Microsoft Unveils AI-Powered Alert Prioritization in Defender to Combat Alert Fatigue

January 14, 2026
  • Microsoft's expanded proactive incident response services build on its existing Incident Response offerings to help organizations prevent, detect, respond to, and recover from cyber threats more effectively.

  • Public preview lets organizations test the AI prioritization against their threat landscape while Microsoft refines the model based on feedback and outcomes.

  • The prioritization applies to native, custom, and third-party alerts within Defender to speed up triage and boost analyst confidence.

  • An explainability feature shows the specific factors behind a score when an incident is selected, enhancing transparency, trust, and consistency in triage decisions.

  • The system uses the BM25 ranking algorithm to emphasize rare signals and unusual patterns, delivering a centralized incident queue with a summary pane that includes priority, influencing factors, key details, recommended actions, and related threats.

  • Signals are aggregated across Defender, Sentinel, and custom alerts to provide a unified priority assessment, ensuring consistency across tools and preventing gaps in logic.

  • Microsoft has launched an AI-powered incident prioritization in Defender to reduce alert fatigue by ranking incidents with a 0–100 priority score and providing explanations for the ranking, now available in public preview to help SOCs manage high alert volumes.

  • The prioritization model weighs attack disruption signals, threat analytics context, severity, MITRE ATT&CK techniques, asset criticality, and high-profile threats, color-coding incidents as red (top), orange (medium), and gray (low).

  • Each incident receives a 0–100 priority score derived from multiple risk factors beyond traditional severity, including automatic attack disruption signals, asset criticality, ransomware indicators, nation-state activity markers, and threat intel data.

  • Microsoft is expanding proactive incident response services—plan development, major-event support, cyber range simulations, advisory services, and M&A-related compromise assessments—to strengthen organizational resilience.

  • Overall, the AI-powered prioritization aims to make Defender a decision-making platform that helps analysts focus on the most critical threats and disrupt attacks earlier in the kill chain.

  • Microsoft frames effective prioritization as a force multiplier that accelerates triage and improves outcomes by focusing on high-impact incidents.

Summary based on 2 sources
