ChannelLife New Zealand - Industry insider news for technology resellers
Jon Ramsey

Exclusive: Google Cloud on the road to autonomous SecOps

Sat, 25th Apr 2026 (Today)

Google Cloud has released three agentic AI capabilities for its security operations platform at its Next 2026 conference, automating core analyst tasks including threat detection engineering, threat hunting, and third-party context gathering. This path is eventually intended to lead Google toward an autonomous security operations centre (SOC).

Detection reimagined

The detection engineering agent is designed to close the gap between raw threat intelligence and a customer's configured defences. The agent examines a customer's SecOps deployment, assesses whether existing rules would catch a newly identified threat, and - where gaps exist - generates and installs new detection rules automatically. It then produces synthetic logs to validate that those rules are functioning correctly.

"We take what it learns from what a threat is doing, and the Detection Engineering Agent then looks at a customer's deployment of SecOps to see if they can detect that threat. If they can't, it will generate rules to be able to do the detections, add the rules to SecOps, and then it'll generate synthetic logs that will play through the system to be able to validate that those rules are active," said Jon Ramsey, VP and GM, Google Cloud Security.

Previously, that workflow was handled manually by detection engineers working through intelligence feeds, writing rules, and continuously refining them to manage the balance between true and false positives. "What used to take a day or two or three, now takes 30 minutes," said Ramsey.
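To make the loop described above concrete, here is an added toy model of it (coverage check, rule generation, then validation by replaying synthetic logs). This is illustrative code written for this page, not Google SecOps code; the threat profile, log schema and predicate-style rules are all constructed assumptions.

```python
"""Toy detection-engineering loop: check coverage, add a rule, validate it
with synthetic logs. Rule format and log schema are invented for the example."""
from typing import Callable

Rule = Callable[[dict], bool]

# Constructed threat profile standing in for a threat-intelligence finding:
# a process launched with a marker argument the intel associates with the threat.
THREAT = {"name": "encoded_powershell", "process": "powershell.exe",
          "arg_marker": "-EncodedCommand"}

# Constructed existing rule set; it only covers a different behaviour.
RULES: dict[str, Rule] = {
    "suspicious_rundll32": lambda e: e.get("process") == "rundll32.exe",
}

def synthetic_logs(threat: dict) -> list[dict]:
    """Produce one event mimicking the threat and one benign look-alike, each
    tagged with the verdict a correct rule must give (fire / stay silent)."""
    positive = {"process": threat["process"],
                "cmdline": f'{threat["process"]} {threat["arg_marker"]} QQBCAEMA'}
    benign = {"process": threat["process"],
              "cmdline": f'{threat["process"]} -File backup.ps1'}
    return [dict(positive, expected=True), dict(benign, expected=False)]

def covered(rules: dict[str, Rule], threat: dict) -> bool:
    """Coverage check: does any deployed rule fire on the threat sample?"""
    sample = synthetic_logs(threat)[0]
    return any(rule(sample) for rule in rules.values())

def generate_rule(threat: dict) -> Rule:
    """Derive a rule from the threat profile (a real agent would emit a rule in
    the platform's own rule language; here it is a plain predicate)."""
    return lambda e: (e.get("process") == threat["process"]
                      and threat["arg_marker"] in e.get("cmdline", ""))

def validate(rule: Rule, threat: dict) -> bool:
    """Replay the synthetic logs; pass only if every event gets its expected
    verdict, so the rule both detects the threat and avoids a false positive."""
    return all(rule(e) == e["expected"] for e in synthetic_logs(threat))

def detection_engineering(rules: dict[str, Rule], threat: dict) -> tuple:
    """Full loop. Returns (already_covered, rule_added, validated)."""
    if covered(rules, threat):
        return True, False, True
    rule = generate_rule(threat)
    ok = validate(rule, threat)
    if ok:
        rules[threat["name"]] = rule  # install only rules that passed validation
    return False, ok, ok
```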

Hunting and context

The second agent, the Threat Hunting Agent, uses the same threat intelligence to proactively search customer log data for signs that a threat has already established a presence in the environment. "We take the same intelligence and we create a plan; in that plan are searches, to be able to go and look in the customers' logs to see if there's any presence of that threat, and then bring that forward as an alert to our customers," said Ramsey.

Logs are currently the primary data source for the agent, though Ramsey indicated that in an agentic world with MCP, options for deeper data access are extensive.

The third capability is the Third-party Context Agent. During an investigation, this agent automatically retrieves contextual information about entities - such as user accounts - from external systems including Workday and ServiceNow, pulling in details such as last login time and location. Previously, analysts would either manually log in to retrieve that data, or rely on pre-built automation scripts. "Now the agent can make a decision on what it thinks it needs based on what it sees in the alert and in the investigation, and go grab it on behalf of the analyst," said Ramsey.

All three agents are currently in preview, with general availability expected for all SecOps customers.

Wiz integration

Less than a month after the Wiz acquisition closed, Ramsey confirmed that integration work is already under way. Wiz, which operates in the exposure management space, had already built integrations with SecOps prior to the acquisition. "When an analyst is looking at an alert, they can go and look and see, is there an exposure somewhere that leads to an asset in the customer environment, and if it does, then I need to take the reaction to it very, very quickly," said Ramsey, adding that Wiz provides critical context for analysts making decisions on next steps.

Building trustworthy agents

On the internal development side, Ramsey confirmed the widely cited Google statistic that 75% of the company's code is now AI-generated. But building the agents themselves, he said, is less about writing code than about what the team internally calls "hill climbing": iterative quality tuning to make agents reliable enough to release.

"A quarter of that time was writing code, and three quarters of it was hill climbing," said Ramsey, referring specifically to the triage and investigation agent. "The last mile is the steepest part of the hill, the hardest to climb. And so it gets progressively harder as the quality bar goes up."

Mandiant Threat Defence - Google Cloud's managed security service, which provides threat hunting and SecOps augmentation for customers who lack in-house capability - also serves as an incubation environment for new agentic capabilities. Partners operating within the Google Unified Security (GUS) ecosystem have tight integrations with SecOps via Content Hub, enabling customers to onboard third-party data feeds with a single click.

The cybersecurity talent shortage remains a persistent challenge. "The cybersecurity space - we still need more capable engineers. We still need more capable operators, researchers, incident responders," said Ramsey.

Google Cloud's SecOps engineering teams are distributed globally, with personnel in the US, Spain, Israel, and India, partly reflecting the geographic footprint inherited through acquisitions.

"It's a fun time to be in security," said Ramsey.