
CrowdStrike, Cisco and Palo Alto Networks all shipped agentic SOC tools at RSAC 2026 — and all three missed the same gap | VentureBeat

CrowdStrike, Cisco, and Palo Alto Networks all announced agentic SOC tools at RSAC 2026. A VentureBeat analysis of all three architectures finds none shipped...


Overview


CrowdStrike CEO George Kurtz highlighted in his RSA Conference 2026 keynote that the fastest recorded adversary breakout time has dropped to 27 seconds. The average is now 29 minutes, down from 48 minutes in 2024. That is how much time defenders have before a threat spreads. Now CrowdStrike sensors detect more than 1,800 distinct AI applications running on enterprise endpoints, representing nearly 160 million unique application instances. Every one generates detection events, identity events, and data access logs flowing into SIEM systems architected for human-speed workflows.

Details

Cisco found that 85% of surveyed enterprise customers have AI agent pilots underway. Only 5% moved agents into production, according to Cisco President and Chief Product Officer Jeetu Patel in his RSAC blog post. That 80-point gap exists because security teams cannot answer the basic questions agents force: which agents are running, what they are authorized to do, and who is accountable when one goes wrong.

“The number one threat is security complexity. But we’re running towards that direction in AI as well,” Etay Maor, VP of Threat Intelligence at Cato Networks, told VentureBeat at RSAC 2026. Maor has attended the conference for 16 consecutive years. “We’re going with multiple point solutions for AI. And now you’re creating the next wave of security complexity.”

In most default logging configurations, agent-initiated activity looks identical to human-initiated activity in security logs. “It looks indistinguishable if an agent runs Louis’s web browser versus if Louis runs his browser,” Elia Zaitsev, CTO of CrowdStrike, told VentureBeat in an exclusive interview at RSAC 2026. Distinguishing the two requires walking the process tree. “I can actually walk up that process tree and say, this Chrome process was launched by Louis from the desktop. This Chrome process was launched from Louis’s cloud Cowork or ChatGPT application. Thus, it’s agentically controlled.”
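The lineage walk described above, sketched over process-creation events. This is an added example, not code from the article or from any vendor; the events are constructed and the agent binary name `agent-host.exe` is hypothetical.

```python
# Constructed process-creation events (not real telemetry). Image names for the
# agent are hypothetical; production data should key on a unique process ID
# (PID plus start time), because bare PIDs get reused.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "chrome.exe"},      # opened from the desktop
    {"pid": 300, "ppid": 100, "image": "agent-host.exe"},  # desktop AI agent app
    {"pid": 310, "ppid": 300, "image": "node.exe"},        # agent tool runner
    {"pid": 320, "ppid": 310, "image": "chrome.exe"},      # browser driven by agent
    {"pid": 400, "ppid": 999, "image": "chrome.exe"},      # parent event missing
    {"pid": 500, "ppid": 501, "image": "chrome.exe"},      # reused PIDs form a loop
    {"pid": 501, "ppid": 500, "image": "updater.exe"},
]
AGENT_IMAGES = {"agent-host.exe"}     # assumption: comes from your agent inventory
INTERACTIVE_ROOTS = {"explorer.exe"}  # assumption: shell that starts user sessions

def lineage(pid, index, max_depth=64):
    """Return image names from the process up through its ancestors."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(index[pid]["image"])
        pid = index[pid]["ppid"]
    return chain

def classify(pid, index):
    """Label a process 'agent', 'human' or 'unknown' from its ancestry."""
    chain = lineage(pid, index)
    if any(image in AGENT_IMAGES for image in chain):
        return "agent"      # an agent anywhere in the ancestry wins
    if any(image in INTERACTIVE_ROOTS for image in chain):
        return "human"      # chain reaches the interactive shell, no agent seen
    return "unknown"        # broken or looping lineage: do not assume human

def classify_image(events, image):
    """Classify every process with the given image name, keyed by PID."""
    index = {e["pid"]: e for e in events}
    return {e["pid"]: classify(e["pid"], index) for e in events if e["image"] == image}

if __name__ == "__main__":
    for pid, label in classify_image(EVENTS, "chrome.exe").items():
        print(pid, label)
```

The `unknown` label matters as much as the other two: a browser whose parent event was never collected should be routed for review, not scored against a human behavioral model.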

Without that depth of endpoint visibility, a compromised agent executing a sanctioned API call with valid credentials fires zero alerts. The exploit surface is already being tested. During his keynote, Kurtz described ClawHavoc, the first major supply chain attack on an AI agent ecosystem, targeting ClawHub, OpenClaw's public skills registry. Koi Security's February audit found 341 malicious skills out of 2,857; a follow-up analysis by Antiy CERT identified 1,184 compromised packages historically across the platform. Kurtz noted ClawHub now hosts 13,000 skills in its registry. The infected skills contained backdoors, reverse shells, and credential harvesters; Kurtz said in his keynote that some erased their own memory after installation and could remain latent before activating. "The frontier AI creators will not secure itself," Kurtz said. "The frontier labs are following the same playbook. They're building it. They're not securing it."

Two agentic SOC architectures, one shared blind spot

Approach A: AI agents inside the SIEM. Cisco and Splunk announced six specialized AI agents for Splunk Enterprise Security: Detection Builder, Triage, Guided Response, Standard Operating Procedures (SOP), Malware Threat Reversing, and Automation Builder. Malware Threat Reversing is currently available in Splunk Attack Analyzer and Detection Studio is generally available as a unified workspace; the remaining five agents are in alpha or prerelease through June 2026. Exposure Analytics and Federated Search follow the same timeline. Upstream of the SOC, Cisco's DefenseClaw framework scans OpenClaw skills and MCP servers before deployment, while new Duo IAM capabilities extend zero trust to agents with verified identities and time-bound permissions.

“The biggest impediment to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust,” Patel told VentureBeat. “Delegating and trusted delegating, the difference between those two, one leads to bankruptcy. The other leads to market dominance.”

Approach B: Upstream pipeline detection. CrowdStrike pushed analytics into the data ingestion pipeline itself, integrating its Onum acquisition natively into Falcon’s ingestion system for real-time analytics, detection, and enrichment before events reach the analyst’s queue. Falcon Next-Gen SIEM now ingests Microsoft Defender for Endpoint telemetry natively, so Defender shops do not need additional sensors. CrowdStrike also introduced federated search across third-party data stores and a Query Translation Agent that converts legacy Splunk queries to accelerate SIEM migration.

Falcon Data Security for the Agentic Enterprise applies cross-domain data loss prevention to data agents' access at runtime. CrowdStrike’s adversary-informed cloud risk prioritization connects agent activity in cloud workloads to the same detection pipeline. Agentic MDR through Falcon Complete adds machine-speed managed detection for teams that cannot build the capability internally.

“The agentic SOC is all about, how do we keep up?” Zaitsev said. “There’s almost no conceivable way they can do it if they don’t have their own agentic assistance.”

CrowdStrike opened its platform to external AI providers through Charlotte AI AgentWorks, announced at RSAC 2026, letting customers build custom security agents on Falcon using frontier AI models. Launch partners include Accenture, Anthropic, AWS, Deloitte, Kroll, NVIDIA, OpenAI, Salesforce, and Telefónica Tech. IBM validated buyer demand through a collaboration integrating Charlotte AI with its Autonomous Threat Operations Machine for coordinated, machine-speed investigation and containment.

The ecosystem contenders. Palo Alto Networks, in an exclusive pre-RSAC briefing with VentureBeat, outlined Prisma AIRS 3.0, extending its AI security platform to agents with artifact scanning, agent red teaming, and a runtime that catches memory poisoning and excessive permissions. The company introduced an agentic identity provider for agent discovery and credential validation. Once Palo Alto Networks closes its proposed acquisition of Koi, the company adds agentic endpoint security. Cortex delivers agentic security orchestration across its customer base.

Intel announced that CrowdStrike’s Falcon platform is being optimized for Intel-powered AI PCs, leveraging neural processing units and silicon-level telemetry to detect agent behavior on the device. Kurtz framed AIDR, AI Detection and Response, as the next category beyond EDR, tracking agent-speed activity across endpoints, SaaS, cloud, and AI pipelines. He said that “humans are going to have 90 agents that work for them on average” as adoption scales but did not specify a timeline.

| Approach A: AI agents inside the SIEM (Cisco and Splunk) | Approach B: upstream pipeline detection (CrowdStrike) | Gap |
| --- | --- | --- |
| Six AI agents handle triage, detection, and response inside Splunk ES | Onum-powered pipeline detects and enriches threats before the analyst sees them | Neither baselines normal agent behavior before flagging anomalies |
| Duo IAM tracks agent identities but does not differentiate agent from human activity in SOC telemetry | Process tree lineage distinguishes at runtime. AIDR extends to agent-specific detection | No vendor’s announced capabilities include an out-of-the-box agent behavioral baseline |
| Guided Response Agent executes containment at machine speed | In-pipeline detection reduces queue volume. Agentic MDR adds managed response | Human-in-the-loop governance has not been reconciled with machine-speed response in either approach |
| Native Splunk integration preserves existing workflows | Query Translation Agent converts Splunk queries. Native Defender ingestion lets Microsoft shops migrate | Neither addresses teams running multiple SIEMs during migration |
| DefenseClaw scans skills and MCP servers pre-deployment. Explorer Edition red-teams agents | EDR AI Runtime Protection catches compromised skills post-deployment. Charlotte AI AgentWorks enables custom agents | Neither covers the full lifecycle. Pre-deployment scanning misses runtime exploits and vice versa |

The matrix makes one thing visible that the keynotes did not. No vendor shipped an agent behavioral baseline. Both approaches automate triage and accelerate detection. Based on VentureBeat's review of announced capabilities, neither defines what normal agent behavior looks like in a given enterprise environment.

Teams running Microsoft Sentinel and Copilot for Security represent a third architecture not formally announced as a competing approach at RSAC this week, but CISOs in Microsoft-heavy environments need to test whether Sentinel's native agent telemetry ingestion and Copilot's automated triage close the same gaps identified above.

Maor cautioned that the vendor response recycles a pattern he has tracked for 16 years. “I hope we don’t have to go through this whole cycle,” he told VentureBeat. “I hope we learned from the past. It doesn’t really look like it.”

Zaitsev’s advice was blunt. “You already know what to do. You’ve known what to do for five, ten, fifteen years. It’s time to finally go do it.”

These steps apply regardless of your SOC platform. None requires ripping and replacing current tools. Start with visibility, then layer in controls as agent volume grows.

Inventory every agent on your endpoints. CrowdStrike detects 1,800 AI applications across enterprise devices. Cisco’s Duo Identity Intelligence discovers agentic identities. Palo Alto Networks’ agentic IDP catalogs agents and maps them to human owners. If you run a different platform, start with an EDR query for known agent directories and binaries. You cannot set policy for agents you do not know exist.

Determine whether your SOC stack can differentiate agent from human activity. CrowdStrike’s Falcon sensor and AIDR do this through process tree lineage. Palo Alto Networks’ agent runtime catches memory poisoning at execution. If your tools cannot make this distinction, your triage rules are applying the wrong behavioral models.

Match the architectural approach to your current SIEM. Splunk shops gain agent capabilities through Approach A. Teams evaluating migration get pipeline detection with Splunk query translation and native Defender ingestion through Approach B. Palo Alto Networks’ Cortex delivers a third option. Teams on Microsoft Sentinel, Google Chronicle, Elastic, or other platforms should evaluate whether their SIEM can ingest agent-specific telemetry at this volume.

Build an agent behavioral baseline before your next board meeting. No vendor ships one. Define what your agents are authorized to do: which APIs, which data stores, which actions, at which times. Create detection rules for anything outside that scope.

Pressure-test your agent supply chain. Cisco’s DefenseClaw and Explorer Edition scan and red-team agents before deployment. CrowdStrike’s runtime detection catches compromised agents post-deployment. Both layers are necessary. Kurtz said in his keynote that ClawHavoc compromised over a thousand ClawHub skills with malware that erased its own memory after installation. If your playbook does not account for an authorized agent executing unauthorized actions at machine speed, rewrite it.
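One way to express the behavioral baseline from the steps above (which APIs, which data stores, which actions, at which times) as a detection rule. This is an added example, not code from the article or any vendor; the agent names, API names, data stores and events are all constructed.

```python
from datetime import datetime, timezone

# Hypothetical baseline, one entry per inventoried agent. Agent names, API names
# and data stores are constructed for this example.
BASELINE = {
    "triage-bot": {"apis": {"tickets.read", "tickets.update"},
                   "stores": {"soc-cases"}, "actions": {"read", "update"},
                   "hours_utc": (6, 20)},   # 06:00 up to, not including, 20:00
    "backup-agent": {"apis": {"storage.copy"},
                     "stores": {"finance-db", "backup-bucket"},
                     "actions": {"read", "write"},
                     "hours_utc": (22, 4)},  # window wraps past midnight
}

# Constructed audit events; every one carries valid credentials.
EVENTS = [
    {"agent": "triage-bot", "api": "tickets.read", "store": "soc-cases",
     "action": "read", "ts": "2026-03-25T09:15:00+00:00"},
    {"agent": "triage-bot", "api": "tickets.update", "store": "finance-db",
     "action": "update", "ts": "2026-03-25T09:16:00+00:00"},
    {"agent": "backup-agent", "api": "storage.copy", "store": "backup-bucket",
     "action": "write", "ts": "2026-03-25T23:30:00+00:00"},
    {"agent": "backup-agent", "api": "storage.copy", "store": "backup-bucket",
     "action": "write", "ts": "2026-03-25T14:00:00+02:00"},
    {"agent": "scraper-x", "api": "http.get", "store": "soc-cases",
     "action": "read", "ts": "2026-03-25T10:00:00+00:00"},
]

def in_window(hour, window):
    """True if hour falls in [start, end), including windows that wrap midnight."""
    start, end = window
    return start <= hour < end if start <= end else hour >= start or hour < end

def violations(event, baseline=BASELINE):
    """Return the baseline dimensions this event falls outside of."""
    policy = baseline.get(event["agent"])
    if policy is None:
        return ["unknown_agent"]   # not in the inventory: no policy to compare to
    checks = (("api", "apis"), ("store", "stores"), ("action", "actions"))
    found = [field for field, allowed in checks if event[field] not in policy[allowed]]
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    if not in_window(hour, policy["hours_utc"]):
        found.append("time")
    return found

def detect(events):
    """Return (agent, api, violations) for every event outside the baseline."""
    return [(e["agent"], e["api"], v) for e in events if (v := violations(e))]
```

The second event is the case the article warns about: a sanctioned API call with valid credentials that only stands out because the data store is outside the agent's declared scope.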

The SOC was built to protect humans using machines. It now protects machines using machines. The response window shrank from 48 minutes to 27 seconds. Any agent generating an alert is now a suspect, not just a sensor. The decisions security leaders make in the next 90 days will determine whether their SOC operates in this new reality or gets buried under it.
