Copilot for Security is Microsoft's most unusual AI product from a licensing perspective: it is priced by the hour, billed through Azure, and sits outside the per-seat EA model that governs the rest of the Microsoft 365 and Dynamics portfolio. Understanding Security Compute Units (SCUs), their relationship to analyst workflow patterns, and the integration requirements that determine real-world ROI is essential before committing any budget to this product.
Based on our work with security-focused organisations across financial services, healthcare, and critical infrastructure, the average Copilot for Security deployment underestimates annual SCU consumption by 40% and overestimates analyst time savings by 60%. This guide provides the data to plan and negotiate properly.
Independent Advisory. Zero Vendor Bias.
500+ Microsoft EA engagements. $2.1B in managed spend. 32% average cost reduction. We have advised on Microsoft security licensing portfolios across 20+ regulated industry deployments.
View Advisory Services →Security Compute Unit (SCU) Pricing Mechanics
Copilot for Security is billed in Security Compute Units at $4.00 per SCU per hour (list price, 2026). SCUs are provisioned through an Azure subscription and can be scaled from 1 to 100 SCUs per capacity unit. Unlike traditional per-seat licensing, SCU consumption is shared across all users and workloads within the provisioned capacity — one 10-SCU provisioning serves the entire security team simultaneously.
What One SCU Actually Delivers
Microsoft does not publish a definitive throughput specification for SCUs. Based on production deployments and Microsoft field guidance, these are the empirical consumption patterns:
| Security Use Case | Typical SCU Consumption | Sessions Supported per Hour (10 SCU) | Cost per Session (10 SCU, list) |
|---|---|---|---|
| Incident triage and summarisation | 0.5–1.0 SCU/session | 10–20 concurrent | $2.00–$4.00 |
| Threat intelligence enrichment | 1.0–2.0 SCU/session | 5–10 concurrent | $4.00–$8.00 |
| Script analysis and reverse engineering | 2.0–4.0 SCU/session | 2–5 concurrent | $8.00–$16.00 |
| Guided investigation (multi-step) | 3.0–6.0 SCU/session | 1–3 concurrent | $12.00–$24.00 |
| KQL query generation | 0.5–1.5 SCU/session | 7–20 concurrent | $2.00–$6.00 |
| Vulnerability impact assessment | 1.0–3.0 SCU/session | 3–10 concurrent | $4.00–$12.00 |
A 10-analyst SOC operating during a typical business day (8 hours) at moderate load (50% active usage) requires approximately 4–8 SCUs to avoid queuing. At 8 SCUs × $4/hour × 8 hours × 22 working days = $5,632/month at list price. At EA-negotiated rates (15–20% discount at 100+ SCU-month volume), this reduces to approximately $4,500–$4,800/month.
Integration Requirements: What You Actually Need
Copilot for Security's value is directly proportional to the quality of security signal it can access. The integration landscape determines whether the AI produces actionable intelligence or generic security summaries.
| Integration | Licence Required | Signals Available | Impact Without Integration |
|---|---|---|---|
| Microsoft Defender XDR | M365 E5 or E5 Security add-on | Endpoint, email, identity, cloud app incidents | No incident context — AI operates on isolated alerts |
| Microsoft Sentinel | Pay-per-GB (separate Azure billing) | SIEM alerts, custom detection rules, workbooks | No cross-environment correlation |
| Microsoft Entra ID P2 | M365 E5 or AAD P2 add-on | Identity risk events, conditional access logs | Identity threat intelligence limited |
| Microsoft Intune (Suite) | M365 E5 or Intune add-on | Device compliance, patch state, MDM events | No device context in investigations |
| Microsoft Defender for Cloud | Defender for Cloud plans (per resource) | Azure workload protection, cloud security posture | No Azure-native threat signals |
| Microsoft Purview | M365 E5 Compliance or add-on | Data sensitivity labels, DLP policy violations | No data context in security incidents |
| Third-party SIEM (Splunk, QRadar) | Plugin licence (varies by vendor) | Cross-SIEM alert correlation | Hybrid environment blind spots remain |
The critical finding: organisations running M365 E3 (not E5) receive approximately 40% of the available integrations. The jump from E3 to E5 unlocks Defender XDR, Entra P2, and Purview compliance signals — the three highest-value integrations for Copilot for Security. Before purchasing SCUs, evaluate whether your E5 licensing position is the binding constraint, not the AI product itself.
Copilot for Security ROI Framework
Microsoft's own studies (2024 Early Access Programme) reported 26% faster threat analysis and 44% accuracy improvement in security task completion. Our independent analysis from deployments with structured before/after measurement produces more conservative but still compelling figures:
| Security Function | Measured Time Reduction | Annual Value (3-analyst SOC) | Conditions for Achieving This |
|---|---|---|---|
| Incident triage (Tier 1) | 18–28% reduction in mean time to triage | $28,000–$45,000/year | Defender XDR + Sentinel required; structured prompt templates |
| Threat intelligence enrichment | 35–50% reduction in enrichment time | $22,000–$35,000/year | TI API integrations configured; analyst workflow adaptation |
| Incident reporting | 40–60% reduction in report generation time | $15,000–$25,000/year | Report templates defined; Sentinel integration active |
| KQL query authoring | 30–45% reduction in query time for junior analysts | $12,000–$20,000/year | Sentinel workspace connected; Log Analytics access granted |
| Phishing triage | 60–75% reduction in manual analysis time | $18,000–$30,000/year | Defender for Office 365 P2 required for full email analysis |
Total measurable value for a well-implemented 3-analyst SOC: approximately $95,000–$155,000/year. Annual SCU cost at the 8 SCU × $4/hour model above: approximately $54,000–$68,000/year. Net ROI: $27,000–$101,000/year. This is a genuine business case — but only with structured measurement and the E5 security stack in place.
Licence and Organisational Prerequisites
Copilot for Security requires the following to function as described in Microsoft's sales materials:
An Azure subscription with owner or contributor access is required to provision SCU capacity. A Microsoft Entra (Azure AD) tenant with appropriate security reader/security operator RBAC roles must be configured. Microsoft recommends (but does not mandate) a Global Secure Access connector deployment for full network signal integration. Sentinel workspace is required for SIEM-level correlation — this adds $2–$4/GB/day ingestion cost depending on data tier selection, which can easily add $3,000–$15,000/month for mid-enterprise SOCs ingesting 10–50GB/day.
User Access Model
Copilot for Security does not require per-user licences. Any user with appropriate Azure RBAC permissions and Entra ID can access the platform, with consumption charged against the provisioned SCU capacity. The practical implication: an organisation with 5 Tier 1 analysts, 3 Tier 2 analysts, and 2 managers can all access Copilot for Security without incremental per-seat cost beyond the provisioned SCUs. This is materially different from the M365 Copilot per-seat model and represents a significant structural advantage for security team budget planning.
Evaluate Your Copilot for Security Business Case
Before committing to SCU capacity, get an independent assessment of your security integration readiness, analyst workflow design, and realistic ROI modelling based on 500+ comparable deployments.
Request a Consultation →EA Negotiation Strategies for Copilot for Security
Copilot for Security SCUs are MACC-eligible — they count toward Azure consumption commitments under an EA. This creates negotiation leverage that most organisations fail to use.
MACC Integration Strategy
If your organisation has an existing Azure MACC (Microsoft Azure Consumption Commitment), add Copilot for Security SCU spend to the MACC calculation. A 12-month SCU commitment at $60,000/year contributes to MACC draw-down and can unlock tier-based MACC discounts if you were close to the next volume threshold. We have seen organisations achieve an effective Copilot for Security discount of 20–25% by structuring the purchase as a MACC top-up rather than a standalone Azure purchase.
Bundle with Microsoft 365 E5 Security
The strongest Copilot for Security negotiation position combines: M365 E5 Security seat purchase (or upgrade from E3), Sentinel workspace MACC commitment, and Copilot for Security SCU annual commitment. Microsoft's security sellers have cross-product incentives — the bundle allows deal escalation to senior sales management with authority to approve additional discounts of 10–15% beyond standard EA rates.
Pilot-then-Scale Commit Structure
For organisations without a production SCU deployment, negotiate a 90-day pilot at 5 SCUs with an option to commit to 24 months at the negotiated rate if pilot ROI targets are met. This structure eliminates the risk of over-committing before you have measured actual SCU consumption against your analyst workflows. Microsoft will accept this structure for organisations with demonstrated Defender XDR deployments as evidence of serious security investment.
📄 Free Guide: Microsoft Security Licensing Guide
Complete enterprise guide to Microsoft Defender, Sentinel, Purview, and Copilot for Security licensing — with cost modelling templates and negotiation strategies.
Download Free Guide →Deployment Readiness Assessment
Before purchasing Copilot for Security, assess readiness across four dimensions. First, integration completeness: score 1 point for each of Defender XDR, Sentinel, Entra P2, Intune, and Defender for Cloud. A score below 3 indicates insufficient signal quality for ROI — fix the foundation first. Second, analyst workflow maturity: do analysts have structured runbooks for Tier 1 triage, threat enrichment, and incident reporting? Copilot for Security amplifies existing workflows; it does not create them from scratch. Third, SCU consumption modelling: complete the sessions-per-day × SCU-per-session calculation before purchasing capacity. Fourth, measurement baseline: capture current mean time to triage, time to investigate, and time to report before deployment — you will need these to demonstrate ROI to budget holders at the 12-month review.
Frequently Asked Questions
What is a Security Compute Unit (SCU)?
An SCU is the billing unit for Copilot for Security at $4/hour list price. One SCU supports approximately 10–30 security analyst prompts per hour depending on complexity. SCUs are provisioned through Azure and billed hourly, scalable from 1 to 100 units within 15-minute windows.
What Microsoft security licences are required?
No hard prerequisites exist for basic access, but full functionality requires Defender XDR (M365 E5 or E5 Security), Microsoft Sentinel (Azure, pay-per-GB), Entra ID P2 (M365 E5 or add-on), and Intune. Without E5 Security, approximately 60% of available integrations are unavailable, significantly reducing ROI.
How does pricing compare to hiring additional analysts?
At 4 SCUs per analyst-hour (typical active investigation configuration), Copilot for Security costs $16/analyst-hour in SCU consumption versus $75–$120/hour for a fully-loaded human analyst. The AI-assist cost is 13–21% of human analyst cost — but only delivers ROI when measurably reducing analyst hours or preventing incidents.
Can Copilot for Security be negotiated in an EA?
Yes — SCUs are MACC-eligible and can be included in EA amendments. Annual commitments at 100+ SCU/month scale have achieved 15–20% below list pricing, particularly when bundled with M365 E5 Security upgrades and Sentinel MACC commitments.
What integrations does Copilot for Security support?
Native integrations include Defender XDR, Sentinel, Intune, Entra ID, Defender for Cloud, and Purview. Third-party integrations (Splunk, Palo Alto, CrowdStrike) are available through plugins but require additional configuration.
Is it suitable for organisations without a mature SOC?
Copilot for Security delivers highest ROI with 2+ dedicated security analysts who can direct and validate AI outputs. Organisations without a structured SOC function should invest in Defender XDR and Sentinel foundations before adding AI-assist capabilities.
Related Microsoft Security & AI Licensing Guides
- Microsoft AI & Copilot Advanced: Complete Enterprise Guide →
- Microsoft Zero Trust Licensing Framework →
- Microsoft Defender for Endpoint P1 vs P2 Licensing →
- Rationalising Microsoft Security Licensing →
- Azure OpenAI Service Licensing and Pricing →
- Microsoft Copilot Studio Enterprise Deep-Dive →
- Microsoft Defender XDR Complete Licensing Guide →
- M365 Copilot Cost Optimisation Enterprise Guide →