Closing the Agent Behavioral Baseline Gap: The Latest SOC Tools from CrowdStrike, Cisco, and Palo Alto Networks at RSAC 2026

The Changing Landscape of AI Security

CrowdStrike CEO George Kurtz recently emphasized in his keynote at RSA Conference 2026 that the fastest recorded adversary breakout time has decreased to just 27 seconds. The average breakout time has also significantly reduced to 29 minutes, down from 48 minutes in 2024. This highlights the critical window of time defenders have to respond before a threat spreads. CrowdStrike sensors now detect over 1,800 distinct AI applications running on enterprise endpoints, totaling nearly 160 million unique application instances. Each of these applications generates detection events, identity events, and data access logs that are crucial for security operations.

A study by Cisco revealed that 85% of surveyed enterprise customers are currently running AI agent pilots. However, only 5% have successfully moved these agents into production. This gap exists because security teams struggle to address fundamental questions related to AI agents, such as their authorized actions and accountability in case of errors.

Etay Maor, VP of Threat Intelligence at Cato Networks, expressed concerns about the increasing security complexity associated with AI solutions. He highlighted the trend of using multiple point solutions for AI, which could potentially lead to greater security challenges in the future.

The Challenge of Distinguishing Agents from Humans

In most security logging configurations, activities initiated by AI agents appear identical to those initiated by humans. Distinguishing between the two requires detailed analysis of the process tree to identify the source of each action. Without this level of endpoint visibility, compromised agents could execute authorized actions without triggering any alerts, posing a significant security risk.

During his keynote, Kurtz mentioned ClawHavoc, a supply chain attack on an AI agent ecosystem targeting ClawHub, a public skills registry. This attack highlighted the vulnerabilities in AI agent systems and the need for enhanced security measures to prevent similar incidents in the future.

Two Approaches to Agentic SOC Architectures

Approach A: Cisco and Splunk have introduced specialized AI agents for Splunk Enterprise Security, focusing on various aspects of threat detection and response. These agents aim to streamline security operations and improve the overall effectiveness of SOC teams.

Approach B: CrowdStrike has integrated advanced analytics into its data ingestion pipeline, offering real-time threat detection and enrichment capabilities. This approach enhances the efficiency of security operations by detecting threats before they reach the analyst’s queue.

CrowdStrike has also introduced Falcon Data Security for the Agentic Enterprise, which applies data loss prevention measures to agents’ access at runtime. This helps in identifying and mitigating potential security risks associated with AI agents.

The Evolution of AI Security Ecosystem

CrowdStrike has opened its platform to external AI providers through Charlotte AI AgentWorks, allowing customers to develop custom security agents using frontier AI models. This initiative aims to enhance the capabilities of AI security solutions and address evolving threats in the cybersecurity landscape.

Other companies, such as Palo Alto Networks and Intel, have also introduced innovative AI security solutions to address the growing challenges of securing AI ecosystems. These solutions leverage advanced technologies to detect and respond to threats at machine speed, ensuring the integrity of AI systems.

Closing the Gap in AI Security

Despite the advancements in AI security solutions, there are still critical gaps that need to be addressed. None of the vendors have implemented an agent behavioral baseline, which is essential for identifying abnormal agent behavior in enterprise environments. Security leaders must prioritize building this baseline to enhance the effectiveness of their security operations.

It is crucial for organizations to assess their current SOC platforms and ensure that they can differentiate between agent and human activity. Implementing robust security measures and conducting regular testing of AI agent supply chains are essential steps to mitigate security risks associated with AI technologies.

Key Choice for Security Leaders

1. Inventory every agent on your endpoints: Identify all AI applications and agents running on enterprise devices to establish a baseline for security monitoring.
2. Differentiate agent from human activity: Ensure that your security tools can distinguish between AI agent and human-initiated actions to improve threat detection.
3. Match architectural approach to your SIEM: Select a security architecture that aligns with your current SIEM platform to streamline security operations.
4. Build an agent behavioral baseline: Define authorized actions for AI agents and establish detection rules for abnormal behavior.
5. Pressure-test your agent supply chain: Conduct thorough testing of AI agents to identify and mitigate potential security vulnerabilities.

The evolution of AI security presents both challenges and opportunities for organizations. By implementing proactive security measures and leveraging advanced technologies, businesses can enhance their cybersecurity posture and protect their AI ecosystems from emerging threats.