
Commvault and Microsoft: The Rise of AI Agents in ResOps

Introducing Commvault Security Investigation Agent, which can help analysts investigate potential threats.


Key Takeaways

  • Security must scale like Agent Smith: In The Matrix, Agent Smith multiplied rapidly to overwhelm Neo. Security teams face a similar challenge today as threats and signals grow faster than analyst capacity. AI-enabled security agents help teams scale investigations without needing to scale headcount.
  • Correlating signals improves investigation confidence: The Commvault Security Investigation Agent correlates backup intelligence with security signals from platforms like Netskope, CrowdStrike, and Palo Alto Networks to determine whether threats discovered in backup data also impacted production systems.
  • Cyber resilience will become agent-driven: The Commvault Security Investigation Agent is the first step toward a future where specialized AI agents assist security teams with investigations, recovery decisions, and faster restore workflows.

Introduction

In The Matrix, there’s a moment that feels surprisingly relevant to today’s technology landscape. Agent Smith discovers he can duplicate himself. One becomes many, and suddenly Neo is surrounded by an army of identical agents operating simultaneously.

In many ways, that scene mirrors the world we’re entering today with agentic AI. Across industries, and especially in cybersecurity, we’re beginning to see the rise of specialized AI agents that can work independently, scale rapidly, and assist humans in ways that were previously impossible. But unlike Agent Smith’s relentless takeover, the goal of these agents isn’t domination. It’s defense.

Scaling while Breaking Down Silos

Security operations today face a fundamental scaling problem. The number of systems, signals, and security tools continues to grow, but the number of analysts does not.

Organizations now ingest telemetry from endpoint security platforms, network defenses, cloud monitoring tools, and identity protection systems. Each of these tools generates its own alerts and dashboards, often operating in isolation from one another. The result is an overwhelming amount of data spread across disconnected silos.

It’s tempting to assume the solution is simply hiring more analysts, but anyone who has managed large teams knows that adding people introduces its own challenges. As teams grow, communication becomes more complex, coordination slows down, and the efficiency of investigations often decreases.

What security teams really need is not just more people, but more intelligence and automation to help analysts move faster and see the bigger picture.

One of the most persistent silos in security operations has been the divide between backup systems and security tools. Traditionally, security teams monitor production environments through their security information and event management tools while backup environments operate in a separate console.

Backup data is often only examined after an incident occurs, when organizations are already deep in recovery mode. Yet attackers increasingly target backup systems precisely because they know they are critical to recovery.

Ransomware operators frequently encrypt production systems, attempt to corrupt backups, or leave malicious artifacts hidden inside protected datasets. This means that backup environments often contain valuable evidence of an attack, but that intelligence has historically been difficult for security teams to access and correlate with other signals.

The New Security Investigation Agent

Commvault’s new integration with Microsoft Sentinel and Microsoft Security Copilot is designed to close that gap. Through this integration, Commvault Cloud events can be streamed directly into the Sentinel Data Lake, bringing backup telemetry into the same analytical environment as endpoint, network, and cloud security signals.

Instead of existing in isolation, backup activity now can be analyzed alongside the broader security ecosystem. But the real power of this integration comes from the introduction of the Commvault Security Investigation Agent.

The Security Investigation Agent helps analysts investigate potential threats by correlating signals discovered in backup environments with signals coming from other security platforms. When an analyst provides the hostname of a server, the agent gathers security events generated by Commvault Threat Scan and Risk Analysis, including backup anomalies, encryption events that may indicate ransomware activity, malware detected inside protected datasets, and backups that contain sensitive data.

The agent then correlates those events with telemetry from other security tools organizations already rely on, such as Netskope, CrowdStrike, and Palo Alto Networks. By analyzing activity across these platforms together, the agent can help determine whether suspicious behavior identified in backup data also appears in production environments.
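As an added illustration (not Commvault's code and not the agent's actual logic), the following constructed example shows the kind of hostname-keyed correlation the paragraphs above describe: backup findings for a host are matched against production signals inside a time window, and the outcome states whether the backup evidence is corroborated elsewhere. The field names, event types and hostnames are assumptions, not the Commvault, Sentinel or partner connector schemas.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (assumption): illustrative fields and event types only.
BACKUP_EVENTS = [  # what a backup-side threat scan might report for protected hosts
    {"host": "FS01.corp.example", "time": "2026-03-04T02:10:00", "type": "encryption_anomaly"},
    {"host": "fs01.corp.example", "time": "2026-03-04T02:40:00", "type": "malware_in_backup"},
    {"host": "db02.corp.example", "time": "2026-03-04T03:00:00", "type": "sensitive_data"},
]
PRODUCTION_EVENTS = [  # what EDR / network tools might report for the same estate
    {"source": "edr", "host": "fs01", "time": "2026-03-04T01:55:00", "type": "ransomware_behavior"},
    {"source": "firewall", "host": "fs01", "time": "2026-03-03T20:00:00", "type": "c2_beacon"},
    {"source": "edr", "host": "web03", "time": "2026-03-04T02:00:00", "type": "ransomware_behavior"},
]


def canon(host):
    """Short, lower-case hostname so FQDN, NetBIOS and mixed-case forms from different tools match."""
    return host.split(".")[0].lower()


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(hostname, backup=BACKUP_EVENTS, production=PRODUCTION_EVENTS, window_hours=6):
    """Return the backup findings for one host, the production events that corroborate them
    within the time window, and a verdict an analyst can act on."""
    key = canon(hostname)
    findings = [e for e in backup if canon(e["host"]) == key]
    corroborating = []
    for f in findings:
        t = parse(f["time"])
        for p in production:
            if canon(p["host"]) != key:
                continue
            if abs(parse(p["time"]) - t) <= timedelta(hours=window_hours) and p not in corroborating:
                corroborating.append(p)
    if not findings:
        verdict = "no_backup_findings"
    elif corroborating:
        verdict = "corroborated_in_production"  # backup evidence has a second, independent signal
    else:
        verdict = "backup_only"  # worth a look, but no production signal inside the window yet
    return {"host": key, "backup_findings": findings, "corroborating": corroborating, "verdict": verdict}
```

The hostname normalisation matters in practice: backup tools often log an FQDN while endpoint agents report a short or upper-case name, and an unnormalised join silently drops the corroborating events.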

How Do You Get the Agent?

Let’s first walk you through how you can start with our first agent focused on security investigations. Then we’ll share how we plan to rapidly spawn new agents – just like Agent Smith – so customers can take control of investigations, recovery decisions, and restore operations, giving security and operations teams the intelligence they need to respond faster and recover with confidence.

Configure the Connector

Before we can enable the Commvault Security Investigation Agent, you will need to install and configure the Commvault Cloud connector.

  1. Installation: Instructions for how to install the Commvault Cloud Solution, along with permissions and prerequisites, are here.

Screenshot: Installation details for the Commvault Cloud Data Connector in the Microsoft Sentinel Content Hub.

  2. Configuration: Once installed, configuration details are here.

Use Commvault Security Investigation Agent

Once the Commvault Cloud connector is installed, you can use the new Security Investigation Agent.

  1. Go to https://securitycopilot.microsoft.com/agents.
  2. Search for “Commvault Security Investigation Agent.”
  3. Click on “Set up” Agent.
  4. Click on “Go to Agent.”
  5. Click on “Run” => “One time.”
  6. Provide the “Hostname” for the host you’d like help investigating, and click “Submit.”
     Note: The hostname is the name of the server to check for events from Commvault and partners such as Netskope, CrowdStrike, and Palo Alto Networks.
  7. The agent will run and you will get a detailed analysis and recommendations as a result.

Screenshot: The detailed analysis of the Commvault Security Investigation Agent being run on a host that is part of an investigation.

Conclusion

The Matrix may have dramatized the idea of multiplying agents, but it captured an important truth about scale. When Agent Smith multiplied, the dynamics of the fight changed entirely.

Cybersecurity is undergoing a similar shift. Attackers are increasingly leveraging automation and AI to scale their operations. The only way defenders can keep pace is by scaling their own capabilities through intelligent systems that augment human expertise.

With the integration between Commvault, Microsoft Sentinel, and Microsoft Security Copilot – and with the introduction of the Commvault Security Investigation Agent – we are beginning to see what that future looks like. It’s a world where security operations are no longer constrained by silos, where investigations move faster, and where AI-enabled agents work alongside analysts to strengthen cyber resilience across the entire environment.

Over the coming year, Commvault plans to introduce additional agents – just like Agent Smith multiplying in The Matrix – that can help security teams run Commvault Threat Scan, spin up Cleanroom environments for SOC analysts to safely investigate incidents, and accelerate recovery by identifying the safest data to restore.

We’re also excited to collaborate with Microsoft to enable customers to use Microsoft Foundry to build and extend their own agents, allowing them to tailor automation and investigations to their unique environments.

By combining Commvault’s deep cyber resilience capabilities with Microsoft’s AI and security ecosystem, we’re helping organizations move toward a future where intelligent agents help analysts investigate faster, break down silos, and strengthen resilience across the entire environment.


FAQs

Q: What are AI agents in security operations (SecOps/ResOps)?
A: AI agents are specialized, autonomous tools that assist security teams by analyzing data, correlating signals, and supporting investigations. They operate alongside human analysts to help accelerate decision-making and improve response times across complex environments.

Q: Why is scaling security operations such a challenge today?
A: Security teams face an explosion of alerts and data from multiple tools, while analyst headcount grows slowly. This imbalance creates bottlenecks, making it difficult to investigate threats efficiently without automation and intelligent assistance.

Q: How does the Commvault Security Investigation Agent improve threat investigations?
A: The agent correlates backup data with signals from security platforms like CrowdStrike, Netskope, and Palo Alto Networks. This combined view helps enable analysts to determine whether threats detected in backups also impacted production systems, increasing confidence in investigations.

Q: What problem does integrating backup data into security workflows solve?
A: Backup environments often contain critical evidence of attacks but have historically been siloed from security tools. Integrating this data helps enable teams to analyze threats holistically, uncover hidden risks, and make more informed recovery decisions.

Q: How can organizations start using the Commvault Security Investigation Agent?
A: Organizations need to install and configure the Commvault Cloud connector within Microsoft Sentinel. Once set up, the agent can be accessed through Microsoft Security Copilot to run investigations by simply providing a hostname.

Q: What does the future of AI agents in cyber resilience look like?
A: The future points toward multiple specialized agents helping handle investigations, recovery planning, and restore operations. These agents will help break down silos, accelerate response, and enable more resilient security operations across the entire environment.

Ritu Singh is Senior Product Manager and Rich Vorwaller is Director, Product Management, at Commvault.
