The Microsoft Defender Portfolio Overview
The Microsoft Defender brand encompasses eight distinct products in 2026, each addressing a different attack surface within the XDR framework. Understanding what each product does — and which surfaces it protects — is the foundation for an accurate standalone-versus-bundle cost comparison.
| Defender Product | What It Protects | Standalone Price Est. |
|---|---|---|
| Defender for Endpoint P1 | Windows/macOS/Linux/mobile endpoints (next-gen protection, basic EDR) | ~$3.30/user/month |
| Defender for Endpoint P2 | Endpoints (full EDR, advanced hunting, TVM, AIR) | ~$5.20/user/month |
| Defender for Office 365 P1 | Email + M365 apps (safe links, safe attachments, anti-phishing) | ~$2.00/user/month |
| Defender for Office 365 P2 | Email security + Threat Explorer + AIR + Attack Simulator | ~$5.00/user/month |
| Defender for Identity | On-premises Active Directory (identity threat detection, lateral movement) | ~$5.50/user/month |
| Defender for Cloud Apps | SaaS applications (Shadow IT, CASB, session control) | ~$3.50/user/month |
| Defender for Cloud | Azure, AWS, GCP workloads (CSPM, CWPP — Azure-billed) | Resource-based (Azure) |
| Microsoft Sentinel | SIEM/SOAR (log ingestion, analytics, automation) | ~$2.46/GB ingested or commitment tiers |
Defender for Cloud and Microsoft Sentinel are Azure-based services billed separately from M365 user licences, regardless of whether the organisation has M365 E3, E5, or any other plan. The remaining six products (Endpoint, Office 365, Identity, Cloud Apps) are per-user products licensed through M365 plans or standalone subscriptions.
Which Plans Include Which Defender Products
Microsoft includes Defender products at different levels across its M365 plan tiers. The inclusion matrix below covers the primary enterprise plans:
| Defender Product | M365 E3 | M365 E5 | M365 E5 Security (add-on) |
|---|---|---|---|
| Defender for Endpoint P1 | ✓ Included | ✓ Included (P2) | ✓ Included (P2) |
| Defender for Endpoint P2 | ✗ Not included | ✓ Included | ✓ Included |
| Defender for Office 365 P1 | ✓ Included | ✓ Included (P2) | ✓ Included (P2) |
| Defender for Office 365 P2 | ✗ Not included | ✓ Included | ✓ Included |
| Defender for Identity | ✗ Not included | ✓ Included | ✓ Included |
| Defender for Cloud Apps | Partial (Cloud App Discovery only) | ✓ Full CASB included | ✓ Full CASB included |
| Entra ID P2 | ✗ (P1 only) | ✓ Included | ✓ Included |
| Microsoft Sentinel 90-day | ✗ Not included | ✓ 90-day free data retention | ✗ Not included |
The critical insight from this matrix is that M365 E3 provides meaningful baseline security — Defender for Endpoint P1 and Defender for Office 365 P1 — but lacks the EDR depth (Defender for Endpoint P2), identity threat detection (Defender for Identity), full CASB capability (Defender for Cloud Apps), and Entra ID P2 risk-based conditional access that the E5 tier provides.
Defender for Endpoint P1 vs P2: What's Different
The P1/P2 distinction is the most commercially impactful Defender licensing decision for most enterprises. Defender for Endpoint P1, included in M365 E3, provides next-generation protection (antivirus, attack surface reduction rules, controlled folder access), device inventory, and basic investigation capabilities. It is a fully functional endpoint protection product — but it lacks the advanced threat hunting and automated investigation capabilities that security operations teams depend on for incident response.
Defender for Endpoint P2 adds the full EDR capability: Endpoint Detection and Response with historical query up to 6 months, advanced threat hunting using Kusto Query Language (KQL) across endpoint telemetry, automated investigation and remediation that automatically resolves alerts without analyst intervention, threat and vulnerability management with asset risk scoring and remediation prioritisation, and device risk score integration with Entra ID conditional access (blocking risky devices from accessing corporate resources).
Decision framework: Organisations with a functioning Security Operations Centre (SOC) that actively triages endpoint alerts need Defender for Endpoint P2 — the historical query, automated investigation, and advanced hunting capabilities are the difference between a reactive and a proactive security posture. Organisations without a SOC that are primarily using endpoint protection for malware prevention and compliance reporting may find that Defender for Endpoint P1 is sufficient, with threat hunting and complex investigation delegated to a managed security service provider (MSSP).
The most common security overspend we see is purchasing Defender for Endpoint P2 (or M365 E5) for the full user population when only 20–30% of users — those with privileged access or high-sensitivity data — genuinely need the advanced EDR capability. Right-sizing the P2 population can reduce the incremental security spend by 50–60%.
The E5 Bundle Breakeven Analysis
The M365 E5 bundle becomes better value than M365 E3 plus standalone Defender add-ons when the organisation genuinely needs three or more of the E5-exclusive security capabilities. The breakeven calculation for a 2,000-seat organisation on M365 E3 ($36/user/month) looks like this:
| Security Addition | Standalone Add-On Cost | Cumulative E3 + Add-On Total |
|---|---|---|
| Baseline: M365 E3 | — | $36.00/user/month |
| + Defender for Endpoint P2 | +$5.20 | $41.20/user/month |
| + Defender for Office 365 P2 | +$5.00 | $46.20/user/month |
| + Defender for Identity | +$5.50 | $51.70/user/month |
| + Entra ID P2 | +$9.00 | $60.70/user/month |
| M365 E5 (all of the above + Purview E5 + Sentinel 90-day) | — | $57.00/user/month |
The crossover occurs at three security add-ons: E3 + Defender for Endpoint P2 + Defender for Office 365 P2 + Defender for Identity already costs $51.70 versus $57.00 for E5 — and E5 additionally includes Entra ID P2, full Defender for Cloud Apps, Purview E5 Compliance, and Microsoft Sentinel 90-day free data retention. For organisations genuinely using all four of these security capabilities, E5 is the cost-optimal choice.
The crossover does not occur for organisations that need only one or two Defender add-ons. An E3 organisation adding only Defender for Endpoint P2 ($41.20 total) is clearly better served by the standalone add-on than by upgrading to E5 ($57.00).
The E5 Security Add-On as Middle Ground
The M365 E5 Security add-on (~$12/user/month on top of M365 E3) provides Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, full Defender for Cloud Apps, and Entra ID P2 — without the Purview E5 Compliance capabilities that are included in full E5. This makes E3 + E5 Security (~$48/user/month) the appropriate choice for organisations whose primary requirement is security capability expansion without the compliance additions.
Comparing E3 + E5 Security (~$48) versus E3 + standalone security products (Endpoint P2 + O365 P2 + Identity = ~$51.70) shows that the E5 Security add-on is more cost-effective than purchasing those three products standalone — and additionally includes Entra ID P2 and full Defender for Cloud Apps. For most enterprise security-focused buyers, E3 + E5 Security is the correct licensing approach unless compliance capabilities are also required, at which point the full E5 bundle becomes relevant.
Displacing Third-Party Security Tools
For organisations on M365 E5 or E5 Security, the cost case for consolidating third-party security tools onto the Microsoft Defender stack is materially strong. The most common displacement scenarios include:
CrowdStrike or SentinelOne for Defender for Endpoint P2: Enterprise EDR platforms typically cost $8–$15/user/year (~$0.67–$1.25/user/month) as standalone subscriptions, and some commercial licences include MDR services at higher price points. For organisations already on M365 E5 or E5 Security (where Defender for Endpoint P2 is already included and paid for), the incremental cost of continuing with a third-party EDR is the third-party licence cost only — with no offsetting Microsoft pricing benefit. The elimination saving is real and typically $100K–$400K annually for mid-enterprise populations.
Proofpoint or Mimecast for Defender for Office 365 P2: Email security gateway solutions typically cost $3–$8/user/month for enterprise licences. Defender for Office 365 P2, included in E5 and E5 Security, provides equivalent functionality for the majority of enterprise use cases (there are specific scenarios — complex email routing, advanced inbound gateway features — where third-party email security retains an advantage). The consolidation to Defender for Office 365 P2 from a $5/user/month third-party solution saves the full third-party cost with no meaningful security capability reduction for most deployments.
For the full framework on Microsoft estate optimisation and third-party tool consolidation strategy, see the reduce Microsoft spend guide and the Microsoft security licensing E5 guide.
Negotiation Strategy for Security Buyers
Security licensing decisions are among the most commercially sensitive in the Microsoft relationship because they often involve budget from the CISO/security function rather than the IT procurement function — two groups with different commercial priorities and different leverage awareness.
The key negotiation principle for security buyers is to present the E5 Security or full E5 upgrade decision as a strategic Microsoft relationship decision, not a line-item security product purchase. Framing the conversation as "we are consolidating our security stack onto Microsoft's XDR platform, displacing $X in third-party security spend" positions the buyer as a platform growth story — which generates more pricing flexibility from Microsoft's account team than a pure add-on request.
E5 Security add-on pricing of $12/user/month is negotiable at enterprise scale. Organisations above 2,000 seats in competitive renewal situations have achieved E5 Security add-on pricing of $9–$10/user/month. As with all Microsoft negotiations, the earlier the commercial conversation begins (9–12 months before EA anniversary), the more pricing flexibility is available. See the full EA negotiation guide and download the Microsoft EA Guide for the detailed framework.