Free: Foundational CSPM across all Azure subscriptions
£0.007: Defender CSPM per billable resource per hour (~£5/resource/month)
4 tiers: Defender for Cloud workload protection plans (separate from CSPM)

Defender for Cloud Architecture: CSPM vs CWPP

Understanding Defender for Cloud's licensing requires distinguishing between two distinct capability layers that are frequently conflated in procurement discussions.

Cloud Security Posture Management (CSPM) assesses the configuration of your cloud resources against security best practices, compliance standards, and organisational policies. It identifies misconfigurations, tracks your secure score, maps attack paths, and measures compliance against frameworks like NIST, CIS, PCI-DSS, and ISO 27001. CSPM is about visibility into your security posture — not active threat detection or response.

Cloud Workload Protection Platform (CWPP), provided through Defender for Cloud's workload protection plans, actively monitors running workloads for threats and anomalous behaviour. Defender for Servers, Defender for SQL, Defender for Containers, Defender for App Service, Defender for Storage, and Defender for Key Vault are each separate CWPP plans with separate pricing. These are not part of CSPM licensing — they are distinct cost items with per-resource pricing structures.

When this guide addresses CSPM licensing, it covers only the Foundational CSPM / Defender CSPM tier decision. CWPP plans are addressed separately in the Defender for Cloud workload protection guide.

Foundational CSPM: What Is Free and Who It Covers

Foundational CSPM is automatically enabled on every Azure subscription at no cost. There is no opt-in requirement — if you have Azure resources, Foundational CSPM is already providing some level of posture assessment. The coverage includes:

Foundational CSPM covers Azure only by default. Multicloud coverage — extending posture assessment to AWS and Google Cloud resources — requires either Defender CSPM (paid) or specific multicloud connector configuration. If your security posture remit includes AWS or GCP, Foundational CSPM alone does not cover those environments.

Defender CSPM: Paid Tier Capabilities

Defender CSPM (the paid tier) extends Foundational CSPM with a defined set of advanced capabilities. The features that consistently drive the upgrade decision are:

| Capability | Foundational CSPM | Defender CSPM (Paid) | Commercial Significance |
|---|---|---|---|
| Security recommendations | ✓ Full Azure coverage | ✓ Enhanced with attack path context | Contextualisation improves remediation prioritisation |
| Secure Score | ✓ Standard | ✓ Enhanced with risk-based prioritisation | Risk-based scoring is more actionable than binary recommendation count |
| Attack path analysis | Not available | ✓ Graph-based attack path visualisation | High — shows how misconfigurations chain together to create exploitable paths |
| Cloud security explorer | Not available | ✓ Graph-based resource relationship queries | Moderate — useful for large, complex environments; limited value for small estates |
| Regulatory compliance frameworks | MCSB only | 30+ frameworks (NIST, CIS, PCI-DSS, ISO 27001, HIPAA, SOC 2, etc.) | Very high for regulated industries; moderate for unregulated environments |
| Governance rules | Not available | ✓ Assignment of remediation owners and timelines | High for organisations with distributed cloud ownership |
| Agentless vulnerability assessment | Not available | ✓ Agentless VM scanning (no agent deployment required) | High — eliminates coverage gaps from incomplete agent deployment |
| Multicloud coverage (AWS/GCP) | Limited connector only | ✓ Full multicloud posture and compliance | Essential for multi-cloud estates; irrelevant for Azure-only |
| DevOps security posture | Not available | ✓ GitHub, Azure DevOps, GitLab integration | Moderate — security posture for CI/CD pipeline configurations and IaC templates |
| Sensitive data discovery | Not available | ✓ Purview integration for data-aware posture | High for data-rich cloud environments with compliance requirements |

Defender CSPM Pricing: Understanding Billable Resources

Defender CSPM is priced at approximately £0.007 per billable resource per hour, which translates to approximately £5 per resource per month (720 hours × £0.007 = £5.04/month). The critical variable is billable resources — not all Azure resources are counted.

What counts as a billable resource

The billable resource definition includes virtual machines, Azure Kubernetes Service (AKS) nodes, Azure Arc-enabled servers, Azure App Service instances, SQL databases, storage accounts, and selected additional resource types. The precise count varies by your subscription configuration and the specific resource types you deploy.

What is explicitly not billable: resource groups, management groups, Azure Policy assignments, network interfaces, disks, and most Azure PaaS service instances beyond the specific types listed. The practical implication is that the billable resource count is typically 20–40% of the total resource count visible in your Azure portal.

Worked cost examples

| Organisation Profile | Approx. Billable Resources | Monthly Defender CSPM Cost | Annual Cost |
|---|---|---|---|
| Small enterprise (100 VMs, 5 AKS nodes, 20 SQL DBs) | ~125 resources | ~£630 | ~£7,560 |
| Mid-market (500 VMs, 20 AKS nodes, 50 SQL DBs) | ~570 resources | ~£2,873 | ~£34,476 |
| Large enterprise (2,000 VMs, 100 AKS nodes, 200 SQL DBs) | ~2,300 resources | ~£11,592 | ~£139,104 |
| Very large (5,000 VMs, 300 AKS nodes, 500 SQL DBs) | ~5,800 resources | ~£29,232 | ~£350,784 |

For large enterprises, Defender CSPM cost is not trivial. A 5,000-VM environment paying £350K/year for cloud security posture management requires a clear ROI case based on the specific capabilities that Foundational CSPM does not provide. At this scale, the upgrade decision should be driven by specific use cases — regulatory compliance frameworks, attack path analysis, agentless scanning — not by a general desire for "more security."

CWPP plans double-count resources. If you also enable Defender for Servers on your VMs, those VMs are billed separately under the Servers plan (~£5–10/server/month depending on the plan tier). Defender CSPM and Defender for Servers are separate costs — both apply to the same VM. In large-scale Defender for Servers deployments, the combined CSPM + CWPP billing can be substantial and requires pre-deployment modelling.

When Defender CSPM Is Justified

The upgrade decision should be driven by specific capability gaps in your current Foundational CSPM deployment, not by a general security posture improvement goal. These are the scenarios where Defender CSPM consistently delivers measurable value:

Scenario 1: Regulatory compliance requirements

If your organisation is subject to PCI-DSS, HIPAA, ISO 27001, SOC 2, NIST CSF, or equivalent standards, and you need continuous compliance posture visibility against those specific frameworks, Foundational CSPM (MCSB only) is insufficient. Defender CSPM's 30+ regulatory framework dashboards with evidence collection, compliance tracking, and remediation workflow are operationally necessary for audit-driven compliance programmes. This is the single strongest justification for Defender CSPM at enterprise scale.

Scenario 2: Large, complex estates with distributed ownership

In organisations with hundreds of developers deploying infrastructure across dozens of subscriptions, Foundational CSPM's recommendation list produces overwhelming noise without prioritisation. Defender CSPM's governance rules — which assign specific recommendations to specific owners with remediation timelines and escalation policies — transform posture management from a security team activity into a distributed accountability framework. For organisations with more than 500 billable resources and no dedicated remediation governance, this capability alone often justifies the upgrade.

Scenario 3: Multicloud estates

AWS or GCP resources are increasingly common in organisations that started with Azure. Foundational CSPM provides limited visibility into non-Azure resources. Defender CSPM extends full posture assessment, compliance framework coverage, and attack path analysis to AWS and GCP resources. For organisations with significant non-Azure cloud presence, Defender CSPM is the correct CSPM solution — not Foundational plus separate third-party tooling for other clouds.

Scenario 4: Attack path analysis for high-value environments

Attack path analysis — the graph-based visualisation of how misconfiguration chains could be exploited to reach high-value resources — is a qualitatively different security tool from point-in-time recommendation lists. For environments containing sensitive data, critical infrastructure, or high-value IP, attack path analysis helps security teams understand not just what is misconfigured but how those misconfigurations connect to create exploitable pathways. This is meaningful for large, interconnected environments; it is less valuable for simple, well-segmented estates.

When Foundational CSPM Is Sufficient

Foundational CSPM is genuinely sufficient in a defined set of scenarios that represent a substantial proportion of Azure deployments:

Defender CSPM vs Third-Party CSPM Alternatives

For organisations evaluating whether Defender CSPM or a third-party CSPM solution is the right investment, the decision factors are well-defined.

| Dimension | Defender CSPM | Wiz | Prisma Cloud (Palo Alto) | Orca Security |
|---|---|---|---|---|
| Azure integration depth | Native / Strongest | Strong | Strong | Strong |
| AWS/GCP coverage | Good (via connectors) | Excellent (native) | Excellent (native) | Excellent (native) |
| Attack graph / path analysis | Good | Excellent (Security Graph) | Good | Good |
| Regulatory compliance coverage | 30+ frameworks | 40+ frameworks | 35+ frameworks | 25+ frameworks |
| DevOps / IaC security | Good (GitHub, ADO, GitLab) | Excellent | Excellent | Moderate |
| Azure MACC / EA integration | Counts toward MACC | Separate contract | Separate contract | Separate contract |
| Pricing model | Per billable resource/hour | Per billable resource (annual) | Credits-based | Per asset (annual) |

Defender CSPM's primary advantage is Azure integration depth and MACC consumption eligibility. Third-party CSPM platforms (particularly Wiz) provide stronger multicloud and DevOps security posture management, which matters in heavily AWS/GCP-weighted or highly DevOps-integrated environments. For Azure-majority organisations with regulatory compliance requirements, Defender CSPM is typically the cost-optimal choice. For genuinely multicloud environments, a third-party CSPM evaluation is commercially justified.


EA Negotiation for Defender for Cloud CSPM

Defender for Cloud is Azure-consumption-based, which means it qualifies as MACC-eligible spend. Unlike per-user licences that are negotiated as fixed line items, Defender CSPM cost is driven by resource count and runs as Azure consumption. The negotiation approach differs accordingly.

Position 1: Include projected Defender CSPM in MACC sizing

When negotiating your Azure MACC commitment, include a realistic projection of Defender CSPM consumption based on your billable resource count. This ensures your MACC commitment level accounts for security tooling cost, and it means Defender CSPM runs against your committed spend rather than as unexpected overage. MACC-covered Defender CSPM is billed at your committed rate, not list PAYG rate — which means your MACC discount applies.

Position 2: Use third-party CSPM as competitive leverage

Wiz and Prisma Cloud are actively competing for enterprise CSPM deployments. Microsoft's account teams are aware that losing CSPM to a third party reduces Azure consumption and MACC attainment — both of which they are commercially motivated to prevent. A credible Wiz or Prisma Cloud evaluation creates genuine leverage for Azure MACC pricing concessions, even if Defender CSPM is your preferred outcome. The competitive evaluation does not need to be a firm decision — it needs to demonstrate that the alternative is viable and under active consideration.

Position 3: Negotiate at resource count, not workload type

Defender CSPM billing is per billable resource, not per subscription or per workload. Before committing to Defender CSPM, run a resource inventory to identify your exact billable resource count using the Defender for Cloud cost estimate functionality. Build your cost model on actual billable resources rather than total resource count, and negotiate MACC sizing based on the resource count projection with a growth buffer rather than maximum theoretical scale.
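To make the billable-resource arithmetic from the worked cost examples and the resource-inventory step in Position 3 concrete, here is an added example (written for this page, not Microsoft's or any vendor's code). It classifies a constructed resource inventory of the kind Azure Resource Graph returns, counts only the categories this guide lists as billable, and models Defender CSPM cost alongside an optional Defender for Servers charge so the double-counting of VMs is visible. The mapping from ARM resource types to billable categories, the per-node treatment of AKS node pools, and the sample inventory are assumptions; confirm the real count against the Defender for Cloud cost estimate before using the figures commercially.

```python
"""Billable-resource inventory and Defender CSPM cost model (illustrative, not Microsoft code)."""
from collections import Counter
from dataclasses import dataclass

RATE_PER_RESOURCE_HOUR_GBP = 0.007  # Defender CSPM list rate quoted in this guide
HOURS_PER_MONTH = 720               # billing hours used in this guide (~£5.04/resource/month)

# ASSUMPTION: ARM resource types mapped to the billable categories the guide names
# (VMs, AKS nodes, Arc-enabled servers, App Service instances, SQL databases, storage accounts).
BILLABLE_TYPES = {
    "microsoft.compute/virtualmachines": "virtual machine",
    "microsoft.hybridcompute/machines": "arc-enabled server",
    "microsoft.containerservice/managedclusters/agentpools": "aks node",
    "microsoft.web/sites": "app service instance",
    "microsoft.sql/servers/databases": "sql database",
    "microsoft.storage/storageaccounts": "storage account",
}
# Resources that Defender for Servers would bill in addition to Defender CSPM.
SERVER_CATEGORIES = {"virtual machine", "arc-enabled server"}


@dataclass(frozen=True)
class Resource:
    name: str
    type: str       # lower-cased ARM resource type, as Azure Resource Graph returns it
    units: int = 1  # ASSUMPTION: an AKS node pool is counted once per node; all else is 1


def classify(resources):
    """Split an inventory into billable and non-billable unit counts by category/type."""
    billable, non_billable = Counter(), Counter()
    for r in resources:
        key = r.type.lower()
        if key in BILLABLE_TYPES:
            billable[BILLABLE_TYPES[key]] += r.units
        else:
            non_billable[key] += r.units   # disks, NICs, vnets, most PaaS: not billable
    return billable, non_billable


def billable_count(resources):
    return sum(classify(resources)[0].values())


def total_count(resources):
    return sum(r.units for r in resources)


def cspm_monthly_cost(billable):
    return round(billable * RATE_PER_RESOURCE_HOUR_GBP * HOURS_PER_MONTH, 2)


def cspm_annual_cost(billable):
    return round(cspm_monthly_cost(billable) * 12, 2)


def cost_summary(resources, servers_plan_per_server=None):
    """Model CSPM cost, the optional Defender for Servers charge on the same VMs, and the
    billable share of the estate (the guide says typically 20–40% of total resources)."""
    billable, _ = classify(resources)
    n_billable = sum(billable.values())
    servers = sum(billable[c] for c in SERVER_CATEGORIES)
    cspm = cspm_monthly_cost(n_billable)
    servers_cost = round(servers * servers_plan_per_server, 2) if servers_plan_per_server else 0.0
    return {
        "billable_resources": n_billable,
        "billable_share": n_billable / total_count(resources),
        "cspm_monthly_gbp": cspm,
        "cspm_annual_gbp": cspm_annual_cost(n_billable),
        "servers_monthly_gbp": servers_cost,      # same VMs billed again under CWPP
        "combined_monthly_gbp": round(cspm + servers_cost, 2),
    }


# Constructed sample inventory: 3 VMs with their disks/NICs/IPs, one 5-node AKS pool,
# a SQL server with 2 databases, a storage account and assorted non-billable PaaS/network items.
SAMPLE_INVENTORY = [
    *[Resource(f"vm-{i}", "microsoft.compute/virtualmachines") for i in range(3)],
    *[Resource(f"disk-{i}", "microsoft.compute/disks") for i in range(6)],
    *[Resource(f"nic-{i}", "microsoft.network/networkinterfaces") for i in range(3)],
    *[Resource(f"pip-{i}", "microsoft.network/publicipaddresses") for i in range(3)],
    Resource("nsg-web", "microsoft.network/networksecuritygroups"),
    Resource("vnet-prod", "microsoft.network/virtualnetworks"),
    Resource("law-prod", "microsoft.operationalinsights/workspaces"),
    Resource("kv-prod", "microsoft.keyvault/vaults"),
    Resource("aks-prod/nodepool1", "microsoft.containerservice/managedclusters/agentpools", units=5),
    Resource("sql-prod", "microsoft.sql/servers"),
    Resource("sql-prod/orders", "microsoft.sql/servers/databases"),
    Resource("sql-prod/billing", "microsoft.sql/servers/databases"),
    Resource("stprodlogs", "microsoft.storage/storageaccounts"),
]

if __name__ == "__main__":
    for k, v in cost_summary(SAMPLE_INVENTORY, servers_plan_per_server=10.0).items():
        print(f"{k}: {v}")
```

Feed it the `type` column of a Resource Graph export instead of the constructed list and the billable share tells you immediately whether the 20–40% rule of thumb holds for your estate; the `servers_monthly_gbp` line is the CWPP charge that the CSPM figure alone hides.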


Frequently Asked Questions

Does Defender CSPM replace Defender for Servers?

No. They are complementary, not alternatives. Defender CSPM provides configuration posture and compliance assessment. Defender for Servers provides active threat detection, EDR integration (Defender for Endpoint), and vulnerability assessment for running server workloads. A comprehensive Azure security architecture typically includes both. Both are separately billable — they do not replace each other.

Can I enable Defender CSPM on selected subscriptions only?

Yes. Defender CSPM can be enabled on a per-subscription basis. You can enable it on production subscriptions containing regulated workloads while leaving development or low-sensitivity subscriptions on Foundational CSPM. This subscription-tiering approach is the correct cost management strategy for large Azure tenants with mixed-criticality environments.

Is Defender CSPM included in any E5 or security bundle?

No. Defender CSPM is an Azure consumption item and is not included in any M365 E5, E5 Security, E5 Compliance, or Defender XDR bundle. It is a standalone Azure service billed based on resource usage. Organisations that purchase M365 E5 for Defender products should not expect Defender CSPM to be covered — it requires separate Azure consumption budget.
