Exabeam dropped a significant update to its Behavior Intelligence platform on July 1, 2026, arming security operations centers (SOCs) with new tools to detect and respond to the rapidly evolving threat landscape of agentic AI. The release adds native AI-agent detections, broadens enterprise AI telemetry ingestion, introduces OWASP-aligned security coverage for large language model (LLM) threats, and integrates support for Anthropic’s Claude. For Windows-heavy enterprises already wrestling with shadow AI usage and the creeping adoption of autonomous agents in business workflows, the update delivers sorely needed visibility.
Security teams have watched the AI revolution with growing unease. Microsoft’s Copilot, embedded across Windows 11, Office, and Azure, has been a productivity boon. But it has also opened a new attack surface—one where traditional endpoint detection and response (EDR) tools and even many SIEMs fall short. Exabeam’s move puts agentic AI behavior squarely in the crosshairs of its user and entity behavior analytics (UEBA) engine, promising to surface anomalies that other tools miss.
The Agentic AI Dilemma
Agentic AI refers to systems that do not just generate text or answer questions but take actions. An AI agent can read emails, schedule meetings, retrieve files from SharePoint, or even execute code in a sandboxed environment. When compromised through prompt injection, jailbreaking, or supply chain attacks on model plugins, these agents become powerful insider threats. They act with the credentials and permissions they were legitimately granted, over the same APIs and data paths they use every day, so signature-based controls see nothing unusual and rarely raise an alert.
Detection demands behavioral baselines. Exabeam has long excelled at building statistical profiles for users and devices, then flagging deviations. Applying that same approach to AI agents means learning what “normal” looks like for a specific agent—how often it accesses certain data, which APIs it calls, the volume of its outputs—and sounding the alarm when that baseline breaks. The July 1 update makes this a native capability, not a custom rule set that SOC engineers must build from scratch.
What’s New in the Update
Exabeam detailed four pillars of the expansion, each designed to close a specific gap in enterprise AI visibility.
AI-Agent Detection Engine
The new detection engine models the behavioral lifecycle of AI agents, including Microsoft Copilot, custom GPT-based assistants, and third-party agents connecting to enterprise SaaS. It ingests agent-generated telemetry (API calls, authentication events, data access logs) and runs it through Exabeam’s SmartScore threat detection algorithms. The system can spot agents that suddenly escalate permissions, exfiltrate documents to untrusted URLs, or begin interacting with suspicious external models. By mapping these behaviors to known MITRE ATT&CK techniques and to new agent-specific TTPs, Exabeam gives analysts a clear starting point for investigations.
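To make the baseline-and-deviation idea from the two passages above concrete, here is an added example (not Exabeam code, and not real Copilot or Microsoft Graph telemetry). It learns one week of constructed hourly activity for a single agent, then scores a new hour for the three deviations the detection engine is described as catching: a volume spike, a permission scope the agent never used, and an upload to a host it never sent to. The agent id, scope names, resource paths and hosts are all assumed for illustration.

```python
"""Per-agent behavioral baseline and deviation scoring over constructed agent telemetry."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample telemetry (not Exabeam, Copilot or Microsoft Graph log data).
# Record layout: (hour_bucket, agent_id, action, resource, permission_scope, outbound_host)
BASELINE_EVENTS = []
for h in range(24 * 7):  # one learning week of hourly activity for an HR assistant
    BASELINE_EVENTS.append((h, "copilot-hr-bot", "read", "sharepoint://hr/policies", "Sites.Read.All", None))
    BASELINE_EVENTS.append((h, "copilot-hr-bot", "read", "mail://svc-hr/inbox", "Mail.Read", None))
    if h % 24 == 9:  # one report per day to an approved internal host
        BASELINE_EVENTS.append((h, "copilot-hr-bot", "send", "sharepoint://hr/reports/daily.pdf",
                                "Mail.Send", "reports.corp.example"))

# The hour to score: same agent, but a volume spike, a scope it never used,
# a folder it never touched, and an upload to an unapproved host.
WINDOW_EVENTS = [(168, "copilot-hr-bot", "read", f"sharepoint://hr/payroll/{i}.xlsx",
                  "Sites.ReadWrite.All", None) for i in range(40)]
WINDOW_EVENTS.append((168, "copilot-hr-bot", "send", "sharepoint://hr/payroll/export.csv",
                      "Sites.ReadWrite.All", "paste.untrusted.example"))

APPROVED_HOSTS = frozenset({"reports.corp.example"})  # assumed allow-list of egress hosts


@dataclass
class Baseline:
    hourly_mean: float
    hourly_std: float
    scopes: set
    paths: set   # parent paths, so a new file inside a known folder is not an anomaly
    hosts: set


def parent_path(resource):
    return resource.rsplit("/", 1)[0]


def build_baseline(events, agent):
    """Learn per-hour volume statistics and the sets of scopes, paths and hosts an agent uses."""
    per_hour = Counter()
    scopes, paths, hosts = set(), set(), set()
    for hour, actor, _action, resource, scope, host in events:
        if actor != agent:
            continue
        per_hour[hour] += 1
        scopes.add(scope)
        paths.add(parent_path(resource))
        if host:
            hosts.add(host)
    counts = list(per_hour.values())
    return Baseline(mean(counts), pstdev(counts), scopes, paths, hosts)


def score_window(baseline, events, agent, z_threshold=3.0, approved_hosts=APPROVED_HOSTS):
    """Return (finding_kind, detail) pairs for one hour of an agent's activity."""
    agent_events = [e for e in events if e[1] == agent]
    findings = []
    sigma = max(baseline.hourly_std, 1.0)  # floor: a perfectly regular baseline has std 0
    z = (len(agent_events) - baseline.hourly_mean) / sigma
    if z > z_threshold:
        findings.append(("volume_spike", f"{len(agent_events)} events, z={z:.1f}"))
    for _hour, _actor, _action, resource, scope, host in agent_events:
        if scope not in baseline.scopes:
            findings.append(("new_permission_scope", scope))
        if parent_path(resource) not in baseline.paths:
            findings.append(("new_resource_path", parent_path(resource)))
        if host and host not in baseline.hosts and host not in approved_hosts:
            findings.append(("send_to_unseen_host", host))
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    b = build_baseline(BASELINE_EVENTS, "copilot-hr-bot")
    for kind, detail in score_window(b, WINDOW_EVENTS, "copilot-hr-bot"):
        print(f"{kind:22} {detail}")
```

Two design points worth noting: the standard deviation is floored at 1.0 so that a rigidly scheduled agent (std 0) does not produce infinite z-scores on its first extra call, and resources are baselined at the folder level so that routine new files in a known location do not fire, while a never-seen folder such as payroll does.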
Expanded Enterprise AI Telemetry
Visibility has been the Achilles’ heel of AI security. Most SOCs have no unified view of which AI tools employees use, what data flows into them, or what instructions agents receive. Exabeam now ingests telemetry from a broad set of enterprise AI sources: Microsoft Copilot for Windows and Microsoft 365, Azure OpenAI service logs, Amazon Bedrock, Google Vertex AI, and popular standalone tools like ChatGPT Enterprise and Anthropic’s API. This telemetry is normalized into Exabeam’s common information model alongside traditional Windows Event Logs, firewall data, and identity signals, creating a single pane of glass for human and machine behaviors. For Windows administrators, this means the dashboard that already tracks a user’s anomalous login from an unusual location can now also flag an agent that reads from a SharePoint folder it has never touched before.
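The normalization step is where the "single pane" actually comes from, so here is an added example of the adapter pattern (not Exabeam code, and the three raw record layouts are constructed stand-ins, not the real Copilot, Azure OpenAI or Windows Security schemas). Each source gets a small adapter into one common event model, the service account the agent signs in with is folded into the agent's entity id via an assumed mapping, and the result is a single chronological timeline for the agent across a Windows logon (Event ID 4624), a file read and a model call.

```python
"""Normalize constructed AI-telemetry and Windows events into one per-agent timeline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed raw records in three hypothetical formats. These are NOT the real
# Copilot, Azure OpenAI or Windows Security log schemas; only the adapter pattern matters.
RAW_EVENTS = [
    ("copilot", {"time": "2026-07-01T09:12:03Z", "agentId": "copilot-hr-bot", "operation": "FileRead",
                 "target": "sharepoint://hr/payroll/q2.xlsx", "onBehalfOf": "alice@corp.example"}),
    ("azure_openai", {"timestamp": "2026-07-01T09:12:10Z", "callerId": "copilot-hr-bot",
                      "deploymentName": "gpt-hr", "promptTokens": 2400, "completionTokens": 180}),
    ("windows", "2026-07-01T09:11:55Z EventID=4624 TargetUserName=svc-hr-bot LogonType=3 IpAddress=10.20.30.40"),
]

# Assumed identity mapping from the service account an agent signs in with to the agent id.
AGENT_ACCOUNTS = {"svc-hr-bot": "copilot-hr-bot"}


@dataclass(frozen=True)
class NormalizedEvent:
    ts: datetime
    actor: str          # resolved entity id (agent id, not the raw account name)
    actor_type: str     # "agent" | "user"
    action: str
    resource: str
    source: str
    details: dict = field(default_factory=dict, compare=False)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_copilot(raw):
    return NormalizedEvent(_ts(raw["time"]), raw["agentId"], "agent", raw["operation"].lower(),
                           raw["target"], "copilot", {"on_behalf_of": raw["onBehalfOf"]})


def from_azure_openai(raw):
    return NormalizedEvent(_ts(raw["timestamp"]), raw["callerId"], "agent", "model_call",
                           raw["deploymentName"], "azure_openai",
                           {"tokens": raw["promptTokens"] + raw["completionTokens"]})


def from_windows(raw):
    """Parse a constructed key=value rendering of a Windows logon event (4624 is the real ID)."""
    ts, *kv = raw.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    account = fields["TargetUserName"]
    actor = AGENT_ACCOUNTS.get(account, account)   # fold the service account into its agent
    actor_type = "agent" if account in AGENT_ACCOUNTS else "user"
    return NormalizedEvent(_ts(ts), actor, actor_type, f"logon_{fields['EventID']}",
                           fields["IpAddress"], "windows", {"logon_type": fields["LogonType"]})


ADAPTERS = {"copilot": from_copilot, "azure_openai": from_azure_openai, "windows": from_windows}


def normalize(raw_events):
    """Run each raw record through its source adapter and order the result by time."""
    return sorted((ADAPTERS[src](raw) for src, raw in raw_events), key=lambda e: e.ts)


def timeline_for(entity, raw_events):
    """One chronological view of everything a single entity did, across all sources."""
    return [e for e in normalize(raw_events) if e.actor == entity]


if __name__ == "__main__":
    for e in timeline_for("copilot-hr-bot", RAW_EVENTS):
        print(e.ts.isoformat(), e.source, e.action, e.resource)
```

The identity resolution in `from_windows` is the step that matters operationally: without it the logon sits under a service account while the file read sits under the agent name, and the two never land on the same timeline.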
OWASP-Aligned Coverage for LLM Threats
Exabeam has mapped its detection content to the OWASP Top 10 for LLM Applications, the closest thing the industry has to a standard threat taxonomy for generative AI. The alignment covers prompt injection, sensitive information disclosure, insecure output handling, excessive agency, and more. Each analytic gives analysts a direct reference to the relevant OWASP risk, simplifying compliance and board reporting. The company also shipped out-of-the-box correlation rules that combine OWASP-centric agent alerts with classic security events—for instance, tying a suspected prompt injection to a subsequent credential dump attempt on a domain controller.
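The correlation rule described at the end of the paragraph above, as an added example (not Exabeam's shipped content): a prompt injection alert tagged with OWASP LLM01 (Prompt Injection, the first entry in both the 2023 and 2025 editions of the OWASP Top 10 for LLM Applications) is paired with a later credential-access alert on a domain controller from the same principal inside a 30-minute window. The alert stream, rule names, evidence strings and the agent-to-service-account mapping are all constructed for illustration; the code also shows the two cases a correlation rule must reject, a different principal and a match outside the window.

```python
"""Correlate an OWASP LLM01 (prompt injection) alert with a later credential-access alert."""
from datetime import datetime, timedelta, timezone

# Assumed mapping from the service account an agent runs under to the agent entity.
AGENT_ACCOUNTS = {"svc-hr-bot": "copilot-hr-bot"}


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed alert stream (rule names, fields and evidence are hypothetical, not Exabeam content).
ALERTS = [
    {"ts": ts("2026-07-01 09:12:03"), "rule": "llm_prompt_injection_suspected", "owasp": "LLM01",
     "entity": "copilot-hr-bot", "evidence": "instruction-like text in retrieved document"},
    {"ts": ts("2026-07-01 09:26:40"), "rule": "credential_dump_attempt", "entity": "svc-hr-bot",
     "host": "dc01", "evidence": "directory replication request from non-DC"},
    {"ts": ts("2026-07-01 09:30:00"), "rule": "credential_dump_attempt", "entity": "bob",
     "host": "dc01", "evidence": "lsass handle opened"},             # different principal: no match
    {"ts": ts("2026-07-01 11:05:00"), "rule": "credential_dump_attempt", "entity": "svc-hr-bot",
     "host": "dc02", "evidence": "lsass handle opened"},             # outside the window: no match
]


def resolve(entity):
    """Map a raw account name to the agent entity it belongs to, if any."""
    return AGENT_ACCOUNTS.get(entity, entity)


def correlate(alerts, trigger_rule="llm_prompt_injection_suspected",
              followup_rule="credential_dump_attempt", window=timedelta(minutes=30)):
    """Pair each trigger alert with follow-up alerts from the same resolved principal inside the window."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    incidents = []
    for trig in (a for a in ordered if a["rule"] == trigger_rule):
        for follow in ordered:
            if (follow["rule"] == followup_rule
                    and resolve(follow["entity"]) == resolve(trig["entity"])
                    and trig["ts"] < follow["ts"] <= trig["ts"] + window):
                incidents.append({
                    "principal": resolve(trig["entity"]),
                    "owasp": trig["owasp"],
                    "chain": [trig["rule"], follow["rule"]],
                    "host": follow["host"],
                    "delay_s": int((follow["ts"] - trig["ts"]).total_seconds()),
                    "evidence": [trig["evidence"], follow["evidence"]],
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["owasp"], inc["principal"], "->", inc["host"], f"after {inc['delay_s']}s")
```

The composite incident carries both the OWASP reference and the classic Windows evidence, which is what makes it useful for the board-level reporting the text mentions while still giving the analyst the concrete events to pivot on.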
Native Claude Integration
Anthropic’s Claude family of models gains first-class support in the Behavior Intelligence platform. Beyond basic log ingestion, Exabeam is tapping Claude as a force multiplier for SOC analysts. The integration can generate human-readable incident summaries from complex behavioral alerts, propose next steps based on historical playbook data, and answer natural-language queries about ongoing investigations. The AI-assisted analysis is not autonomous; it is meant to shorten mean time to resolution by giving junior analysts expert-level guidance on demand. One caveat a practitioner will want: a model-written summary is only as good as the telemetry behind it, so analysts should confirm the cited events in the raw timeline before acting on a containment recommendation. In demonstrations, Exabeam showed how a query like “Show me every time Agent-Compromised-X accessed customer PII in the last 48 hours and compare it to its pre-incident baseline” returned a ready-to-use report with timelines, outlier metrics, and containment recommendations.
Windows Enterprise Impact
For organizations standardized on Windows, the update plugs directly into existing security stacks. Exabeam supports out-of-the-box log collection for Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 via the Windows Event Log channels, Sysmon, and the Microsoft Defender for Endpoint API. The expanded AI telemetry adds a new category of watchpoints: Copilot activity logs from Windows desktops, Microsoft Entra ID (formerly Azure AD) sign-ins associated with AI-driven automation accounts, and prompt injection attempts captured by Microsoft’s built-in Content Safety filters.
Security teams that have deployed Microsoft Sentinel can federate Exabeam’s AI behavioral detections into their existing workflows. Exabeam’s REST API and bidirectional Sentinel connector let analysts pivot from a Sentinel incident into the Exabeam timeline view to see the full behavioral context, including AI agent actions, without leaving their primary console. This interoperability is critical for large Windows shops that have invested heavily in Microsoft’s security ecosystem but need additional behavioral depth.
A Closer Look at the Technology
Under the hood, Exabeam’s Behavior Intelligence platform runs on a graph-based data model where events from disparate sources are linked by user, device, and now agent. When an AI agent logs into Microsoft Graph to read a user’s mailbox, the platform creates a node for the agent, connects it to the user node, and starts building a behavioral baseline. The SmartScore engine then applies anomaly detection across multiple dimensions: temporal patterns, data access volume, entity relationships, and sequence of actions. A sudden change in any dimension raises the entity’s risk score, and scores are aggregated across all linked entities, so an anomalous agent also lifts the risk of the user and device it is tied to.
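The graph model and cross-entity aggregation described above, as an added example (not Exabeam's SmartScore, and the point values and baseline are constructed). It scores two of the named dimensions, temporal patterns (activity outside the agent's learned active hours) and sequence of actions (an ordered action pair never seen in learning), attaches the points to the agent node, and then propagates decayed risk one hop to the user the agent is linked to while leaving plain resource nodes unaffected. The agent id, user name, hours and bigrams are assumptions for illustration.

```python
"""Entity graph with per-dimension anomaly scores and one-hop risk propagation."""
from collections import defaultdict

# Constructed baseline for one agent (not Exabeam model output): the hours it normally
# runs and the ordered action pairs (bigrams) observed during learning.
BASELINE = {
    "active_hours": set(range(8, 19)),
    "action_bigrams": {("read_mail", "summarize"), ("summarize", "send_mail"),
                       ("read_file", "summarize")},
}

# Observed window for that agent: (hour_of_day, action, counterpart entity, counterpart type)
OBSERVED = [
    (2, "read_file", "sharepoint:hr", "resource"),                   # outside active hours
    (2, "send_mail", "ext:paste.untrusted.example", "resource"),     # read_file -> send_mail never seen
]

TEMPORAL_POINTS = 10   # per event outside the agent's active hours (assumed weight)
SEQUENCE_POINTS = 25   # per action bigram never seen in the baseline (assumed weight)
PROPAGATING_TYPES = {"user", "device", "agent"}   # risk flows only between principals


class EntityGraph:
    def __init__(self):
        self.types = {}
        self.neighbors = defaultdict(set)
        self.own_risk = defaultdict(float)

    def add_entity(self, eid, etype):
        self.types.setdefault(eid, etype)

    def link(self, a, b):
        self.neighbors[a].add(b)
        self.neighbors[b].add(a)

    def aggregated_risk(self, hop_decay=0.5):
        """Own risk plus decayed own risk of directly linked principals."""
        out = {}
        for eid, etype in self.types.items():
            inherited = sum(self.own_risk[n] for n in self.neighbors[eid]
                            if self.types[n] in PROPAGATING_TYPES)
            out[eid] = self.own_risk[eid] + (hop_decay * inherited
                                             if etype in PROPAGATING_TYPES else 0.0)
        return out


def score_temporal(events, baseline):
    return sum(TEMPORAL_POINTS for hour, *_ in events if hour not in baseline["active_hours"])


def score_sequence(events, baseline):
    actions = [e[1] for e in events]
    return sum(SEQUENCE_POINTS for pair in zip(actions, actions[1:])
               if pair not in baseline["action_bigrams"])


def build_graph(agent, owner, observed, baseline):
    """Create agent, owning user and touched resources as nodes; attach dimension scores to the agent."""
    g = EntityGraph()
    g.add_entity(agent, "agent")
    g.add_entity(owner, "user")
    g.link(agent, owner)
    for _hour, _action, counterpart, ctype in observed:
        g.add_entity(counterpart, ctype)
        g.link(agent, counterpart)
    g.own_risk[agent] += score_temporal(observed, baseline) + score_sequence(observed, baseline)
    return g


if __name__ == "__main__":
    graph = build_graph("copilot-hr-bot", "alice", OBSERVED, BASELINE)
    for entity, risk in sorted(graph.aggregated_risk().items(), key=lambda kv: -kv[1]):
        print(f"{entity:30} {graph.types[entity]:9} {risk:6.1f}")
```

Restricting propagation to principal node types is deliberate: a SharePoint site touched by a risky agent should show up in the investigation timeline, but it should not itself accumulate a risk score that then leaks back to every other user who reads it.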
The new AI-agent detections are pre-tuned to reduce false positives. Exabeam has curated them from months of pilot engagements with Fortune 500 customers, many running Windows-centric hybrid clouds. Early testers reported that the agent detection rules surfaced genuine risks, including a custom Copilot agent that started scraping HR databases after a developer accidentally committed the credentials of an over-permissioned app registration to GitHub, without drowning SOCs in phantom alerts.
What This Means for SOC Analysts
The daily reality for most SOCs is reactive firefighting. AI agents add a layer of complexity that few teams are staffed or trained to handle. Exabeam’s update aims to flatten that learning curve. Key operational benefits include:
- Unified behavioral triage: Analysts no longer jump between an AI inventory tool, a cloud access security broker (CASB), and the SIEM to piece together an agent’s actions. Everything lands in a single timeline.
- OWASP-based compliance readiness: For organizations facing audits or insurance requirements around AI governance, the OWASP coverage map gives a clear, industry-accepted benchmark.
- Faster escalation with Claude summaries: Instead of reading through hundreds of raw log lines, analysts get a concise incident report that highlights the who, what, when, and suggested actions, speeding up handoffs to incident response teams.
- Reduced dwell time for agentic attacks: By catching behavioral anomalies early, often before the agent completes its malicious objective, Exabeam says it can cut dwell time from hours or days to minutes.
The Road Ahead
Exabeam’s roadmap, as hinted in the announcement briefings, includes deeper integration with agent identity frameworks and expanded coverage for multi-agent orchestration platforms. The company sees a near future where entire swarms of AI agents negotiate transactions, update codebases, and manage customer data autonomously. Securing those interactions will require real-time behavioral streaming and automated containment, capabilities Exabeam is already prototyping.
For now, the July 1 release marks a critical step toward treating AI agents as first-class entities in enterprise security, right alongside users, endpoints, and servers. Windows enterprise customers, in particular, gain immediate value from pre-built integrations with Microsoft’s AI ecosystem and a detection framework that makes agentic AI threats tangible and actionable. As agentic AI moves from experimental to operational, such behavioral intelligence will separate organizations that contain threats early from those that learn about breaches only after the damage is done.