Defender for Cloud: Where Per-Resource Pricing Creates Billing Surprises

Microsoft Defender for Cloud (formerly Azure Security Center / Azure Defender) is the only Microsoft security product priced on a per-resource model rather than per-user. This creates a fundamentally different cost management challenge: your bill grows as your Azure estate grows, and the growth is automatic unless you deliberately scope your Defender plan enablement. Organisations that enable Defender for Cloud plans at the subscription level without resource-level governance routinely discover that unplanned resource growth — test environments, development subscriptions, sandbox accounts — has doubled or tripled their expected Defender for Cloud monthly cost.

The average enterprise running 500+ Azure VMs with Defender for Servers Plan 2 enabled across all subscriptions is paying approximately $7,200–$11,000/month in Defender for Servers cost alone, before Defender for SQL, Defender for Storage, Defender for Containers, and other plan costs are added. Understanding the per-plan, per-resource cost model before enabling plans at scale is essential.

~$15/mo
Per-server cost for Defender for Servers Plan 2 (per VM/server/month). For a 500-server estate, this is $7,500/month or $90,000/year. Defender for Servers Plan 1 costs ~$5/server/month — $30,000/year for the same 500-server estate. Right-tier selection and non-production server exclusion typically save 30–50% of Defender for Servers spend. Source: Microsoft Negotiations analysis.

The Free Tier — What You Get Without Paying

Defender for Cloud's foundational Cloud Security Posture Management (CSPM) features are available at no cost on all Azure subscriptions. The free tier includes: continuous security assessment of Azure resources against the Microsoft Cloud Security Benchmark, Secure Score calculation and recommendations, regulatory compliance dashboards for standard frameworks (CIS, NIST, PCI DSS), and basic workload protection visibility.

For organisations at an early cloud security maturity stage, the free CSPM tier provides meaningful value — it surfaces misconfiguration risks and compliance gaps without any per-resource cost. The decision to enable paid Defender plans should be driven by specific security operations requirements, not default enablement at subscription creation.

Paid Defender Plans: What Each Covers and What It Costs

Each paid Defender plan covers a specific resource type and is priced per resource unit per month. Plans are enabled independently, allowing selective enablement by resource type and subscription scope.

Defender Plan | Covers | Plan 1 Cost | Plan 2 Cost | Key P2 Additions
--- | --- | --- | --- | ---
Defender for Servers | Azure VMs, Arc servers | ~$5/server/mo | ~$15/server/mo | MDE P2, Just-in-Time access, FIM, vulnerability mgmt
Defender for SQL | Azure SQL DBs, SQL Server on VMs | n/a (single plan) | ~$15/server/mo | Anomaly detection, SQL ATP, audit
Defender for Storage | Azure Storage accounts | n/a (single plan) | ~$10/storage account/mo | Malware scanning, sensitive data threat detection
Defender for Containers | AKS clusters, registry images | n/a (single plan) | ~$7/vCore/mo | Container runtime protection, registry scanning
Defender for App Service | App Service environments | n/a (single plan) | ~$15/app/mo | Threat detection for web apps and APIs
Defender for Key Vault | Key Vault instances | n/a (single plan) | ~$0.02/10K ops/mo | Anomalous access pattern detection
Defender CSPM (paid) | All Azure resources | Free tier | ~$0.007/resource/mo | Attack path analysis, data sensitivity, agentless scanning

Plans with a single paid tier show their price in the Plan 2 column, and the last column lists that plan's key capabilities.

The most commercially significant plan for most enterprises is Defender for Servers. Plan 1 ($5/server/month) includes MDE Plan 1 integration for Windows/Linux machines and basic Defender for Cloud protections. Plan 2 ($15/server/month) adds MDE Plan 2 integration (full EDR), Just-in-Time (JIT) VM access, File Integrity Monitoring (FIM), Docker host hardening, and native vulnerability management via the Qualys-based scanner built into Defender for Endpoint.

The Plan 1 vs Plan 2 decision for Defender for Servers parallels the endpoint MDE Plan 1 vs Plan 2 decision: production servers handling sensitive workloads, domain controllers, database servers, and application servers in regulated environments warrant Plan 2. Development servers, test environments, non-production scale sets, and low-sensitivity workloads are adequately protected by Plan 1. Right-tiering at the server level can reduce Defender for Servers cost by 60–65% for the non-production portion of the estate.
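The following is an added example, not part of the article, that turns the right-tiering rule above into a cost model: it prices a constructed 500-server inventory under blanket Plan 2 enablement and under the rule (P2 for sensitive production roles, P1 elsewhere, with non-production either on P1 or locked to the free tier). The tag values and server populations are hypothetical; the prices are the article's approximate list prices.

```python
"""Defender for Servers cost model for a tagged server inventory.

Added example, not from the article: models the right-tiering rule the text
describes (P2 for sensitive production roles, P1 elsewhere) against blanket
P2 enablement. Prices are the article's approximate list prices, USD/server/month.
"""
from collections import Counter

PLAN_PRICE = {"P2": 15.0, "P1": 5.0, "free": 0.0}
SENSITIVE_ROLES = {"domain-controller", "database", "regulated-app"}  # hypothetical tag values


def recommended_plan(server, nonprod_plan="P1"):
    """Right-tiering rule: P2 for sensitive production roles, P1 for other
    production servers, and `nonprod_plan` (P1 here, or 'free' when non-prod
    subscriptions are policy-locked to the free tier) for everything else."""
    if server["env"] != "prod":
        return nonprod_plan
    return "P2" if server["role"] in SENSITIVE_ROLES else "P1"


def monthly_cost(inventory, plan_for):
    """Total monthly cost under a plan-selection function, plus per-plan server counts."""
    counts = Counter(plan_for(s) for s in inventory)
    total = sum(PLAN_PRICE[plan] * n for plan, n in counts.items())
    return total, dict(counts)


def build_inventory(prod_sensitive, prod_general, nonprod):
    """Constructed inventory for a hypothetical tenant: three server populations."""
    inv = [{"env": "prod", "role": "database"} for _ in range(prod_sensitive)]
    inv += [{"env": "prod", "role": "web"} for _ in range(prod_general)]
    inv += [{"env": "dev", "role": "web"} for _ in range(nonprod)]
    return inv


def compare(inventory, nonprod_plan="P1"):
    """Subscription-wide P2 (the billing-surprise default) vs right-tiered spend."""
    blanket, _ = monthly_cost(inventory, lambda s: "P2")
    tiered, counts = monthly_cost(inventory, lambda s: recommended_plan(s, nonprod_plan))
    saving_pct = round(100.0 * (blanket - tiered) / blanket, 1) if blanket else 0.0
    return {"blanket": blanket, "tiered": tiered, "saving_pct": saving_pct, "counts": counts}


if __name__ == "__main__":
    estate = build_inventory(150, 200, 150)  # 500 servers, as in the article's worked figure
    print(compare(estate))               # non-prod on P1
    print(compare(estate, "free"))       # non-prod locked to free CSPM
```

With 150 sensitive and 200 general production servers plus 150 non-production servers, blanket P2 costs $7,500/month, right-tiering with non-production on P1 costs $4,000 (a 46.7% saving), and locking non-production to the free tier brings it to $3,250.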

Defender CSPM: The Paid Tier Decision

The paid Defender CSPM tier adds capabilities beyond the free tier that are valuable at higher cloud security maturity levels: attack path analysis (visually maps how an attacker could move through misconfigurations to high-value resources), agentless vulnerability scanning without deploying agents to each VM, sensitive data discovery integration with Microsoft Purview, and internet exposure analysis at the resource level.

At approximately $0.007/resource/month, paid CSPM adds up quickly for large Azure estates. A 2,000-resource Azure environment (VMs, storage accounts, databases, app services) costs approximately $14/month for paid CSPM — effectively negligible. A 50,000-resource enterprise Azure estate costs $350/month or $4,200/year. The decision is straightforward at this price point: if your security team actively uses attack path analysis and agentless scanning, paid CSPM at $0.007/resource is not a meaningful budget line. If your security operations are largely reactive and the advanced CSPM features go unused, there is no reason to upgrade from the free tier.

Multi-Cloud Coverage: AWS and GCP Costs

Defender for Cloud extends to AWS and Google Cloud Platform via Azure Arc-connected resources. For organisations with significant multi-cloud estates, this is a commercial consideration that requires explicit modelling. Defender for Servers Plan 2 on Arc-connected AWS EC2 instances costs the same $15/server/month as Azure VMs. If your AWS estate includes 300 EC2 instances, full Defender for Servers P2 coverage adds $54,000/year in Defender for Cloud cost that may not have been budgeted when the Azure-centric security review was conducted.

The scoping principle is the same for multi-cloud resources as for Azure: enable Defender plans selectively based on workload sensitivity, apply Plan 1 for non-production and low-sensitivity resources, and treat multi-cloud resource growth as a governance trigger for Defender plan scope review.

Preventing Uncontrolled Defender Cost Growth

Three governance controls prevent the most common Defender for Cloud billing surprises:

Azure Policy for Defender plan enablement. The built-in Azure Policy definition "Configure Microsoft Defender for Cloud plans" can be assigned to specific subscriptions or management groups, so that paid plans are enabled only where intended rather than on every newly created subscription. A new subscription with no such assignment starts on the free tier; but where a policy assigned at a broad scope auto-enables paid plans, every new subscription inherits those paid plans at creation. This is the most common source of unexpected Defender for Cloud cost growth.

Exclusion of non-production subscriptions from paid plans. Create a dedicated management group for development, test, and sandbox subscriptions with a policy assignment that explicitly sets Defender plans to the free tier. Production and pre-production subscriptions receive paid plan enablement through a separate management group policy assignment. This architectural separation is the foundation of cost-controlled Defender for Cloud deployment.

Monthly cost monitoring against resource inventory. Set Azure Cost Management alerts for the Defender for Cloud service category at 80% and 100% of the monthly budget. Each month, cross-reference Defender cost against the resource inventory report: cost growing faster than resource count indicates unplanned plan enablement, or resource growth in subscriptions where paid plans are enabled. For more on Azure cost governance, see our guide to Azure FinOps for enterprises and our Azure Cost Management service.

4-Step Defender for Cloud Cost Optimization

Step 1: Audit current plan enablement across all subscriptions. Export the Defender for Cloud Plans report from the Azure portal for every subscription in your tenant. Identify which plans are enabled at Plan 1 vs Plan 2 vs free, and match this against your resource inventory by subscription to understand what you are paying for.

Step 2: Segment production vs non-production subscriptions. Implement management group separation for production and non-production if not already in place. Apply policy to restrict non-production subscriptions to free CSPM tier only.

Step 3: Right-tier Defender for Servers. For production subscriptions, segment servers by sensitivity: Plan 2 for DCs, database servers, and regulated-function application servers; Plan 1 for general application and web tier servers where JIT access and full EDR are not required.

Step 4: Review Defender plan value against security operations consumption. Conduct a quarterly review of which Defender plan alerts are being actioned by your security operations team. Plans generating alerts that go uninvestigated due to team capacity should be reviewed for scope reduction — the commercial cost of a Defender plan is only justified by the security value actually consumed. Contact our team via the assessment page for a Defender for Cloud cost benchmark against comparable Azure estates.
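The following is an added example, not part of the article, that implements the checks behind the governance controls and Steps 1 and 2 above: it flags paid plans in non-production management groups, Defender cost per resource that grows faster than the inventory, and crossed budget thresholds. The subscription data is constructed for a hypothetical tenant; in practice the plan tiers come from `az security pricing list` per subscription and the cost and resource figures from Cost Management and the resource inventory.

```python
"""Audit Defender for Cloud plan scope and cost against the resource inventory.

Added example, not from the article. SUBSCRIPTIONS is a constructed export for a
hypothetical tenant, shaped like the per-plan pricing tiers `az security pricing list`
reports (Free/Standard plus a P1/P2 sub-plan) joined to month-over-month resource
counts and Defender cost from Cost Management.
"""

SUBSCRIPTIONS = [  # cost and resources are [previous month, current month]
    {"name": "prod-core", "mg": "prod", "resources": [1100, 1200], "cost": [4600.0, 5000.0],
     "plans": {"VirtualMachines": ("Standard", "P2"), "SqlServers": ("Standard", None)}},
    {"name": "prod-web", "mg": "prod", "resources": [800, 800], "cost": [2400.0, 4700.0],
     "plans": {"VirtualMachines": ("Standard", "P1")}},
    {"name": "dev-sandbox", "mg": "nonprod", "resources": [300, 300], "cost": [0.0, 1500.0],
     "plans": {"VirtualMachines": ("Standard", "P2")}},
    {"name": "test-qa", "mg": "nonprod", "resources": [150, 160], "cost": [0.0, 0.0],
     "plans": {"VirtualMachines": ("Free", None)}},
]
MONTHLY_BUDGET = 12000.0  # hypothetical tenant-wide Defender for Cloud budget, USD


def paid_plans_outside_prod(subs):
    """Step 2 check: non-production management groups must carry free-tier plans only."""
    return [(s["name"], plan, sub_plan) for s in subs if s["mg"] != "prod"
            for plan, (tier, sub_plan) in s["plans"].items() if tier == "Standard"]


def cost_per_resource_spikes(subs, threshold=0.25):
    """Cost-monitoring check: flag subscriptions whose Defender cost per resource grew
    by more than `threshold`; cost rising in step with resource count is not flagged."""
    flagged = []
    for s in subs:
        (r0, r1), (c0, c1) = s["resources"], s["cost"]
        prev, cur = c0 / r0, c1 / r1
        if prev == 0:
            if cur > 0:  # zero-to-paid is the signature of a newly enabled plan
                flagged.append((s["name"], None))
            continue
        growth = (cur - prev) / prev
        if growth > threshold:
            flagged.append((s["name"], round(growth, 2)))
    return flagged


def budget_alerts(subs, budget=MONTHLY_BUDGET):
    """Budget thresholds the article recommends: return which of 80% / 100% are crossed."""
    total = sum(s["cost"][1] for s in subs)
    return [pct for pct in (80, 100) if total >= budget * pct / 100]


if __name__ == "__main__":
    print(paid_plans_outside_prod(SUBSCRIPTIONS))
    print(cost_per_resource_spikes(SUBSCRIPTIONS))
    print(budget_alerts(SUBSCRIPTIONS))
```

On the sample data, prod-core's cost grew only in step with its resource count and is not flagged, while prod-web (same resource count, near-doubled cost) and dev-sandbox (a paid P2 plan in a non-production group, billed from zero) both surface.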