Microsoft Security Copilot became generally available in April 2024 with a pricing model unlike any other Microsoft product: Security Compute Units (SCUs) at $4/hour, billed regardless of utilisation. For a security operations team managing 10,000+ endpoints, the promise of AI-accelerated incident triage and sub-hour threat investigation is compelling. The challenge is that the SCU model rewards high-utilisation SOC environments and penalises organisations that provision capacity that sits idle. Getting the SCU configuration right from day one determines whether Security Copilot is a $35,000/year productivity investment or a $280,000/year disappointment.
Independent Advisory. Zero Vendor Bias.
500+ Microsoft EA engagements. $2.1B in managed spend. 32% average cost reduction. We negotiate on your behalf — never Microsoft's.
View Advisory Services →How the SCU Pricing Model Works
Security Compute Units are provisioned capacity units that enable Security Copilot features across your Microsoft security estate. Unlike per-user pricing, SCUs are not tied to individual users — they are shared capacity available to any licensed user in your tenant. The key mechanics:
| Metric | Value | Notes |
|---|---|---|
| Price per SCU per hour | $4.00 | List price; EA discounts apply |
| Price per SCU per month (730 hours) | $2,920 | Provisioned continuously |
| Minimum SCU purchase | 1 SCU | Can scale up/down monthly |
| Billing model | Capacity-based (not per query) | Billed for provisioned time, not usage |
| Scaling | 1–100+ SCUs | Adjust capacity via Azure portal |
| Trial availability | 90-day trial (qualifying customers) | Via account team or Azure portal |
The practical implication: a 24/7 provisioned SCU costs $2,920/month regardless of whether analysts run 5 queries or 5,000. For SOC environments with active daily usage, this translates to negligible per-query cost. For environments that use Security Copilot only for weekly threat briefings, the effective per-query cost can be extraordinarily high.
How Many SCUs Does Your Organisation Need?
Microsoft provides guidance that 1 SCU supports approximately 10–15 simultaneous users for standard Copilot interactions. But real-world capacity requirements depend heavily on use case:
| Organisation Profile | Recommended SCUs | Monthly Cost (List) | Primary Use Cases |
|---|---|---|---|
| SMB SOC (1–3 analysts) | 1 SCU | $2,920 | Incident summarisation, script analysis |
| Mid-market (5–10 analysts, business hours only) | 2 SCUs | $5,840 | Incident triage, vulnerability prioritisation |
| Enterprise (10–30 analysts, 24/7 operations) | 4–6 SCUs | $11,680–$17,520 | Full SOC automation, KQL generation, threat hunting |
| Large enterprise (30+ analysts, automation workflows) | 8–16 SCUs | $23,360–$46,720 | Automated SOAR workflows, API integrations, Sentinel automation |
| MSSP (multi-tenant operations) | 10–40+ SCUs | $29,200+ | Multi-customer management, cross-tenant reporting |
Critical guidance: Start with 1–2 SCUs during the first 90 days. Monitor the utilisation metrics in the Security Copilot capacity settings. Throttling (queries queued rather than executed immediately) occurs when SCU capacity is insufficient for concurrent demand — if you see less than 5% throttling, you have provisioned correctly. Scale up only when sustained throttling appears during business-hours peaks.
Standalone vs Embedded Experience: What Changes?
Security Copilot has two distinct user experience modes, both requiring SCU provisioning:
Standalone Experience (securitycopilot.microsoft.com)
A dedicated portal for open-ended natural language security investigations. Analysts can query across all connected data sources, run custom playbooks, create reports, and perform complex threat analysis using a "promptbook" interface. This requires analysts to actively navigate to the Security Copilot portal — it is a purpose-built investigation environment.
Embedded Experiences (in-product)
Security Copilot capabilities surfaced directly within existing Microsoft security portals. Each requires the relevant product licence plus SCU provisioning:
- Defender XDR — Incident summarisation, guided response suggestions, alert investigation; requires Defender for Endpoint P2 or equivalent
- Microsoft Sentinel — Incident triage acceleration, KQL query generation, threat hunting; requires Microsoft Sentinel licence
- Entra ID (Entra admin centre) — Identity risk investigation, sign-in anomaly analysis; requires Entra ID P2
- Microsoft Intune — Device compliance policy analysis, vulnerability impact assessment; requires Intune P2 or equivalent
- Microsoft Purview — Data risk investigation, DLP policy recommendations; requires Purview E5 Compliance or Information Protection licences
- Defender for Cloud — Cloud posture recommendations, vulnerability prioritisation; requires Defender for Servers P2 or equivalent
Deployment reality: The embedded experiences are where organisations see the fastest ROI from Security Copilot. Incident summarisation in Defender XDR — compressing a 2-hour alert investigation to 12 minutes — is the most consistently cited value across deployments we have observed. The standalone portal delivers more depth but requires analyst workflow change management.
ROI Framework: When Security Copilot Pays for Itself
The ROI calculation for Security Copilot is straightforward when framed around analyst time-to-triage:
Scenario: 5-Person SOC, 2 SCUs, Mid-Market Enterprise
| Metric | Before Security Copilot | After Security Copilot |
|---|---|---|
| Security incidents per month | 150 | 150 |
| Average triage time per incident | 45 minutes | 12 minutes |
| Monthly analyst hours on triage | 112.5 hours | 30 hours |
| SOC analyst fully-loaded cost/hour | $95/hour | $95/hour |
| Monthly analyst triage cost | $10,688 | $2,850 |
| Security Copilot cost (2 SCUs list) | — | $5,840 |
| Net monthly saving | $1,998 |
At these parameters, Security Copilot breaks even at month 1 and generates approximately $24,000/year in SOC analyst efficiency gains. The ROI improves significantly at higher incident volumes — a 300-incident/month SOC generates $4,000+ monthly savings against the same $5,840 SCU cost.
The ROI case breaks down in two scenarios: organisations with fewer than 50 security incidents per month (too few incidents to justify the capacity cost) and organisations where incidents are handled by junior analysts without the skills to effectively prompt Security Copilot (tool adoption without capability change does not deliver savings).
EA Negotiation Tactics for Security Copilot
Tactic 1: Negotiate SCU Price, Not Just EA Overall Discounts
Security Copilot SCUs are Microsoft Azure-billed capacity, separate from the M365 EA billing pathway. Standard EA discounts may not automatically apply to Azure consumption. Explicitly negotiate a committed SCU rate as part of your Microsoft Azure consumption negotiation — a committed annual SCU spend of $70,000+ (2 SCUs × 12 months) qualifies as a Microsoft Azure Commit (MACC)-eligible workload and should be priced accordingly with a 15–25% discount off the $4/SCU/hour list rate.
Tactic 2: Pilot Commitment for Deployment Credits
Microsoft's Security team has a vested interest in Security Copilot adoption metrics. Offering a formal 90-day deployment commitment with named pilot users and a post-pilot case study exchange is often sufficient to secure $25,000–$50,000 in FastTrack deployment credits or Azure credits that offset the first year's SCU cost. This is not a standard programme — it requires negotiation with the Microsoft Security account specialist, not the standard account executive.
Tactic 3: Include SCUs in Security Spend Bundling
If you are also purchasing or renewing Defender for Endpoint P2, Microsoft Sentinel, or Entra Suite, negotiate the full security package as a single deal. Microsoft's security team has joint commercial authority to offer bundled discounts across the Azure-billed and M365-billed security portfolio. A $2M combined security spend including SCUs, Sentinel, and Defender products typically unlocks 18–22% blended discounts unavailable when each product is purchased separately.
Get an Independent Second Opinion
Before you sign your next Microsoft agreement, speak with an adviser who has no commercial relationship with Microsoft.
Request a Consultation →Prerequisite Licences: What You Need Before SCUs Matter
Security Copilot SCUs enable AI capabilities across Microsoft security products — but only for products you already have licences for. Provisioning SCUs without the underlying security products delivers no value. The required prerequisites by use case:
| Use Case | Required Licence | SCU Benefit |
|---|---|---|
| Incident investigation (endpoint) | Defender for Endpoint P2 | Incident summary, alert triage, guided response |
| Email security investigation | Defender for Office 365 P2 | Phishing analysis, campaign summarisation |
| Identity risk analysis | Entra ID P2 or Entra Suite | Sign-in risk investigation, compromised account playbooks |
| SIEM triage and hunting | Microsoft Sentinel | KQL generation, incident summarisation, playbook drafting |
| Cloud posture analysis | Defender for Cloud (Servers P2) | Recommendation prioritisation, vulnerability context |
| Device compliance analysis | Intune Suite or equivalent | Policy gap analysis, compliance risk assessment |
| Data risk investigation | Purview Information Protection | Sensitive data exposure, DLP incident triage |
📄 Free Guide: Microsoft Identity & Zero Trust Licensing Guide
Covers Security Copilot, Entra Suite, Zero Trust licensing strategy, and security EA negotiation framework.
Download Free Guide →Common Security Copilot Licensing Mistakes
Mistake 1: Over-provisioning SCUs at launch. The most common commercial mistake is provisioning 4–8 SCUs during the pilot phase to ensure performance, then forgetting to scale down after the pilot. Each SCU costs $2,920/month — two unused SCUs waste $5,840/month. Implement a monthly SCU review process and scale based on measured throttling data, not intuition.
Mistake 2: Billing Security Copilot through the EA rather than MACC. SCUs are an Azure consumption workload. Organisations that have MACC (Microsoft Azure Consumption Commitment) should apply SCU spend against their MACC commitment to maximise MACC burn-down rates. This is frequently overlooked when Security Copilot is provisioned separately from the Azure FinOps team.
Mistake 3: Expecting Security Copilot to work without analyst change management. A SOC team that receives Security Copilot without training on effective prompting will underutilise the tool and generate inflated per-query costs. Microsoft offers free promptbook training and adoption resources. Bake analyst training into the SCU negotiation as a commitment from Microsoft, not an optional extra.
Mistake 4: Treating embedded experiences as independent licences. The Security Copilot embedded experience in Sentinel, for example, does not require a separate "Sentinel Copilot" licence — it is the same SCU provisioning shared across all embedded experiences. Organisations that provision SCUs for Defender XDR and are then charged separately for Sentinel integration are being incorrectly billed.
Related Microsoft Security Licensing Guides
- Microsoft Identity & Zero Trust Licensing: Complete Guide
- Microsoft 365 Defender Licensing Comparison 2026
- Microsoft Defender XDR Complete Licensing Guide
- Microsoft Sentinel Licensing & Cost Guide
- Microsoft Entra Suite Complete Licensing Guide
- Copilot for M365 vs Copilot for Security: Licensing Guide
- Azure MACC Strategy for Security Copilot SCUs