Microsoft Defender XDR is the integrated suite of five Defender products. Defender for Endpoint P1 lists at $2.50 per user per month, P2 at $5.20. Defender for Office 365 P1 at $2.00, P2 at $5.00. Defender for Identity at $5.50. Defender for Cloud Apps at $5.00. Defender for Cloud at $15 per server per month for the CSPM plan, plus per-resource workload protection tiers. The standalone stack lists at $23.20 per user per month plus server-side workload fees. Microsoft 365 E5 bundles four of the five user-facing products inside the $21 premium over E3.
This page is the 2026 reference for the five Defender products: per-component list price, what each plan delivers, the standalone-versus-bundle math, the integration value of Defender XDR, and the four levers that move realised cost. Built from Microsoft's Product Terms (May 2026), the Defender service descriptions, and advisor-led Defender commercial reviews during 2024 to 2026.
The five Defender components
Defender XDR is a brand, not a SKU. It is the orchestration of five separately licensed Defender products into a unified incident view, with shared signals across endpoints, email, identity, SaaS apps, and cloud workloads. Each component is independently purchased.
| Component | Plan | List price | Metric |
|---|---|---|---|
| Defender for Endpoint | Plan 1 (P1) | $2.50 per user per month | Per user, 5 devices |
| Defender for Endpoint | Plan 2 (P2) | $5.20 per user per month | Per user, 5 devices |
| Defender for Endpoint | Server (per OS instance) | $5.00 per server per month | Per Windows or Linux server |
| Defender for Office 365 | Plan 1 | $2.00 per user per month | Per mailbox |
| Defender for Office 365 | Plan 2 | $5.00 per user per month | Per mailbox |
| Defender for Identity | Standalone | $5.50 per user per month | Per Entra ID user |
| Defender for Cloud Apps | Standalone | $5.00 per user per month | Per Entra ID user |
| Defender for Cloud (CSPM) | Defender CSPM | $15 per billable resource per month | Per Azure / AWS / GCP resource |
| Defender for Servers (Defender for Cloud workload) | Plan 2 | $15 per server per month | Per server (Azure, AWS, GCP, hybrid) |
| Defender for Storage | Storage | $0.02 per 10K transactions + $0.10 per resource per month | Per storage account |
| Defender for SQL | SQL | $15 per server per month | Per SQL Server instance |
| Defender for Containers | Containers | $7 per vCore per month | Per Kubernetes vCore |
| Defender for API | API | $0.75 per million API calls | Per managed API call |
Defender for Endpoint P1 vs P2
Defender for Endpoint Plan 1 at $2.50 per user per month delivers next-generation antimalware, attack surface reduction rules, device-based Conditional Access, and centralised management. P1 is the renamed Microsoft Defender for Business product for SMB plus the enterprise SKU. P1 covers the EDR-lite use case where the organisation needs anti-malware plus basic threat detection.
Plan 2 at $5.20 per user per month adds endpoint detection and response (EDR with rich timeline and forensic data), automated investigation and remediation, threat and vulnerability management (TVM), advanced hunting (90 days of raw event data accessible through Kusto), Microsoft Threat Experts (on-demand consultation, separately enabled), and Microsoft Secure Score for Devices. P2 is the SOC-grade tier. Any environment with an active security operations function should hold P2.
The $2.70 P1-to-P2 increment for 25,000 seats is $810,000 per year. That number is rarely paid as a delta. Most enterprises buy P2 inside Microsoft 365 E5 ($21 premium over E3 includes P2). The standalone P2 calculation is most relevant for organisations on Office 365 E3 plus EMS, where Defender is added separately.
Defender for Endpoint Server is licensed separately at $5.00 per server per month. The user-based licence does not cover server endpoints. A 1,500-server estate lists at $90,000 per year in Defender for Endpoint Server, on top of the user-side seat licence cost.
Defender for Office 365 P1 vs P2
Defender for Office 365 Plan 1 at $2.00 per user per month delivers Safe Links (URL scanning and time-of-click protection), Safe Attachments (sandbox detonation), anti-phishing rules with impersonation protection, and quarantine policies with user-driven release. P1 is the entry tier and is included in Microsoft 365 Business Premium.
Plan 2 at $5.00 per user per month adds Threat Explorer and Real-time Detections (post-delivery threat hunting on email), Automated Investigation and Response (AIR for email), Attack Simulation Training (security awareness via simulated phishing), and Campaign Views and Threat Trackers. P2 is the SOC-grade tier and is bundled in Office 365 E5 and Microsoft 365 E5.
The largest hidden cost in Defender for Office 365 is the Attack Simulation Training quota. Each P2 seat includes one simulation per year. Organisations running quarterly simulations (a common security awareness cadence) consume the entitlement and incur add-on fees for additional simulations.
Defender for Identity
Defender for Identity at $5.50 per user per month is the on-premise Active Directory monitoring product (formerly Azure Advanced Threat Protection). It deploys sensors on domain controllers and consumes the AD authentication and event stream to detect lateral movement, Golden Ticket attacks, DCSync, Kerberoasting, and privilege escalation patterns specific to AD.
The product is only valuable when the organisation runs on-premise Active Directory at a meaningful scale. Cloud-only Entra ID tenants do not benefit. Hybrid identity estates (typical of mid-market and enterprise) extract the full value.
Defender for Identity is bundled in Microsoft 365 E5, EMS E5, and Microsoft 365 E5 Security. Standalone purchase is appropriate for organisations on Microsoft 365 E3 with active AD threat exposure and where the rest of the E5 bundle is not needed.
Defender for Cloud Apps
Defender for Cloud Apps at $5.00 per user per month is the CASB product. It delivers discovery of SaaS applications in use (Shadow IT inventory from firewall and proxy log analysis), session control and reverse proxy enforcement on sanctioned SaaS apps, conditional access app control, threat detection on SaaS user behaviour, and Microsoft Information Protection scanning of sanctioned-app content.
Microsoft 365 E3 includes Cloud App Discovery (the Shadow IT visibility component) at no additional cost. Microsoft 365 E5 includes the full Defender for Cloud Apps product including session control and reverse proxy. The $5 standalone option is for E3 organisations who need full CASB but do not want the rest of E5.
Reverse proxy scope: Defender for Cloud Apps session control supports a managed list of SaaS applications (currently around 50, including Salesforce, ServiceNow, Workday, GitHub, Slack, Box, and Dropbox). Applications outside the supported list cannot be session-controlled through Defender. Validate your sanctioned-app inventory against the supported list before committing to E5 on the CASB justification alone.
Defender for Cloud (CSPM and workloads)
Defender for Cloud is server-side workload protection plus cloud security posture management. It is structurally different from the user-side Defender products: pricing is per resource per month, not per user per month, and the bundle does not appear inside Microsoft 365 E5.
Defender CSPM at $15 per billable resource per month delivers continuous security posture assessment across Azure, AWS, and GCP, regulatory compliance reporting (CIS, NIST, PCI DSS, ISO 27001), attack path analysis, agentless vulnerability scanning, and DevOps security (GitHub, GitLab, ADO posture). Billable resources include virtual machines, storage accounts, SQL servers, Kubernetes clusters, and several others, with the per-resource rate moving by resource type.
Defender for Servers Plan 2 at $15 per server per month adds endpoint protection (Defender for Endpoint integration), file integrity monitoring, just-in-time VM access, adaptive application controls, vulnerability assessment, and 500 MB per day of free data ingestion to Log Analytics. Plan 1 at $7 per server per month covers the basic threat protection without the advanced features.
Defender for SQL ($15 per server per month), Defender for Storage ($10 per storage account per month plus $0.02 per 10K transactions), Defender for Containers ($7 per vCore per month), and Defender for App Service, Defender for Key Vault, Defender for Resource Manager, and Defender for DNS are each priced per the relevant resource metric.
Standalone stack vs Microsoft 365 E5
The full user-side Defender stack (Endpoint P2 + Office 365 P2 + Identity + Cloud Apps) lists at $20.70 per user per month standalone. Microsoft 365 E5 includes all four for the $21 premium over Microsoft 365 E3, plus Entra ID P2 ($3 incremental), Power BI Pro ($14 standalone), Teams Phone with Calling Plan ($8 standalone), and Purview P2 (eDiscovery + Records + Insider Risk).
| 25,000-seat estate | Standalone | Microsoft 365 E5 |
|---|---|---|
| Defender for Endpoint P2 | $5.20 x 25K x 12 = $1.56M | Included |
| Defender for Office 365 P2 | $5.00 x 25K x 12 = $1.50M | Included |
| Defender for Identity | $5.50 x 25K x 12 = $1.65M | Included |
| Defender for Cloud Apps | $5.00 x 25K x 12 = $1.50M | Included |
| Defender subtotal | $6.21M | Inside E5 premium |
| Microsoft 365 E3 base | $36 x 25K x 12 = $10.80M | $36 x 25K x 12 = $10.80M |
| Microsoft 365 E5 premium | $21 x 25K x 12 = $6.30M | |
| Total at list | $17.01M | $17.10M |
Standalone and bundled land within 0.5 percent of each other at full consumption. Microsoft 365 E5 wins decisively when at least three of the four user-side Defender components are in active use. Standalone wins when only one or two components are needed, because the bundle forces purchase of all four. Mixed estates (E5 on SOC seats, E3 plus targeted Defender add-ons on standard knowledge workers) often deliver 15 to 30 percent saving against full-E5 deployment.
2026 negotiation levers
Defender pricing inside an EA is typically discounted 8 to 20 percent against list depending on level. The negotiation levers that move realised cost.
First, Microsoft 365 E5 Security SKU. Microsoft offers a Microsoft 365 E5 Security add-on at $12 per user per month that delivers the four user-side Defender components plus Entra ID P2 and Purview P2 to organisations on Microsoft 365 E3. The E5 Security path is cheaper than upgrading to full E5 for organisations that do not need Power BI Pro, Teams Phone, or the rest of E5. The decision tree: if Power BI Pro + Teams Phone consumption is below 30 percent of seats, E3 + E5 Security beats full E5.
Second, Defender for Cloud commitment. Defender CSPM and workload SKUs participate in Azure consumption commitments. A $5M MACC covering production Azure consumption can absorb $400K to $800K of Defender for Cloud spend at the MACC-tier discount, materially reducing realised cost.
Third, term and renewal timing. Defender list prices typically reset at Microsoft fiscal year-end (June 30) and at the start of new EA versions. Renewing or expanding mid-year locks the current price for the term. Renewing into a new EA at fiscal year-end risks a 5 to 10 percent list price increase that compounds across the term.
For the broader security and Microsoft commercial framework see Microsoft Security Licensing, Sentinel pricing, Entra ID pricing, the Microsoft vendor hub, and our vendor audit defence service.