Coming soon to the Microsoft Security Store
Lockbase EXposure Agent — executive exposure intelligence across the Microsoft security stack
Synthesize XSPM exposure, Defender vulnerability management, Entra identity risk, and behavioral signals into ranked, executive-ready exposure briefings — without manual correlation.
[ DESIGNED FOR ]
Designed for CISOs and security leaders who need cross-domain exposure visibility across Microsoft Defender XDR, Entra ID, Intune, and Microsoft Threat Intelligence — without manual correlation between consoles. LEX Agent converts fragmented Microsoft security telemetry into executive-grade exposure judgment.
> Three-paragraph technical brief. No marketing fluff. Read top to bottom — it walks the agent's job from input to output.
LEX Agent (Lockbase EXposure Agent) provides executive-level exposure intelligence by synthesizing four Microsoft data layers — Enterprise Exposure Graph (XSPM), Defender Threat & Vulnerability Management, Microsoft Secure Score, and behavioral activity patterns — into clear business-risk briefings. Its unified job is to convert fragmented Microsoft security telemetry into executive judgment a CISO can act on the same hour.
The agent operates across five operating modes: Executive Risk Ranking (top exposures by exploitability and business impact), Focus Validation (compare exposures to active incidents for SOC alignment), Finding Consolidation (identify compound risk from overlapping findings on the same asset), Patch Tuesday Triage (campaign exposure and deployment tracking), and Behavioral Risk Assessment (jump-box compliance, lateral movement, service-account misuse, credential attacks, local-admin overuse).
LEX Agent outputs executive briefings with ranked P1–P4 exposure tiers, affected hostnames, CVSS and EPSS scores, exploit status, recommended owners, and — when an analyst confirms — Microsoft Intune remediation tasks created and tracked through resolution. Every claim is source-labeled so the security leader can trace any exposure statement back to ExposureGraph, TVM, Entra, or Defender for Identity.
Joins CVEs to critical devices and VMs with asset criticality, exposure score, device role, and exploit status — the primary executive exposure view.
Surfaces zero-day, actively-exploited, verified-exploit, and exploit-kit CVEs with affected asset counts and blast-radius assessment.
Applies a P1–P4 prioritization matrix that considers exploitability, asset criticality, lateral-movement paths, and business impact — not just CVSS.
Correlates vulnerability posture with active Defender XDR incidents, Entra identity risk, and behavioral activity to surface compound exposures.
Detects direct Tier 0 access, lateral movement, service-account misuse, stale privileged accounts, brute force, and local-admin overuse via time-series analysis.
Creates Intune remediation tasks with LEX priority mapping, asset details, and due dates — and lists existing tasks to prevent duplicates.
A built-in library of investigation skills, categorized by attacker phase. Each category is a set of named capabilities the agent invokes inline — analysts never write the underlying queries by hand.
Critical-asset risk profiles, identity blast radius, permission graphs, and finding consolidation across the fleet.
e.g.
Critical-asset risk ranking
Ranks your most important assets by real-world exploitability — not just raw CVE counts.
Defender TVM, Patch Tuesday triage, Office and SQL exposure, and update-deployment tracking.
e.g.
Patch Tuesday triage
Turns a fresh batch of CVEs into a ranked list of what actually needs patching first in your fleet.
Tier 0 access, lateral movement, service-account misuse, brute force, and local-admin overuse.
e.g.
Tier 0 exposure check
Shows which devices are reaching your most critical identity infrastructure outside sanctioned admin paths.
Active incidents, identity risk, sign-in anomalies, and Entra context joined with posture data.
e.g.
Posture-to-incident join
Connects live incidents and risky users to the posture findings that explain how they got there.
Intune compliance, remediation-task creation, and write-capable hand-off.
e.g.
Remediation hand-off
Turns a confirmed finding into a prioritized Intune remediation task — with user confirmation before anything is written.
We walk through the complete catalog — every skill, live, against real telemetry — in a demo.
To deploy LEX Agent into your Microsoft Security Copilot workspace you'll need:
SecurityReader role minimum (queries) or Security Admin for remediation task creation Setup guide
Step-by-step deployment for Security Copilot and LEX Agent's integrations: Microsoft Defender XDR, Microsoft Defender for Identity, Microsoft Entra ID, Microsoft Intune, and more.
Contact us for early access →
Five operating modes
Executive Risk Ranking, Focus Validation, Finding Consolidation, Patch Tuesday Triage, and Behavioral Risk Assessment — worked examples for each.
Request the playbook →
Microsoft Security Store listing
Listing pending Microsoft Partner Center review.
Coming soon
LockBase Cyber support
Implementation help, custom hunting skills, or detection engineering services.
Email the team →