Cloud Security Posture Management (CSPM)

One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

Defender for Cloud continually assesses your resources, subscriptions and organization for security issues. Defender for Cloud shows your security posture in secure score. The secure score is an aggregated score of the security findings that tells you your current security situation. The higher the score, the lower the identified risk level.


  • Foundational CSPM - None
  • Defender Cloud Security Posture Management (CSPM) - Agentless scanning requires the Subscription Owner to enable the plan. Anyone with a lower level of authorization can enable the Defender CSPM plan but the agentless scanner won't be enabled by default due to lack of permissions. Attack path analysis and security explorer won't be populated with vulnerabilities because the agentless scanner is disabled.

For commercial and national cloud coverage, review features supported in different Azure cloud environments.

Defender CSPM plan options

Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default on any subscription or account that has onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with Microsoft Cloud Security Benchmark (MCSB), and a Secure score which measure the current status of your organization's posture.

The optional Defender CSPM plan, provides advanced posture management capabilities such as Attack path analysis, Cloud security explorer, advanced threat hunting, security governance capabilities, and also tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.

Plan pricing

Microsoft Defender CSPM protects across all your multicloud workloads, but billing only applies for Servers, Database, and Storage accounts at $5/billable resource/month. The underlying compute services for AKS are regarded as servers for billing purposes.


  • The Microsoft Defender CSPM plan protects across multicloud workloads. With Defender CSPM generally available (GA), the plan will remain free until billing starts on August 1, 2023. Billing will apply for Servers, Database, and Storage resources. Billable workloads will be VMs, Storage accounts, OSS DBs, SQL PaaS, & SQL servers on machines.‚Äč

  • This price includes free vulnerability assessments for 20 unique images per charged resource, whereby the count will be based on the previous month's consumption. Every subsequent scan will be charged at $0.29 per image digest. The majority of customers are not expected to incur any additional image scan charges. For subscriptions that are both under the Defender CSPM and Defender for Containers plans, free vulnerability assessment will be calculated based on free image scans provided via the Defender for Containers plan, as specified in the Microsoft Defender for Cloud pricing page.

Plan availability

Learn more about Defender CSPM pricing.

The following table summarizes each plan and their cloud availability.

Feature Foundational CSPM Defender CSPM Cloud availability
Security recommendations to fix misconfigurations and weaknesses Azure, AWS, GCP, on-premises
Asset inventory Azure, AWS, GCP, on-premises
Secure score Azure, AWS, GCP, on-premises
Data visualization and reporting with Azure Workbooks Azure, AWS, GCP, on-premises
Data exporting Azure, AWS, GCP, on-premises
Workflow automation Azure, AWS, GCP, on-premises
Tools for remediation Azure, AWS, GCP, on-premises
Microsoft Cloud Security Benchmark Azure, AWS, GCP
Governance - Azure, AWS, GCP, on-premises
Regulatory compliance - Azure, AWS, GCP, on-premises
Cloud security explorer - Azure, AWS, GCP
Attack path analysis - Azure, AWS, GCP
Agentless scanning for machines - Azure, AWS, GCP
Agentless discovery for Kubernetes - Azure
Container registries vulnerability assessment, including registry scanning - Azure
Data aware security posture - Azure, AWS, GCP
EASM insights in network exposure - Azure, AWS, GCP


If you have enabled Defender for DevOps, you will only gain cloud security graph and attack path analysis to the artifacts that arrive through those connectors.

To enable Governance for DevOps related recommendations, the Defender CSPM plan needs to be enabled on the Azure subscription that hosts the DevOps connector.

Next steps

Learn about Defender for Cloud's Defender plans.