June 17, 2025

In the ever-evolving landscape of cybersecurity, speed and accuracy are paramount. At Microsoft, we’re continuously investing in ways to help analysts make informed decisions under pressure. One of the most powerful of these is Guided Response: a Copilot-powered capability in Microsoft Defender that walks analysts through step-by-step investigation and response flows. It provides context-aware recommendations tailored to each incident, enabling teams at all levels to respond with precision and scale.
Now, with the integration of TITAN recommendations, Guided Response is taking a leap forward. By bringing in real-time intelligence to prioritize and explain suggested actions, it enables analysts to surface, prioritize, and act on the most relevant threats with clarity and efficiency.
What is TITAN?
TITAN represents a new wave of innovation built on Microsoft threat intelligence capabilities, introducing a real-time, adaptive threat intelligence (TI) graph that integrates first- and third-party telemetry from the unified security operations platform, Microsoft Defender for Threat Intelligence, Microsoft Defender for Experts, and customer feedback. This graph employs guilt-by-association techniques to propagate known TI labels to unknown neighboring entities (e.g., IP, file, email) at machine scale. By analyzing relationships between entities, TITAN can identify attacker infrastructure before it is leveraged in attacks, providing an invaluable window of opportunity to prevent harm.
By leveraging guilt-by-association methods, TITAN can swiftly identify hidden threat actor infrastructure through cross-organizational associations with known malicious entities within the TI graph. Specifically, we employ a semi-supervised label propagation technique that iteratively assigns reputation scores to nodes based on their neighbors’ scores, refining the graph’s score distribution until convergence. These high-confidence entity reputation scores empower the unified security operations platform to implement proactive containment and remediation actions via attack disruption.
A key advantage of our constantly evolving threat intelligence is that we can provide clear and explainable reputation scores for each entity by examining the neighboring entities that contribute to the overall score.
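The propagation and explanation steps described above can be sketched as follows. This is an added example, not Microsoft's TITAN code: it uses generic clamped label propagation on a small constructed graph, and the entity names, edge weights, 0.5 prior and function names are all assumptions.

```python
# Constructed sample TI graph: undirected (entity, entity, weight) edges.
EDGES = [
    ("ip:203.0.113.7", "file:dropper.exe", 1.0),
    ("ip:203.0.113.7", "email:sender@example.test", 1.0),
    ("ip:198.51.100.9", "email:sender@example.test", 1.0),
    ("ip:198.51.100.9", "file:installer.msi", 1.0),
    ("ip:192.0.2.10", "file:installer.msi", 1.0),
]
# Constructed seed labels: 1.0 = known malicious, 0.0 = known benign.
SEEDS = {"file:dropper.exe": 1.0, "ip:192.0.2.10": 0.0}

def build_adjacency(edges):
    adj = {}
    for a, b, w in edges:
        adj.setdefault(a, {})[b] = w
        adj.setdefault(b, {})[a] = w
    return adj

def propagate(edges, seeds, prior=0.5, tol=1e-9, max_iter=1000):
    """Iterate weighted neighbor averaging until scores stop changing."""
    adj = build_adjacency(edges)
    scores = {n: seeds.get(n, prior) for n in adj}  # unknowns start at the prior
    for _ in range(max_iter):
        new, delta = {}, 0.0
        for n, nbrs in adj.items():
            if n in seeds:               # labeled nodes stay clamped to their label
                new[n] = seeds[n]
                continue
            total = sum(nbrs.values())
            new[n] = sum(w * scores[m] for m, w in nbrs.items()) / total
            delta = max(delta, abs(new[n] - scores[n]))
        scores = new
        if delta < tol:                  # converged
            break
    return scores

def explain(edges, scores, node):
    """Per-neighbor share of an unlabeled node's score, largest first."""
    nbrs = build_adjacency(edges)[node]
    total = sum(nbrs.values())
    contrib = {m: w * scores[m] / total for m, w in nbrs.items()}
    return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    s = propagate(EDGES, SEEDS)
    for entity, score in sorted(s.items(), key=lambda kv: -kv[1]):
        print(f"{score:.2f}  {entity}")
    print(explain(EDGES, s, "ip:203.0.113.7"))
```

Scores fall off with distance from the malicious seed, and the per-neighbor breakdown is the kind of evidence an analyst can review before acting on a containment recommendation.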
Why bring TITAN into Security Copilot Guided Response?
Security Copilot Guided Response already provides analysts with a curated set of recommendations. However, TITAN adds a new dimension: real-time, threat-intel-driven recommendations that are grounded in global telemetry and threat actor behavior.
This integration allows us to:
- Expand coverage to incidents that previously lacked actionable context.
- Prioritize recommendations with higher confidence.
- Surface targeted triage and remediation actions based on live threat infrastructure.
How it works
TITAN suggestions are now integrated into Guided Response as both triage and containment recommendations. When an incident contains an entity with known malicious threat intelligence from TITAN, we automatically generate a Guided Response recommendation. This ensures analysts receive prioritized guidance not only on how to triage the incident but also on how to contain specific entities such as:
- IP addresses
- IP ranges
- InternetMessageIds
- Email senders
These recommendations are currently presented as textual insights within Guided Response.
Real-world impact
In early testing, TITAN-powered triage recommendations have shown promising results:
- Increased model accuracy: TITAN’s integration helped boost Guided Response triage accuracy by 8%, with Machine Learning model accuracy rising from 55% to 76%.
- Improved analyst trust: By providing explainable, threat-intel-backed recommendations, analysts can now gain more confidence in the actions they take.
- Faster decision-making: TITAN’s real-time scoring and attribution reduce the time needed to investigate and respond to incidents.
Evolving Guided Response with threat intelligence
TITAN recommendations represent a major step forward in our mission to empower defenders. By combining the scale of Microsoft’s threat intelligence with the precision of Security Copilot’s Guided Response, we’re helping analysts move from reactive to proactive—faster, smarter, and with greater confidence.
Stay tuned for more updates as we continue to evolve this capability. And if you’re already using TITAN recs in your environment, we’d love to hear your feedback.
Learn more
Check out our resources to learn more about our new approach to AI-driven threat intelligence for Guided Response, and our recent security announcements:
- See TITAN in action in the session delivered at Ignite
- Read our blog and conference paper on the TITAN architecture, accepted to KDD 2025, the premier data-mining conference.