According to Gartner forecasts, by the end of 2026, 40% of enterprise applications will integrate task-specific AI agents, compared to less than 5% in 2025.
In this scenario, one of the most promising areas is cybersecurity. Not only because cyber security is by nature a highly operational domain, but also because it perfectly lends itself to a multi-agent logic.
Multi-agent architectures: the latest frontier of automation
Multi-agent architectures are the most mature step AI has taken so far within enterprise processes. More than a sequence of technologies, this journey can be interpreted as a progressive increase in operational autonomy.
Automation of individual tasks
In an initial phase, AI was used to improve specific functions, such as pattern recognition and data analysis, without directly intervening in processes.
Advanced decision support
With the introduction of more advanced models, AI began supporting complex activities such as information interpretation, synthesis, and content generation, assisting operators within workflows.
Multi-agent operational autonomy
The next step is represented by systems capable not only of supporting, but also of acting. No longer a single central engine, but a network of specialized agents that collaborate, coordinate, and contribute dynamically to process execution.
This latest evolution addresses a structural limitation of monolithic models. A single system tends to be difficult to control, test, and govern, especially in complex contexts. In a multi-agent architecture, instead, each system is responsible for a specific function, such as data collection, analysis, enrichment, and decision support, operating within defined boundaries. As a result, the system becomes more efficient, transparent, and easier to govern, as well as more scalable over time.
A key characteristic of an AI Agent is its ability to exchange information and activate sequentially or in parallel according to orchestrated workflows. The result is a modular system in which each component can be updated, replaced, or controlled independently, without a potential single point of fragility.
AI agents, the new bet in cybersecurity
Agentic architectures are attracting strong interest in the cybersecurity world because they address a structural tension: on one side, the continuous increase in threats, attack surfaces, and the complexity of IT environments; on the other, the difficulty for security teams to manage growing volumes of alerts and operational activities with limited resources.
The limits of the traditional approach
The operational model of Security Operations Centers (SOC) is based on a combination of advanced tools (SIEM, EDR…), well-defined processes, and multiple activities directly assigned to analysts, including event correlation, context enrichment, and validation of alerts generated by threat prevention platforms.
Automation exists and relies on rules, operational playbooks, and dedicated tools such as SOAR platforms, but it is largely deterministic and limited to known scenarios. Automating remediation or mitigation actions requires a very high level of trust, which is generally not yet assigned to machines except in typical and obvious cases. Consequently, a significant part of operations and decision-making remains in the hands of analysts, especially in ambiguous or high-impact situations.
When volume and complexity increase, this generates bottlenecks and highlights scalability limitations: the system holds up as long as the team grows, but struggles to sustain increasingly rapid dynamics and threats that, leveraging the same AI, become more frequent, numerous, and sophisticated.
Multi-agent architectures: making security sustainable without losing control
Multi-agent architectures offer an approach closer to the real nature of security operations, which are by definition iterative and multi-step. Dividing work among specialized agents enables more efficient management of activities such as data collection, correlation, analysis, and response, reducing operational bottlenecks.
For companies, the key point is that agentic architectures are not designed to improve threat detection, an area where mature and highly effective tools have existed for a long time. Their value instead lies in making the entire security operating model sustainable.
Multi-agent architectures make it possible to increase decision speed, automate repetitive activities, and free up human expertise, allowing it to focus on the most complex cases.
How a multi-agent system works: a 4-step workflow
The core element of a multi-agent system is the workflow, namely the dynamic operational flow that can be adapted based on what emerges throughout the process. It is therefore a flow that evolves in real time under the control of a supervisor, activating different agents depending on the situation. Each organization can model this workflow according to its own needs, but some key steps can be identified.
- The process starts with a security event such as an alert generated by an endpoint or a cloud environment. This is a decisive phase, but also one of the most critical: according to analysts, the main inefficiencies are concentrated here, due to the high volume of alerts and the difficulty of quickly distinguishing what is relevant from what is not. In this phase, the system can make and execute decisions, but only in the most obvious cases. The objective is to transform a chaotic flow of signals into a manageable set of relevant events.
- Orchestration then comes into play as the coordination point of the system: it analyzes the nature of the event and activates, case by case, the most suitable agents. If the issue concerns an endpoint, for example, the sequence of activities on the device is reconstructed; if instead it involves the network, traffic, connections, and possible anomalous external communications are analyzed. The difference compared to traditional flows is that these checks can occur in parallel, reducing analysis times and aligning them with the needs of modern cybersecurity.
- The results then converge into a synthesis and planning phase, where the platform builds a view of the incident: what happened, how it developed, what the possible cause may be, and what actions are available. At this point, the system may assign a risk score and a reliability level, which are key elements in deciding the system’s degree of autonomy.
- The response is therefore managed differently depending on the case. Low-impact actions can be executed automatically, while more critical actions always require a human-in-the-loop step to ensure control and proper accountability.
The role of the analyst in agentic security
As in many business domains, multi-agent architectures are not intended to bypass analysts or, more generally, SOC professionals, but they inevitably end up transforming their work and redefining their contribution within the operating model.
After all, cybersecurity is a suitable domain for relieving professionals from repetitive activities, since a significant part of their time is absorbed by alert triage, data collection and correlation, and report compilation. With agentic automation, these activities can be handled by the system, freeing up the cognitive resources needed to address more sophisticated threats.
This change translates into assigning professionals at least four responsibilities:
-
Validation of decisions
The first, already mentioned, is undoubtedly decision validation: the system autonomously decides only the obvious cases and relies on well-defined rules. In the vast majority of cases, the system performs risk scoring and provides justified recommendations, engaging the analyst to confirm or reject the proposed actions. As mentioned, the human-in-the-loop approach remains essential to ensure control and accountability. -
Management of complex cases
When the system detects ambiguities or potentially high impacts, the case is immediately escalated to the analyst. In this context, the analyst’s role is not only interpretative, but also supervisory: validating hypotheses, deciding which additional investigations to activate, and directing the agents’ work by requesting further analysis or limiting their scope. In practice, the analyst takes ownership of the case end-to-end, leveraging agents as operational assistants to accelerate checks and build a solid assessment. -
Configuration and continuous improvement
The third area is more strategic: system configuration and continuous improvement. Analysts contribute to defining playbooks and escalation criteria. In other words, they do not simply use the system, but actively participate in its evolution. -
Training and tuning of agents
The analyst contributes to improving the system through operational feedback, error correction, and response optimization. Their role becomes similar to that of a trainer, helping agents progressively become more effective.
This shift also impacts the required skills, as the analyst increasingly becomes a figure oriented toward security governance rather than operational execution. They must be able to interpret complex contexts, rapidly assess risk, and make informed decisions based on (even) partial evidence.
Kirey: innovation and expertise to address sophisticated threats
At Kirey, we help companies build a solid and sustainable security model. Our approach is not based solely on the provision of tools, specialized expertise, and managed services, but also on a strong orientation toward innovation, a key element in keeping pace with increasingly advanced attacker strategies.
We operate on the frontier of innovation also in the cyber domain, a frontier that today increasingly coincides with automation and advanced models such as multi-agent architectures. Despite this trend, in our vision, the journey is governed, controlled, and made reliable through the experience and specialized expertise of our professionals.
Contact us to discover how we can support your organization in building a security model capable of addressing today’s and tomorrow’s challenges.
