Agentic AI for Higher Ed: How University of Montana Reduces Security Noise and Builds the Next Generation of Cyber Talent

Overview
The University of Montana secures a complex environment: a highly open email ecosystem, thousands of users, and a small security team responsible for protecting sensitive data regulated under GLBA, HIPAA, and FERPA. UM needed a way to reduce noise, improve consistency in phishing investigations, and free analysts to focus on higher-impact work.
At the same time, UM plays a leading role in Montana’s cybersecurity workforce development efforts. The university sought tools that could strengthen operations and provide students with hands-on experience in modern, AI-enabled security investigations.
Embed’s agentic security platform now helps UM streamline phishing triage, bring consistency to investigations, and create a real-world training environment for emerging cybersecurity professionals.
The Leadership Perspective

Q: What makes UM’s security environment uniquely challenging?
Jonathan: The email filtering at UM is much less strict than in regulated institutions. In healthcare or finance, very few people can email me directly, but in higher ed, we’re a very public organization. We receive emails from everyone.
That openness, combined with UM’s lean team structure, creates significant operational pressure: “We have a small security team that handles traditional security operations. Three full-time staff supporting an entire university is not a lot.”
And unlike many higher-ed environments, UM also has a broad compliance scope: “Because universities process student loans, we fall under GLBA just like banks do. We’re also a HIPAA-covered institution. I’m the GLBA compliance person for the university, and I’m also the HIPAA security officer.”
Q: What led you to consider agentic AI for your SOC?
Jonathan: IT leadership has embraced that we have to force multiply our staff, and our relationship with Embed is a key part of that. Right now, AI is an accelerator rather than an autonomous system. From a SecOps standpoint, we’re using AI to help us make decisions. We’re not at the point where we’re handing over everything to the AI agent to lock accounts or take action, but it accelerates the manual work my analysts don’t have the bandwidth to keep up with.
Q: Transparency seems to be a critical factor. Why?
Jonathan: The transparency of how Embed drives recommendations is important because it builds trust. Before we automate anything, we need confidence across the organization. And when I talk with leaders across the university, I have to explain why we take certain security actions. It can’t be ‘because IT said so.’ Transparency matters.
Q: How has Embed improved phishing analysis and reduced noise?
Jonathan: When users report an email as phishing, Embed processes it first and tells us whether it’s valid, doing a much better and more consistent job than any of my staff could, and a better job than Microsoft does on its own. It is a great base to build correlation and context. If somebody reports a phishing link, we know if they clicked on it. And because we use SentinelOne, we can see if there’s suspicious activity on that device. We’re able to tie things together that we couldn’t before.
Q: UM is well known for its cybersecurity internship pipeline. How did Embed support that mission?
Jonathan: It was a two-way interaction. Students got a lot of experience out of it, but they were also providing feedback to Embed within the portal. We’re aligned with the state on cybersecurity workforce development. Giving students real tools and real data is essential so that by the time they graduate, they really do know what they’re doing. Embed gave them a hands-on look at how agentic AI makes recommendations.
Q: How does the University of Montana support CyberMontana’s workforce development mission?
Jonathan: CyberMontana is a quasi-independent center that is part of the university, funded by the state legislature specifically to help underserved public entities within the state. They have their own SOC that is a hands-on learning opportunity for future talent. Previously, we had used Embed with the student security analysts in my Information Security Office at UM, where they were doing internships, which was very successful. The next step for us is to move Embed up the workforce development lifecycle, getting it into the CyberMontana student SOC’s hands before they move to the Information Security Office.
The Technical Perspective

Q: How did Embed’s transparency help new analysts and students learn faster?
Jace: Being able to see each indicator, the link, the image, and the suspicious cues was extremely helpful. Even if something wasn’t obvious at first, the breakdown made it clear why it was suspicious. For people who had never been in a security office, those tools helped them understand what they were looking at.
Q: What stands out most about working with Embed?
Jace: The partnership is valuable because they’ve been here before, and they understand what we go through as security analysts. It gives us confidence knowing the expertise behind the platform.
Closing Thoughts
In a higher education environment defined by openness, limited resources, and growing risk, Embed gives the University of Montana a practical way to modernize security operations without losing trust or transparency. The result is a SOC that not only works more efficiently but also serves as a training ground for future analysts, proving that strong security and workforce development can go hand in hand.


