Tech and Science

CrowdStrike, Cisco and Palo Alto Networks all shipped agentic SOC tools at RSAC 2026 — the agent behavioral baseline gap survived all three

Last updated: April 3, 2026 11:46 am

Contents
  • Agents look identical to humans in your logs
  • Two agentic SOC architectures, one shared blind spot
  • The gap no vendor closed
  • Five things to do Monday morning

At the RSA Conference 2026, CrowdStrike CEO George Kurtz revealed that the fastest adversary breakout time is now only 27 seconds, while the average time has decreased to 29 minutes from 48 minutes in 2024. This is the critical window defenders have before threats can spread. CrowdStrike sensors now monitor over 1,800 distinct AI applications across enterprise endpoints, capturing nearly 160 million unique application instances. Each instance produces detection and identity events, as well as data access logs, which enter SIEM systems designed for human-speed workflows.

According to Cisco, 85% of enterprise customers surveyed have initiated AI agent pilots, but only 5% have transitioned to production, as noted by Cisco President and Chief Product Officer Jeetu Patel in his RSAC blog post. The gap exists because security teams struggle to answer basic questions about their agents: which ones are active, what permissions they hold, and who is accountable when something goes wrong.

“The primary threat is security complexity, which is also emerging in AI,” said Etay Maor, VP of Threat Intelligence at Cato Networks, during RSAC 2026. Maor, a 16-year conference attendee, noted, “We’re adopting multiple point solutions for AI, leading to a new wave of security complexity.”

Agents look identical to humans in your logs

In many default logging setups, activities initiated by agents appear similar to those initiated by humans. “It’s indistinguishable when an agent runs Louis’s web browser versus Louis himself,” said Elia Zaitsev, CTO of CrowdStrike, in an exclusive interview at RSAC 2026. Differentiating requires examining the process tree. “I can trace the process tree to determine if this Chrome process was launched by Louis on the desktop or by his Claude Cowork or ChatGPT application, indicating agent control.”
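The process-tree check Zaitsev describes, as an added example that is not CrowdStrike's code: a constructed process snapshot is walked from a Chrome process up to the root, and the process is classified as agent-launched if any ancestor is a known agent application (the agent binary names and the snapshot are assumptions made for the example).

```python
# Added example, not CrowdStrike's code: classify a process as agent-launched
# or human-launched by walking its ancestry in a constructed process snapshot.
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Agent application names are assumptions for the example, not a vendor list.
AGENT_BINARIES = {"claude-cowork", "chatgpt-desktop", "openclaw"}

# Constructed snapshot, roughly what an EDR sensor records (pid, ppid, name).
SNAPSHOT = [
    Proc(1, 0, "launchd"),
    Proc(200, 1, "loginwindow"),
    Proc(300, 200, "Finder"),
    Proc(410, 300, "Google Chrome"),         # launched by the user from the desktop
    Proc(500, 200, "claude-cowork"),         # agent application
    Proc(510, 500, "Google Chrome"),         # launched by the agent
    Proc(511, 510, "Google Chrome Helper"),
]

def lineage(pid, snapshot):
    """Ancestor chain from pid up to the root, starting with pid itself."""
    by_pid = {p.pid: p for p in snapshot}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-guard stops a malformed cycle
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def controlling_agent(pid, snapshot):
    """Name of the nearest agent in the lineage, or None if human-launched."""
    for proc in lineage(pid, snapshot):
        if proc.name.lower() in AGENT_BINARIES:
            return proc.name
    return None

def classify(pid, snapshot):
    """'agent' if the process or any ancestor is an agent binary, else 'human'."""
    return "agent" if controlling_agent(pid, snapshot) else "human"

if __name__ == "__main__":
    for pid in (410, 511):
        print(pid, classify(pid, SNAPSHOT), controlling_agent(pid, SNAPSHOT))
```

The same Chrome binary appears twice in the snapshot; only the lineage tells them apart, which is the point of the quote above.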

Without this visibility at the endpoint level, compromised agents executing authorized API calls with valid credentials trigger no alerts. Adversaries are already probing this attack surface. In his keynote, Kurtz discussed ClawHavoc, the first significant supply chain attack on an AI agent ecosystem, targeting ClawHub, OpenClaw’s public skills registry. A February audit by Koi Security found 341 malicious skills out of 2,857; Antiy CERT’s follow-up analysis identified 1,184 compromised packages historically. ClawHub now hosts 13,000 skills. These infected skills contained backdoors, reverse shells, and credential harvesters; some erased their own memory post-installation and could remain dormant before activation. “The frontier AI creators will not secure themselves,” Kurtz stated. “The frontier labs are following the same playbook. They’re building it. They’re not securing it.”


Two agentic SOC architectures, one shared blind spot

Approach A: AI agents inside the SIEM. Cisco and Splunk have introduced six specialized AI agents for Splunk Enterprise Security: Detection Builder, Triage, Guided Response, Standard Operating Procedures (SOP), Malware Threat Reversing, and Automation Builder. Currently, Malware Threat Reversing is available in Splunk Attack Analyzer, and Detection Studio is available as a unified workspace; the other five agents are in alpha or prerelease until June 2026. Exposure Analytics and Federated Search follow the same timeline. Cisco’s DefenseClaw framework scans OpenClaw skills and MCP servers before deployment, while new Duo IAM capabilities extend zero trust to agents with verified identities and time-bound permissions.

“The biggest barrier to widespread adoption in enterprises for business-critical tasks is establishing sufficient trust,” Patel told VentureBeat. “The difference between delegating and trusted delegating is that one can lead to bankruptcy, and the other to market dominance.”

Approach B: Upstream pipeline detection. CrowdStrike has integrated analytics into the data ingestion pipeline, incorporating its Onum acquisition into Falcon’s ingestion system for real-time analytics, detection, and enrichment before events reach analysts. Falcon Next-Gen SIEM now natively ingests Microsoft Defender for Endpoint telemetry, eliminating the need for additional sensors for Defender users. CrowdStrike also introduced federated search across third-party data stores, and a Query Translation Agent that converts legacy Splunk queries to ease SIEM migration.

Falcon Data Security for the Agentic Enterprise applies cross-domain data loss prevention to data agents’ runtime access. CrowdStrike’s adversary-informed cloud risk prioritization links agent activity in cloud workloads to the same detection pipeline. Agentic MDR through Falcon Complete provides managed detection at machine speed for teams unable to build this capability internally.

“The agentic SOC is about keeping up,” said Zaitsev. “There’s no conceivable way to do it without agentic assistance.”

CrowdStrike has opened its platform to external AI providers through Charlotte AI AgentWorks, announced at RSAC 2026, allowing customers to build custom security agents on Falcon using frontier AI models. Launch partners include Accenture, Anthropic, AWS, Deloitte, Kroll, NVIDIA, OpenAI, Salesforce, and Telefónica Tech. IBM validated buyer demand through a collaboration integrating Charlotte AI with its Autonomous Threat Operations Machine for coordinated, machine-speed investigation and containment.

The ecosystem contenders. Palo Alto Networks, in a pre-RSAC briefing with VentureBeat, outlined Prisma AIRS 3.0, extending its AI security platform to agents with artifact scanning, agent red teaming, and a runtime that catches memory poisoning and excessive permissions. The company introduced an agentic identity provider for agent discovery and credential validation. Once Palo Alto Networks finalizes its acquisition of Koi, it will add agentic endpoint security. Cortex delivers agentic security orchestration across its customer base.


Intel announced that CrowdStrike’s Falcon platform is being optimized for Intel-powered AI PCs, using neural processing units and silicon-level telemetry to detect agent behavior. Kurtz described AIDR, AI Detection and Response, as the next step beyond EDR, tracking agent-speed activity across endpoints, SaaS, cloud, and AI pipelines. He projected that “humans will have 90 agents working for them on average” as adoption increases, without specifying a timeline.

The gap no vendor closed

| What security leaders need | Approach A: agents inside the SIEM (Cisco/Splunk) | Approach B: upstream pipeline detection (CrowdStrike) | Gap neither closes |
|---|---|---|---|
| Triage at agent volume | Six AI agents manage triage, detection, and response within Splunk ES | Onum-powered pipeline detects and enriches threats before analysts see them | Neither establishes a baseline for normal agent behavior before identifying anomalies |
| Agent vs. human differentiation | Duo IAM tracks agent identities but doesn’t differentiate agent from human activity in SOC telemetry | Process tree lineage distinguishes at runtime. AIDR extends to agent-specific detection | No vendor’s capabilities include an out-of-the-box agent behavioral baseline |
| 27-second response window | Guided Response Agent executes containment at machine speed | In-pipeline detection reduces queue volume. Agentic MDR adds managed response | Human-in-the-loop governance has not been reconciled with machine-speed response in either approach |
| Legacy SIEM portability | Native Splunk integration maintains existing workflows | Query Translation Agent converts Splunk queries. Native Defender ingestion facilitates Microsoft shop migration | Neither addresses teams running multiple SIEMs during migration |
| Agent supply chain | DefenseClaw scans skills and MCP servers pre-deployment. Explorer Edition red-teams agents | EDR AI Runtime Protection catches compromised skills post-deployment. Charlotte AI AgentWorks allows custom agents | Neither covers the full lifecycle. Pre-deployment scanning misses runtime exploits and vice versa |

The matrix highlights an overlooked issue not addressed in the keynotes: no vendor has delivered an agent behavioral baseline. Both approaches automate triage and enhance detection, yet neither defines normal agent behavior in an enterprise setting.

Microsoft Sentinel and Security Copilot users represent a third architecture not formally introduced at RSAC, but CISOs in Microsoft-heavy environments should evaluate whether Sentinel’s native agent telemetry ingestion and Copilot’s automated triage address the identified gaps.


Maor warned that vendors are repeating a familiar pattern he has observed for 16 years. “I hope we don’t repeat the cycle,” he told VentureBeat. “It doesn’t seem like we’ve learned from the past.”

Zaitsev’s advice was straightforward: “You already know what to do. You’ve known it for years. It’s time to act.”

Five things to do Monday morning

These steps apply regardless of your SOC platform. None require replacing existing tools. Begin with visibility, then add controls as agent volume increases.

  1. Inventory every agent on your endpoints. CrowdStrike detects 1,800 AI applications across enterprise devices. Cisco’s Duo Identity Intelligence discovers agentic identities. Palo Alto Networks’ agentic IDP catalogs agents and associates them with human owners. If you use a different platform, start with an EDR query for known agent directories and binaries. Policies can’t be set for unknown agents.

  2. Determine whether your SOC stack can differentiate agent from human activity. CrowdStrike’s Falcon sensor and AIDR do this through process tree lineage. Palo Alto Networks’ agent runtime detects memory poisoning at execution. If your tools lack this capability, your triage rules rely on incorrect behavioral models.

  3. Match the architectural approach to your current SIEM. Splunk users gain agent capabilities through Approach A. Teams considering migration get pipeline detection with Splunk query translation and native Defender ingestion through Approach B. Palo Alto Networks’ Cortex offers a third option. Microsoft Sentinel, Google Chronicle, Elastic, or other platform users should see if their SIEM can handle agent-specific telemetry at this level.

  4. Build an agent behavioral baseline before your next board meeting. No vendor provides one. Define authorized agent actions: which APIs, data stores, actions, and times. Create detection rules for anything outside these parameters.

  5. Pressure-test your agent supply chain. Cisco’s DefenseClaw and Explorer Edition scan and red-team agents pre-deployment. CrowdStrike’s runtime detection catches compromised agents post-deployment. Both layers are essential. Kurtz stated in his keynote that ClawHavoc compromised over a thousand ClawHub skills with self-erasing malware. If your playbook doesn’t cover an authorized agent performing unauthorized actions at machine speed, revise it.
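Step 4's baseline, as an added example that is not any vendor's code: one hypothetical agent is given an allowed set of APIs, data stores, actions and hours, and constructed audit events are checked against it, with an agent absent from the inventory (step 1) treated as a finding in itself. The agent name, baseline values and events are all assumptions made for the example.

```python
# Added example, not any vendor's code: a minimal agent behavioral baseline
# (allowed APIs, data stores, actions, hours) and the rule that flags deviations.
from datetime import datetime

# Constructed baseline for one hypothetical agent; every value is an assumption.
BASELINES = {
    "invoice-bot": {
        "apis": {"erp.invoices", "erp.vendors"},
        "data_stores": {"s3://finance-invoices"},
        "actions": {"read", "create"},
        "hours": range(7, 20),      # local hours in which the agent is expected to run
    },
}

def evaluate(event, baselines):
    """Deviations for one audit event; an empty list means it is in baseline."""
    base = baselines.get(event["agent_id"])
    if base is None:
        return ["unknown agent"]    # step 1: an agent not in the inventory can't be policed
    findings = []
    for key, allowed in (("api", "apis"), ("data_store", "data_stores"), ("action", "actions")):
        if event[key] not in base[allowed]:
            findings.append(f"{key} {event[key]} not authorized")
    hour = datetime.fromisoformat(event["ts"]).hour
    if hour not in base["hours"]:
        findings.append(f"activity at {hour:02d}:00 outside expected hours")
    return findings

# Constructed audit events: an in-baseline read, an off-hours export from a
# foreign store via an unauthorized API, and an agent missing from the inventory.
EVENTS = [
    {"ts": "2026-04-03T09:15:00", "agent_id": "invoice-bot", "api": "erp.invoices",
     "data_store": "s3://finance-invoices", "action": "read"},
    {"ts": "2026-04-03T02:40:00", "agent_id": "invoice-bot", "api": "hr.payroll",
     "data_store": "s3://hr-records", "action": "export"},
    {"ts": "2026-04-03T10:00:00", "agent_id": "shadow-agent", "api": "erp.invoices",
     "data_store": "s3://finance-invoices", "action": "read"},
]

def scan(events, baselines):
    """Map each deviant event's index to its findings, ready to feed a detection rule."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e, baselines))}

if __name__ == "__main__":
    for i, findings in scan(EVENTS, BASELINES).items():
        print(EVENTS[i]["agent_id"], findings)
```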

The SOC was originally designed to protect humans using machines. Now it must protect machines using machines. The response window has been reduced from 48 minutes to 27 seconds. An agent that triggers an alert is now a suspect in its own right, not merely a sensor reporting one. The choices security leaders make in the next 90 days will determine if their SOC adapts to this new reality or gets overwhelmed by it.
