Microsoft Defender Threat Intelligence (MDTI), the rebranded RiskIQ platform acquired in 2021 for $500 million, provides one of the world's largest internet infrastructure intelligence datasets — covering passive DNS, WHOIS records, SSL certificate chains, web component tracking, and Microsoft's proprietary threat actor profiles built from trillions of security signals processed daily. For organisations running a Microsoft-centric security stack, MDTI represents threat intelligence that is effectively free at the M365 E5 tier — and often goes unused. Understanding the licensing model determines whether you are paying twice for threat intelligence you already own or correctly maximising an asset embedded in your existing Microsoft spend.
MDTI Licensing Tiers: Free vs Premium
| Capability | MDTI Free | MDTI Premium |
|---|---|---|
| Indicator lookups (IP, domain, URL, hash) | Limited (10/day) | Unlimited bulk lookup |
| Threat intelligence articles | Sample access (3–5 articles) | Full library (2,000+ articles) |
| Threat actor profiles | Public summaries only | Full MSTIC actor profiles with TTPs |
| Infrastructure data (PDNS, WHOIS, certs) | Basic (rate-limited) | Full dataset access |
| Reputation scoring | ✗ | ✓ (Microsoft-scored) |
| API access | ✗ | ✓ (REST API) |
| Microsoft Sentinel connector | ✗ | ✓ |
| Defender XDR integration | Limited context cards | Full enrichment in incidents |
| Export (CSV, STIX) | ✗ | ✓ |
| Intel profiles (new) | Limited | Full (including geopolitical context) |
What Licences Include MDTI Premium?
| Licence | MDTI Premium Included? | Notes |
|---|---|---|
| Microsoft 365 E5 | ✓ | Per-user licence; all E5 users get MDTI access |
| Microsoft 365 E5 Security Add-On | ✓ | Included in the security bundle |
| Microsoft Defender XDR (standalone) | ✓ | XDR bundle includes MDTI |
| Microsoft 365 E3 | ✗ (free tier only) | Requires standalone MDTI add-on |
| Microsoft Sentinel standalone | ✗ (free tier only) | Connector available but requires MDTI premium |
| MDTI standalone add-on | ✓ | ~$2/user/month for qualifying analysts |
For organisations on M365 E5, MDTI premium is already included and should be activated for the security operations team immediately. We consistently find that 60–70% of E5 customers have not activated MDTI access despite owning the licence — this represents $24/analyst/year in paid capability sitting unused. The MDTI portal (ti.defender.microsoft.com) requires only role assignment in the Microsoft Security portal to activate.
MDTI as a Threat Intelligence Platform: What It Covers Well
Infrastructure Intelligence (MDTI's Strongest Capability)
MDTI originated as RiskIQ's internet scan infrastructure and remains one of the most comprehensive infrastructure intelligence datasets available commercially. Core capabilities include passive DNS records (historical and current IP-to-domain mappings), WHOIS registrant data and change history, SSL certificate tracking (including Let's Encrypt certificate registration patterns used by threat actors), and web component tracking (JavaScript libraries, jQuery versions, hosting infrastructure fingerprinting). For SOC teams investigating phishing infrastructure, C2 server attribution, and domain spoofing campaigns, MDTI's infrastructure pivot capability is genuinely world-class.
Microsoft Threat Intelligence Articles
Microsoft's Threat Intelligence Center (MSTIC) produces detailed actor profiles and campaign analyses. MDTI premium provides the full article library including Microsoft's proprietary threat actor naming convention (Midnight Blizzard, Volt Typhoon, Scattered Spider) with complete TTPs, IOCs, and mitigation guidance mapped to MITRE ATT&CK. For organisations whose threat model includes nation-state and advanced persistent threat actors, this intelligence is directly actionable in Sentinel detection rules.
Practical limitation: MDTI's coverage is strongest for infrastructure targeting Windows and Microsoft cloud services. Coverage of Linux-targeted threats, mobile malware ecosystems, and macOS-specific threat actor activity is comparatively thin. If your environment is mixed-OS or cloud-native non-Microsoft, supplement MDTI with a specialist platform focused on your specific threat landscape.
Microsoft Sentinel Integration: The MDTI Data Connector
The MDTI data connector for Microsoft Sentinel ingests threat intelligence indicators directly into the ThreatIntelligenceIndicator table. Configuration requires MDTI premium access and Sentinel workspace owner permissions. Key integration points:
- Indicator ingestion: Microsoft's threat intelligence indicators (IPs, domains, URLs, file hashes) are automatically enriched against Sentinel log data, generating TI-correlated alerts without manual analyst intervention
- Analytics rule templates: Microsoft provides Sentinel analytics rule templates that match ingested MDTI indicators against SecurityEvent, AzureActivity, and custom log tables
- Threat Intelligence workbook: Pre-built Sentinel workbook provides coverage metrics (how many MDTI indicators matched events in the past 30 days)
- Ingestion cost: MDTI indicator ingestion adds to Sentinel daily data volume. A typical MDTI feed ingests 50,000–150,000 indicators per day, adding approximately 50–150 MB/day to Sentinel ingestion costs (approximately $2.50–$7.50/day at $0.50/GB list price for non-M365 data)
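As an added example that is not from the page or from Microsoft's own rule templates, the query below shows the matching pattern the Sentinel analytics templates implement: it takes active, unexpired MDTI IP indicators from ThreatIntelligenceIndicator, keeps only the latest version of each indicator, and joins them against SecurityEvent logon events. The look-back windows and the choice of EventIDs are assumptions for illustration.

```kusto
// Look-back windows (assumed values): recent events vs. indicator retention
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// Current set of active, unexpired MDTI IP indicators
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | where Active == true
    // MDTI re-publishes updated indicators; keep only the newest copy of each
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP);
ti_ips
| join kind=innerunique (
    SecurityEvent
    | where TimeGenerated >= ago(dt_lookBack)
    // Logon success (4624) and failure (4625) carry the remote address in IpAddress
    | where EventID in (4624, 4625) and isnotempty(IpAddress)
    | extend SecurityEvent_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.IpAddress
// Only alert on events that occurred after the indicator was published
| where SecurityEvent_TimeGenerated >= LatestIndicatorTime
// One row per indicator/source-IP pair, keeping the most recent matching event
| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, IpAddress
| project SecurityEvent_TimeGenerated, Description, ThreatType, ConfidenceScore, TI_ipEntity,
          Computer, Account, EventID, Activity
// Entity mappings consumed by the analytics rule for incident enrichment
| extend IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, AccountCustomEntity = Account
```

Scoping the indicator set with ExpirationDateTime and Active avoids firing on indicators MDTI has retired, which is the main source of noise when the feed is ingested at the volumes described above.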
The net financial picture: if you have M365 E5 (includes MDTI premium at no incremental cost) and Microsoft Sentinel, the only incremental cost of enabling MDTI integration is the Sentinel ingestion cost for TI indicators. At $2.50–$7.50/day, the annual cost is $915–$2,738 — a fraction of what standalone commercial TI platforms charge.
MDTI vs Commercial Threat Intelligence Platforms
| Platform | Approximate Price | Strength | Gap vs MDTI |
|---|---|---|---|
| MDTI Premium (E5 included) | $0 incremental (with E5) | Microsoft infrastructure; MSTIC actor profiles | Narrow APT coverage outside Microsoft ecosystem |
| Recorded Future | $30,000–$150,000+/year | Breadth — 7+ intelligence categories | Expensive; MDTI infrastructure data often superior |
| Mandiant Advantage | $20,000–$80,000+/year | Incident response-informed intelligence; FireEye lineage | Best for post-breach context; MDTI better for pre-attack infrastructure |
| Intel 471 | $15,000–$60,000+/year | Underground forum monitoring; cybercriminal actor intelligence | MDTI does not cover criminal underground ecosystems |
| CrowdStrike Falcon X | Included in higher Falcon tiers | Endpoint-correlated intelligence | Weaker infrastructure pivot; good if already on CrowdStrike |
The rational approach for M365 E5 organisations: use MDTI as the primary TI source and evaluate whether a specialist supplement is required based on your specific threat model. Organisations whose primary threats are nation-state infrastructure attacks, credential theft campaigns, and Microsoft-targeting malware are well-served by MDTI alone. Organisations with specific criminal underground monitoring requirements, dark web brand protection needs, or heavy OT/ICS threat exposure should evaluate specialist platforms.
EA Negotiation: Maximising MDTI Value
For organisations on M365 E3 that are considering upgrading to E5 partly for threat intelligence capabilities, the MDTI value case strengthens the E5 ROI argument. Quantify what your current TI platform costs ($15,000–$60,000/year) and frame the E5 upgrade as replacing that spend while adding Defender for Endpoint P2, Defender for Identity, Cloud App Security, and Purview compliance tools. This reframing shifts the E5 upgrade conversation from "expensive security bundle" to "consolidation that eliminates a third-party contract."
For organisations already on E5 that are paying separately for Recorded Future or similar TI platforms, use the MDTI premium inclusion as justification to reduce or eliminate the third-party TI contract. Present this to Microsoft as evidence of consolidation value — Microsoft's commercial team may offer additional concessions on adjacent EA line items when you demonstrate willingness to go deeper into the Microsoft security stack.