Elastic AI Agent, skills, and tools in Elastic Security

Starting in version 9.4, Elastic Security centers on a single default Elastic AI Agent that you extend with modular skills. Each skill packages domain-specific instructions, a curated set of tools, and context for a SOC workflow so you don't switch between separate agents for hunting, triage, or response.

| Layer | What it is | In Elastic Security |
| --- | --- | --- |
| Agent | The AI you chat with. It reasons, follows instructions, and uses tools. | The default is the Elastic AI Agent. |
| Skill | Specialized instructions, tools, and context for one domain. | Security skills you can enable, such as threat hunting or alert triage. |
| Tool | A specific action the agent can run, such as querying data, opening a case, or running a workflow. | Built-in tools shared across skills; the same tool can appear in more than one skill. |

You talk to the agent in natural language. The agent picks tools based on your request, the skills you turned on, and its instructions. You don't invoke tools directly.

Refer to Skills in Elastic Agent Builder and Agents for how to assign skills to an agent in the Kibana UI or via the Skills APIs.

In the Elastic Agent Builder documentation for Elastic Stack 9.3 and earlier, Elastic Security documented a separate built-in agent, the Threat Hunting Agent. That standalone agent is deprecated starting in 9.4. Threat hunting workflows now use the Elastic AI Agent with the Threat Hunting skill enabled. For migration guidance, refer to the Threat Hunting Agent section in the built-in agents reference.

Elastic AI Assistant is the legacy in-product assistant embedded across Elastic Security workflows. Elastic Agent Builder is the platform for configurable agents, tools, and skills. Skills and tools in Elastic Agent Builder replace the older split between broad capabilities and one-off workflows. For how skills relate to tools and prompts, refer to Skills in Elastic Agent Builder.

You can enable multiple skills for the agent. The agent decides which skill context and tools apply based on your request.

Yes. For supported deployment tiers and how to author your own skill, refer to Skills in Elastic Agent Builder and the Skill creation guidelines.