Azure Defender: Major diff between CSPM or CWP Plan ?

Question

Azure Defender: Major diff between CSPM or CWP Plan ?

$@chin 330

What is the main difference between the CSPM and CWP Defender plans?

Can both plans be enabled within a subscription? If so, will enabling both result in double charges, or will they only incur a charge for one of the plans?

currently have the CWP plan for all resources, but under recommendations or security posture, it still shows "no risk calculated" or "not evaluated". which could be the concern.

0 comments

3 answers

Your answer

Answer 1

Marcin Policht 86,615 MVP Volunteer Moderator

There is no possibility of "double charges" taking place, because these plans do not overlap in regard to the functionality they offer.

There is no "server plan" under CSPM - that's CWP

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Marcin Policht 86,615 Reputation points MVP Volunteer Moderator

2025-03-24T22:42:58.97+00:00
You seem to be missing the difference between the core capabilities and roles of Cloud Workload Protection (CWP) and Cloud Security Posture Management (CSPM).

CWP (Cloud Workload Protection) focuses on protecting workloads, such as VMs, containers, databases, and Kubernetes clusters, by offering real-time threat detection, vulnerability management, and security monitoring for workloads running in the cloud.

CSPM (Cloud Security Posture Management) is designed to continuously assess cloud configurations, compliance, and security posture across various cloud services (e.g., storage, networking, and identity management). It provides recommendations to harden security configurations and prevent misconfigurations.

These are complementary - not equivalent.

In addition, CSPM does not only cover specific services but it provides broad security assessments across the cloud environment, detecting misconfigurations and compliance issues in services like storage accounts, virtual machines, identity, and networking.

CWP is not a superset of CSPM. While CWP focuses on workload protection (e.g., VMs, containers, and databases) with runtime security, CSPM focuses on proactive posture management.

Both are necessary for full cloud security - CSPM prevents misconfigurations, while CWP actively protects workloads from threats.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

Arko 4,180 Moderator

Hello $@chin, I can see a similar question was answered on the MS QnA forum. Kindly check that once. Both plans can be enabled within a subscription and are billed separately based on the resources they protect. Enabling both does not result in double charges; instead, you pay for each service individually according to its pricing model.

CSPM: Focuses on identifying misconfigurations, compliance risks, and security posture weaknesses across cloud environments as rightly mentioned by Marcin. It offers security assessments and recommendations but does not provide runtime protection.

CWP: Provides runtime protection for workloads such as VMs, containers, AKS clusters, databases, and more. It includes threat detection, vulnerability assessments, and attack prevention for specific resources.

Regarding the issue of security posture showing "no risk calculated" or "not evaluated," as Marcin has correctly highlighted that this is likely because CSPM is not enabled. CSPM is responsible for assessing security posture; without it, these evaluations won't occur. To address this, you should enable the CSPM Defender Plan in addition to CWP.

Hope the suggestions and the QnA link provided were helpful. Thank you.

$@chin 330 Reputation points

2025-03-20T14:46:54.2433333+00:00

Hi @Marcin Policht / Arko

Is there any Microsoft documentation that explains how enabling both plans won't result in double charges?
For example, if a server plan is already enabled under CWP, will enabling CSPM again lead to additional costs for the server (resource) ?
Arko 4,180 Reputation points Moderator

2025-03-21T17:00:45.5933333+00:00

Enabling both the Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) plans in Microsoft Defender for Cloud does not result in double charges. Each plan addresses different aspects of cloud security and is billed separately based on the resources they protect. Therefore, if a server is already covered under the CWP plan, enabling CSPM will not lead to additional charges for that server. Each service is billed according to its specific pricing model, and their functionalities do not overlap in a way that would cause double billing. While there is no exact documentation that directly addresses or confirms "no double billing when both plans are enabled". For accurate pricing behavior, the most reliable source would be https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/. Thank you for highlighting this $@chin. I will request for a document updation to clarify such points under the common question sections under- https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-servers.
$@chin 330 Reputation points

2025-03-24T13:26:50.12+00:00

Hi Arko / @Marcin Policht ,

CWP also offers features like recommendations and vulnerability assessments for the environment, VMs, databases, etc.

On the other hand, CSPM seems to cover only specific services, which, from what I can see, are already included in CWP.

Answer 3

The main difference between CSPM (Cloud Security Posture Management) and CWP (Cloud Workload Protection) in Microsoft Defender for Cloud is:

CSPM Defender Plan focuses on identifying misconfigurations, compliance risks, and security posture weaknesses across cloud environments (Azure, AWS, GCP). It does not provide runtime protection but offers security assessments and recommendations.
CWP Defender Plan provides runtime protection for workloads like VMs, containers, Kubernetes, databases, and more. It offers threat detection, vulnerability assessment, and attack prevention for specific resources.

Can both plans be enabled? Will there be double charges?
Yes, both plans can be enabled within a subscription, as they serve different purposes. However:

They are billed separately based on the resources they protect.
There is no double charge for enabling both plans, but you will pay for each service individually based on its pricing model.

Why is security posture showing "no risk calculated" or "not evaluated"?
If you only have the CWP plan enabled and security posture is not being evaluated, it’s likely because:

CSPM Defender is not enabled – Security posture is assessed by CSPM, not CWP.
Insufficient permissions – Ensure the necessary Reader or Security Reader role is assigned to Defender for Cloud.
Data collection or policy settings are misconfigured – Check the Defender for Cloud settings to ensure security assessments are running.
Recent onboarding – If you recently enabled Defender for Cloud, it might take time for risk assessments to generate.

If you need security posture evaluation, enable the CSPM Defender Plan in addition to CWP.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Azure Defender: Major diff between CSPM or CWP Plan ?

3 answers

Your answer