CrowdStrike, Cisco and Palo Alto Networks all shipped agentic SOC tools at RSAC 2026 — the agent behavioral baseline gap survived all three
CrowdStrike CEO George Kurtz made a significant revelation during his keynote at the RSA Conference 2026, stating that the fastest recorded adversary breakout time has decreased to a mere 27 seconds. This statistic underscores the critical importance of swift response times for defenders in the face of evolving cyber threats. The average breakout time has also seen a notable decrease from 48 minutes in 2024 to 29 minutes in 2026. This shrinking window of time highlights the urgency for security teams to react effectively before a threat can spread.
CrowdStrike also reported that its sensors have identified over 1,800 distinct AI applications running on enterprise endpoints, totaling nearly 160 million unique application instances. These AI applications generate detection events, identity events, and data access logs that feed into SIEM systems designed for human-speed workflows.
Cisco’s research revealed that 85% of surveyed enterprise customers are currently running AI agent pilots, yet only 5% have transitioned these agents into production. This significant gap underscores the challenges faced by security teams in managing AI agents effectively. The inability to differentiate between agent-initiated and human-initiated activities poses a major hurdle for security operations.
Etay Maor, VP of Threat Intelligence at Cato Networks, emphasized the growing complexity of security threats, particularly in the realm of AI. The proliferation of multiple point solutions for AI applications is contributing to a new wave of security challenges, further complicating the cybersecurity landscape.
One of the key challenges highlighted at the conference is the difficulty in distinguishing between agent and human activity in security logs. Without a deep level of endpoint visibility, compromised agents can execute malicious actions with valid credentials, potentially going undetected. George Kurtz highlighted ClawHavoc, a supply chain attack targeting the AI agent ecosystem, as a prime example of the risks posed by compromised agents.
Two distinct approaches to agentic SOC architectures were discussed at the conference. Approach A integrates AI agents within the SIEM infrastructure, acting on events that have already been ingested, while Approach B moves detection upstream into the data pipeline, before events reach the SIEM, to improve detection and response. Both approaches aim to address the growing complexity of cybersecurity threats posed by AI agents.
Despite the advancements in AI security technologies, a critical gap remains in the lack of an agent behavioral baseline. None of the vendors showcased at the conference have addressed this fundamental need, leaving a significant blind spot in the ability to detect and respond to anomalous agent behavior effectively.
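As an added illustration of the baseline gap described above (example code written for this page, not a product of any vendor named here): a minimal per-agent behavioral baseline built from constructed identity and data-access events, which flags a novel action/resource pair and a per-minute rate burst for an agent identity. The `principal_type` tag, the principal names and the storage paths are assumptions; a real pipeline would derive the agent/human distinction from the credential or token type.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (minute, principal, principal_type, action, resource).
# principal_type "agent" is an assumed tag derived from the credential type.
BASELINE_EVENTS = (
    [(m, "svc-summarizer", "agent", "read", "s3://reports/daily") for m in range(0, 60, 5)]
    + [(m, "svc-summarizer", "agent", "read", "s3://reports/weekly") for m in range(0, 60, 15)]
    + [(m, "alice", "human", "read", "s3://reports/daily") for m in range(0, 60, 20)]
)
DETECTION_EVENTS = [
    (60, "svc-summarizer", "agent", "read", "s3://reports/daily"),
    (61, "svc-summarizer", "agent", "read", "s3://hr/payroll"),      # never seen
    (62, "svc-summarizer", "agent", "write", "s3://reports/daily"),  # new verb
    (63, "svc-summarizer", "agent", "read", "s3://reports/daily"),
    (63, "svc-summarizer", "agent", "read", "s3://reports/daily"),
    (63, "svc-summarizer", "agent", "read", "s3://reports/daily"),   # burst
    (64, "alice", "human", "read", "s3://hr/payroll"),               # human: out of scope
]


def build_baseline(events, window=60):
    """Per agent principal: observed (action, resource) pairs and per-minute rate stats."""
    pairs, counts = defaultdict(set), defaultdict(lambda: [0] * window)
    for minute, principal, ptype, action, resource in events:
        if ptype == "agent":  # humans have their own UEBA; the gap is agent identities
            pairs[principal].add((action, resource))
            counts[principal][minute % window] += 1
    return {p: {"pairs": pairs[p], "mean": mean(counts[p]), "stdev": pstdev(counts[p])}
            for p in pairs}


def detect(events, baseline, sigma=3.0):
    """Return (minute, principal, reason) for agent activity outside its baseline."""
    findings, per_minute = [], defaultdict(int)
    for minute, principal, ptype, action, resource in events:
        if ptype != "agent":
            continue
        prof = baseline.get(principal)
        if prof is None:  # an agent identity that was never inventoried
            findings.append((minute, principal, "agent not in inventory"))
            continue
        per_minute[(principal, minute)] += 1
        if (action, resource) not in prof["pairs"]:
            findings.append((minute, principal, f"novel {action} on {resource}"))
    for (principal, minute), n in per_minute.items():  # rate check per principal-minute
        prof = baseline[principal]
        if n > prof["mean"] + sigma * prof["stdev"]:
            findings.append((minute, principal, f"rate burst: {n} events/min"))
    return sorted(findings)
```

With the sample data, the baseline rate for `svc-summarizer` is about 0.27 events/min, so three reads in minute 63 clear the three-sigma threshold while the single reads in minutes 60 to 62 do not.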
In conclusion, the RSA Conference 2026 shed light on the evolving cybersecurity landscape and the challenges posed by AI agents. Security leaders are urged to take proactive steps to enhance their defense mechanisms, including conducting thorough inventories of AI agents, implementing systems to differentiate between agent and human activity, and building robust agent supply chain security measures. The decisions made in the coming months will determine the resilience of SOC operations in the face of rapidly evolving threats.