
The Rise of Agentic AI in Cybersecurity: Questions Every Organization Should Ask Their Managed Security Providers

A strong cyber posture is no longer just a strategic priority; it is not only a competitive advantage but a survival requirement. Cyberattacks are faster, more sophisticated, and more relentless than ever, yet many organisations are still relying on security models that cannot keep pace.

This is where Agentic AI is transforming security operations. By combining machine speed, adaptive intelligence, and autonomous action, it represents the next evolution in SecOps. But most organisations lack the internal resources, expertise, or 24/7 staffing to build and maintain such capability in-house. That’s why a modern Managed Detection and Response (MDR or MXDR) provider can act as a force multiplier, delivering advanced protection without the overhead of building it from scratch.

However, adopting Agentic AI isn’t as simple as flipping a switch. To unlock its full potential, you need a provider that knows how to operationalise it effectively. That starts with asking the right questions.

What Is Agentic AI?

Agentic AI goes beyond automation. Unlike deterministic AI, which follows pre-set scripts, Agentic AI can independently assess, decide, and act within defined guardrails. It is capable of conducting complex investigations and even initiating containment actions, while still keeping human expertise in the loop.

In Ontinue’s automation framework, this sits at the highest of three tiers:

  1. Deterministic Automation – Predefined, rules-based actions that execute the same way every time.
  2. AI-Assisted Analysis – AI augments human analysts, accelerating decision-making.
  3. Agentic AI Investigations – AI drives investigations end-to-end: dynamically gathering context, weighing options, and taking steps towards resolution.

It is this top tier that delivers true speed and scale, making the difference between a minor incident and a full-blown breach.

Cybersecurity Is a Speed Game

Cybersecurity today is a race against time. The faster you can detect, investigate, and respond, the less damage an attacker can cause. Even when paired with traditional AI, human-only workflows struggle to outpace adversaries.

Agentic AI shifts the equation. It continuously analyzes activity, detects deviations from expected behavior, and initiates responses to validated threats in real time. By automating large-scale investigative tasks, it enables human analysts to concentrate on strategic decisions and complex threat scenarios.

The result isn’t just closing the gap; it shifts the advantage back to defenders. In sectors such as healthcare, finance, or critical infrastructure, that can mean preventing costly downtime, data loss, or even safety risks.

The MDR Gap

While many MDR providers market themselves as “AI-powered”, few have advanced beyond basic automation or machine learning. Some may enrich or summarise alerts, which is useful, but limited to scripted tasks. They don’t dynamically investigate threats, weigh multiple response paths, or act autonomously in real time.

This highlights the MDR gap: the distance between what’s possible with modern AI and what most providers are actually delivering.

Closing this gap requires more than technology. Agentic AI must be embedded at the core of the SOC, enhancing detection, accelerating investigations, and automating remediation, while aligning with an organisation’s unique risk posture and compliance needs.

Why Choosing the Right Provider Matters

Not all MDRs/MXDRs have the same depth of expertise or integration with Agentic AI. Some only market the term, while others genuinely build their security frameworks around it. Vetting your provider is essential, and these are a few questions that can guide your conversation:

  1. What’s your track record with Agentic AI? How long have you been using it? Can you share real-world case studies where Agentic AI played a decisive role in threat containment or incident resolution?
  2. What does your team look like? Does the provider employ dedicated AI researchers, and how do they define and train AI guidelines? What level of AI engineering expertise supports their platform? Just as important, does their SOC team play a role in shaping and training the AI, ensuring it reasons and investigates like a human analyst?
  3. How do you assess and maintain a full understanding of our environment? Agentic AI is only as effective as the context it operates within. Ask how the provider maps and maintains visibility into your entire environment, from on-premises systems and cloud workloads to user behaviors and existing security controls. A provider that invests time in understanding your infrastructure and operational priorities will be far more effective in deploying AI-driven defenses that are accurate, relevant, and safe.
  4. How is Agentic AI integrated into your security framework? Is it part of every detection and response workflow, or just used in specific cases? Does it assist analysts, run investigations, or execute containment actions?
  5. What level of autonomy does it operate with? Some AI systems still require heavy human oversight; others can make and execute decisions within predefined limits. Understand where the provider sits on that spectrum and whether it aligns with your risk tolerance.
  6. How do you ensure accuracy and reliability? Ask about the safeguards against false positives or missed threats. This might include continuous model training, cross-validation with human analysts, and regular performance testing.
  7. What’s your typical detection-to-response time? Request real metrics, not just averages. The provider should be able to demonstrate how Agentic AI compresses that time compared to traditional methods.
  8. How do you address data privacy and compliance? Any AI-driven system must meet strict regulatory requirements. Ensure they can explain how your data is handled, stored, and protected.
  9. What training and support do you offer our team? The best results come when human and AI capabilities are aligned. Ask if the provider offers guidance, playbooks, and ongoing education for your staff to work effectively with Agentic

Agentic AI is not a future concept. It’s already reshaping how the best SOCs operate. By pairing machine autonomy with human expertise, it delivers speed, scale, and consistency in defending against modern threats.

That said, technology alone isn’t enough. Success lies in whether your provider has genuinely embedded Agentic AI into every stage of detection, investigation, and response. Asking the right questions now ensures you choose a partner capable of closing the MDR gap and delivering the proactive, adaptive defence your organisation needs.

In a world where cyberattacks evolve faster than ever, due diligence is no longer optional; it’s mission critical.

Article By

Craig Jones
Chief Security Officer

Craig Jones oversees Ontinue’s global network of Security Operations Centers (SOCs). His role includes managing and optimizing the teams responsible for security monitoring, incident response, and threat detection across the company’s four SOCs. Previously, Craig was the Vice President of Security Operations at Ontinue. Before joining Ontinue, Craig spent eight years at Sophos, where he rose to Senior Director of Global Security Operations. At Sophos, Craig was responsible for the operational aspects of the company’s worldwide security program, ensuring that the organization’s global security infrastructure was robust and scalable.

Craig is a well-regarded expert in the field of cybersecurity, holding certifications such as GCIH and CISSP. He is actively involved in the cybersecurity community, volunteering as director of BSides Cymru/Wales since 2019 and frequently speaking at industry events. His thought leadership covers topics like incident response, SOC automation, threat intelligence, and SIEM. Craig earned a bachelor’s degree in Information Technology from the University of South Wales.
