Agent Skills for Elastic: Turn your AI agent into an Elastic expert

Give your AI coding agent the knowledge to query, visualize, secure, and automate with Elastic Agent Skills.

Agent Builder is now generally available (GA). Get started with an Elastic Cloud Trial, and check out the documentation for Agent Builder here.

Every developer, site reliability engineer (SRE), or analyst who has tried to use an AI coding agent with a specialized platform has hit the same wall. You ask the agent to write a query, configure an alert, or investigate something, and it gets close but not right. Elastic has an advantage here: over a decade of documentation, blog posts, and community answers means AI agents already know Elastic better than most data platforms. But that depth comes with noise. Deprecated APIs sit alongside current ones. Outdated patterns rank as highly as best practices. The agent confidently reproduces an approach that worked three versions ago, because in its training data, it did. The result is a correction tax: users manually feed documentation into context, fix hallucinated syntax, and work around the agent instead of with it. Worse, advanced capabilities go unused entirely, not because users don't need them, but because the agent doesn't know they exist.

That's why we’re open-sourcing Elastic Agent Skills: native platform expertise for Elasticsearch, Kibana, Elastic Observability, and Elastic Security. Drop them into the agent runtime you already use, and your agent goes from a ‘generalist’ that guesses at a lot of syntax to one with expertise, such as the ability to use many of the same architectural standards as Elastic’s own engineering teams. This initial technical preview release focuses on skills with maximum compatibility for Elastic Cloud Serverless, but it will evolve quickly to include improved support for older stack releases.

In addition, Elastic is solving this problem from both sides. For agents on the Elastic platform, Elastic Agent Builder (now generally available) lets you create and chat with AI agents that inherit your data's access controls, use built-in search and analysis tools, and work in context alongside your dashboards, alerts, and investigations. We're working hard to ensure amazing agentic experiences in the Elastic platform. But not every agent lives inside Elastic. Your team already uses Cursor, Claude Code, or other runtimes, and those agents need to get Elastic right, too. That's where Agent Skills come in.

Why agents struggle with specialized platforms

Large language models (LLMs) are remarkably capable generalists. They can write Python, explain Kubernetes manifests, and refactor React components because their training data is rich with examples. But when it comes to platform-specific work, the kind that involves proprietary query languages, deep API surfaces, and domain-specific best practices, they fall short in predictable ways.

For Elasticsearch, the gap shows up concretely:

  • Elasticsearch Query Language (ES|QL) is new territory. LLMs are trained heavily on SQL, but ES|QL is a piped query language with different syntax, different functions, and different semantics. Agents frequently write queries that look plausible but don't parse. They confuse WHERE with | WHERE, invent functions that don't exist, and miss the pipe-based composition model entirely.
  • API surfaces are wide and deep. Elasticsearch, Kibana, and Elastic Security expose hundreds of APIs across search, ingestion, alerting, detection rules, case management, dashboards, and more. An agent armed with nothing but general training data has to guess which endpoint to call, what the request body looks like, and how to handle the response. It guesses wrong often enough to erode trust.
  • Best practices aren't in the training data. When should you use semantic_text versus a custom embedding pipeline? How should you structure an ingest pipeline for a 10GB CSV? What's the right detection rule syntax for a MITRE ATT&CK technique? General-purpose agents don't have curated, reliably structured Elastic-specific knowledge loaded by default. They'd have to go find it, and even if they did, raw docs don't always encode the judgment calls and best practices that skilled practitioners carry.

The result: Developers spend more time fixing agent output than they would have spent writing the code themselves. That's not the experience anyone signed up for.

Agent Skills: Platform knowledge, packaged for agents

Agent Skills are self-contained directories of instructions, scripts, and reference material that agent runtimes can load dynamically. When a skill is active, the agent has access to the right context at the right time: query syntax, API patterns, validation logic, worked examples, so it can complete tasks correctly on the first try.

Each skill follows the open agentskills.io specification: a folder with a SKILL.md file containing metadata and structured instructions. No proprietary format, no lock-in. Skills work across agent runtimes, including Cursor, Claude Code, GitHub Copilot, Windsurf, Gemini CLI, Cline, Codex, and many more.

What's in the initial v0.1.0 release

The first set of skills spans five areas of the Elastic Stack:

  • Interacting with Elasticsearch APIs (search, indexing, cluster management)
  • Building and managing Kibana content such as dashboards, alerts, connectors, and more
  • Domain expertise for Elastic Observability
  • Domain expertise for Elastic Security
  • Making effective agents in Agent Builder

Skills are composable

Skills aren't monolithic. They're modular by design. Your agent loads only the skills relevant to the task at hand. Working on an ES|QL query? The ES|QL skill activates. Need to build a dashboard from those results? The dashboards skill picks up. Assessing the health of your application? The service health skill comes into play. Investigating a security alert? The triage skill chains into case management and response skills as the investigation progresses.

This composability means that you don't need a single, massive prompt that tries to cover everything. Each skill carries exactly the context its domain requires, nothing more, nothing less.

For developers building search and AI applications

If you're loading data into Elasticsearch, writing queries, or migrating indices, skills reduce the cycle of generating code, hitting errors, and searching docs for what went wrong.

Ask your agent to load a CSV file, and it uses a streaming ingestion tool that handles backpressure and infers mappings from the data. It’s not a hand-rolled _bulk loop that runs out of memory on the first large file. Ask it to query with ES|QL, and it discovers your actual index names and field schemas, then writes valid piped queries with correct syntax, appropriate aggregations, and version-aware feature selection, not a SQL-flavored guess that requires three rounds of debugging. Ask it to reindex across clusters, and it follows the full operational workflow: creates the destination with explicit mappings, tunes settings for throughput, runs the job async, and restores production settings when it finishes, not a bare _reindex call that skips half the steps an experienced operator would follow.

Instead of an agent that gives you a plausible starting point you have to fix, you get one that encodes the operational discipline that makes the output actually work.

Example impacts of using Elastic Agent Skills

Eval | What the skill changed
es-audit-query-failed-logins | Used the audit log query patterns from the skill instead of generic search
es-authz-role-mapping-ldap | Emitted the correct role mapping API call structure
esql-basic-query | Wrote ES|QL pipe syntax over Query DSL
esql-error-handling | Schema first instead of guessing field names
esql-schema-discovery | Never guessed an index name
es-ingest-csv-with-infer | Used --infer-mappings alone, avoided combining with --source-format csv which causes an empty index
es-ingest-json-file | Used robust ingestion approach capable of handling large files
es-reindex-local-async | Created destination index first with replicas: 0 and refresh_interval: "-1", then async reindex. Baseline skipped any prep
es-security-403-privileges | Followed the skill's diagnostic workflow for privilege errors instead of generic advice
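
The reindex workflow described above and in the es-reindex-local-async row, sketched as an added example (not code from the Elastic skills): it creates the destination with explicit mappings and bulk-load settings, starts the copy as a background task, polls it, and restores production settings even when the copy fails. The `send` transport, `FakeCluster`, and the index names are assumptions for illustration, and the cluster is assumed to allow these index settings to be changed.

```python
import time

BULK_LOAD = {"number_of_replicas": 0, "refresh_interval": "-1"}

def reindex_async(send, source, dest, mappings, production, poll_seconds=5.0):
    """Create dest, copy source into it as a background task, restore settings.
    `send(method, path, body) -> dict` is a caller-supplied transport (hypothetical)."""
    # 1. Explicit mappings, with replicas and refresh off while the copy runs.
    send("PUT", f"/{dest}", {"settings": {"index": dict(BULK_LOAD)},
                             "mappings": mappings})
    try:
        # 2. Start the copy without holding the HTTP request open.
        task = send("POST", "/_reindex?wait_for_completion=false",
                    {"source": {"index": source}, "dest": {"index": dest}})["task"]
        # 3. Poll the task API until it reports completion.
        status = send("GET", f"/_tasks/{task}", None)
        while not status.get("completed"):
            time.sleep(poll_seconds)
            status = send("GET", f"/_tasks/{task}", None)
        result = status.get("response", {})
        if status.get("error") or result.get("failures"):
            raise RuntimeError(f"reindex task {task} did not finish cleanly")
        return result
    finally:
        # 4. Restore production settings on success and on failure alike.
        send("PUT", f"/{dest}/_settings", {"index": production})

class FakeCluster:
    """Constructed stand-in for a cluster: records calls, completes on the Nth poll."""
    def __init__(self, polls_needed=2, failures=()):
        self.calls, self.polls, self.polls_needed = [], 0, polls_needed
        self.failures = list(failures)

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if path.startswith("/_reindex"):
            return {"task": "node1:42"}
        if path.startswith("/_tasks/"):
            self.polls += 1
            done = self.polls >= self.polls_needed
            return {"completed": done,
                    "response": {"created": 3, "failures": self.failures}}
        return {"acknowledged": True}
```

Leaving the destination at zero replicas with refresh disabled after a failed copy is the state the `finally` block guards against.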

For security teams

Security teams repeat the same operational workflows daily: triaging alerts, tuning detection rules, managing cases. Agent Skills encode that procedural knowledge so your AI agent can execute these workflows correctly, calling the right APIs in the right order with the right field names. For a hands-on walkthrough that takes you from zero to a fully populated Elastic Security environment without leaving your IDE, see Get started with Elastic Security from your AI agent.

For observability and operations teams

The new Agent Skills for Elastic Observability reduce the operational toil of instrumenting complex systems, managing SLOs, sifting through complex data, and assessing service health. Embedding native Elastic expertise directly into AI agents allows teams to execute complex observability workflows using simple natural language. This empowers SREs and Ops teams to resolve incidents faster and maintain reliable systems more easily. Learn more in this blog.

Open source, open spec, community-driven

We're releasing Agent Skills under the Apache 2.0 license because we believe that agent knowledge should be open. The agentskills.io specification that skills follow is an open standard, not an Elastic proprietary format. We want skills to be a community effort, not a walled garden.

Part of a bigger picture

Agent Skills is one piece of a broader initiative to make Elasticsearch the most agent-friendly data platform available. For agents that live on the Elasticsearch platform, Agent Builder goes further by inheriting your data's access controls and permissions, providing built-in and custom tools for search and analysis, and letting users interact with agents in context alongside their dashboards, alerts, and investigations. Finally, support for skills is coming soon to Agent Builder, giving developers the flexibility to use Elastic Agent Skills as well as skills from any other source to enable secure, context-enhanced chat and automation on the Elasticsearch platform.

For agents that live everywhere else, we're investing in the open ecosystem:

  • Model Context Protocol (MCP) server expansion: Extending the MCP endpoint in Agent Builder with more tools beyond the current search, ES|QL, and index operations.
  • Authentication improvements: Making it easier for agents to connect securely, with the goal of eliminating manual API key copy-paste.
  • LLM-readable documentation: Publishing llms.txt and AGENTS.md files so agents can discover and understand Elastic APIs on their own.
  • A command line interface (CLI) for agent workflows: Command-line tooling that makes connection management and common operations agent-friendly.

Skills are the layer you can use today. The rest is coming.

Get started

Before you get started: AI coding agents operate with real credentials, real shell access, and often the full permissions of the user running them. When those agents are pointed at security workflows, the stakes are higher: you're handing an automated system access to detection logic, response actions, and sensitive telemetry. Every organization's risk profile is different. Before enabling AI-driven security workflows, evaluate what data the agent can access, what actions it can take, and what happens if it behaves unexpectedly.

Install Elastic Agent Skills into your agent runtime:

npx skills add elastic/agent-skills

This auto-detects your installed agent runtimes and places skills in the correct configuration directory. From there, your agent picks them up automatically.

You can also browse the skills catalog directly and install individual skills manually by copying the skill folder into your agent's configuration directory.
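
Because a skill folder carries instructions and scripts that an agent with your credentials will act on, it is worth inventorying one before copying it into place. The following is an added example, not part of the Elastic project: it checks that SKILL.md has frontmatter, hashes every file so the reviewed content can be pinned, and lists files that can run. The `name` and `description` keys, the suffix list, and the sample skill are assumptions.

```python
import hashlib, re, stat, tempfile
from pathlib import Path

FRONTMATTER = re.compile(r"\A---\r?\n(.*?)\r?\n---\r?\n", re.S)
RUNNABLE = {".sh", ".py", ".js", ".ts", ".rb", ".ps1"}  # assumption: suffixes worth a manual read

def read_frontmatter(text):
    """Top-level `key: value` pairs from the leading --- block (no YAML library)."""
    m = FRONTMATTER.match(text)
    if not m:
        return {}
    pairs = (ln.split(":", 1) for ln in m.group(1).splitlines()
             if ":" in ln and not ln.startswith((" ", "\t", "#")))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def audit_skill(skill_dir):
    """Inventory one skill folder: metadata gaps, SHA-256 per file, runnable files."""
    root = Path(skill_dir)
    report = {"skill": root.name, "findings": [], "files": {}, "runnable": []}
    skill_md = root / "SKILL.md"
    if skill_md.is_file():
        meta = read_frontmatter(skill_md.read_text(encoding="utf-8"))
        # Assumption: the spec's metadata includes `name` and `description`.
        report["findings"] += [f"frontmatter lacks {k}"
                               for k in ("name", "description") if not meta.get(k)]
    else:
        report["findings"].append("missing SKILL.md")
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():  # a link can point outside the reviewed folder
            report["findings"].append(f"symlink: {rel}")
        elif path.is_file():
            report["files"][rel] = hashlib.sha256(path.read_bytes()).hexdigest()
            if path.suffix in RUNNABLE or path.stat().st_mode & stat.S_IXUSR:
                report["runnable"].append(rel)
    return report

def make_sample_skill(parent):
    """Constructed sample skill, for demonstration only."""
    root = Path(parent) / "sample-skill"
    (root / "scripts").mkdir(parents=True)
    (root / "SKILL.md").write_text(
        "---\nname: sample-skill\ndescription: Constructed sample\n---\n# Steps\n")
    (root / "scripts" / "ingest.sh").write_bytes(b"#!/bin/sh\necho constructed\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_skill(make_sample_skill(tmp)))
```

Storing the report alongside the installed copy lets a later run show whether any instruction or script changed since it was reviewed.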

Don't have an Elasticsearch cluster yet? Start an Elastic Cloud free trial. It takes about a minute to get a fully configured environment.

Explore the project:
