02-2025 10:38 AM
In 500 BC, the ancient Greek philosopher, Heraclitus, said "The only constant in life is change." Fast forward to 2025, with the backdrop of AI transforming the way we work and the way we live, at a torrid pace, that saying is more pronounced than it's ever been!
At ServiceNow we're building the AI platform for business transformation. We're the last to accept the status quo and the first to change it. Our Security Business Unit is embracing the seismic change coming with AI. Welcoming it. And seeing it as an opportunity to invent new ways to fundamentally shift the way our customers run their security operations.
Just as fellow defenders in the cybersecurity ecosystem are investing effort and energy into injecting AI into multi-layered defense mechanisms, adversaries are investing energy in bringing AI into their offensive arsenal. Deepfakes are on the rise and were used by malicious actors in one case to embezzle $25 million by impersonating a company's CFO. Phishing campaigns generated with AI are more convincing and receive higher click rates. New malware strains are easier and faster to create with AI than before. Reconnaissance and password cracking are now easier for malicious actors to conduct thanks to AI.
So how do we as defenders combat these evolving threats? In our view, a key pillar of your defense strategy must include AI. We're pleased to announce that new AI Agents are now available in both Now Assist for Security Incident Response (SIR) and Now Assist for Vulnerability Response (VR). Their objective is simple: Helping your teams become better, faster, and stronger at responding to security incidents and newly published vulnerabilities. Let's dive in and learn more about these Agents.
(1) Resolve Security Incidents (Agentic Workflow in SIR)
Security Analysts can resolve security incidents seamlessly by talking to our AI agents in natural language. The AI agent provides a summary of the security incident and the resolution steps that have been taken so far. The Agent then proceeds to generate a resolution plan based on the data that are available for the past similar security incidents and the KBs/Runbooks in the system. At this stage, you can interact with the agent and suggest changes to the resolution plan as required.
The agent proceeds with execution of each step in the resolution plan, in a human-supervised manner. Analysts are in control every step of the way. We have a team of agents at your disposal to perform various actions such as email generation, INC / CHG / PRB creation, Response task creation, Observable analysis and summarization (threat look up, enrichment), Blocking of Observables, Email Search and Delete (Exchange Online).
Analysts can provide feedback throughout the incident resolution wherever required. The last step involves closing the incident after the investigation is complete. The workflow relies on the existing Security Incident Wrap Up generator to close the security incident by generating the post incident analysis, closure notes and close codes. The entire investigation journey is simplified and taken care of by the agents thus improving the efficiency metrics such as MTTR, MTTC for the SOC.
(2) Analyze Security Operations Metrics (Agentic Workflow in SIR)
This agentic workflow is designed for SOC Managers, who often build their own dashboards to track high-level metrics like average resolution time. But that number alone lacks context. Questions like "Which incident types are taking longer to resolve?" or "Are specific outliers skewing the data?" still require time-consuming manual analysis. Instead of digging through incident records and filtering data themselves, SOC Managers can now rely on the Security Operations Metrics Analysis agentic workflow to do the heavy lifting.
This AI-powered use case proactively identifies inefficiencies in MTTR and other SOC metrics by detecting patterns, flagging bottlenecks, and surfacing outliers based on incident type, priority, analyst performance, and alert source. It goes beyond static reports, delivering contextual explanations and targeted recommendations. The result: reduced manual effort, faster insights, and data-driven decisions that improve analyst performance and overall SOC effectiveness.
(3) AI-to-AI: Microsoft Security Copilot and ServiceNow SIR
In today's rapidly evolving threat landscape, organizations need cutting-edge security solutions that combine AI-driven intelligence with automated response capabilities. The integration between ServiceNow Security Incident Response (SIR) and Microsoft Security Copilot redefines security operations, enabling dynamic decision-making, real-time insights, and autonomous response capabilities. This integration enables bidirectional AI-to-AI communication between ServiceNow Security Incident Response and Microsoft Security Copilot. You would be able to talk directly to Microsoft Security Copilot from ServiceNow by typing your queries into the Now Assist Panel.
This version supports querying threat intelligence information from Microsoft Defender Threat Intelligence. You could ask for the reputation of an observable, gather details about the domain names, read through the latest published threat articles, and so on.
Similarly, you would be able to understand more context about a security incident when working in Microsoft products. You get the summary of the security incident and correlation insights about an observable/user/device. Additionally, you would also be able to directly query the CMDB device tables and the user tables from ServiceNow when working in Microsoft.
(4) Assess Vulnerability Exposure (Agentic Workflow in VR)
This agentic workflow is designed for Vulnerability Analysts and Managers who need real-time visibility into their organization's exposure to high-risk threats. Today, evaluating exposure to the CISA Known Exploited Vulnerabilities (KEV) catalog often requires cross-referencing external threat feeds with internal asset data, a process that's both manual and slow. The "Assess Vulnerability Exposure" agentic workflow automates this effort by continuously identifying newly listed CISA vulnerabilities present in your environment and assessing their impact on critical configuration items (CI) and business services.
This AI-driven workflow surfaces affected assets tied to known CVEs, highlights potential business impact, and enables proactive risk management. It also allows teams to create watch topics to monitor remediation progress, helping ensure timely response to the most urgent threats.
(5) Analyze Vulnerability Remediation Status (Agentic Workflow in VR)
Staying on top of vulnerability remediation SLAs is a constant challenge for VM teams, especially when trying to understand which deadlines are being missed, where, and why. The "Analyze Vulnerability Remediation Status" agentic workflow gives Vulnerability Managers a smarter way to stay ahead. Instead of pulling static reports and manually slicing the data, this workflow continuously monitors SLA compliance and highlights areas falling behind.
With built-in analysis by severity, assignment group, and CI class, it makes it easy to uncover trends, pinpoint bottlenecks, and drive accountability across teams. This workflow provides the clarity needed to take focused, corrective action and keep remediation efforts on track.
Closing Thought: The Ball is Now in Your Court
To learn more about these AI Agents in SecOps and deploy them in your environment, please refer to the ServiceNow Store links here:
The ball is now in your court. Are you ready to LEVEL UP your security operations program? Are you ready to become an industry leader in AI security? Are you ready to modernize your personal cybersecurity skills and make 2025 a year to remember? Because the AI security train has left the station, and is moving fast.
The best news of all is that with ServiceNow you have a VIP pass in the front seat - We've assembled a world-class AI security team that is 100% in your corner!
All the best on your deployment journey,
The SecOps AI Product Team
Fantastic post! This is huge news - amazing to see this team of Agents released for Security Operations!

Check out these other posts too if you want to see some of these use cases in action:
- See SecOps Agentic AI in Action: Strengthen Cyber Risk Posture with AI Agents
- The SOC Agent Advantage: Wrap-up your Security Incidents with Ease