Cloud Security Posture Management (CSPM)

One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

Defender for Cloud continually assesses your resources, subscriptions and organization for security issues. Defender for Cloud shows your security posture in secure score. The secure score is an aggregated score of the security findings that tells you your current security situation. The higher the score, the lower the identified risk level.


  • Foundational CSPM - None
  • Defender Cloud Security Posture Management (CSPM) - Agentless scanning requires the Subscription Owner to enable the plan. Anyone with a lower level of authorization can enable the Defender CSPM plan but the agentless scanner won't be enabled by default due to lack of permissions. Attack path analysis and security explorer won't be populated with vulnerabilities because the agentless scanner is disabled.

For commercial and national cloud coverage, review features supported in different Azure cloud environments.

Defender CSPM plan options

Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default on any subscription or account that has onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with Microsoft Cloud Security Benchmark (MCSB), and a Secure score which measure the current status of your organization's posture.

The optional Defender CSPM plan, provides advanced posture management capabilities such as Attack path analysis, Cloud security explorer, advanced threat hunting, security governance capabilities, and also tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.

Plan pricing


The Microsoft Defender CSPM plan protects across multicloud workloads. With Defender CSPM generally available (GA), the plan will remain free until billing starts on August 1 2023. Billing will apply for compute, database, and storage resources. Billable workloads will be VMs, Storage Accounts, OSS DBs, and SQL PaaS & Servers on Machines. When billing starts, existing Microsoft Defender for Cloud customers will receive automatically applied discounts for Defender CSPM. ‚Äč

Microsoft Defender CSPM protects across all your multicloud workloads, but billing only applies for Servers, Databases and Storage accounts at $15/billable resource/month. The underlying compute services for AKS are regarded as servers for billing purposes.

Current Microsoft Defender for Cloud customers receive automatically applied discounts (5-25% discount per billed workload based on the highest applicable discount). If you have one of the following plans enabled, you will receive a discount. Refer to the following table:

Current Defender for Cloud Customer Automatic Discount Defender CSPM Price
Defender for Servers P2 25% $11.25/ Compute or Data workload / month
Defender for Containers 10% $13.50/ Compute or Data workload / month
Defender for DBs / Defender for Storage 5% $14.25/ Compute or Data workload / month

Plan availability

Learn more about Defender CSPM pricing.

The following table summarizes each plan and their cloud availability.

Feature Foundational CSPM Defender CSPM Cloud availability
Security recommendations to fix misconfigurations and weaknesses Azure, AWS, GCP, on-premises
Asset inventory Azure, AWS, GCP, on-premises
Secure score Azure, AWS, GCP, on-premises
Data visualization and reporting with Azure Workbooks Azure, AWS, GCP, on-premises
Data exporting Azure, AWS, GCP, on-premises
Workflow automation Azure, AWS, GCP, on-premises
Tools for remediation Azure, AWS, GCP, on-premises
Microsoft Cloud Security Benchmark Azure, AWS
Governance - Azure, AWS, GCP, on-premises
Regulatory compliance - Azure, AWS, GCP, on-premises
Cloud security explorer - Azure, AWS
Attack path analysis - Azure, AWS
Agentless scanning for machines - Azure, AWS
Agentless discovery for Kubernetes - Azure
Container registries vulnerability assessment, including registry scanning - Azure
Data aware security posture - Azure, AWS
EASM insights in network exposure - Azure, AWS


If you have enabled Defender for DevOps, you will only gain cloud security graph and attack path analysis to the artifacts that arrive through those connectors.

To enable Governance for DevOps related recommendations, the Defender CSPM plan needs to be enabled on the Azure subscription that hosts the DevOps connector.

Next steps

Learn about Defender for Cloud's Defender plans.