
    Exclusive: Inside Microsoft’s Secret Cyber Intelligence Center

    Seattle is a gray, rainy city for most of the year, tucked into the far northwestern corner of the U.S., almost on the Canadian border. It lacks historical landmarks or renowned cultural institutions, and its main tourist attraction, the Space Needle, aspires to be the city's Eiffel Tower but reaches only about half its height. Yet this is where one of the largest cyber intelligence centers in the world is hidden, perhaps the largest of them all.

    This is the “Digital Crimes Unit” (DCU), a center that monitors threat signals gathered from Microsoft's products and from the customers it protects around the world. It is operated by Microsoft, not the first company you might think of in the context of cybersecurity.

    Microsoft offices in Redmond, Washington

    (photo: AP/Ted S. Warren)

    It’s worth getting used to the idea: Microsoft is reorganizing itself in order to take cybersecurity seriously, with a strong focus on defending against AI-based cyberattacks, which are a tangible and immediate threat.

    At last week's Ignite conference in San Francisco, Microsoft presented a comprehensive end-to-end cybersecurity showcase. It upgraded existing systems, introduced new ones, and unveiled a massive platform that sends customers one message: forget about the old cybersecurity firms, the new startups, and the emerging threats, and leave it to us. Every aspect, concern, and new need will be handled on our platform. Microsoft is not a company of technological breakthroughs. From the days of DOS and BASIC, through Windows, Excel, Word, and Internet Explorer, up to Copilot, Microsoft adopts ideas from others.

    Leave it to us. Ignite conference

    (photo: Microsoft)

    What the company does exceptionally well though is identifying the hottest technology sectors with the largest commercial potential and entering them with full force – sometimes in partnership with existing companies, sometimes at their expense. That’s how you become a company worth $3.5 trillion.

    And all this sets the stage for the enormous trend Microsoft is focusing on now – AI system cybersecurity and defenses against AI-driven attacks.

    The upheaval in business and economic worlds due to AI needs no explanation. What gets less attention is how many new risks, vulnerabilities, and weaknesses AI creates. Everyone talks now about AI agents and their huge business potential for companies.


    For cybersecurity experts, this primarily represents massive potential for data leaks and ransomware attacks on an unprecedented scale. Microsoft understands that giant companies want to use AI to increase sales and reduce workforce, and the only thing holding them back is fear of cyberattacks. Here lies a market opportunity that Microsoft is entering with full force.

    Well aware of the demand for defenses. Microsoft CEO Satya Nadella

    (photo: Charles Rex Arbogast, AP)

    Vasu Jakkal, Corporate Vice President and head of Microsoft Security, a business that brings in some $20 billion a year from the company's cybersecurity operations, told reporters that Microsoft currently faces the biggest challenges in the field: excessive data sharing and leaks, regulatory non-compliance, the surge of AI agents, and the many vulnerabilities that AI systems introduce.

    The greatest threat, according to Jakkal, is the company's own employees. We already knew terms like “social engineering” and “phishing attacks”, which trick employees into revealing login credentials. In the AI era, these have become an even greater danger.

    According to Microsoft, 20% of corporate breaches occur via employee accounts, and employees' legitimate use of AI tools has driven an 80% increase in leaks of company data. As always, the human factor is the problem.

    Microsoft's answer is an end-to-end AI-powered cybersecurity platform focused on defending against AI. How is this done? First, through cyber threat intelligence that collects 100 trillion signals a day, analyzed at the DCU in Redmond.

    Second, via the company's new platform, which brings together systems covering different areas of cybersecurity: Defender, Entra, Purview, and the Foundry Control Plane. Productivity tools such as Microsoft 365 and Work IQ are integrated alongside them to improve efficiency.

    Trying to stop the flood. Microsoft DCU center

    (photo: Microsoft)

    Microsoft predicts that by 2028, companies will operate around 1.3 billion AI agents. Most organizations are still not equipped to monitor, secure, or manage these agents. Without proper management, AI agents could become shadow IT, both underutilized and a potential attack vector.


    Microsoft’s focus is not only on large enterprises. They want to reach all users, big and small. CEO Satya Nadella recently stated that the company’s new strategic direction is to turn Windows into an AI work environment. AI agents will operate within it, monitor our activity, perform tasks for us – summarizing documents, sending emails, searching for information, and organizing it.

    Within the OS, new AI-agent-based features will soon assist users proactively, even if not requested. “These changes are the most significant architectural evolution in Windows since the introduction of the modern security model. Users can now describe the desired outcome, and the agents handle all required tasks”, said Pavan Davuluri, President of Windows and Devices at Microsoft.

    At this point, Microsoft faces some customer skepticism. Announcements about the new direction have prompted critical responses online. Users were upset that Microsoft was not responding to requests for software tweaks but instead adding new AI features. “Nobody wants this”, wrote one user.

    Yet, the new AI features may solve old problems users complained about through unprecedented AI performance – or they may prove useless. The answer will become clear over time.

    Microsoft’s DCU is hidden inside an ordinary office building in the sprawling, verdant Microsoft campus in Redmond, near Seattle. But immediately at the entrance, you notice the difference: most employees are not allowed inside, and those who enter – guests and journalists – do so only with close escort by DCU staff.

    Countless threats. Cybercrime

    (photo: Reuters)

    Even after entering and viewing the data Microsoft chooses to present, it becomes clear that this is exactly what it seems: presentations, numbers, even simulated cyberattacks, but none of the center's actual real-world operations.

    Visitors experience a sort of cybersecurity Disneyland, without access to the real world where aggressive cyberattacks occur continuously, massive ransoms are paid to criminals, and classified information is repeatedly leaked.


    Steve Masada, Senior Director at the DCU, says that a private company like Microsoft lacks the enforcement powers of state cyber units or international authorities, but it has legal tools and many collaborations with government agencies that allow it not only to detect cyber threats but also to act against cybercrime.

    “FBI, Homeland Security and intelligence officials visit here, you know, a couple of times a week”, he says. “Some of these agencies operate from here. It allows them to access data not available elsewhere.”

    Government partners are not only American – enforcement agencies from the UK, Australia, and several European countries also visit frequently. “Collaborations even include our competitors, like Google and Amazon. We cooperate with them too”.

    Tools developed at the DCU make it possible to identify cybercriminals, their locations and the way they operate, to track the infrastructure they use and follow cryptocurrency transfers, and to initiate action to stop them. Other experts reverse-engineer malware to understand precisely how it works.

    “Cybercrime continues to evolve”, says Masada. “Criminals get smarter, and it depends on us – the public-private sector – to work together and find the best way to stop cybercrime”.

    He presents data showing that between 2000 and 2023, $1.1 billion in ransom payments were made to entities in Russia and Iran, but admits the data is partial: “Ransomware is likely the most underreported cybercrime. The real number is exponentially higher”.

    In 2024, a single ransomware attack forced a company to pay $75 million to regain access to its systems. “You can understand the extreme impact on the company. You can also see why more cybercriminals are entering the game. It’s highly profitable”, he says.

    Masada notes a blurring between financially motivated crimes and politically motivated ones: “Cybercriminals with economic motives cooperate with governments, sharing tools and techniques to serve both agendas”. Ahead of UK and U.S. elections, the center disrupted several state-backed attack networks targeting election integrity.

    Iranian cyber activity, from a post in Persian

    (photo: screenshot)

    The DCU's data collection relies largely on close monitoring of traffic from the customers it protects. Masada describes the effort as a task force equivalent to 34,000 full-time security engineers.

    This global intelligence operation sifts trillions of data points and singles out those with risk characteristics. In such cases the sources, and even the attack infrastructure, can be tracked as they are being set up.

    Currently, the DCU tracks 1,500 active threat groups, 600,000 attacks a day and 72 billion preventive actions a day. In some cases, once perpetrators are identified, Microsoft works with law enforcement toward arrest and prosecution. Another technique, the “sinkhole”, redirects the domains or IP addresses that criminals' infrastructure relies on to servers under Microsoft's control, so that infected machines keep connecting and reveal themselves; the continuing traffic is used to track further activity and identify more perpetrators.
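The sinkhole technique is easiest to understand from the data it produces. The script below is an added example, not code from Microsoft or the DCU: it takes a constructed connection log from a hypothetical sinkhole server (the seized domain names, the sinkhole address 192.0.2.10 and every log line are made up for the demo) and turns it into a list of victims, separating machines that beacon to the seized domain at regular intervals, which is what an implant polling a lost control server looks like, from one-off contacts such as a scanner or a researcher resolving the domain once.

```python
# Added example (not Microsoft's or the DCU's code): triage of a DNS sinkhole's
# connection log. Once a criminal's domain has been seized and pointed at a
# sinkhole server, every machine still "phoning home" to that domain lands on the
# sinkhole instead of the real control server, and the sinkhole log becomes a list
# of victims. Domain names, IPs and log lines below are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Hypothetical seized domains, now resolving to the sinkhole.
SINKHOLED_DOMAINS = {"update-check.example.net", "cdn-sync.example.org"}
SINKHOLE_IP = "192.0.2.10"  # documentation-range address standing in for the sinkhole

# Constructed log lines: <UTC timestamp> <client IP> <domain contacted> <destination IP>
SAMPLE_LOG = """\
2025-11-18T09:00:01Z 203.0.113.5 update-check.example.net 192.0.2.10
2025-11-18T09:05:02Z 203.0.113.5 update-check.example.net 192.0.2.10
2025-11-18T09:10:00Z 203.0.113.5 update-check.example.net 192.0.2.10
2025-11-18T09:15:01Z 203.0.113.5 cdn-sync.example.org 192.0.2.10
2025-11-18T10:00:00Z 203.0.113.22 cdn-sync.example.org 192.0.2.10
2025-11-18T10:00:30Z 203.0.113.22 cdn-sync.example.org 192.0.2.10
2025-11-18T10:45:00Z 203.0.113.22 cdn-sync.example.org 192.0.2.10
2025-11-18T11:42:17Z 198.51.100.7 update-check.example.net 192.0.2.10
2025-11-18T09:03:00Z 203.0.113.9 www.example.com 192.0.2.10
2025-11-18T09:04:00Z 203.0.113.9 update-check.example.net 198.51.100.200
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, client_ip, domain, dest_ip) tuples; skip blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, domain, dest = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               client, domain, dest)


def find_victims(text, sinkholed=SINKHOLED_DOMAINS, sinkhole_ip=SINKHOLE_IP,
                 min_contacts=3, max_jitter=0.2):
    """Group sinkhole hits per client and flag periodic beaconing.

    Only traffic that reached the sinkhole for a seized domain counts. A client
    with at least ``min_contacts`` hits whose spacing is regular (coefficient of
    variation of the gaps below ``max_jitter``) is flagged as beaconing.
    """
    per_client = defaultdict(list)
    for ts, client, domain, dest in parse_sinkhole_log(text):
        if dest != sinkhole_ip or domain not in sinkholed:
            continue  # not sinkhole traffic for a seized domain: ignore
        per_client[client].append((ts, domain))

    report = {}
    for client, hits in per_client.items():
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beaconing = False
        if len(hits) >= min_contacts:
            avg = mean(gaps)
            beaconing = avg > 0 and pstdev(gaps) / avg < max_jitter
        if beaconing:
            verdict = "likely infected (periodic beacon)"
        elif len(hits) >= min_contacts:
            verdict = "repeated contact"
        else:
            verdict = "single contact, needs review"
        report[client] = {
            "contacts": len(hits),
            "domains": sorted({d for _, d in hits}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "beaconing": beaconing,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(find_victims(SAMPLE_LOG).items()):
        print(client, info["verdict"], info["contacts"], ",".join(info["domains"]))
```

On the sample data, 203.0.113.5 polls every five minutes and is flagged as beaconing, 203.0.113.22 hits the sinkhole three times at irregular intervals and is reported only as repeated contact, 198.51.100.7 appears once and is left for review, and the two lines from 203.0.113.9 are discarded because one names a domain that was never seized and the other never reached the sinkhole. In a real deployment the per-client record is what gets handed to the victim's ISP or national CERT for notification.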

    A few days before Ignite, Microsoft published its semiannual “Secure Future Initiative” (SFI) report, now in its third edition and highly valued within the company. The initiative began after Chinese actors breached company systems in 2023, prompting the Cyber Safety Review Board of the U.S. Department of Homeland Security to conclude that “a chain of security failures” at Microsoft had allowed the attackers to access email accounts at 22 organizations, including several federal agencies.

    David Weston, Corporate VP for Enterprise and Operating System Security, told reporters: “I believe the SFI report is extremely important, mainly because customers turn to Microsoft based on trust. They need to trust how we operate and trust our security. For me, SFI demonstrates our commitment to putting cybersecurity first in everything we do, in both our products and all products our clients use, ensuring our systems evolve to stay one step ahead of attacks”.

    David Weston

    (photo: Microsoft)

    Weston also oversees Microsoft’s “Red Teams”, which simulate attacks on systems to help company security managers better protect their organizations. “Red Teams simulate cyberattacks, identify weaknesses, and we have teams worldwide, including in Israel”.

    Will these new systems replace human cybersecurity experts?
    “We continue to suffer from a shortage of cybersecurity staff, especially in high-skill areas like we have in Herzliya. Since resources are limited, we want to make them available to everyone, and AI is a great way to do that – take human skills and expertise and train AI models accordingly”.

    Is there business potential for AI agents replacing employees?
    “I don’t think AI is a magic cure, but there are certainly areas where it works like magic. We and the team spend a lot of time identifying where it works well versus where it doesn’t. Will AI agents replace cybersecurity experts today? No. But can they save experts hours of repetitive tasks? Absolutely”.

    What is the contribution of Israeli teams to your work?
    “Israel has amazing cybersecurity startups. Whenever I’m in Israel, I’m always amazed by the level of innovation and customer-focused problem solving. It’s a combination of technical talent, entrepreneurship, and venture capital.

    Always amazed when in Israel. Microsoft offices, Herzliya

    (photo: Reuters)

    “The ecosystem is excellent. For Microsoft, we have outstanding talent we can recruit in Israel, and because of their presence, we can offer customers in Israel – including critical infrastructure – the ability to detect and respond to attacks”.
