SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

ExtraHop boosts agentic SOC with richer network insight

Wed, 18th Feb 2026

ExtraHop has added new visibility and forensic capabilities to its network detection and response platform, aiming to provide more contextual data for security operations teams using autonomous AI agents.

The update targets organisations building what vendors and analysts call an "agentic SOC", where software agents handle parts of detection, triage, and response. ExtraHop is positioning network telemetry as a key source of context for these agents, particularly in environments where incomplete data can lead to missed threats or disruptive actions.

Security teams are increasing automation as attackers adopt AI-assisted techniques and alert volumes and incident workloads grow. Many organisations still struggle with fragmented visibility across identities, devices, applications, and cloud workloads, while network-level signals can provide a cross-cutting view of activity. ExtraHop's latest changes focus on identity correlation, Kubernetes monitoring, and new ways to query telemetry.

"The perceived advancement of the agentic SOC is an illusion for most, as a lack of high fidelity, contextual data silently undermines the system's efficacy and prevents enterprises from realizing any actual benefit from their agents," said Kanaiya Vasani, chief product officer at ExtraHop.

Identity context

The announcement includes new integrations with identity systems, which ExtraHop uses to combine identity attributes with network telemetry. New integrations cover Entra ID, Active Directory, and Okta.

The goal is to link user identity details with observed network activity, which is often difficult in large environments spanning on-premises and cloud systems. ExtraHop is adding enriched user data to dashboards, detections, and response actions, and says the additional context can help reduce mean time to response.

Security operations teams often rely on identity signals from directories and authentication platforms, and network signals from packet capture and flow data. When these sources remain separate, investigators may need manual work to determine which user account was tied to a device, session, or service at the time of suspicious activity. Correlating the data can also support investigations of identity-based attacks, such as account takeover and privileged-access misuse.
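The correlation step described above is straightforward to sketch. The following is an added example, not ExtraHop's code or a description of how its platform performs the join: it attributes constructed flow records to constructed directory sign-in events by source IP and time window, and reports the two failure modes an analyst has to handle, a flow with no preceding sign-in from that address, and an address (for example behind NAT or on a shared jump host) that several users signed in from inside the window. All event data, field names and the eight-hour window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample records; field names are illustrative, not any vendor's schema.

@dataclass(frozen=True)
class AuthEvent:
    """A sign-in event as exported from a directory or IdP (constructed)."""
    ts: datetime
    user: str
    src_ip: str
    success: bool

@dataclass(frozen=True)
class Flow:
    """A network flow record as seen by packet capture or flow export (constructed)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int

T0 = datetime(2026, 2, 18, 8, 0)

AUTH_EVENTS = [
    AuthEvent(T0 + timedelta(minutes=55), "alice", "10.1.2.3", True),
    AuthEvent(T0 + timedelta(minutes=70), "bob",   "10.1.2.3", False),  # failed, must not attribute
    AuthEvent(T0 + timedelta(hours=2),    "carol", "10.1.2.9", True),
    AuthEvent(T0 + timedelta(hours=2, minutes=30), "dave", "10.1.2.9", True),  # same IP as carol
]

FLOWS = [
    Flow(T0 + timedelta(hours=1, minutes=5),  "10.1.2.3",  "10.9.0.5", 445,  120_000),
    Flow(T0 + timedelta(hours=3),             "10.1.2.9",  "10.9.0.5", 3389, 40_000),
    Flow(T0 + timedelta(hours=1, minutes=30), "10.1.2.50", "10.9.0.5", 445,  9_000),
    Flow(T0 + timedelta(hours=2, minutes=15), "10.1.2.9",  "10.9.0.7", 22,   3_000),
]

def attribute_flow(flow: Flow, auth_events: List[AuthEvent],
                   window: timedelta = timedelta(hours=8)) -> Tuple[Optional[str], str]:
    """Attribute one flow to a user.

    Candidates are successful sign-ins from the flow's source IP that occurred
    at or before the flow and no earlier than `window` before it. Returns
    (user, "attributed") for exactly one distinct user, (None, "ambiguous") if
    several users signed in from that IP inside the window, and
    (None, "unattributed") if there were none.
    """
    lo = flow.ts - window
    users = {
        e.user for e in auth_events
        if e.success and e.src_ip == flow.src_ip and lo <= e.ts <= flow.ts
    }
    if not users:
        return None, "unattributed"
    if len(users) > 1:
        return None, "ambiguous"
    return users.pop(), "attributed"

def attribute_all(flows: List[Flow], auth_events: List[AuthEvent]) -> List[Tuple[Flow, Optional[str], str]]:
    """Attribute every flow; ambiguous and unattributed rows are kept so they can be queued for manual review."""
    return [(f, *attribute_flow(f, auth_events)) for f in flows]

def needs_review(results: List[Tuple[Flow, Optional[str], str]]) -> List[Flow]:
    """Flows that an automated agent should not act on without more context."""
    return [f for f, _, status in results if status != "attributed"]

if __name__ == "__main__":
    for f, user, status in attribute_all(FLOWS, AUTH_EVENTS):
        print(f"{f.ts:%H:%M} {f.src_ip} -> {f.dst_ip}:{f.dst_port}  {status:12} {user or '-'}")
```

The point of keeping the "ambiguous" and "unattributed" rows rather than picking the most recent sign-in is that a response action keyed to the wrong account (disabling it, isolating its host) is exactly the disruptive outcome the article warns about; an agent given only the attributed rows and a review queue for the rest has a clearer boundary on what it may act on.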

Kubernetes visibility

ExtraHop has also expanded coverage for Kubernetes environments, where containerised workloads and dynamic service-to-service communications can complicate monitoring. It says it now provides "full visibility" into Kubernetes environments running cloud-native applications and automated workflows.

According to ExtraHop, the platform captures and decrypts Kubernetes traffic and analyses resource metadata to produce integrated telemetry for SOC workflows. Kubernetes clusters often generate large volumes of east-west traffic inside the cluster, which can be difficult to observe with perimeter-focused tools or logging alone.

In many enterprises, Kubernetes supports modern application development alongside legacy infrastructure. This mix can create blind spots when monitoring tools do not share context across environments. NDR vendors have increasingly promoted coverage for cloud and container networks as customers shift more workloads into these architectures.

Query language

A third set of updates focuses on giving AI agents and automation tools better access to network intelligence. ExtraHop is introducing the ExtraHop Query Language (EQL), which it says enables selective queries across large volumes of telemetry.

ExtraHop says agents can consume enriched network metadata and detections through APIs and Model Context Protocol (MCP) servers. MCP is an emerging open standard for connecting AI models and agents to external tools and data sources through defined interfaces, so that what an agent may query or invoke is declared by the server rather than improvised by the agent.

The emphasis on selective querying reflects a practical constraint in SOC automation: security data sets can be large and expensive to process. Automated agents also need clear boundaries around what they can access and how they can act. A query language and standard interfaces can help formalise access patterns while reducing reliance on ad hoc scripts and manual investigation.

IDC linked the changes to the broader challenge of making autonomous security operations dependable. "AI tools are only as good as the insights powering them and while creating the agentic SOC is a leading initiative for a number of enterprises, a lackluster source of data is holding them back from success," said Chris Kissel.

Kissel also pointed to gaps created by limited visibility into user identities and Kubernetes environments.

"ExtraHop is solving this by doubling down on context and further closing the visibility gaps impacted by unobserved Kubernetes environments and user identities. Having this level of insight is critical for organizations deploying AI agents and allows adoption of autonomous operations to continue without sacrificing the pace of innovation," he said.

ExtraHop sells network detection and response products that analyse network communications to identify anomalous activity and suspicious behaviour. The company describes deep protocol analysis as central to its approach, focused on extracting security-relevant detail from network traffic.

Vasani said the update is intended to make autonomous SOC tooling more dependable in complex environments.

"The network remains the immutable source of truth for the modern enterprise and ExtraHop unlocks that potential for the agentic SOC, driving agentic operations with robust and highly contextual insights. ExtraHop is providing holistic visibility into the most complex segments of the modern attack surface to help enterprises stop advanced threats with unprecedented speed and precision," he said.