New capabilities on display at RSA Conference 2026
Graylog, the AI-powered SIEM built for lean security teams, today announced advances in explainable AI and automated investigation workflows that help small-to-mid-sized security teams detect real threats faster, investigate with confidence, and cut the manual documentation work that consumes analyst time.
“Lean security teams don’t have the luxury of analyst bench depth or months of automation tuning,” said Andy Grolnick, CEO of Graylog. “Every capability we are showing at RSA is designed around the same principle: rapidly detect, decide, and document from one command center, so analysts spend time on real threats, not busy work.”
Graylog’s latest innovations deliver AI-driven threat prioritization, agentic AI workflows through its open MCP Server, and upcoming Spring 2026 release capabilities that automatically launch investigations when asset risk crosses defined thresholds.
AI and Automation Capabilities
Graylog is showcasing new AI and automation capabilities designed to help lean security teams prioritize threats, accelerate investigations, and reduce manual analyst work.
- Threat Prioritization Engine: Groups related alerts using entity context, asset criticality, vulnerability data, and threat campaign intelligence to surface what matters most and suppress what doesn’t.
- Context-Aware Incident Response: Automates evidence collection and workflow orchestration. AI Summarization turns gathered evidence into step-by-step response recommendations, reducing investigation time by up to 50 percent compared to manual methods.
- MCP Server - Conversational AI Across Security Environments: Connects any compatible LLM to Graylog’s security data using the Model Context Protocol. It enables queries such as:
- “Show me assets that increased in risk score this week and are linked to open investigations,”
- “Summarize the top MITRE ATT&CK® techniques in failed logins over the last 24 hours,” and
- “Create an investigation for these three alerts and assign it to the SOC team.”
The MCP Server is available across all Graylog versions (Open, Enterprise, and Security) at no additional cost. Queries are scoped to each user’s licensed functionality and role-based access controls. These capabilities also enable a new class of agentic security workflows built on Graylog’s MCP Server.
Agentic AI Workflows: What Customers Are Building on the MCP Server
The MCP Server is designed to support agentic security workflows. Teams can build agents guided by Graylog’s published MCP tools, such as:
- A triage agent that correlates Graylog alerts with identity provider, EDR, and other security tool data and automatically triggers containment actions.
- A compliance agent that maps detection coverage against MITRE ATT&CK®, PCI, or NIST and generates a cross-tool compliance report.
- A false positive analyzer that reviews triggered events against historical patterns and returns tuning recommendations to sharpen detection quality over time.
- An event procedures agent that reads investigation evidence and generates dynamic, context-specific response steps, or hands them directly to a triage agent to execute.
All agents using Graylog’s MCP Server operate within Graylog’s existing role-based access controls for transparency, traceability, and compliance. The analyst stays in the loop, but only for decisions that require human judgment.
Preview: Graylog Security Spring 2026 release (v7.1)
Debuting May 2026, the Graylog Spring 2026 release introduces risk-triggered automated investigations. When an asset risk score exceeds a defined threshold, Graylog automatically opens a complete investigation, attaches all supporting signals, and generates AI-recommended next actions, without requiring an analyst to initiate the process. There is no separate automation platform or additional licensing. Every investigation is explainable, auditable, and traceable from trigger to resolution.
Visit Graylog in Booth S-3134 at #RSAC 2026 to see the new capabilities in action.
About Graylog
Graylog is the AI-powered SIEM and centralized log management platform that transforms noisy data into clear insights. It helps security and IT teams detect and investigate threats faster with explainable AI that summarizes dashboards, prioritizes risks, and automates workflows - without losing human control. Graylog is trusted by 60,000+ organizations worldwide.
Learn more at graylog.com or connect with us on Bluesky and LinkedIn.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260318328259/en/
Contacts
Media Contact:
Justine Schneider
The Nova Method
jschneider@thenovamethod.com
201-921-9428