The platform your AI and your SOC actually agree on

Vendor-mandated AI that hides its logic is a liability, not a feature. Elastic's AI runs on your data, not beside it. Model-agnostic, transparent, and auditable across every stage of the SOC lifecycle.

The AI basics worth knowing

These two terms get used loosely. Here's exactly what they mean.

  • What is an agent?

    An agent is a system built around a large language model (LLM) that plans and acts, not just answers. It calls tools, connects to services, and loops until the task is done.

    For example: Create custom agents with Elastic Agent Builder that use tools, connect to services via MCP (Model Context Protocol), and use reasoning to plan each step.

  • What are skills?

    A skill is a packaged, reusable set of instructions that teaches an agent how to do one specific thing.

    For example: Cursor and Claude Code use SKILL.md files.

PREBUILT ELASTIC SKILLS

One agent, all the skills you need

One agent, Elastic AI Agent. Modular skills. No sprawl. Configure it for your role and work from a single interface — whether you're triaging alerts, hunting threats, or managing incident response.

  • TRIAGE, INVESTIGATION, AND RESPONSE

    Alert analysis

    Investigates a specific alert or triage queue. Fetches alert context, finds related alerts by shared entities, correlates with Elastic Security Labs threat intelligence, and recommends a disposition with severity assessment.

  • UEBA

    Entity analytics

    Finds and profiles hosts, users, and services across your environment. Analyzes risk scores, asset criticality, and historical behavior to surface the entities that need attention first.

  • PROACTIVE DEFENSE

    Threat hunting

    Runs hypothesis-driven hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, behavioral baseline comparison, and lateral movement tracking — mapped to MITRE ATT&CK.

  • BEHAVIORAL ANALYSIS

    Anomaly detection

    Surfaces behavior flagged by ML jobs — abnormal access patterns, unexpected logins, lateral movement, suspicious domains, and large data transfers — without manual log review.

  • DETECTION ENGINEERING

    Detection rule edit

    Builds and edits detection rules from natural language. Describe the threat and the agent configures severity, MITRE ATT&CK mappings, schedule, query, and index patterns. Review, adjust, deploy.

  • ENDPOINT HEALTH

    Automatic troubleshooting

    Diagnoses endpoints not reporting, policy failures, enrollment problems, and incompatible antivirus for Elastic Defend. Queries endpoint data and returns structured findings with remediation steps.

Two modes, one platform

Skills run automatically via Elastic Workflows and can be invoked on demand via chat through Elastic Agent Builder. The analyst stays in control.

  • AUTOMATIC · VIA WORKFLOWS

    Always-on automation

    Skills run automatically via Elastic Workflows. Triage scores every alert as it fires; hunts run continuously. No analyst action is required to keep them running, and their findings are queued for the analyst to review.

  • ON-DEMAND · AGENT BUILDER UI

    Chat-driven intelligence

    Any skill can be invoked through Elastic Agent Builder. Ask the Threat hunting skill to investigate a suspicious IP. Ask the Detection rule edit skill to write a rule. The analyst drives, AI executes.

You're in good company

See how companies like yours use Elastic Security's AI features.

  • Customer spotlight

    Proficio achieved 60% growth with Elastic, using AI agents to cut investigation time by 34% and unlock $1 million in projected savings over three years.

  • Customer spotlight

    Airtel improved cyber posture with Elastic’s AI capabilities, boosting SOC efficiency by 40% and accelerating investigations by 30%.

  • Customer spotlight

    AHEAD cut triage time by 73% and automated 92% of resolutions with Elastic Security, holding MTTR under seven minutes for industry-leading response.

Model-agnostic by design

Use any model — on-premises or hosted by any major cloud provider. Your region, your cloud, your infrastructure.

OpenAI | Anthropic | Amazon | Google | Elastic Managed

Don't see your model? The Open Inference API connects to any OpenAI‑compatible provider.

Frequently asked questions

What's the difference between an agent and a skill?

An agent plans and acts — it decides what to do next, calls tools, and loops until the task is done. A skill is what it knows how to do. In Elastic Security, one agent, the Elastic AI Agent, can run all available skills: alert analysis, entity analytics, threat hunting, anomaly detection, detection rule editing, automatic troubleshooting, and more as the catalog grows.

What is the AI black-box tax?

It's the cost of trusting AI you can't see into — vendor-mandated models with no transparency, no model choice, and no way to validate decisions made on your behalf. When AI is making security decisions about triage, investigation, and response, and you can't audit its logic, that's not automation. That's risk.

How does Elastic avoid the AI black-box tax?

Elastic is model-agnostic — bring your own LLM or run one on-premises for air-gapped environments. Every AI decision is transparent and auditable: see the prompts, inspect the queries, edit the workflows. Elastic Security Labs threat intelligence feeds directly into the skills, so you know exactly what the agent is reasoning from. No hidden logic, no vendor lock-in.

How does Elastic Security use AI for threat detection?

Elastic Security uses agentic AI to detect, investigate, and respond — not just flag. When an alert fires, the agent fetches context, correlates related alerts by shared entities, queries Elastic Security Labs threat intelligence, and recommends a disposition. Analysts get a finished case, not a queue of raw alerts.
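
Added example, in Python, of the alert-analysis loop described in this answer and in the "Alert analysis" skill above: link an alert to others by shared entity values, match its network entities against a threat-intelligence list, and return a disposition with the evidence that produced it. This is not Elastic's code and not how Elastic AI Agent is implemented; the alert records, the IOC feed, the ECS-style field names and the disposition thresholds are all constructed assumptions.

```python
"""Minimal alert-triage skill: related-alert correlation by shared entities,
IOC enrichment, and a disposition recommendation with an auditable rationale.
Added example, not Elastic's code; every alert and indicator below is constructed."""
from __future__ import annotations

# Entity fields that link alerts together (assumption: ECS-style field names).
ENTITY_FIELDS = ("host.name", "user.name", "source.ip", "destination.ip")

# Constructed alert stream (fictional hosts, users and addresses).
ALERTS = [
    {"id": "a1", "rule": "Suspicious PowerShell Download Cradle", "severity": "medium",
     "host.name": "ws-042", "user.name": "jdoe", "source.ip": "10.1.4.42",
     "destination.ip": "203.0.113.7"},
    {"id": "a2", "rule": "New Scheduled Task Created", "severity": "low",
     "host.name": "ws-042", "user.name": "jdoe", "source.ip": "10.1.4.42",
     "destination.ip": None},
    {"id": "a3", "rule": "Remote Logon via SMB", "severity": "low",
     "host.name": "srv-db-01", "user.name": "jdoe", "source.ip": "10.1.4.42",
     "destination.ip": "10.1.9.5"},
    {"id": "a4", "rule": "Failed Logon Burst", "severity": "low",
     "host.name": "ws-117", "user.name": "svc-backup", "source.ip": "10.1.6.117",
     "destination.ip": None},
]

# Constructed threat-intel feed (fictional indicators; stands in for a real feed).
IOCS = {"ip": {"203.0.113.7": "known C2 address (fictional)"}}


def find_related(alerts, alert_id):
    """Return (other_alert, shared_fields) for every alert sharing an entity value."""
    target = next(a for a in alerts if a["id"] == alert_id)
    related = []
    for other in alerts:
        if other["id"] == alert_id:
            continue
        shared = [f for f in ENTITY_FIELDS
                  if target.get(f) is not None and target.get(f) == other.get(f)]
        if shared:
            related.append((other, shared))
    return related


def intel_hits(alert, iocs):
    """Match the alert's network entities against the IOC feed."""
    hits = []
    for f in ("source.ip", "destination.ip"):
        v = alert.get(f)
        if v in iocs["ip"]:
            hits.append((f, v, iocs["ip"][v]))
    return hits


def recommend(alerts, iocs, alert_id):
    """Recommend a disposition and severity, with an evidence list the analyst can check.

    Thresholds are an assumption: an IOC match escalates; the same entity chain spanning
    more than one host is treated as possible lateral movement; related alerts on a single
    host warrant investigation; an isolated alert keeps its own severity and is closed.
    """
    target = next(a for a in alerts if a["id"] == alert_id)
    related = find_related(alerts, alert_id)
    hits = intel_hits(target, iocs)

    evidence = [f"related {o['id']} ({o['rule']}) via {', '.join(shared)}"
                for o, shared in related]
    evidence += [f"IOC match on {f}={v}: {ctx}" for f, v, ctx in hits]

    hosts = {target["host.name"]} | {o["host.name"] for o, _ in related}
    if hits:
        disposition, severity = "escalate", "critical" if len(hosts) > 1 else "high"
    elif len(hosts) > 1:
        disposition, severity = "investigate", "high"
    elif related:
        disposition, severity = "investigate", "medium"
    else:
        disposition, severity = "close", target["severity"]
    return {"alert": alert_id, "disposition": disposition,
            "severity": severity, "evidence": evidence}


if __name__ == "__main__":
    for a in ALERTS:
        r = recommend(ALERTS, IOCS, a["id"])
        print(f"{r['alert']}: {r['disposition']} ({r['severity']})")
        for line in r["evidence"]:
            print("   -", line)
```

The `evidence` list is the part that matters for the auditability this page claims: a recommended disposition is only as trustworthy as the chain of shared entities and indicator matches behind it, so a skill should hand the analyst that chain together with the verdict rather than a bare severity.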

Can I customize the AI skills or build my own?

Yes. Elastic's built-in security skills are composable and can invoke each other. You can also build custom skills in Agent Builder — package your own instructions and give the agent capabilities specific to your environment. Open detection rules, open schema, and a public MCP server mean no lock-in.

Is the analyst still in control of AI-driven investigations?

Always. The agent investigates, correlates, and stages a response — the analyst reviews and approves. Elastic's agentic security operations model puts humans at the top of the loop, not out of it. Every AI decision is transparent and auditable.