Auckland Transport speeds incident response and reduces alert fatigue with Security Copilot agents

As New Zealand’s largest integrated transport agency, Auckland Transport is responsible for keeping the city moving by managing buses, ferries, rail, parking, cycling infrastructure, 200,000 streetlights, and more than 6,000 CCTV cameras. It is, to put it mildly, a lot to monitor. Indeed, with over 1.6 million residents depending on its network daily, the breadth of services makes Auckland unique among transport operators globally, and it creates an expansive and complex cybersecurity challenge. “We provide quick, safe, and easy journeys for all Aucklanders,” said Christophe Demoor, Auckland Transport’s General Manager of Technology Operations. “That means protecting critical infrastructure like traffic lights and CCTV as well as safeguarding customer data.” 

The stakes became very real in 2023, when Auckland was hit by a sophisticated ransomware attack. While no confidential data was stolen, the breach exposed gaps in visibility and control. “Two years ago, we were breached,” Demoor recalls. “That became a turning point. We invested in our internal SOC, aligned on Microsoft, and set a three-year improvement plan so we could protect a very wide and dynamic environment without slowing the city.” The result has been a more comprehensive set of tools to enhance security efforts, including Microsoft Security Copilot.

Modernizing security to reduce errors at scale

In the wake of the breach, Auckland made the decisive move to modernize its defenses by adopting Microsoft’s security ecosystem, including Microsoft Defender, Microsoft Sentinel, and later Microsoft Security Copilot. “We switched over to Microsoft because we saw it as a platform that was going to help us in the future,” explained Ron Ram, Auckland Transport’s Proactive Security Manager. “Microsoft came in and assisted us with the move from our older platform into this new Next Gen platform,” beginning a 90-day Security Copilot trial in early 2025.

Their analysts quickly realized the tool’s potential. They deployed Microsoft Defender and Sentinel, which then laid the groundwork for Security Copilot’s integration. This assured the team that alerts and data pipelines were already standardized before the AI layer got introduced. Demoor notes, “It took work to get here. It took playbooks and runbooks and time. We leaned on both Microsoft and internal teams to make the systems run smoothly.” He emphasizes that this “preparation matters as much as the tool.”

Once in place, Security Copilot quickly became a catalyst for change in the SOC. For junior analysts, it acted as both mentor and validator. “Security Copilot has helped junior analysts reconfirm their understanding via the recommendations in the incident pane and also by helping them mature in their cybersecurity journey,” Ram explains. This mentorship effect has shortened the ramp-up time for new hires and elevated consistency across incident reports.

In addition, for senior analysts, Security Copilot provides consistency and a “single pane of glass” view that replaces the inefficiency of toggling between multiple security tools. Ram adds, “Security Copilot has given us contextual AI insights into incidents, helping us triage faster and reduce alert fatigue.”

Streamlining analysis, reducing analyst fatigue with Security Copilot agents

The operational improvements have been significant. Security Copilot has streamlined incident triage by consolidating signals, summarizing external threat intelligence, and guiding analysts through investigative steps. This has reduced repetitive work and freed analysts to focus on more valuable activities like writing playbooks tailored to Auckland Transport’s unique environment. Demoor puts it this way: “Thanks to Security Copilot, repetitive tasks are reduced, enabling our analysts to concentrate on advanced troubleshooting and industry-specific use cases.”

The shift has also had a human impact. By reducing alert fatigue, Security Copilot has improved morale across the SOC. “Alert fatigue is an ongoing and real concern for security teams. Security Copilot provides analysts with the insights they need to resolve alerts quicker, increasing efficiency and ensuring fatigue does not set in,” Ram says.

More recently, Auckland Transport has also begun exploring Security Copilot agents, including the Threat Intelligence Briefing Agent, Phishing Triage Agent, and Conditional Access Optimization Agent. While still in early days, these capabilities promise to automate even more of the investigative legwork and accelerate response. Demoor explains the benefits this way: “We use agents in processing telemetry from sources incorporated throughout the Microsoft Security stack and use them to respond to alerts and incidents. The agents process a large amount of data and provide the results in a readable, actionable format. It really helps us avoid missing something due to human error.”

Auckland Transport’s broader cybersecurity strategy rests on five pillars: data security, supply chain resilience, human factors, architectural modernization, and identity security. Thanks to its level of integration and ease of use, Security Copilot supports all five by strengthening consistency, accelerating response, and freeing staff to focus on higher-value initiatives. Beyond the technology, the transformation has fostered a more confident, less fatigued team, ready to defend Auckland’s public infrastructure at scale as it commits to meeting its mission to keep Auckland safe and moving.