Episode Transcript
Welcome to episode 419 of the Microsoft Cloud IT Pro podcast recorded live from Workplace Ninjas US in December 2025.
This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss a topic or recent news and how it relates to you.
In today's episode, John Joyner, an eighteen year MVP, senior director of technology at Corsica Technologies, and a security professional extraordinaire joins Ben.
They discuss some of the announcements from Microsoft Ignite focused around Microsoft security, as well as diving deep into the new security store, AI agents, security compute units or SCUs, and how Microsoft is making enterprise AI security more accessible and affordable than ever.
Another interview from Workplace Ninjas.
I have done more interviews here this week than I have for a while, so another one without my co host, without Scott.
But I'm joined instead by John Joyner, another Microsoft MVP.
I'm assuming in the security space given the nature of the conference and our topic today.
But do you wanna introduce yourself a little bit, John?
Tell us who you are, what you do.
Do you like long walks on the beach?
Yeah.
Hi, Ben.
Thanks for inviting me here today.
I am an eighteen year Microsoft MVP.
Oh, congratulations on that.
So usually, you're like adding up the, like, the five year year bugs.
Blue disk, like, everywhere.
It's an amazing thing that you plan on it happening when you're early in your career, but it can happen.
Right?
And I am dual awarded right now in cloud security Okay.
And Azure management.
Oh, okay.
So Right.
And I'm here talking about Defender for IoT.
It's the topic I'm presenting at here at Workplace Ninjas.
Okay.
Very cool.
We might have to do another follow-up episode on that because that is not something I know much about either.
Not our topic for today, but Okay.
Yeah.
No.
Yeah.
It's exciting.
Mental note.
Future episode.
Yes, sir.
So today, this is we're gonna talk about some of the announcements that came out of Microsoft Ignite.
There were some really, I think, really exciting and really cool announcements there, specifically around in the general realm of Security Copilot and some things like the security store and it being included in E5s now.
So we're gonna dive into that a little bit.
So security store.
Again, brand new at Ignite couple weeks ago.
Do you wanna tell us a little bit about, like, what is the Security Store?
How does this change some of the things even?
Diving to some of those things.
Yeah.
Security Store is an effort by Microsoft to surface in the workspace used by security professionals, services and products that those cybersecurity people will find useful.
Okay.
There's currently until we had the security store, there was basically Azure Marketplace.
And Azure Marketplace is as broad as can be.
And there's tens of thousands of things in there.
Okay?
Yep.
And Microsoft identified the primary of that marketplace.
We're not the cyber staff.
They were more like the contracting staff and the Okay.
FinOps people and that kind of and they so we imagine place where security specific offer available.
You define exactly.
So they've created the security store.
And the security store can be found in the Defender XDR portal.
Okay.
And also securitystore.microsoft.com.
Okay.
And So does that take you, like, if you go securitystore.microsoft.com, does it just take you into the security store in the security portal?
There there's a there's a public public portal.
Okay.
Requires no login.
Got it.
Nice.
Right?
Right.
So you can actually browse it and see some of these solutions that are available without even having a Yes.
Subscription or having to And I think I think broadening access is was a good thing.
Yeah.
So I think about this store is security Copilot aware.
Right?
Okay.
If you have security you have SCUs, security computes Yep.
Allocated to your so things may become available to her.
And this is also true in Defender XDR that if you have there's a new capability for remediations, like fix it fix it now buttons.
Right?
And the but they're only available if you Got it.
If you don't have security Copilot, the button links to just a learn article.
But if you have security Copilot, it links to shall I do it now.
Right?
Oh, is this Yeah.
This is all quite new.
And same with security store, you have SCUs, then you have a a different experience.
Okay.
Logged in and all those other Got it.
And the security store is divided into categories like tabs at the top, and the newest one is agents.
Okay?
Surprise.
Right?
We get more agents.
AI.
I'm like, I don't think we're how many tattoo it on my forehead or my wrist?
Yeah.
And so the agents is a place to buy, and some of them are free.
Okay.
Like, some of them are free and some of them you buy, and they are partner created and Microsoft created, and they are AI agents.
Okay.
Right?
And they do specific things.
And so the concept is that you're a security profession, you're in the portal, and you're investigating a thing or you're doing a thing, and you're having trouble.
It's taking a lot of time, a lot of friction.
And you're like, gosh.
I wish there was a way to automate this.
And, like, you do the right searching and go to the right places, you're gonna see the partner offer.
Click here to add this agent to your environment.
And it'll do the thing.
Okay.
And in in the store right now, some agents have no charge to install essentially.
Others have a monthly charge that is payable to partner that developed.
Okay.
It's a way for partners to start to monetize and share their IP as it relates to AI.
It's a very lucrative potential for partners, and it's a great way for Microsoft to to democratize access to AI.
To help you out.
And so these agents these agents are paid for when they run by consuming security comps.
Right?
Okay.
SCUs are the foundation for running Security Copilot.
And when you have SCUs in your environment and you activate a Security Copilot instance, you are basically standing up a runtime, almost a rep an LLM replica that is just for you and is tuned to security and may or may not have access to your private company things you may have given Security Copilot access.
So it's basically a copy of all the LLM goodness that you have just talking to BingChat.
Uh-huh.
But it also has this extra access to all of your stuff and access to all the threat and vulnerability stuff.
So it's expensive to stand up this thing because it it's private to you.
And Microsoft must allocate iron in its data center just for you.
And so it costs them, and they've come up with a way to pay for it, SC.
Got it.
And SCUs have been around for a year or so since Security Copilot came out, and early adopters, did find that expensive site Yeah.
To make it useful, to make it responsive twenty four seven, you had to run SCUs all the time.
And there was multiple tens of thousands of dollars buy in, just start using Oh, yeah.
It was wild.
And some companies that went all in, they have found satisfaction.
Many others said this is too much right now.
K?
And Microsoft recognized this.
They're a smart company.
Yep.
And they came up with this way using this agentic model.
And now SCUs went or rather, security agents, when they run, they tap into your SCU.
Okay.
And when you go to the security store today and you look at the offerings, they list how many SCUs or how many frac subs Okay.
When you run them.
And some of them consume point one SCU.
Oh, wow.
Yeah.
Yeah.
So we've gone we've gone from, like, I need to allocate a five digit check to run this thing to it's just a couple of dollars.
Okay.
Okay?
And if that agent task that runs in that one tenth of an SCU, if it saves my analyst an hour or a day, it's well worth the three the $3 for that.
Actually, they changed security comp unit purchase.
You know, like, basically buy a discounted package of, like, $4, and then when you go over it, $6 over 6.
So they have they've slightly changed it to make it slightly more Yeah.
If you can predict how much you're gonna use.
So they made it a little bit cheaper, but the model is yeah.
You can still run it 24/7.
You'll still use it as a replacement or augmentation asset for junior and middle level security engineers.
Uh-huh.
You can still do that.
Now there's this new way to consume to take advantage of the Microsoft cloud.
Okay.
And so these and the most popular agent right now as I stand is a phishing triage.
I Right?
Yes.
And I've heard a lot of people asking about that one and talking about one.
Phishing is the number one vector for ransomware.
Yep.
And so anything that mitigates that is very high value.
And the phishing triage agent, frankly, I have I solved either.
Okay.
But I I know that it basically responds real time to mitigate the consequences of a phishing.
A phishing.
Right.
And, you know, we can do this now with logic apps, with Yeah.
And I've tried to build some of those there.
Thank you.
It takes a little bit of work.
It does.
And, like, is mine better than yours?
Like, is am I missing something?
Did I spend enough dev time?
Am I thought of everything?
When when you do it your on your own, it's gonna work the best.
And for example, the phishing triage agent was developed with Microsoft centrally to support many security professionals, and it's probably the best.
Probably.
It is I can guarantee you it's better than mine because I hit that with my logic app.
Like, I would have somebody click on an email, and I'd be like, try to build the logic app.
It's like, oh, well, this one didn't go to a user.
This went to a group.
So the data that came into the logic app was different to Microsoft 365 group before the user got it, or went through distribution list, or I had a Microsoft 365 group in the distribution list.
So that JSON that came into Logic apps, it felt like it was different every time somebody clicked on a phishing link, and it I banged my head against the wall trying to account, to your point, every single scenario to make this logic app work the way I wanted to based on the incoming data when a phishing event happened.
Exactly.
And another way that these agents help, they don't require you to know.
And, like, I know KQL.
You probably know KQL.
Yep.
I can sit down and go, well, did, you know, filter a go pipe, like and I can answer questions like, has this happened before?
Has this combination of things happened before?
I can whip it out generally in KQL.
But I'm a professional.
I've studied a long time.
Yeah.
Even though that's for eighteen plus years, probably.
Still, I have to go go check it out, and I may make mistakes.
And so the first season of professional time is creating a complex query to answer an important question involving historical analysis compared to something happening today.
It's possible, but it's requires a senior person.
Yep.
And they still may need a little time.
Okay?
So if now, like, you can write an agent yourself or as a partner and write an agent for other cost that does that thing without requiring any KQL.
And it's not like in like, it's a crutch.
You're like, oh, I don't wanna learn KQL.
I'm gonna I'm gonna just talk to the LLM.
But when you think about it, we can't depend on every security analyst being a crack KQL Right.
Guy or gal.
Right?
It's a person dependent thing, but we need security analysts really bad.
There's a shortage.
Okay.
Right?
So if we can come up with a way to have these people just talk to the SIEM Yep.
Why not?
Right.
Makes sense.
So there's there the Microsoft's approach to making AI more affordable and more approachable and more understandable.
Again, when we cons when we buy an agent, we know exactly what we do.
We know exactly what it's gonna cost.
It's a box.
Yeah.
Our risk is minimal.
Yeah.
Whereas, like, oh, I'm gonna buy a stack of SCUs, and I'm gonna assign my developer two weeks, and we'll hope that he or she comes up with something that works afterwards.
Right.
Remove remove that doubt, remove that cost.
It's a great thing.
So check I encourage everybody to check out Security Store.
Okay.
Do you feel overwhelmed by trying to manage your Office 365 environment?
Are you facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help.
Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft cloud environment because that's their expertise.
Intelligink keeps up with the latest updates in the Microsoft cloud to help keep your business running smoothly and ahead of the curve.
Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft cloud technology.
Visit them at inteliginc.com/podcast.
That's intelligink.com/podcast for more information or to schedule a thirty minute call to get started with them today.
Remember, Intelligink focuses on the Microsoft cloud so you can focus on your business.
So I have a question with Security Store too.
Does this also provide any additional type of, like, third party integration?
Right.
Before with Security Copilot, you could go in and you could connect it to, like, Azure Firewalls and other services.
Does this also extend some of that, or is this really just focused on agents?
Well, the the agents can imagine.
Okay.
Imagine an Azure Logic app connect to a Security Copilot promptbook of infinite Yep.
Density.
Like, anything you can imagine.
So it's not some partner or a company vendor, like, could write agents that makes their connection so much Got it.
And more meaningful.
And so a third party company that right now is just a a lonely connector in the 350 or 400 in the Sentinel catalog Yeah.
Can now become can stand out Okay.
And be more attractive and more usable because it's not just connecting to Sentinel the way Microsoft thought it best to connect connect the way you, the author of the software, will work best.
And you can put that into an agent, and then somebody get that agent in the security store and hit the button and maybe pay $2.02 s c two or three SCUs.
This is gonna be an expensive workflow.
It may cost $18 to run this workflow.
But when I'm done, I would have created optimized connectors, playbooks, workbooks, everything in my environment.
It's just gonna be aware of my environment.
Think about it.
I'd be able to Yeah.
Like, you know, creating a custom workbook right now.
Again, if if KQL Right.
You can do it, but it's It still takes some work.
Fifteen minutes on a good day for the simplest change, frankly, to crack open a workbook, find the widgets.
Oh, yeah.
Blah blah blah blah.
So imagine an agent reconfiguring the work, tailoring it just to your environment, knowing how many employees you have, what industry you work in, what your time zone is.
Right.
Like, all this stuff.
Asking all those questions and then building that knows these things because it lives you Yeah.
So so the it it yeah.
I think this I I haven't seen any of these yet.
There may be some in the store, but I think that in answer to your question, third parties will love this because it makes their stuff easier to consume and a better experience.
Yeah.
So when the SCUs, kinda talking about this came out at Ignite.
The announcement also came out with the SCUs now being included in Microsoft 365 E5, and like, I did the math, it comes up to like point four SCUs per month per E5 user.
I'm assuming that these agents, going back to the fractional, you don't even have to go spin up a $4 a month SCU or a $6 a month SCU.
You're gonna be able to start leveraging the included SCUs to run these agents Yeah.
For a for a 1,000 employee organization Uh-huh.
400 SCUs will magically appear in your subscription every month.
Okay.
And if you don't use them, you lose them.
Yep.
And at the And if you don't use them or you lose them Yep.
And at the beginning of next month, you get another farm.
Get another farm.
And so in that scenario, if we have 400, you know, I was just talking this yesterday.
Imagine that point one Right.
SCU You can run a lot of things.
Times Yeah.
In one month.
And and, like, so can and you it won't over consume.
Like, when you try to run the four thousand first time, it'll say you're out of this.
You Not let you go above that.
Yeah.
I I think you can actually tell it.
Yeah.
Go ahead go ahead and supercharge me, They're assuming that they normally you know, for most customers, they're gonna say, don't stop when I exhaust them.
So in in this scenario where you only got 400 in a month, use them.
I mean, this is a boom because Right.
It's lost money.
If you don't go to a security store and you don't find an agent that's attractive to you and affordable to you, you are missing the boat.
Yeah.
And you are going to become at an ever pretty competitive disadvantage to other people in your industry that that are seeing the light.
Right?
Yep.
In in the security world, attacks are driven by AI.
60, I believe, 60% Is it really that high already?
Of ransomware attacks are AI driven.
Okay.
I didn't realize that that high of a percentage of the statistic I learned at the security b day at Unite.
Oh, okay.
And, like, if you're not using AI, counter the 62% of the bad guys in AI against you, you will lose.
It Yeah.
It is foregone.
So it's really important to be an early adopter, I think, in these times.
In that space.
Microsoft has made a way for TOW in the agentic AI world, assuming you have E5 Yep.
And at no risk.
Right.
So the combination, all these announcements is fantastic.
It's cool.
And I know the other agent, I would say, that I've started using or seen used a lot is I like the conditional access optimization agent.
I actually logged into my tenant yesterday or today, and I had, like, new conditional access policies.
They label them.
It's like, this was a Microsoft conditional access optimization agent.
I had new ones in my tenant already for agents.
Like, also at Ignite, they announced conditional access for agents.
This conditional access optimization agent is already going into my tenant and identifying, oh, you need to create a new conditional access policy to help protect your agents.
And it's that type of stuff that I feel like security professionals aren't always thinking of, I gotta go do this right away.
Do you have these agents running?
It's like it's helping those security professionals secure their environment.
Absolutely.
It's cool.
So some of the road map, you talked about like the store was kind of the start at Ignite, but some benefits or some of the things you see with this release around just Microsoft's AI strategy in general, their road map.
Yeah.
The road map is exciting to talk about.
Microsoft has a road map.
Every known aspect to AI world today.
Right?
They have at the at the extreme high end using AI foundry and with the with developers on staff, you can create virtual instrumentality of an imagine, own it, cleat.
So Microsoft has the tools for the big shops, big vision Yep.
To build AI solutions properly, safe with guardrails of governance.
So and and then in the middle end, they have Copilot, security copilot, office, etcetera.
So Yeah.
I heard a 192.
It's like a 192 copilots or something.
Well, they're The hope in this number goes down, like, who can tell?
Maybe it's a little I'd rather have a 190 copilots.
I don't know if that's the number.
I don't either.
Then then zero.
Right?
They are an approachable, double way in the Microsoft across the spectrum.
And then and now we have at the level h Right.
So so we have ways to consume and use AI at every step of the way, and we have ways to secure all that.
Okay?
You another, announcement at Ignite was Eviving, which is an agentic AI security agent.
Right?
So, like, how do I we can consume a third party agent, but how do we know that it's safe?
As such, he has an answer.
We have another little agent Another agent.
That just looks at the AI agent.
We have agents monitoring.
If we have an answer, we have an answer because a legitimate reason to slow down AI adoption in an enterprise is the lack of governance.
What are the agents doing?
Who's getting shadow agents sprawl?
Oh, yeah.
So how do Microsoft has one c five agent.
They have an answer to clear that.
And then somewhere in that in above that middle layer of the existing Copilots and the advanced layer of you riding a custom solution in Foundry.
We have we have the MCP server, Microsoft MCP server, and you can cry you Microsoft has published guidance.
In fact, I think there's prefab solutions.
For example, MCP server for Sentinel.
Yeah.
I've played with the MCP server for Sentinel.
It's it's it's cool stuff.
And so the and you know that there's a Defender cloud MCP server offering that's very Oh, is there?
I don't know that I've seen that one yet.
Yeah.
It's Ignite was, like, blasting full of announcements.
So we have a security solution for the server and a security solution for the Genentech.
For the API.
And so not only have we created the entry ramps at all these different levels, but also really security and governance controls at all the levels too.
And, again, I'm just nobody has this.
Yeah.
Nobody has this.
And at a lot of companies, I think that AI road map and adoption is aspirational.
It's a desired goal, but, like, concrete adapted day and not unless you're in the Microsoft model, there's legitimate concerns.
So I I again, I think Oh, yeah.
There's an opportunity to gain a cut by diving into the AI world.
Stay ahead for the bad guys.
Stay ahead for the Yep.
Yeah.
And it is.
The governance, the controls, everything they're putting in place, from everything I've seen, far superior than what you're gonna get with some of the other third party AI services.
So Exactly.
Yeah.
That's awesome, John.
I'm thanks for walking through all of those.
I've there was so much at Ignite.
I've been able to digest some of it, looked at some of the headlines, but haven't had a chance to really dive into some of the security store, some of the security copilot stuff.
So appreciate it.
Anything else you wanna add to this security copilot, security store information that we've talked about so far before we wrap up and go find some more sessions?
Well, I just have one last little comment, which is the migration to Defender XDR portal for air all services.
Right?
Yeah.
I love this.
So this is a big deal.
It's very painful even for organizations that have invested heavily in Sentinel.
Yep.
And the other pieces of this resided outside the b.microsoft.com.
And my understanding is that Microsoft felt that they needed to do this both for marketing and on the marketing side as competitors, CrowdStrike Yep.
Have a single portal.
Okay.
And for some decision makers, that's that makes the decision.
Oh, 100%.
And so to be competitive with what customers expect, Microsoft is doing this consolidate.
But then under the covers, and this is where I personally come to Congress because I'm one who have been planting all of my seeds on the Azure portal side rather than this.
You don't like this as much as I do.
I came from the M365 side.
So for me, it's like, oh, I finally get settled in with all my other Microsoft 365 security tools.
What the thing is that Sentinel lives in Azure subscription.
Yep.
And Defender XDR lives.
Right.
And another thing is that Sentinel works on a log analytics Yes.
Method.
You have a data lake or log analytics repository, you know, where your data is in, like like, the classics Splunk and Splunk enterprise cloud security.
You have a data reservoir that all your stuff works in, and then you run queries and stuff against it.
That's how Sentinel and log analytics work.
And that, Frank, has scaling limitations Yep.
And is not, again, keeping up with the latest best things they've done.
And so Defender XDR, number one, it lives in.
And number two, it runs off Microsoft resource graph rather than Azure login.
So for very large customers, scaling issues involving log analytics, having to decide what subscription, what region, what commitment model, all of these things were now abstracted from all of those because now all of our data stays in our tenant in Azure.
And then another reason, technically, is that the Sentinel model today depends on time queries.
Right?
Uh-huh.
It can go from one minute to one hour to one day.
Right.
It's not the real time alerting.
It's based on when you schedule your queries to run.
Correct.
And the but resource graph continuous.
It's always live.
And the behind the scenes, the threat action technology at Microsoft, they talk about security graph, which is different from Azure resource graph.
All the graphs.
Security graph is this recognition is that if I'm just looking at my firewall traffic and I'm just looking at my server sign on traffic and if I'm these silos information, and they may surface in a common investigation area, but there's still the data resides, like, places that have to be actively, you know, addressed.
Yep.
And resource graph or rather than Azure Microsoft security is not doesn't work that way pattern.
We're just looking for patterns because real security involved, like, a bad guy and a good guy.
Yeah.
A a protected destination and a hostile destination or a hostile behavior acting on a friendly so there there's always at least two components to every true security incident, and that Microsoft research security side is looking for those patterns.
So those got it.
Oh, it's looking for those patterns always, and that is much more meaningful than periodically searching stacks of data and looking for Right.
Relying on your KQ and then get going back to relying on your KQL queries to properly write them so that when they run, they're looking at the right information and all that.
Yeah.
So just Microsoft made the really competitive and real, incredible in the modern world where we can't we can't use the Splunk model anymore.
Yeah.
We need a new model.
Microsoft got one.
Very cool.
Well, awesome.
Thanks, John.
I appreciate it.
We'll get for those listening, we'll we'll get a bunch of links to these different announcements, different resources.
Any links you want to include, John, I'll get those from you.
If people wanna find you on social media or wherever you feel like being found, we can include those in the show notes.
Thank you very much.
Alright.
And we'll talk to you later.
Thank you, Ben.
Take care.
If you enjoyed the podcast, go leave us a five star rating in iTunes.
It helps to get the word out so more IT pros can learn about Office 365 and Azure.
If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter, or Facebook.
Thanks again for listening, and have a great day.
