Intezer Launches SOC Operating Layer for AI Agents
The protocol integration provides frontier AI models with direct access to normalized forensic data to accelerate cybersecurity triage.
- By Jesse Jacobs
- Jun 22, 2026
A new software framework aims to help enterprise organizations integrate generative artificial intelligence into their security operations centers.
Intezer announced a redesigned Model Context Protocol server developed to supply autonomous tools with structured security context. The integration provides frontier AI assistants, including Anthropic Claude, OpenAI Codex and Cursor, with direct access to forensic data gathered from the automated triage of network alerts.
Plugging generative AI platforms directly into raw security detection feeds often yields inconsistent and unreliable outcomes, while building custom data pipelines remains cost-prohibitive for many enterprises. The new operating layer is designed to act as a system of record, collecting and normalizing data across various security layers before the information reaches the AI workspace.
The system ingests alerts from endpoint detection and response, network detection and response, security information and event management, identity, cloud and email security platforms. It then executes forensic analysis to deliver automated verdicts. According to company data, the autonomous layer handles the initial volume to scale down data feeds, allowing connected AI models to inherit historical context when executing response actions or generating incident reports.
By routing data through a unified protocol layer rather than individual tool connectors, security teams can use the connected AI models to write automated tuning rules for false positives, cross-reference user login histories during anomalous travel alerts and sweep enterprise networks for newly discovered threat indicators.
The integration architecture is currently available to existing customers, allowing organizations to maintain localized ownership of case histories, triage logic and internal detection rules within their own network instances.