A Different Product With a Different Commercial Model
Microsoft Copilot for Security is not M365 Copilot for your security team. It is a separate product, with a separate pricing model, a separate procurement process, and a separate set of use cases that do not overlap with the productivity AI most enterprises are currently evaluating. The distinction matters commercially because many enterprises conflate the two, either expecting their M365 Copilot deployment to cover security use cases (it does not) or assuming that procuring Copilot for Security gives them the same productivity features as M365 Copilot across the rest of the business (it does not).
Understanding both what Copilot for Security does and what it costs — before any commercial conversation — is the prerequisite for making a rational procurement decision. This article covers the SCU pricing model in full, the integration architecture with Defender and Sentinel, the genuine high-value use cases, the ROI framework security teams should apply, and the commercial negotiation levers that are available when pricing conversations begin.
The SCU Pricing Model: How It Actually Works
Copilot for Security is priced on a Security Compute Unit (SCU) consumption model — not per user, not per analyst seat, but per unit of compute provisioned per hour. The published rate is $4.00 per SCU per hour, billed through Azure. This is a fundamentally different commercial structure to every other Microsoft product in an enterprise portfolio, and it creates a different cost management challenge.
SCUs are provisioned at a minimum of 1 SCU per hour, with capacity scaling based on workload. Microsoft's guidance for typical enterprise deployments is 3–8 SCUs for a security team handling routine operations, 8–16 SCUs for active incident response periods, and dynamic provisioning for burst capacity during major incidents. The practical implication: Copilot for Security has no fixed annual cost. Cost is a function of usage intensity, provisioned capacity, and how well the organisation manages SCU allocation. Unmanaged, a 5,000-person enterprise running 5 SCUs continuously would spend approximately £132,000/year at list prices. A team running 8 SCUs during business hours and scaling down at night might spend £95,000/year. Poor SCU governance with over-provisioning can push costs to £200,000+ for similar workloads.
| SCU Provisioning Level | Typical Use Case | Indicative Annual Cost (£) | Notes |
|---|---|---|---|
| 1–2 SCUs (always-on) | Small SOC, 2–5 analysts, light usage | £26,000–£52,000 | Minimum viable deployment; feature-limited at burst |
| 3–5 SCUs (always-on) | Mid-size SOC, 5–15 analysts, daily use | £78,000–£131,000 | Standard enterprise baseline; scale up for incidents |
| 6–10 SCUs (always-on) | Large SOC, 15+ analysts, intensive use | £157,000–£262,000 | Suitable for large-scale incident response capability |
| Dynamic (avg 4 SCU) | Burst model: scale up for incidents, down overnight | £65,000–£105,000 | Best cost efficiency; requires active SCU management |
One significant commercial option is Microsoft's provisioned capacity reservation — committing to a fixed SCU level via Azure reservations at a discounted rate. 1-year commitments typically unlock 15–20% discount off pay-as-you-go SCU rates; 3-year commitments can reach 30–35%. For enterprises with predictable, continuous SOC workloads, reservations are the correct commercial approach. For enterprises with highly variable workloads (e.g., retail with seasonal incident volume, or organisations in active M&A periods), pay-as-you-go with active SCU management is often more cost-effective despite the higher list rate.
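The trade-off between pay-as-you-go with scale-down and a fixed reservation can be modelled directly. The following is an added example, not code from Microsoft or from the original article: it works in USD at the $4.00 list rate quoted above, and the weekly schedule, the 08:00 to 18:00 weekday window, the 20% discount and the rule that a reservation must cover the peak level are all assumptions made for illustration.

```python
# Added illustration: function names, schedules and the discount are assumptions.
HOURS_PER_YEAR = 8760
HOURS_PER_WEEK = 168
LIST_RATE_USD = 4.00  # per SCU per hour, the published rate quoted above


def weekly_schedule(day_scus, off_scus, day_start=8, day_end=18):
    """168 hourly SCU levels: day_scus on weekdays in [day_start, day_end), else off_scus."""
    levels = []
    for hour in range(HOURS_PER_WEEK):
        weekday, hour_of_day = divmod(hour, 24)  # weekday 0-4 = Mon-Fri
        busy = weekday < 5 and day_start <= hour_of_day < day_end
        levels.append(day_scus if busy else off_scus)
    return levels


def annual_payg_usd(schedule, rate=LIST_RATE_USD):
    """Pay-as-you-go: cost follows the average provisioned level across the year."""
    average_scus = sum(schedule) / len(schedule)
    return average_scus * HOURS_PER_YEAR * rate


def annual_reserved_usd(schedule, discount, rate=LIST_RATE_USD):
    """Reservation (assumed to cover the peak): paid every hour at a discounted rate."""
    return max(schedule) * HOURS_PER_YEAR * rate * (1 - discount)


def compare(schedule, discount=0.20):
    """Return (payg_usd, reserved_usd, cheaper_option), rounded to whole dollars."""
    payg = round(annual_payg_usd(schedule))
    reserved = round(annual_reserved_usd(schedule, discount))
    return payg, reserved, "reservation" if reserved < payg else "pay-as-you-go"


if __name__ == "__main__":
    always_on = [5] * HOURS_PER_WEEK                  # constructed: flat 5 SCUs
    scaled = weekly_schedule(day_scus=8, off_scus=2)  # constructed: 8 by day, 2 otherwise
    for name, sched in (("5 SCU always-on", always_on), ("8 day / 2 off-hours", scaled)):
        print(name, compare(sched))
```

Under these assumptions a reservation only wins when the average provisioned level exceeds (1 − discount) of the reserved level, which is why the flat schedule favours reservation and the scaled schedule favours pay-as-you-go.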
Integration Architecture: Defender, Sentinel, and Beyond
Copilot for Security's value proposition is grounded in its integrations. As a standalone product it provides natural language threat intelligence analysis through Microsoft's Security Graph. As an integrated product — connected to Microsoft Defender XDR, Microsoft Sentinel, Intune, Purview, and Entra ID — it becomes a cross-signal reasoning engine that can correlate incidents across your entire Microsoft security stack.
Microsoft Defender XDR Integration
The Defender XDR integration is the highest-value use case for most enterprises. Copilot for Security can ingest multi-product Defender alerts (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps) and produce natural language incident summaries, attack chain narrations, and recommended triage steps. The analyst productivity claim Microsoft makes — 40% reduction in incident triage time — is credible in environments where Defender coverage is comprehensive and analysts are currently spending meaningful time synthesising cross-product alerts manually.
The prerequisite is Defender XDR integration at the M365 E5 security level. Organisations on E3 with standalone Defender add-ons will find partial integration coverage — Copilot for Security can only correlate the signals it can access. If your Defender deployment is fragmented, incomplete, or relies heavily on third-party EDR alongside Microsoft products, the triage time reduction claim should be treated sceptically until your specific integration coverage is validated.
Microsoft Sentinel Integration
For organisations running Microsoft Sentinel as their SIEM, Copilot for Security can query Sentinel workspaces using natural language — analysts can ask "what SIEM alerts fired against this entity in the past 72 hours" without writing KQL queries. This is a genuine productivity feature for organisations with large Sentinel deployments and analysts who are not proficient in KQL. The Sentinel SCU interaction is important: Copilot for Security processing Sentinel queries consumes SCUs in addition to Sentinel's own compute and data ingestion costs. Factor both into your TCO model.
Third-Party Plugin Integrations
Copilot for Security supports a plugin ecosystem that includes third-party products — ServiceNow, Splunk, CrowdStrike, Palo Alto Networks, VirusTotal, and others. For organisations with significant third-party security tooling, this is a meaningful capability: Copilot can reason across Microsoft and non-Microsoft signal sources. However, the depth of integration varies by plugin, plugin quality is inconsistent, and some third-party integrations require additional licensing from the third-party vendor. Validate your specific toolset's plugin coverage before factoring third-party integrations into your value case.
High-Value Use Cases vs. Hype
Copilot for Security has genuine high-value use cases in specific enterprise security contexts. It also has capability claims that marketing presents as broadly applicable but which require significant organisational maturity to realise. Being clear about which is which is the starting point for a rational business case.
Genuinely High Value
Incident triage and narration in Defender XDR-heavy environments: analysts who currently synthesise 15–30 disparate alerts into a coherent incident narrative can see Copilot for Security reduce that work from 45–90 minutes to 10–15 minutes. The value is real if the workload is real. Organisations with mature Defender XDR deployment and high-volume SOC operations should model this carefully — analyst time savings at £50–85K loaded cost per analyst year can justify significant SCU spend.
Threat intelligence enrichment: Copilot for Security can query Microsoft's Threat Intelligence (MDTI) in natural language and synthesise threat actor profiles, TTPs, and IOC context into analyst-readable summaries. For SOCs currently sourcing threat intelligence manually from multiple feeds, this represents a genuine research time saving. The prerequisite is a Defender Threat Intelligence licence (included in E5 Security).
KQL and script generation: analysts who need to write hunting queries in Sentinel or Defender Advanced Hunting but are not proficient in KQL see meaningful productivity benefits. Copilot for Security generates, explains, and debugs KQL queries from natural language descriptions. This is a concrete, measurable capability with low implementation overhead.
Overstated or Conditional
Automated incident response: Copilot for Security provides recommendations and can initiate specific Defender remediation actions (isolate endpoint, disable account, block IP) when given explicit analyst instruction. It does not autonomously respond to incidents without analyst approval — and for good reason. The "autonomous SOC" positioning in some Microsoft materials significantly overstates current capability. Automated response requires Microsoft Security Exposure Management and specific Defender for Endpoint configuration that many enterprises do not have.
Universal analyst upskilling: The claim that Copilot for Security "makes junior analysts as effective as senior analysts" is marketing aspiration, not operational reality. Copilot assists with specific tasks — triage, summarisation, query writing — but does not substitute for security domain knowledge in novel incident scenarios. Tier 1 analysts will become more efficient at structured tasks; they will not acquire the judgement of experienced practitioners.
In our assessments across 40+ security team Copilot for Security evaluations, the consistent finding is that organisations with mature Defender XDR deployments, high incident volumes (50+ incidents/week in SIEM), and analyst teams spending significant time on documentation and handoff work see the strongest ROI. Organisations with low incident volumes, fragmented security tooling, or small SOC teams (1–3 analysts) rarely justify the SCU cost against available alternatives.
ROI Framework for Security Teams
The business case for Copilot for Security should be built from three cost categories: analyst time savings, incident dwell time reduction, and breach cost avoidance. Do not rely on Microsoft's published ROI figures — they are drawn from ideal-scenario deployments with full Defender XDR coverage, which most enterprises do not have.
Analyst time savings model: Count your analysts. Determine what fraction of their time is spent on activities Copilot can accelerate — triage, summarisation, query writing, report generation. Apply a conservative acceleration factor (30–40%, not the 40–80% Microsoft claims at list). Multiply by loaded analyst cost. That is your annual analyst productivity value. Compare to annual SCU cost.
Incident dwell time reduction: Faster triage translates to reduced mean time to respond (MTTR). If Copilot reduces analyst triage time from 60 minutes to 20 minutes per incident, and you handle 40 significant incidents per year, you recover 1,600 analyst-hours annually. Quantify what faster containment is worth in your breach risk model — the Ponemon Institute's 2025 Cost of a Data Breach Report puts the average cost uplift of each day of extended dwell time at approximately $72,000 per day for a mid-size enterprise.
Breach cost avoidance: This is the hardest to model rigorously but the most significant. Marginal reductions in breach probability or severity at enterprise scale create large expected value. The challenge is attributing that reduction to Copilot for Security specifically versus the broader security investment. For business case purposes, treat breach cost avoidance as directionally supportive rather than a primary business case driver.
Copilot for Security vs. Native AI in Defender and Sentinel
A critical decision point that many procurement discussions miss: Microsoft has been embedding AI capabilities directly into Defender XDR and Microsoft Sentinel, some of which do not require a separate Copilot for Security licence. Understanding what you already have — or can access at your current E3/E5 tier — versus what requires incremental Copilot for Security SCU spend prevents you from paying for capabilities you already own.
| AI Capability | Available in Defender/Sentinel Native | Requires Copilot for Security SCU |
|---|---|---|
| Incident attack story summary | Yes — Defender XDR (E5 Security) | Enhanced depth and cross-product correlation |
| Natural language KQL generation | Partial — Sentinel (preview) | Full capability with Copilot for Security |
| Guided response recommendations | Yes — Defender XDR (E5 Security) | Extended automation depth |
| Threat intelligence enrichment (MDTI) | Basic lookup — Defender TI (E5 Security) | Full natural language synthesis |
| Script and file analysis | No | Yes — requires Copilot for Security |
| Cross-product incident correlation | Partial — Defender XDR unified incidents | Full natural language reasoning across all signals |
| Third-party plugin data reasoning | No | Yes — requires Copilot for Security |
The practical implication: organisations on E5 Security with Defender XDR fully deployed already have meaningful AI assistance embedded in their security tooling without incremental SCU spend. The Copilot for Security uplift is real but incremental — not transformational on top of a well-deployed E5 Security estate. If your current Defender XDR deployment is immature, investing in completing that deployment before adding Copilot for Security SCU spend will almost always generate better security outcomes per pound spent.
Commercial Negotiation: What Works
Copilot for Security is a relatively early-stage product in Microsoft's commercial portfolio, which creates negotiation dynamics different from mature EA products. The sales team has strong incentives to close early adopters and build case studies. Enterprise buyers who know their leverage can extract meaningful commercial terms beyond list pricing.
The most effective commercial positions in Copilot for Security negotiations are:
- First, request an SCU commitment discount: unlike pay-as-you-go billing, a committed SCU consumption volume over 12 months (e.g., "we will consume at least 3 SCU-months of capacity per month") is negotiable at 15–25% below list rate.
- Second, negotiate a pilot evaluation period with SCU credits: Microsoft routinely offers 30–90 day evaluation credits ($1,000–$5,000 in SCU consumption) to enterprise customers evaluating the product.
- Third, link Copilot for Security volume to your existing EA and Defender coverage commitments: a customer with 5,000 E5 Security seats has significant leverage to request Copilot for Security pricing concessions as a condition of renewing or expanding their E5 position.
- Fourth, negotiate a price stability clause on SCU rates for 24–36 months, since Microsoft has historically increased Azure consumption pricing and securing a rate lock as SCU consumption becomes core SOC infrastructure is valuable.
For context on how Copilot for Security fits within the broader Microsoft security licensing picture, see our analysis of M365 security add-ons and our E3 vs E5 security decision framework. For the enterprise-wide Copilot commercial picture, the M365 Copilot licensing guide covers the different product lines and how they interact commercially. If you are considering how Copilot for Security affects your overall EA structure, our EA negotiation advisory covers the full commercial architecture.
Decision Framework: Should Your Organisation Invest?
Based on 40+ Copilot for Security assessments, the following conditions consistently predict strong business case justification. Meet three or more, and the investment warrants serious evaluation. Meet fewer than three, and optimising your existing security tooling coverage will generate better outcomes per pound spent.
- Defender XDR fully deployed across Endpoint, Identity, Office 365, and Cloud Apps (E5 Security)
- SOC team handles 30+ significant incidents per week (high triage volume where summarisation value is real)
- At least 5 analysts who currently spend 20%+ of time on documentation, handoff, and triage synthesis
- Microsoft Sentinel in production as primary SIEM (NL-to-KQL value requires Sentinel)
- Current MTTI (mean time to investigate) exceeds 4 hours for significant incidents (improvement opportunity)
- Threat intelligence workflow currently manual (MDTI enrichment value is incremental but real)
- Script and malware analysis is a regular SOC activity (one of the most distinctive Copilot for Security capabilities)
If your Defender XDR deployment is incomplete, or your SOC team is small (under 5 analysts), or your incident volume is low, complete the foundational security deployment first. The marginal return on Copilot for Security SCU spend in an immature security environment is low. The marginal return in a mature, well-instrumented Microsoft security environment is high. Sequence accordingly.