Welcome to our quarterly look at the latest innovations within Google Security Operations. In Q1 2026, we focused on enhancing AI-driven automation, expanding our global footprint, and providing granular control over data management and compliance.
The Agentic SOC
AI remains a core strategic pillar, with several key updates reaching preview status to help analysts respond faster and more effectively.
Agentic Automation (Public Preview):
This enhancement lets you add AI agent steps to new and existing playbooks alongside deterministic automation. The hybrid approach keeps analysts in control of critical actions while AI is adopted progressively. With this release, organizations can run the Triage and Investigation Agent inside a playbook and use its outputs, such as verdict and confidence level, in subsequent playbook steps to drive decision-making, remediation workflows, or alert closure. Learn more
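As an added illustration of the hybrid pattern described above (this is example code, not Google SecOps playbook code), the following deterministic "gate" step consumes an agent's triage output and decides what the later playbook steps are allowed to do. Only alert closure runs unattended; anything that changes production state is staged for human approval, and malformed agent output falls through to review. The field names `verdict` and `confidence`, the action names, the thresholds and the sample alerts are all assumptions for the example.

```python
# Added example, not code from Google SecOps or its playbook engine.
# A deterministic gate step that consumes a triage agent's output (verdict and
# confidence) and decides what later playbook steps may do. The field names
# "verdict" and "confidence", the action names and the thresholds are assumed.
from dataclasses import dataclass
from typing import Any, Dict, List

# Actions a later playbook step could take. Only CLOSE_ALERT runs unattended.
CLOSE_ALERT = "CLOSE_ALERT"
HOLD_FOR_REVIEW = "HOLD_FOR_REVIEW"
ESCALATE = "ESCALATE_TO_ANALYST"
REQUEST_CONTAINMENT = "REQUEST_CONTAINMENT_APPROVAL"

# Thresholds are owned by the SOC, not by the model, so they can be tuned and
# audited independently of the agent.
AUTO_CLOSE_MIN_CONFIDENCE = 0.90
CONTAINMENT_MIN_CONFIDENCE = 0.70
AUTO_CLOSE_SEVERITIES = {"INFORMATIONAL", "LOW"}


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    unattended: bool  # True only when no human approval is required


def gate(agent_output: Dict[str, Any], alert_severity: str) -> Decision:
    """Map an agent verdict to a playbook action, failing closed to human review."""
    verdict = str(agent_output.get("verdict", "")).upper()
    confidence = agent_output.get("confidence")

    # bool is a subclass of int in Python; reject it explicitly along with
    # anything that is not a probability. Malformed output never automates.
    if (isinstance(confidence, bool) or not isinstance(confidence, (int, float))
            or not 0.0 <= confidence <= 1.0):
        return Decision(HOLD_FOR_REVIEW, "confidence missing or out of range", False)

    if verdict == "FALSE_POSITIVE":
        if (confidence >= AUTO_CLOSE_MIN_CONFIDENCE
                and alert_severity.upper() in AUTO_CLOSE_SEVERITIES):
            return Decision(CLOSE_ALERT, f"false positive at confidence {confidence:.2f}", True)
        return Decision(HOLD_FOR_REVIEW, "false positive below auto-close bar or severity too high", False)

    if verdict == "TRUE_POSITIVE":
        # Containment changes production state: the playbook stages it, but a
        # human approves it regardless of how confident the agent is.
        if confidence >= CONTAINMENT_MIN_CONFIDENCE:
            return Decision(REQUEST_CONTAINMENT, f"true positive at confidence {confidence:.2f}", False)
        return Decision(ESCALATE, "true positive with low confidence", False)

    return Decision(HOLD_FOR_REVIEW, f"unrecognised verdict {verdict!r}", False)


def run_gate(alerts: List[Dict[str, Any]]) -> Dict[str, int]:
    """Apply the gate to a batch and count outcomes; handy when tuning thresholds."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        decision = gate(alert["agent"], alert["severity"])
        counts[decision.action] = counts.get(decision.action, 0) + 1
    return counts


# Constructed sample agent outputs for the example; not real alerts.
SAMPLE_ALERTS = [
    {"severity": "LOW", "agent": {"verdict": "FALSE_POSITIVE", "confidence": 0.97}},
    {"severity": "HIGH", "agent": {"verdict": "FALSE_POSITIVE", "confidence": 0.97}},
    {"severity": "HIGH", "agent": {"verdict": "TRUE_POSITIVE", "confidence": 0.82}},
    {"severity": "MEDIUM", "agent": {"verdict": "TRUE_POSITIVE", "confidence": 0.40}},
    {"severity": "LOW", "agent": {"verdict": "FALSE_POSITIVE"}},             # no confidence
    {"severity": "LOW", "agent": {"verdict": "maybe", "confidence": 0.99}},   # unknown verdict
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["severity"], gate(alert["agent"], alert["severity"]))
    print(run_gate(SAMPLE_ALERTS))
```

The point of keeping the thresholds and the allow-list of unattended actions outside the agent is that they are reviewable configuration: a change to what the playbook may do on its own shows up in version control, not in a prompt.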
SecOps Labs for Enterprise (Public Preview, Enterprise and Enterprise+):
This dedicated sandbox allows early testing of features. Run Google SecOps Gemini and other intelligence experiments without disrupting your production systems, and benefit from their output. Learn more
SecOps OneMCP (Public Preview):
SecOps OneMCP lets first-party and third-party AI agents interact with Google SecOps to orchestrate enterprise defense. Through OneMCP, agents can perform actions such as listing cases, retrieving UDM events, and managing detection rules. Learn more
Emerging Threat Center (GA):
The Emerging Threat Center in SecOps helps customers immediately determine whether their environment is affected by new critical intelligence published by Google Threat Intelligence (GTI), turning the starting point of threat-hunting workflows into a proactive, curated journey. As new campaigns are published, Gemini processes the reports, determines existing detection coverage, and suggests new rules to add to Curated Detections. With GA, customers get expanded feed filtering, MITRE ATT&CK matrix visualization, enhanced entity context panels, and improved GTI IoC categories. Learn more | Blog
Triage and Investigation Agent (TINA) (GA):
TINA helps SecOps users respond to alerts faster by providing a True Positive or False Positive disposition for each alert, backed by a summary of the alert and a step-by-step explanation of the autonomous investigation it performs using Mandiant best practices, in 60 to 70 seconds on average. With GA, customers will see UI updates that improve usability, improved tooling and SecOps integrations, and enhanced administration controls. Learn More
Compliance & Data Sovereignty
As high-compliance teams face increasing regulatory pressure, we are providing more robust tools to protect sensitive data.
EKM with CMEK Support (GA):
Google SecOps is now "Cloud EKM ready", so customers can hold their own encryption keys in an external key manager and use them as customer-managed encryption keys (CMEK). Sensitive data stays protected even if the connection to the external key drops, and the system is designed to meet high-compliance requirements without becoming fragile. As with any externally held key, key availability is an operational dependency: if the external key is unreachable or revoked, data encrypted under it cannot be decrypted until access is restored, so key-manager uptime and key-rotation procedures belong in the operational runbook. Learn more
Data Management and Enterprise Readiness
Efficiency and autonomy in data lifecycle management are critical for enterprise-scale operations.
GA Launch of v2 Feeds:
v2 feeds now use Storage Transfer Service (STS), which accelerates ingestion of large data volumes from object and file storage such as Amazon S3 and Azure Blob Storage into Google SecOps. Learn more
Self-Serviced Tenant Wipeout (GA):
Customers now have full autonomy to initiate the deprovisioning of their SecOps tenants. This process includes a secure "Soft Delete" with a 12-day grace period before a permanent "Hard Delete" occurs. Learn more
Unified Feature RBAC (GA):
This launch consolidates access management by migrating legacy SOAR Permission Groups to Google Cloud IAM, giving a single place to manage feature-level access across Google SecOps. Learn more.
Data Ingestion Burst Limits:
We have updated the documentation to clarify ingestion burst limits, the operational "speed limits" derived from a customer's purchased annual volume. Learn more
Intel-Led Proactive Security Outcomes
Our detection engineering updates focus on visibility and granular control over rule execution.
Rule Observability Updates (GA):
New metadata is now attached to every detection and alert object, so analysts can tell whether an alert was produced by a primary rule run or by a "rule replay". Learn more
Unified Rule Management (Open Private Preview):
This update provides a single dashboard for browsing and managing both custom and curated rules. Analysts can now view the YARA-L text of curated rules, toggle individual rule statuses, and run advanced searches by MITRE ATT&CK technique. Learn more
Global Regional Expansion
We continue to expand our global availability to meet residency commitments.
South Africa, Indonesia, South Korea and Taiwan Launch:
Google SecOps is now live in 18 regions worldwide with the addition of Indonesia and South Africa, supporting growth opportunities and local compliance needs in these markets. Learn more
Enhanced Data Management Capabilities
We’ve introduced features to accelerate data onboarding and improve logging visibility.
Direct Ingestion for Model Armor Logs (GA):
Organizations can now ingest logs from Google Cloud Model Armor to secure the "AI-human" interface, monitoring for prompt injection and sensitive-data leakage. Learn more
Auto Extraction (GA):
This feature lets users search and write rules against structured log data (JSON and XML) immediately, without waiting for a prebuilt parser. Learn more
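To make concrete what "using structured log data without a parser" involves, here is an added example (not Google SecOps code, and not the product's own field naming) that flattens a JSON or XML record into dotted field paths and then evaluates a simple rule against those paths. The path scheme, the `extract` and `rule_matches` helpers, and the two sample log records are constructed for the example.

```python
# Added example, not Google SecOps code. Turns a raw JSON or XML log record
# into flat, searchable dotted-path fields without a source-specific parser,
# then matches a rule against those fields. Path naming and the sample
# records are constructed for this example.
import json
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict


def flatten_json(value: Any, prefix: str = "") -> Dict[str, str]:
    """Flatten nested objects and arrays to 'a.b.0.c' keys with string values."""
    fields: Dict[str, str] = {}
    if isinstance(value, dict):
        for key, val in value.items():
            fields.update(flatten_json(val, f"{prefix}{key}."))
    elif isinstance(value, list):
        for idx, val in enumerate(value):
            fields.update(flatten_json(val, f"{prefix}{idx}."))
    else:
        fields[prefix.rstrip(".")] = "" if value is None else str(value)
    return fields


def flatten_xml(text: str) -> Dict[str, str]:
    """Flatten XML: element text under its path, attributes under 'path.@name'."""
    # ElementTree does not fetch external entities, but protection against
    # entity-expansion attacks depends on the underlying expat build; for
    # untrusted XML use a hardened parser such as defusedxml.
    root = ET.fromstring(text)
    fields: Dict[str, str] = {}

    def walk(element: ET.Element, path: str) -> None:
        for name, val in element.attrib.items():
            fields[f"{path}.@{name}"] = val
        children = list(element)
        if not children:
            fields[path] = (element.text or "").strip()
        for child in children:
            # Repeated sibling tags overwrite each other here; a production
            # extractor would index them like the JSON array case above.
            # Namespaced tags keep ElementTree's '{uri}tag' form.
            walk(child, f"{path}.{child.tag}")

    walk(root, root.tag)
    return fields


def extract(raw: str) -> Dict[str, str]:
    """Detect the structured format from the first non-space character and flatten it."""
    head = raw.lstrip()[:1]
    if head in ("{", "["):
        return flatten_json(json.loads(raw))
    if head == "<":
        return flatten_xml(raw)
    raise ValueError("not a structured (JSON/XML) record")


def rule_matches(fields: Dict[str, str], rule: Dict[str, str]) -> bool:
    """Each rule entry is 'dotted.path' -> regex; all entries must match (AND)."""
    return all(
        path in fields and re.fullmatch(pattern, fields[path]) is not None
        for path, pattern in rule.items()
    )


# Constructed sample records for the example; not from any real product.
JSON_LOG = (
    '{"event":{"action":"login","outcome":"failure"},'
    '"source":{"ip":"203.0.113.7"},"user":{"name":"alice","roles":["admin","dev"]}}'
)
XML_LOG = (
    "<Event>"
    '<System><Provider Name="Auth"/><EventID>4625</EventID></System>'
    '<EventData><Data Name="IpAddress">203.0.113.7</Data></EventData>'
    "</Event>"
)

# A rule written directly against extracted paths; no parser had to exist first.
FAILED_LOGIN_FROM_TESTNET = {
    "event.action": "login",
    "event.outcome": "failure",
    "source.ip": r"203\.0\.113\.\d+",
}

if __name__ == "__main__":
    for raw in (JSON_LOG, XML_LOG):
        extracted = extract(raw)
        print(json.dumps(extracted, indent=2))
        print("matches:", rule_matches(extracted, FAILED_LOGIN_FROM_TESTNET))
```

The trade-off this makes visible: extracted fields carry the producer's own key names (`event.outcome` here, `Event.System.EventID` there), so a rule written against them is tied to one log source's schema, whereas a parser that maps to a common data model lets one rule cover many sources.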
Share SOAR Logs to Cloud Logging (GA):
Enabled by default from version 6.3.71, this feature shares SOAR logs directly into a customer's Google Cloud Logging project, giving visibility into SOAR activity alongside the rest of the project's logs. Learn more
Content Hub & Documentation
Playbooks & Blocks Tab (Public Preview):
This new tab in the Content Hub provides a centralized library of expert-curated, ready-to-use response workflows and reusable blocks. Customers can discover, preview, and deploy high-quality automation in seconds, accelerating incident response and improving operational consistency. Learn more
Unified Search (Public Preview):
A single search interface that discovers Content Packs, Detection Rules, Response Integrations, and Dashboards at once. There is no more jumping between tabs to find related assets: everything you need to investigate or deploy surfaces from one query.
Unified Sourcing (Public Preview):
Aimed at accelerating contribution efforts, this update standardizes content labeling across the Content Hub. By clearly distinguishing Google-authored, Partner, and Community-driven assets, it gives analysts immediate visibility into the origin and official support status of the content they deploy.
Response Integration Rollback (Public Preview):
Practitioners can now revert commercial response integrations to a previous snapshot, which lowers the risk of adopting new functionality. Learn more
Data Export Documentation Revamp:
We consolidated documentation to improve navigation and user-friendliness for data export journeys. Learn more
YARA-L Documentation Enhancements:
We've overhauled the YARA-L documentation to make it more intuitive, user-journey focused, and easier to navigate. Learn more
