Microsoft Solutions Partner — Security · 11,000+ engagements

Microsoft Defender for Cloud (CNAPP) Enterprise Guide (2026)

The unified Cloud-Native Application Protection Platform — CSPM, CWPP, and DevSecOps across Azure, AWS, and GCP. Eight Defender plans, Sentinel and pipeline integration, delivered by a senior-architect-led 29-year Microsoft Solutions Partner.

Book a Defender for Cloud briefing Call 888-381-9725

What is Microsoft Defender for Cloud and how do enterprises deploy it as a unified CNAPP across Azure, AWS, and GCP? Microsoft Defender for Cloud is the Microsoft Cloud-Native Application Protection Platform covering Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWPP), and DevSecOps shift-left across the eight Defender plans — Servers Plan 1 and 2, Containers, Databases, Storage, App Service, Key Vault plus Resource Manager and DNS, and APIs. Enterprises deploy it through a five-phase Assess, Activate, Shift Left, Compliance, Operate program that extends multi-cloud connectors into AWS and GCP at no connector fee, ships Microsoft Security DevOps into GitHub Advanced Security, Azure DevOps, and GitLab pipelines, and integrates the platform with Microsoft Sentinel and Defender XDR for unified SOC investigation.

Microsoft Defender for Cloud is the Microsoft CNAPP — Cloud Security Posture Management plus Cloud Workload Protection plus DevSecOps shift-left, unified across Azure, AWS, and GCP through eight Defender plans. The bundled value for Microsoft 365 E5 customers, the per-resource pricing parity across clouds, and the code-to-cloud lineage with GitHub Advanced Security make Defender for Cloud the path of least resistance for Microsoft-anchored enterprises. EPC Group delivers the full CNAPP under a fixed-fee five-phase accelerator between $200K and $700K.

Key Facts

Eight Defender for Cloud plans cover servers, containers, databases, storage, app services, APIs, Key Vault, Resource Manager, and DNS
Multi-cloud connectors for AWS and GCP are free; per-resource Defender plan pricing is consistent across Azure, AWS, GCP
Foundational CSPM (recommendations, regulatory dashboard, secure score, attack path analysis) is free across all three clouds
Defender for Servers Plan 2 includes 500 MB per server per day of free Microsoft Sentinel data ingestion
Microsoft Security DevOps integrates Defender for Cloud with GitHub Advanced Security, Azure DevOps, and GitLab pipelines
Code-to-cloud lineage links runtime container findings back to the originating pull request, commit, file, and engineer
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations
EPC Group five-phase CNAPP Accelerator delivers full activation in 10 to 18 weeks, fixed-fee $200K to $700K

CNAPP explained — CSPM plus CWPP plus DevSecOps, unified

A Cloud-Native Application Protection Platform is the convergence of three previously separate disciplines into a single product surface. Microsoft Defender for Cloud is the Microsoft CNAPP — and the distinction matters because pricing, deployment, and SOC operations differ across the three layers.

Cloud Security Posture Management (CSPM)

CSPM is the configuration-and-compliance layer. Foundational CSPM ships free across Azure, AWS, and GCP — Defender for Cloud secure score, regulatory compliance dashboard, recommendations, and Microsoft Cloud Security Benchmark. Defender CSPM paid tier layers attack path analysis, agentless code-to-cloud scanning, sensitive data classification, and external attack surface management on top.

Cloud Workload Protection (CWPP)

CWPP is the runtime detection-and-response layer for the workload itself — VMs, containers, databases, storage, app services, APIs. Defender for Servers Plan 2, Defender for Containers, Defender for Databases, Defender for Storage, Defender for App Service, Defender for APIs, Defender for Key Vault, Defender for Resource Manager, and Defender for DNS are the eight runtime plans that compose the CWPP tier.

DevSecOps (shift-left)

DevSecOps is the pre-merge code, IaC, and container image scanning layer. Microsoft Security DevOps integrates Defender for Cloud with GitHub Advanced Security, Azure DevOps, and GitLab pipelines, producing code-to-cloud lineage that ties a runtime container alert back to the originating pull request, commit, and engineer.

The eight Defender for Cloud plans — what each protects and what it costs

Defender for Cloud is one product surface composed of eight purchasable plans plus the free Foundational CSPM tier. Each plan is priced per resource and applies consistently across Azure, AWS, and GCP through the multi-cloud connectors. Understanding what each plan protects and what it actually costs is the first step toward a defensible CNAPP budget.

Defender for Servers — Plan 1

Protects: Windows and Linux virtual machines across Azure, AWS, GCP, and on-premises Arc-enrolled servers — the workload protection floor for any enterprise running compute outside the endpoint.

Microsoft Defender for Endpoint license entitlement bundled into the server SKU
Endpoint detection and response telemetry from every Plan 1 server fed into Defender XDR
Threat detection covering brute force, suspicious process execution, and outbound malicious traffic
Foundational vulnerability management with software inventory and CVE prioritization

Pricing: Approximately $5 per server per month (list price subject to Microsoft commercial change). Single price covers Azure, AWS, GCP, and Arc-enrolled servers regardless of which cloud the workload runs in.

Defender for Servers — Plan 2

Protects: The same Azure, AWS, GCP, and Arc-enrolled server estate — but with the full workload protection feature set most enterprises actually need for regulated industries.

Everything in Plan 1 plus file integrity monitoring (FIM) on Windows and Linux
Just-in-time VM access — block management ports by default, open on approved request only
Adaptive application controls and adaptive network hardening based on observed behavior
500 MB free Microsoft Sentinel data ingestion per machine per day — material economic offset
Defender Vulnerability Management premium signal — security baseline, software signatures, browser extensions

Pricing: Approximately $15 per server per month. For HIPAA, FFIEC, FedRAMP, CMMC, and PCI shops the FIM and JIT VM access capabilities make Plan 2 the practical floor rather than an upgrade.

Defender for Containers

Protects: Kubernetes clusters running anywhere — Azure Kubernetes Service, Amazon EKS, Google GKE, OpenShift, on-premises Arc-enabled Kubernetes — plus container registries and the container build pipeline.

Kubernetes data plane discovery, hardening recommendations, and runtime threat detection
Cluster-level node anomaly detection — privilege escalation, lateral movement, crypto-mining behavior
Container image vulnerability scanning at push time and continuously at runtime against ACR, ECR, GAR
Agentless container posture across multi-cloud — no daemonset required for posture-only coverage
Sensitive data discovery inside containers and Kubernetes secrets governance

Pricing: Approximately $7 per vCore per month for Kubernetes nodes plus per-image scanning. Multi-cloud connectors for AWS and GCP register clusters at no additional connector cost.

Defender for Databases

Protects: Azure SQL, SQL on Arc-enrolled VMs, SQL on AWS RDS, Azure Cosmos DB, Azure Database for PostgreSQL, MySQL, MariaDB, and the open-source relational database family — the data tier attackers actually want.

Anomalous query detection — SQL injection signatures, unusual data export volumes, suspicious logins
Vulnerability assessment continuously scanning SQL configurations against Microsoft best practices
Defender for Azure Cosmos DB detecting compromised access keys, mass data export, suspicious read patterns
Open-source relational DB threat detection covering PostgreSQL, MySQL, MariaDB across managed and self-hosted

Pricing: Approximately $15 per SQL vCore per month, $0.02 per 100 Cosmos DB request units, and per-instance pricing for open-source RDBMS. Cosmos DB pricing makes coverage economic for read-heavy multi-tenant applications.

Defender for Storage

Protects: Azure Blob, Azure Files, and Azure Data Lake Storage Gen2 — every storage account that holds customer data, regulated PHI/PII, source code, machine learning training data, or backup archives.

Malware scanning on upload with on-upload blocking option for Blob containers
Sensitive data discovery and classification at rest using Microsoft Purview signal
Anomaly detection covering data exfiltration patterns, suspicious external sharing, mass deletion
Activity monitoring detecting credential abuse and access from unusual geographies

Pricing: Per-storage-account flat fee plus per-GB malware scan and per-transaction overhead. EPC Group recommends enabling at the subscription level rather than per-account to avoid coverage gaps as DevOps teams create new accounts.

Defender for App Service

Protects: Azure App Service and Azure Functions — the platform-as-a-service tier hosting web apps, REST APIs, and event-driven workloads.

Detection of suspicious upload patterns, unusual outbound connections, and web shell uploads
Anti-malware analytics on App Service file system and detection of cryptocurrency mining processes
Vulnerability assessment for the underlying App Service plan configuration
Integration with Defender for APIs for full request-path coverage on Function and App Service APIs

Pricing: Per-App-Service-plan-instance monthly pricing. Material for organizations running customer-facing applications on App Service, especially those handling regulated payment, PHI, or PII traffic.

Defender for Key Vault, Resource Manager & DNS

Protects: The control plane and secret-vault layer of Azure — every Resource Manager API call, every Key Vault secret access, and every DNS resolution from an Azure resource.

Defender for Key Vault — detection of unusual key access patterns, secret exfiltration, and key enumeration
Defender for Resource Manager — detection of malicious tenant-wide operations, role assignment anomalies, and known attack frameworks (PowerZure, MicroBurst)
Defender for DNS — detection of data exfiltration over DNS, command-and-control traffic, and DGA patterns from Azure-resident workloads
Integration with Defender for Identity for cross-source correlation when ARM activity follows on-premises ticket attacks

Pricing: Per-resource pricing for Key Vault, per-subscription overhead for Resource Manager and DNS. The Resource Manager plan is the highest-leverage of the three — it is how attackers escalate after compromising a service principal.

Defender for APIs

Protects: Azure API Management published APIs and the full API surface protected by APIM — the API attack surface that has become the dominant breach vector for cloud-native applications.

API inventory and discovery — every endpoint exposed through APIM, sensitive data classification per endpoint
Threat detection — OWASP API Top 10 coverage including broken object level authorization, mass assignment, and rate limit bypass
Anomaly detection on traffic patterns, payload sizes, and access patterns per endpoint
Integration with Microsoft Purview for sensitive data classification flowing through the API surface

Pricing: Per-1,000-API-call pricing through APIM. The plan is the youngest of the eight (general availability 2024) and is the area where customers are most likely under-covered.

Defender for Cloud across Azure, AWS, and GCP

The differentiating Defender for Cloud capability is per-resource pricing parity across the three hyperscalers. The same Defender for Servers Plan 2 cost applies whether the VM is an Azure VM, an AWS EC2 instance, or a GCP Compute Engine VM. The same Defender for Containers per-vCore charge applies whether the Kubernetes cluster is AKS, EKS, or GKE. Multi-cloud connectors carry zero connector fee — the only charge is per-resource for the runtime plan.

Microsoft Azure

Native integration — no connector required; agentless posture and runtime protection from the platform layer
All eight Defender plans available at full feature parity across every subscription enrolled in the tenant
Azure Policy initiatives mapped to Defender for Cloud regulatory compliance dashboard
Defender for Resource Manager covers every ARM API call against the subscription with no additional agents

Amazon Web Services

AWS connector deploys CloudFormation stack into each account granting Defender for Cloud read access to AWS APIs
Defender for Servers Plan 1 and 2 cover EC2 instances at the same per-server pricing as Azure VMs
Defender for Containers covers Amazon EKS clusters and Elastic Container Registry image scanning
Defender for Databases covers SQL on RDS, plus extended coverage for Aurora and DynamoDB on roadmap
AWS Foundational Security Best Practices regulatory benchmark exposed inside the same Defender portal

Google Cloud Platform

GCP connector deploys Cloud Run jobs and grants read access via service accounts for posture and runtime coverage
Defender for Servers protection extending to Google Compute Engine VMs at parity Azure and AWS pricing
Defender for Containers covering Google Kubernetes Engine clusters and Google Artifact Registry scanning
CIS GCP Foundations Benchmark and Google Cloud Architecture Framework controls exposed in the regulatory dashboard
Single attack path analysis spanning the GCP estate alongside Azure and AWS chains

For the broader multi-cloud orchestration model in which Defender for Cloud sits as the CNAPP plane, see our Microsoft + AWS + GCP multi-cloud orchestration hub.

CNAPP + SIEM

The Defender for Cloud + Microsoft Sentinel integration story

Defender for Cloud and Microsoft Sentinel are the CNAPP and SIEM halves of the workload-protection investigation surface. Defender for Cloud generates the workload-level alerts, attack path findings, and regulatory compliance signal. Sentinel correlates that signal with non-Microsoft sources — firewall, identity provider, custom application logs — and orchestrates response through Logic Apps playbooks.

Native data connector

The Defender for Cloud Sentinel data connector ships incidents, alerts, and regulatory dashboard signal into the Sentinel Log Analytics workspace where they power analytics rules, workbooks, and hunting queries.

Free 500 MB per server

Defender for Servers Plan 2 includes 500 MB per server per day of free Sentinel data ingestion. For a 2,000-server estate that is 1 TB per day of free SIEM ingest, which materially offsets the Defender for Servers Plan 2 cost on the bill.

Defender XDR closure

The bi-directional Defender XDR + Sentinel + Defender for Cloud loop means an attack path that begins as a cloud workload misconfiguration ends in a Defender XDR incident with endpoint and identity correlation already attached.

For the dedicated Sentinel hub including KQL libraries and SOAR playbook patterns, see Microsoft Sentinel SIEM Enterprise Guide (2026).

DevSecOps integration — GitHub Advanced Security, Azure DevOps, GitLab

The DevSecOps integration is what turns Defender for Cloud from a CSPM-plus-CWPP platform into a true CNAPP. Three integration paths cover the dominant enterprise code-estate patterns.

GitHub Advanced Security integration — code-to-cloud lineage in one investigation

Microsoft Defender for Cloud integrates natively with GitHub Advanced Security through the Microsoft Security DevOps GitHub Action. EPC Group ships the action across the customer repository fleet with a standardized workflow that runs CodeQL, secret scanning, dependency review, IaC scanning (Terraform, Bicep, ARM, CloudFormation, Kubernetes manifests), and container image scanning as a single pre-merge gate. Findings flow into the Defender for Cloud DevOps Security blade alongside runtime posture, creating a single investigation surface that ties a Kubernetes runtime alert back to the exact pull request, commit, and engineer that introduced the vulnerable image. The code-to-cloud lineage is the single highest-leverage feature of the DevSecOps integration and is the differentiating capability against Wiz and Prisma Cloud for Microsoft-anchored enterprises.

Azure DevOps pipeline integration — same shift-left, native Azure Boards correlation

Azure DevOps pipelines integrate through the Microsoft Security DevOps Azure DevOps Extension, exposing the same SAST, IaC scanning, container scanning, and dependency check surface as the GitHub Action. EPC Group typically ships the extension as a YAML pipeline template that customer DevOps teams reference through the standard pipeline templates library. Findings correlate into the Defender for Cloud portal and back into Azure Boards work items, giving program managers a single defect-tracking system whether the alert originated in a runtime container or a pre-merge IaC scan. For Azure DevOps customers — typically the regulated enterprises who have not migrated to GitHub Enterprise Cloud — the Azure DevOps path is the preferred integration.

GitLab integration — multi-source code estates unified into one CNAPP

GitLab integration through the Defender for Cloud DevOps Security connector closes the loop for enterprises running mixed GitHub, Azure DevOps, and GitLab fleets — a common pattern after acquisitions or in enterprises where Microsoft platform standardization has reached cloud and security tooling but not source control. The connector inventories GitLab repositories, runs the Microsoft Security DevOps scanner family against the codebase, and surfaces findings inside the same Defender for Cloud blade as GitHub and Azure DevOps. EPC Group has deployed the mixed-source-control pattern across the M&A consolidation engagements where SecOps standardization happens before DevOps tooling consolidation. The result is unified CNAPP coverage regardless of code estate.

Plan-by-plan economics

Cost optimization — the four levers that move the Defender for Cloud bill

Defender for Cloud cost optimization is plan-specific and resource-specific. The four highest-leverage levers EPC Group works across every 70+ F500 CNAPP engagement are the difference between a defensible per-server CNAPP budget and one that triggers a board-level cost review.

Plan 1 vs Plan 2 server selection

Plan 2 is roughly 3x Plan 1 cost per server. Regulated workloads need Plan 2 for FIM and JIT VM access. Non-regulated dev and test workloads can sit on Plan 1. Subscription-level enablement with workload-tag-driven plan selection is the pattern that produces 25 to 40 percent annual savings.

Sentinel ingest offset capture

The 500 MB per Plan 2 server per day free Sentinel ingest is only valuable if the Sentinel data connector is actually wired up. EPC Group routinely finds the offset going unused because Sentinel was provisioned in a different workspace than the Plan 2 server estate writes to.

Container vCore right-sizing

Defender for Containers charges per-vCore on the Kubernetes node pool. Right-sizing node pools — preferring fewer large nodes over many small nodes for the same total vCPU — produces material per-vCore savings without reducing pod-level capacity.

Storage account aggregation

Defender for Storage charges a flat per-account fee plus per-transaction overhead. Consolidating sprawling per-team storage accounts into shared accounts with container-level access control reduces the flat-fee surface area without harming isolation.

Governance and compliance — CNAPP controls mapped to your regulatory reality

Defender for Cloud regulatory compliance dashboard ships HIPAA HITRUST, PCI-DSS 4.0, FedRAMP Moderate and High, CMMC Level 2, NIST CSF 2.0, ISO 27001, SOC 2, and the industry-specific benchmarks for financial services (FFIEC), retail (PCI-DSS), defense (CMMC, NIST SP 800-171), and life sciences (GxP) — all visible inside the same portal spanning Azure, AWS, and GCP resources. EPC Group extends the mapping into a documented control matrix auditors will accept, with assessment evidence, policy references, and exception workflows linked to every control claim. See our standards alignment library for the full mapping.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

The EPC Group Defender for Cloud CNAPP Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Activate, Shift Left, Compliance, Operate. Fixed-scope between $200,000 and $700,000 depending on tenant scale, multi-cloud breadth, pipeline integration scope, and managed-service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

CNAPP posture and activation gap assessment in three weeks

Phase one is a fixed-fee assessment that inventories every Defender for Cloud plan the tenant has enabled, every Azure subscription and multi-cloud account connected, every workload type discoverable, and the current Defender for Cloud secure score baseline. EPC Group ships a costed activation roadmap, a risk-weighted backlog of coverage gaps, attack path analysis output, and a board-ready decision package.

Plan-by-plan inventory across all eight Defender for Cloud plans for every subscription and connected cloud account
Defender for Cloud secure score baseline plus regulatory compliance dashboard snapshot per industry framework
Attack path analysis output identifying the highest-leverage misconfiguration chains in the current estate
Costed activation backlog with per-plan annual cost projection and risk-weighted prioritization

Phase 2 — Activate

Multi-cloud connectors and per-plan rollout

Phase two activates the multi-cloud connectors for AWS and GCP, enables Foundational CSPM at no cost across all three clouds, then layers paid Defender plans onto the workload categories carrying regulated data. EPC Group sequences activation so each plan is reviewed against secure score uplift and per-resource cost projection before enforcement, and exception workflows are stood up before any policy goes live.

AWS connector deployed across in-scope accounts with CloudFormation stack provisioning
GCP connector deployed across in-scope projects with Cloud Run service account permissions
Defender for Servers Plan 2 enabled on Arc-enrolled and multi-cloud VMs running regulated workloads
Defender for Containers, SQL, Storage, APIs, and Key Vault enabled per the risk-weighted backlog

Phase 3 — Shift Left

DevSecOps integration into pipelines and Sentinel correlation

Phase three is the DevSecOps integration that separates a CSPM platform from a true CNAPP. EPC Group deploys Microsoft Security DevOps across GitHub Advanced Security, Azure DevOps, and GitLab estates as a pre-merge gate, configures code-to-cloud lineage so runtime findings link back to source commits, and integrates Defender for Cloud with Microsoft Sentinel for cross-source SOC investigation.

Microsoft Security DevOps GitHub Action shipped across repositories with standardized workflow YAML
Azure DevOps pipeline extension shipped as YAML template through standard templates library
GitHub Advanced Security purchased and configured for repositories under shift-left scope
Defender for Cloud bi-directional integration with Microsoft Sentinel through the native data connector

Phase 4 — Compliance

Regulatory benchmarks and auditor-ready control matrices

Phase four is the compliance translation. EPC Group enables the regulatory compliance dashboard for the customer-specific framework portfolio — HIPAA HITRUST for healthcare, PCI-DSS 4.0 for retail, FedRAMP Moderate or High for federal, CMMC Level 2 for defense contractors, FFIEC and SOX for financial services, GxP for life sciences — and translates the Defender for Cloud findings into auditor-ready control evidence aligned to the customer governance, risk, and compliance documentation.

Defender for Cloud regulatory compliance dashboard configured per industry framework portfolio
Auditor-ready control matrix linking every framework control to Defender for Cloud assessment evidence
Exception management workflows for accepted-risk findings with named owner, expiration, and review cadence
Continuous compliance posture reporting — monthly, quarterly, and on-demand for board governance

Phase 5 — Operate

24/7 managed CNAPP with senior-architect escalation

Phase five is steady-state operation. EPC Group provides managed CNAPP services — 24-by-seven monitoring of Defender for Cloud alert queue, attack path triage, secure score uplift engineering, pipeline gate exception adjudication, and platform health monitoring across the multi-cloud estate. Senior-architect escalation is the differentiator; tier one analysts triage, but every customer has named senior architects on call for the incidents and exception decisions that matter.

24/7 SOC monitoring of Defender for Cloud incident queue alongside Defender XDR
Monthly secure score uplift engineering sprints targeted at the highest-leverage findings
Quarterly attack path analysis reviews with customer architecture and engineering teams
Platform health monitoring covering connector health, ingestion rate, and per-plan license consumption

Why EPC Group leads enterprise Defender for Cloud CNAPP deployments

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Users migrated

Microsoft Solutions Partner — six designations

Microsoft Solutions Partner with the Security designation plus Modern Work, Infrastructure, Data & AI, Digital & App Innovation, and Business Applications. Senior architects average two decades of Microsoft platform delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee CNAPP accelerators

Every Defender for Cloud engagement is fixed-fee with a costed roadmap and named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP. CNAPP deployments ship with auditor-ready control matrices, not generic Defender for Cloud screenshots.

Frequently asked questions — Microsoft Defender for Cloud CNAPP

What is the difference between Microsoft Defender XDR and Microsoft Defender for Cloud?

Microsoft Defender XDR is the unified Extended Detection and Response platform covering the user-facing security plane — Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender for Office 365, and Entra ID Protection. Microsoft Defender for Cloud is the Cloud-Native Application Protection Platform (CNAPP) covering the workload plane — virtual machines, containers, databases, storage, app services, APIs, Key Vault, Resource Manager, and DNS across Azure, AWS, and GCP. Defender XDR protects how users access the cloud; Defender for Cloud protects the cloud workloads themselves. The two integrate bi-directionally inside the Microsoft Defender portal, so a SOC analyst sees both planes correlated in a single incident timeline. See our dedicated /microsoft-defender-xdr-enterprise-2026 hub for the XDR side of the story.

How does Microsoft Defender for Cloud compare to Wiz and Prisma Cloud?

Wiz and Palo Alto Prisma Cloud are the two dominant pure-play CNAPP vendors. Wiz leads on agentless posture, attack path analysis, and the modern graph-database interrogation experience that has redefined CSPM expectations since 2022. Prisma Cloud leads on multi-cloud breadth and on the depth of its cloud workload protection runtime agents. Microsoft Defender for Cloud catches up on agentless posture and attack path analysis through 2024 and 2025 product releases, and surpasses both on bundled value for Microsoft 365 E5 and Azure-heavy customers — the per-server pricing is materially below Wiz and Prisma Cloud list, and the Defender XDR integration delivers code-to-cloud lineage Wiz cannot match for Microsoft-source-control estates. For Azure-anchored enterprises, Defender for Cloud is the path of least resistance. For mixed AWS-anchored or GCP-anchored estates with mature DevSecOps practice, Wiz remains the strongest pure-play option.

How does Defender for Cloud compare to CrowdStrike Cloud Security and Lacework?

CrowdStrike Cloud Security extends the Falcon endpoint platform into CSPM and CWPP. The strength is identity-correlation across endpoint, identity, and cloud workload telemetry inside the Falcon graph — and the runtime protection benefits from the maturity of the Falcon agent. The weakness against Defender for Cloud is the cost stack for Microsoft-anchored enterprises (CrowdStrike Cloud Security adds licensing on top of E5 Defender entitlements the customer already owns) and the lighter native integration with Microsoft Sentinel. Lacework, acquired by Fortinet in 2024, leads on behavioral anomaly detection through its polygraph data platform but has slipped in DevSecOps integration breadth. Defender for Cloud wins on bundled value, on Sentinel integration, and on code-to-cloud lineage with GitHub Advanced Security. CrowdStrike wins where the customer is already deeply invested in Falcon and wants identity-correlated runtime protection as the priority.

How does Defender for Cloud actually work across AWS and GCP?

The AWS connector deploys a CloudFormation stack into each AWS account it covers, granting Defender for Cloud cross-account read access to the AWS APIs through an IAM role and writing security findings back. The GCP connector deploys a Cloud Run service plus a service account with read access across the project. Foundational CSPM — recommendations, regulatory compliance dashboards, secure score, attack path analysis — is free across all three clouds. Paid Defender plans (Servers, Containers, SQL, Storage, APIs) charge per resource regardless of which cloud the resource runs in, so an EC2 instance protected by Defender for Servers Plan 2 costs the same as an Azure VM. The result is a unified CNAPP posture and runtime view priced consistently across cloud providers, with no per-account connector fee on top.

What is the realistic annual cost of full Defender for Cloud activation?

A representative cost estimate for a mid-size enterprise with 2,000 servers, 200 SQL databases, 50 Kubernetes clusters, 500 storage accounts, and 20 App Service plans across Azure and AWS runs roughly $400,000 to $700,000 per year in Microsoft consumption charges depending on the specific Defender plans enabled and the regulatory scope driving Plan 2 versus Plan 1 selection. Defender for Servers Plan 2 typically dominates the bill (around 60 percent of total). The Microsoft Sentinel data ingestion offset of 500 MB per Plan 2 server per day is materially valuable — for a 2,000-server fleet, that is 1 TB per day of free Sentinel ingestion, which typically offsets a meaningful share of the Defender for Servers Plan 2 cost when measured against the equivalent Sentinel SIEM ingest line item.

How does the GitHub Advanced Security integration deliver code-to-cloud lineage in practice?

The Microsoft Security DevOps GitHub Action runs as a pre-merge workflow against every pull request, executing CodeQL static analysis, secret scanning, dependency review, IaC scanning across Terraform/Bicep/ARM/CloudFormation/Kubernetes manifests, and container image vulnerability scanning. Findings ship into the Defender for Cloud DevOps Security blade with the commit SHA, repository, and pull request number attached. When the same vulnerable image later triggers a runtime alert inside Defender for Containers, the Defender portal correlates the runtime finding back to the originating pull request — showing the SOC analyst the exact commit, file, line, and engineer that introduced the vulnerability. EPC Group considers code-to-cloud lineage the single highest-leverage capability of the DevSecOps integration and the differentiating capability against Wiz and Prisma Cloud for Microsoft-anchored enterprises with GitHub Enterprise Cloud as the source-of-truth code estate.

How does Defender for Cloud integrate with Microsoft Sentinel?

Defender for Cloud integrates with Microsoft Sentinel through the native Defender for Cloud data connector. Alerts flow into Sentinel as analytics rule incidents, regulatory compliance dashboard signal flows into Sentinel workbooks, and the underlying telemetry tables — SecurityAlert, SecurityIncident, SecurityRecommendation — ingest natively into the Log Analytics workspace. The bi-directional integration with Defender XDR closes the loop, so an attack path that begins as a cloud workload misconfiguration ends in a Defender XDR incident with the endpoint and identity correlation attached. See our /microsoft-sentinel-siem-enterprise-2026 hub for the Sentinel side of the integration story including KQL query libraries and SOAR playbook design patterns specific to CNAPP triage.

When does it make sense to layer a third-party CNAPP alongside Defender for Cloud?

For pure Microsoft-and-Azure-anchored enterprises, Defender for Cloud is the right CNAPP and the layering question is moot. For enterprises with material AWS or GCP investment plus an existing Wiz or Prisma Cloud subscription, the practical pattern is to keep the third-party CNAPP for non-Microsoft estate coverage during a migration period and consolidate onto Defender for Cloud as the Microsoft estate share grows past 60 percent of workloads. For enterprises with a mature security platform engineering function that values the Wiz attack path graph experience above all else, keeping Wiz alongside Defender for Cloud is a defensible architecture if the budget supports both. For the typical EPC Group F500 customer running Microsoft 365 E5 and a heavy Azure footprint, consolidation onto Defender for Cloud delivers material annual savings and avoids the integration drag of running two CNAPPs.

Continue exploring the EPC Group enterprise Microsoft library

Defender for Cloud is the workload-protection plane inside the broader Microsoft Cloud orchestration story. These hubs cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which CNAPP sits as the workload-protection plane.

Microsoft Defender XDR (2026)

The XDR side of the Microsoft Defender story — Endpoint, Identity, Cloud Apps, Office 365 — that integrates with CNAPP for unified investigation.

Microsoft Sentinel SIEM (2026)

The SIEM half of the Microsoft Defender platform — KQL libraries, SOAR playbooks, and CNAPP-correlated analytics rules.

Microsoft Entra ID (2026)

The identity plane that authenticates every workload Defender for Cloud protects, including Conditional Access and PIM patterns.

Microsoft + AWS + GCP multi-cloud orchestration

How Defender for Cloud extends multi-cloud posture and runtime protection across AWS and GCP at parity pricing.

Standards alignment library

NIST CSF 2.0, ISO 27001, HIPAA, FedRAMP, FINRA, CMMC, and GxP control mappings for Microsoft platforms.

Azure consulting services

The Azure platform engineering practice that delivers the substrate Defender for Cloud protects across subscriptions and landing zones.

Federal Microsoft consulting — FedRAMP and CMMC

Defender for Cloud inside GCC High, FedRAMP-aligned controls, and CMMC 2.0 readiness for defense contractors.

Unify your CNAPP onto Microsoft Defender for Cloud

Book a Defender for Cloud briefing with an EPC Group senior architect. Two-hour working session — plan inventory across Azure, AWS, GCP, secure score baseline, accelerator scoping. Zero obligation, board-ready output.

Book the briefing Call 888-381-9725

‌
‌
‌

‌
‌