Security Posture Management
Defender for Cloud continuously evaluates your Azure resources against the Microsoft cloud security benchmark and other standards, and summarizes the result as a Secure Score for each subscription.
- Secure Score: A percentage computed from the security controls you have satisfied, weighted by each control's maximum points; aim for 80% or higher
- Recommendations: Prioritized list of configuration improvements, each with a severity rating, the affected resources, and remediation steps
- Regulatory compliance: Dashboard showing compliance status against built-in standards such as CIS, NIST, PCI DSS and ISO 27001, plus custom frameworks you define
- Attack path analysis: Identifies chains of exposed or misconfigured resources that an attacker could combine into a route to sensitive data; this requires the paid Defender CSPM plan rather than the free foundational tier
Workload Protection Plans
Defender plans provide advanced threat detection for specific resource types beyond the free foundational CSPM capabilities. Each plan is enabled per subscription and billed per protected resource.
| Plan | Protects | Key Capabilities |
|---|---|---|
| Defender for Servers | VMs and Azure Arc-enabled servers | Vulnerability scanning, file integrity monitoring, JIT access (FIM and JIT require Plan 2) |
| Defender for Databases | SQL, PostgreSQL, MySQL, Cosmos DB | SQL injection detection, anomalous access alerts |
| Defender for Storage | Blob, File, Data Lake | Malware scanning, sensitive data detection |
| Defender for Containers | AKS, Arc-enabled Kubernetes, container registries | Image vulnerability scanning, runtime threat detection |
| Defender for Key Vault | Key Vault secrets | Unusual access patterns, suspicious operations |
Integration With Microsoft Sentinel
Connecting Defender for Cloud to Microsoft Sentinel creates a comprehensive security operations platform with SIEM and SOAR capabilities.
- Configure the Defender for Cloud data connector in Sentinel to stream all security alerts into the workspace's SecurityAlert table
- Create analytics rules that correlate Defender alerts with other data sources (sign-in logs, activity logs, endpoint telemetry) instead of forwarding each alert as its own incident
- Build automated playbooks with Logic Apps, triggered by automation rules, for common incident response tasks such as isolating a VM or disabling an account
- Use Sentinel workbooks for security operations dashboards and reporting
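The correlation step above, as an added example that is not part of the original page or Microsoft's own content: a KQL analytics-rule query that takes Defender for Cloud alerts from the SecurityAlert table, pulls the source IP out of each alert's entity list, and joins it against successful Entra ID sign-ins from the same IP within an hour of the alert. It assumes both the Defender for Cloud connector (SecurityAlert) and the Entra ID connector (SigninLogs) are enabled in the workspace, and that Defender for Cloud alerts carry the ProductName value "Azure Security Center", which is how they have historically been tagged.

```kql
// Added example: high/medium Defender for Cloud alerts whose entities include
// a source IP, correlated with successful Entra ID sign-ins from that IP
// within one hour on either side of the alert.
// Assumes: SecurityAlert (Defender for Cloud connector) and SigninLogs
// (Entra ID connector) are both present in this workspace.
let window = 1h;
let dfc_alerts =
    SecurityAlert
    | where TimeGenerated > ago(1d)
    | where ProductName == "Azure Security Center"   // tag on Defender for Cloud alerts
    | where AlertSeverity in ("High", "Medium")
    | mv-expand entity = parse_json(Entities)       // one row per alert entity
    | where tostring(entity.Type) == "ip"
    | extend SrcIp = tostring(entity.Address)
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, SrcIp;
let signins =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"                        // successful sign-ins only
    | project SigninTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
dfc_alerts
| join kind=inner signins on $left.SrcIp == $right.IPAddress
| where SigninTime between ((AlertTime - window) .. (AlertTime + window))
| project AlertTime, AlertName, AlertSeverity, CompromisedEntity, SrcIp,
          UserPrincipalName, AppDisplayName, SigninTime
| order by AlertTime desc
```

Running this on a short schedule (for example every hour over a one-day lookback) and grouping the results into a single incident per SrcIp gives the analyst the alert and the identity that touched the same address in one view, which is the point of the integration; an alert on its own cannot tell you which user session the attacker was riding.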
For identity security configuration, see our Entra ID management guide. For broader Azure security, explore our Azure managed services.
Best Practices
Follow these configuration best practices to get the most security value from Defender for Cloud.
- Enable Defender for Servers on all production VMs; the vulnerability assessment alone justifies the cost
- Apply the CIS Azure Benchmark as your baseline security policy, alongside the Microsoft cloud security benchmark that is assigned by default
- Configure Just-in-Time VM access to eliminate standing RDP/SSH exposure: JIT keeps the management ports blocked in the network security group and opens them only for an approved requester's source address and time window
- Review Secure Score weekly and address high-severity recommendations promptly
- Use Azure Policy, including the built-in "Configure Microsoft Defender for ..." DeployIfNotExists definitions, to enforce Defender for Cloud plan activation on new subscriptions
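For the weekly review, here is an added KQL example (not from the original page or from Microsoft) that lists the unhealthy high-severity recommendations per subscription, ranked by how many resources each affects. It assumes continuous export of recommendations has been configured from Defender for Cloud to the Log Analytics workspace, which populates the SecurityRecommendation table; the column names used here are those of that exported schema.

```kql
// Added example: weekly review of unhealthy high-severity recommendations.
// Assumes continuous export of recommendations to this workspace, which
// populates the SecurityRecommendation table.
SecurityRecommendation
| where TimeGenerated > ago(7d)
// continuous export writes a row on every state change, so keep only the
// latest reported state for each (resource, recommendation) pair
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| where RecommendationState == "Unhealthy"
| where RecommendationSeverity == "High"
// resource IDs look like /subscriptions/<id>/resourceGroups/...; index 2 is the subscription
| extend SubscriptionId = tostring(split(AssessedResourceId, "/")[2])
| summarize AffectedResources = dcount(AssessedResourceId),
            Examples = make_set(AssessedResourceId, 5)
          by SubscriptionId, RecommendationDisplayName, RemediationDescription
| order by AffectedResources desc
```

Sorting by affected-resource count rather than by score points surfaces the fixes that close the most exposure per remediation, which is usually a single policy or template change applied once.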
Frequently Asked Questions
Is Defender for Cloud free?
The foundational Cloud Security Posture Management (CSPM) capabilities (Secure Score, recommendations, and basic compliance reporting) are free for all Azure subscriptions. The Defender CSPM plan, which adds attack path analysis and agentless scanning, and the workload protection plans (Defender for Servers, Databases, etc.) are billed per protected resource, most of them at an hourly rate.
What is the difference between Defender for Cloud and Microsoft Sentinel?
Defender for Cloud focuses on security posture management and workload protection for Azure and connected multicloud resources. Microsoft Sentinel is a SIEM/SOAR platform that collects and analyzes security data from across your entire environment, including Defender for Cloud's alerts. They complement each other.
Does Defender for Cloud work with non-Azure resources?
Yes. Through Azure Arc, Defender for Cloud extends monitoring and protection to on-premises servers, AWS instances, and GCP VMs as Arc-enabled servers. Native AWS and GCP environment connectors are also available for security assessment of those accounts without Arc.
How much does Defender for Cloud cost?
Foundational CSPM is free. Defender for Servers costs approximately $15/server/month for Plan 2; Plan 1 is cheaper but omits features such as file integrity monitoring and JIT access. Defender for Databases varies by database type. Use the Azure pricing calculator for exact costs based on your resource count.
What Secure Score should I target?
Aim for 80% or higher. Most organizations start between 40-60%. Focus on critical and high-severity recommendations first, as they have the largest impact on both score and actual security posture.
