Elastic Security bets on native Workflows, data-centric approach

Published March 23, 2026

Elastic is making the case that security is a data problem and that it can leverage its Elastic Workflows to bring automation directly into its Elastic Security offering.

The argument, timed for the RSA Conference 2026, comes as enterprises are trying to secure AI agents and similar workloads. The issue for customers is that they have to navigate platformization pitches as well as cybersecurity's alphabet soup of acronyms such as XDR (Extended Detection and Response) and SIEM (Security Information and Event Management).

"We have exactly one product. It's called Elastic Security," said Mike Paquette, Sr. Director Product Management, Security at Elastic, speaking on a briefing with Constellation Research. "We think security is a data problem."

According to Paquette, Elasticsearch and Elastic Workflows power all the AI capabilities used for security use cases. Elastic Security combines the capabilities of Agent Builder, Attack Discovery and Workflows all grounded in Elasticsearch data.


Elastic isn't necessarily looking to upend cybersecurity's platformization argument as much as lean into it. Elastic Security's pitch is that it can consolidate SIM, SOAR and endpoint security on a data-centric platform with a better return on spend. "A typical customer is paying for a SIM (Security Information Management), a SOAR (Security Orchestration, Automation, and Response) product, and endpoint security," said Paquette. "What we do is consolidate those vendors."

Here's a look at the Elastic Security news.

Elastic Workflows adds native automation to Elastic Security. In a blog post, Elastic said that Elastic Workflows, which is in technical preview, will add automation to Elastic Security without the "automation tax," which typically means buying, integrating and maintaining a separate SOAR tool. Workflows within Elastic Security have direct access to alerts, cases and investigation data.

According to Elastic, running Workflows within Elastic Security means enterprises don't have to integrate separate platforms or move data between them. Workflows also connect to the external systems that feed security operations.


Key points include:

  • Elastic Workflows combines scripted automation and AI reasoning with security playbooks.
  • Workflows integration with Elastic Agent Builder can be used to create custom AI agents for security tasks such as isolating a host, analyzing threat intelligence, escalating an incident or updating a case.
  • Elastic Security is built on Elasticsearch, so it can draw on context from the security data already stored there.
  • Elastic said Workflows within Elastic Security work cross-platform and can orchestrate with non-Elastic SOAR platforms.

Elastic Security XDR eliminates per-endpoint fees. Elastic Security XDR is a unified layer with a single console designed to bring endpoint telemetry directly into the SIEM rather than keeping it in a separate endpoint product. Elastic said the approach lowers storage costs. The company added that it can also pull raw telemetry from third-party endpoint tools including CrowdStrike, SentinelOne and Microsoft Defender.

The company also made the case that Elastic Security can be the heart of a SOC because of this approach. "While others are security companies trying to retrofit data onto their platforms, Elastic was born for data and evolved by world-class security experts to solve the scale and complexity of modern threats," said Elastic in a post.

In addition, Elastic said Elastic Security is model agnostic, integrated and architected for data.

This "security is a data problem" framing has been a recurring theme in recent weeks from CXOs, notably at the Constellation Research Futures Forum. CEOs cited the ability to build foundational models on security logs, and the need to organize data properly in order to spot anomalies, as core security themes.

The upshot is that cybersecurity may see a number of new entrants working from a data-native approach. If security truly is a data problem, the roster of vendors is going to expand.