Cloud Security Posture Management (CSPM)
One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.
Defender for Cloud continually assesses your resources, subscriptions and organization for security issues. Defender for Cloud shows your security posture in secure score. The secure score is an aggregated score of the security findings that tells you your current security situation. The higher the score, the lower the identified risk level.
Prerequisites
- Foundational CSPM - None
- Defender Cloud Security Posture Management (CSPM) - Agentless scanning requires the Subscription Owner to enable the plan. Anyone with a lower level of authorization can enable the Defender CSPM plan but the agentless scanner won't be enabled by default due to lack of permissions. Attack path analysis and security explorer won't be populated with vulnerabilities because the agentless scanner is disabled.
For commercial and national cloud coverage, review features supported in different Azure cloud environments.
Defender CSPM plan options
Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default on any subscription or account that has onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with Microsoft Cloud Security Benchmark (MCSB), and a Secure score which measure the current status of your organization's posture.
The optional Defender CSPM plan, provides advanced posture management capabilities such as Attack path analysis, Cloud security explorer, advanced threat hunting, security governance capabilities, and also tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.
Plan pricing
Note
The Microsoft Defender CSPM plan protects across multicloud workloads. With Defender CSPM generally available (GA), the plan will remain free until billing starts on August 1 2023. Billing will apply for compute, database, and storage resources. Billable workloads will be VMs, Storage Accounts, OSS DBs, and SQL PaaS & Servers on Machines. When billing starts, existing Microsoft Defender for Cloud customers will receive automatically applied discounts for Defender CSPM.
Microsoft Defender CSPM protects across all your multicloud workloads, but billing only applies for Servers, Databases and Storage accounts at $15/billable resource/month. The underlying compute services for AKS are regarded as servers for billing purposes.
Current Microsoft Defender for Cloud customers receive automatically applied discounts (5-25% discount per billed workload based on the highest applicable discount). If you have one of the following plans enabled, you will receive a discount. Refer to the following table:
| Current Defender for Cloud Customer | Automatic Discount | Defender CSPM Price |
|---|---|---|
| Defender for Servers P2 | 25% | $11.25/ Compute or Data workload / month |
| Defender for Containers | 10% | $13.50/ Compute or Data workload / month |
| Defender for DBs / Defender for Storage | 5% | $14.25/ Compute or Data workload / month |
Plan availability
Learn more about Defender CSPM pricing.
The following table summarizes each plan and their cloud availability.
| Feature | Foundational CSPM | Defender CSPM | Cloud availability |
|---|---|---|---|
| Security recommendations to fix misconfigurations and weaknesses | 
|
|
Azure, AWS, GCP, on-premises |
| Asset inventory |
|
|
Azure, AWS, GCP, on-premises |
| Secure score |
|
|
Azure, AWS, GCP, on-premises |
| Data visualization and reporting with Azure Workbooks |
|
|
Azure, AWS, GCP, on-premises |
| Data exporting |
|
|
Azure, AWS, GCP, on-premises |
| Workflow automation |
|
|
Azure, AWS, GCP, on-premises |
| Tools for remediation |
|
|
Azure, AWS, GCP, on-premises |
| Microsoft Cloud Security Benchmark |
|
|
Azure, AWS |
| Governance | - |
|
Azure, AWS, GCP, on-premises |
| Regulatory compliance | - |
|
Azure, AWS, GCP, on-premises |
| Cloud security explorer | - |
|
Azure, AWS |
| Attack path analysis | - |
|
Azure, AWS |
| Agentless scanning for machines | - |
|
Azure, AWS |
| Agentless discovery for Kubernetes | - |
|
Azure |
| Container registries vulnerability assessment, including registry scanning | - |
|
Azure |
| Data aware security posture | - |
|
Azure, AWS |
| EASM insights in network exposure | - |
|
Azure, AWS |
Note
If you have enabled Defender for DevOps, you will only gain cloud security graph and attack path analysis to the artifacts that arrive through those connectors.
To enable Governance for DevOps related recommendations, the Defender CSPM plan needs to be enabled on the Azure subscription that hosts the DevOps connector.
Next steps
Learn about Defender for Cloud's Defender plans.
Feedback
Submit and view feedback for