๐Ÿ—๏ธ

Microsoft Defender for Cloud

Multi-cloud and hybrid cloud workload protection with CSPM & CWPP

What is MDC?

Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that brings together Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWPP). It provides unified security management across Azure, AWS, GCP, and hybrid environments, strengthening security posture, protecting workloads, and enabling DevSecOps.

Core Capabilities

Defender Plans

MDC offers specialized protection plans for different workload types. Enable the plans relevant to your environment.

Defender for Cloud Labs

Enterprise cloud security labs: enable Defender plans, implement CSPM, harden workloads, and secure multi-cloud environments from start to finish.

01
Beginnerโฑ 60 min ยท 8 steps

Enable Defender for Servers Plan 2

Activate Defender for Servers across Azure subscriptions, configure auto-provisioning of the Azure Monitor Agent, review your initial Secure Score, resolve the top five security recommendations, and validate protection status on production VMs.

02
Intermediateโฑ 90 min ยท 12 steps

Implement Cloud Security Posture Management

Enable CSPM features, create custom security initiatives using Azure Policy, configure governance rules with owner assignments and deadlines, map controls to regulatory frameworks (CIS, NIST), and build a compliance dashboard for executive reporting.

03
Intermediateโฑ 100 min ยท 12 steps

Configure JIT VM Access & Adaptive Controls

Set up Just-in-Time VM access policies for management ports, configure adaptive application controls to allowlist approved software, enable file integrity monitoring for critical system files, and create workflow automations that auto-remediate security alerts.

04
Advancedโฑ 180 min ยท 22 steps

Secure a Multi-Cloud Environment (AWS + Azure)

Connect an AWS account to Defender for Cloud, deploy the Azure Arc agent on EC2 instances, extend CSPM coverage to AWS resources, configure cross-cloud security recommendations, create unified alerting rules, and build a multi-cloud security posture dashboard.

05
Advancedโฑ 120 min ยท 16 steps

AI Security Posture Management (DSPM for AI)

Enable AI security posture management in Defender for Cloud, discover Azure OpenAI and AI Services deployments, configure threat protection for AI workloads, and build AI security governance dashboards.

MDC Scripts

Ready-to-run PowerShell scripts for lab simulations. View all scripts →

Script                    | Description                                                                       | Level    | Parameters
--------------------------|-----------------------------------------------------------------------------------|----------|----------------
Deploy-MDCProtection.ps1  | 6-step Defender plans deployment, auto-provisioning, email alerts, Secure Score   | Beginner | -SubscriptionId

MDC Resources

Defender for Cloud FAQ

What is the difference between CSPM and CWPP?

These are the two pillars of Defender for Cloud, addressing different aspects of cloud security:

  • CSPM (Cloud Security Posture Management): Continuously assesses your cloud configuration against security best practices. It identifies misconfigurations like publicly accessible storage accounts, missing encryption, overly permissive network rules, and non-compliant resources. CSPM is preventative: it finds weaknesses before attackers do. The foundational CSPM tier is free; Defender CSPM (premium) adds attack path analysis, cloud security graph, agentless scanning, and governance rules.
  • CWPP (Cloud Workload Protection Platform): Provides runtime threat protection for workloads. Defender plans detect active threats against servers (file integrity monitoring, adaptive application controls, JIT access), containers (image scanning, runtime protection), databases (SQL threat detection, anomalous queries), storage (malware scanning, data exfiltration), and more.

Together: CSPM prevents breaches by hardening configuration; CWPP detects and responds to active attacks that target your workloads.


Does Defender for Cloud support AWS and GCP?

Yes. Defender for Cloud provides native multi-cloud support across all three major clouds:

  • AWS integration: Native connector using AWS CloudFormation StackSets. Provides CSPM recommendations for AWS resources, CIS benchmark assessments, and optionally deploys Defender for Servers on EC2 instances via Azure Arc.
  • GCP integration: Native connector using GCP service accounts. Provides CSPM assessments for GCP resources, CIS benchmarks for GCP, and Defender for Servers on GCE instances via Azure Arc.
  • Unified view: All security recommendations, compliance assessments, and alerts from Azure, AWS, and GCP appear in a single Defender for Cloud dashboard with a unified Secure Score.
  • Regulatory compliance: Map multi-cloud resources against frameworks like CIS, NIST 800-53, PCI-DSS, and ISO 27001 across all three clouds simultaneously.

Multi-cloud CSPM is included in the free tier. Multi-cloud workload protection (Defender for Servers on AWS/GCP) requires the Defender for Servers plan and Azure Arc.


What is Secure Score and how is it calculated?

Secure Score is a percentage metric representing your overall cloud security posture. It provides a prioritised action plan for improvement:

  • Calculation: Each security recommendation has a weight (max points). Your score = (points achieved / total possible points) × 100. Only recommendations for enabled resources count.
  • Controls: Recommendations are grouped into security controls (e.g., "Enable MFA", "Encrypt data in transit", "Restrict network access"). Completing all recommendations in a control awards bonus points.
  • Prioritisation: Recommendations are ranked by severity (Critical, High, Medium, Low), freshness score (how recently the resource became non-compliant), and potential impact on your score.
  • Exemptions: You can exempt specific resources with a documented business justification. Exempted resources don't affect your score but remain visible for audit.

Industry benchmark: organisations typically start at 30–40% and reach 70–80% within 6 months of active remediation. Focus on Critical and High recommendations first for maximum score improvement.
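The score formula and the prioritisation bullets above can be checked against a live subscription. The script below is an added example, not code from this page or from Microsoft: it reads the current Secure Score and its controls with the Az.Security module, recomputes the headline percentage as points achieved divided by total possible points, and ranks controls by the points still unrealised, with a "points per fixed resource" column as a rough impact-per-effort heuristic. The Secure Score name `ascScore` is the built-in initiative; the parameter name `-SecureScoreName` and the output properties `CurrentScore`, `MaxScore`, `DisplayName` and `UnhealthyResourceCount` are as I know them from the Az.Security output objects and should be checked against your installed module version.

```powershell
# Added example (not from the page or Microsoft): reproduce the Secure Score percentage from
# its points and list the controls with the most points still to gain.
# Requires Az.Accounts and Az.Security, with a context already set to the subscription
# (Connect-AzAccount; Set-AzContext -SubscriptionId <id>).
# Assumed: the -SecureScoreName parameter and the CurrentScore/MaxScore/DisplayName/
# UnhealthyResourceCount properties on the returned objects.

function Get-SecureScoreGapReport {
    [CmdletBinding()]
    param(
        [string]$ScoreName = 'ascScore',   # the built-in Secure Score initiative
        [int]$Top = 10                     # how many controls to list
    )

    $score = Get-AzSecuritySecureScore -Name $ScoreName

    # Headline metric: points achieved / total possible points x 100
    $percentage = if ($score.MaxScore -gt 0) {
        [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
    } else { 0 }
    Write-Host ("Secure Score: {0}/{1} points = {2}%" -f $score.CurrentScore, $score.MaxScore, $percentage)

    # Per control: unrealised points and the unhealthy resources standing in the way.
    Get-AzSecuritySecureScoreControl -SecureScoreName $ScoreName |
        ForEach-Object {
            $gap = $_.MaxScore - $_.CurrentScore
            [pscustomobject]@{
                Control            = $_.DisplayName
                MaxPoints          = $_.MaxScore
                CurrentPoints      = [math]::Round($_.CurrentScore, 2)
                PointsToGain       = [math]::Round($gap, 2)
                UnhealthyResources = $_.UnhealthyResourceCount
                # Points gained per resource remediated: a cheap impact-per-effort heuristic
                PointsPerFix       = if ($_.UnhealthyResourceCount -gt 0) {
                    [math]::Round($gap / $_.UnhealthyResourceCount, 3)
                } else { 0 }
            }
        } |
        Where-Object { $_.PointsToGain -gt 0 } |
        Sort-Object -Property PointsToGain -Descending |
        Select-Object -First $Top
}

Get-SecureScoreGapReport | Format-Table -AutoSize
```

Sorting by PointsToGain answers "which control moves the score most"; sorting the same table by PointsPerFix instead answers "which control moves it most per resource touched", which is usually the better first week of remediation work.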


How does JIT VM Access work?

Just-in-Time (JIT) VM Access reduces the attack surface of your virtual machines by blocking management ports by default and opening them only when needed:

  • Default state: NSG rules block all inbound traffic on management ports (RDP 3389, SSH 22, WinRM 5985/5986, and custom ports you configure)
  • Access request: When an admin needs to connect, they request access through the Azure portal, API, or PowerShell. The request specifies the source IP, port, and duration (1–24 hours).
  • Approval: Requests can be auto-approved or require manual approval based on your policy configuration
  • Port opening: Upon approval, JIT automatically modifies the NSG to allow inbound traffic from the requester's IP for the specified duration only
  • Auto-close: When the duration expires, the NSG rule is automatically removed, closing the port
  • Audit trail: All JIT access requests are logged in Azure Activity Log for compliance and forensics

JIT reduces your exposed attack surface by 96–98% vs. always-open management ports. It is one of the highest-impact security improvements for IaaS environments.
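The policy, request and audit steps above map onto three Az.Security cmdlets. The script below is an added example, not code from this page or from Microsoft: it creates a JIT policy for one VM that keeps RDP and SSH closed by default with a three-hour ceiling per request, then submits a one-hour request to open SSH from a single admin IP, and finally reads the policy back. The subscription ID, resource group, VM name, region and source IP are placeholders (the IP is from the TEST-NET-3 documentation range), and the `Requests` property read in the last step is an assumed property name on the returned policy object.

```powershell
# Added example (not from the page or Microsoft): JIT policy + time-boxed access request.
# Requires Az.Accounts and Az.Security, a context set to the subscription, and
# Defender for Servers Plan 2 enabled on it.
# All resource names and the source IP below are placeholders.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-prod-web'                            # placeholder
$VmName         = 'vm-web-01'                              # placeholder
$Location       = 'westeurope'                             # placeholder
$AdminSourceIp  = '203.0.113.10'                           # placeholder (TEST-NET-3 range)

$vmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Policy (default state): ports JIT manages, permitted request sources, max duration per request.
#    allowedSourceAddressPrefix here only bounds what a request may name; the NSG is opened
#    solely for the IP given in each approved request, never for '*'.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $Location -Name 'default' `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($jitPolicy) | Out-Null

# 2. Access request: SSH only, from the admin's IP only, for the next hour only.
#    endTimeUtc must fall within maxRequestAccessDuration; JIT removes the NSG rule when it passes.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @($AdminSourceIp) }
    )
}
$policyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Verify: the policy's request list shows the approved window (assumed property name: Requests).
#    The Azure Activity Log keeps the durable audit trail of who requested what and when.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name 'default').Requests |
    Format-List
```

Two things to check after running it: the VM's NSG should show a JIT-created allow rule scoped to the single source IP and port, and that rule should be gone an hour later without any further action.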


What Defender plans are available and how much do they cost?

Defender for Cloud offers individual plans that can be enabled independently per subscription:

  • Defender for Servers P1: MDE integration, network-level protection. ~$5/server/month
  • Defender for Servers P2: P1 + JIT access, file integrity monitoring, adaptive application controls, vulnerability assessment, agentless scanning. ~$15/server/month
  • Defender for Containers: Image scanning, runtime protection, admission control, Kubernetes audit. ~$7/vCore/month
  • Defender for SQL: Threat detection for Azure SQL, SQL on VMs, and SQL Managed Instance. ~$15/instance/month
  • Defender for Storage: Malware scanning, sensitive data detection, anomalous access patterns. ~$10/storage account/month
  • Defender for Key Vaults: Anomalous access detection. ~$0.02/10K transactions
  • Defender for App Service: Threat detection for web apps. ~$15/instance/month
  • Defender CSPM: Attack path analysis, cloud security graph, agentless scanning, governance. ~$5/server/month

The foundational CSPM (Secure Score, basic recommendations, Azure Security Benchmark) is free for all Azure subscriptions.
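Enabling the plans listed above (and the deployment the Deploy-MDCProtection.ps1 script in the MDC Scripts table describes) comes down to setting each Microsoft.Security/pricings resource to the Standard tier. The script below is an added example, not code from this page, from the script listed above, or from Microsoft: it enables a chosen set of plans on one subscription, selects the Defender for Servers sub-plan, turns on the subscription's default auto-provisioning setting, and prints the resulting tier of every plan so gaps are visible. The plan names are the pricings resource names (`VirtualMachines` is Defender for Servers, `CloudPosture` is Defender CSPM, `Containers` is Defender for Containers); the `-SubPlan` parameter and the `SubPlan` output property exist in current Az.Security releases but are worth confirming against your installed version. The subscription ID is a placeholder.

```powershell
# Added example (not from the page or Microsoft): enable Defender plans on one subscription.
# Requires Az.Accounts and Az.Security and an account with Security Admin rights.
# Save as a .ps1 and run: .\Enable-DefenderPlans.ps1 -SubscriptionId <id>
# Assumed: -SubPlan on Set-AzSecurityPricing and the SubPlan output property (recent Az.Security).

param(
    [Parameter(Mandatory = $true)]
    [string]$SubscriptionId,                      # placeholder, e.g. 00000000-0000-0000-0000-000000000000

    # Plans to move to the paid (Standard) tier, by Microsoft.Security/pricings resource name.
    [string[]]$Plans = @('VirtualMachines', 'CloudPosture', 'Containers',
                         'StorageAccounts', 'SqlServers', 'KeyVaults', 'AppServices'),

    # Defender for Servers sub-plan: P2 adds JIT, file integrity monitoring,
    # adaptive application controls, vulnerability assessment and agentless scanning.
    [ValidateSet('P1', 'P2')]
    [string]$ServersSubPlan = 'P2'
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

foreach ($plan in $Plans) {
    if ($plan -eq 'VirtualMachines') {
        Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' -SubPlan $ServersSubPlan | Out-Null
    } else {
        Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
    }
    Write-Host "Enabled plan '$plan' on the Standard tier"
}

# Default auto-provisioning setting for the subscription, so new VMs get the agents without manual steps.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# Report every plan and its tier; anything still on Free is a coverage gap to decide on.
Get-AzSecurityPricing |
    Select-Object Name, PricingTier, SubPlan |
    Sort-Object PricingTier, Name |
    Format-Table -AutoSize
```

Because each plan is billed per protected resource, run the report once with an empty `-Plans` list first to see the current state, then enable plans one at a time on a non-production subscription before rolling out broadly.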


What is attack path analysis?

Attack path analysis (Defender CSPM premium) uses a cloud security graph to identify exploitable paths from the internet to your critical assets:

  • Graph-based model: Maps all relationships between resources: VMs, storage, databases, identities, network configurations, and vulnerabilities
  • Attack simulation: Simulates how an attacker could chain multiple weaknesses: e.g., a publicly exposed VM with a known CVE that has access to a database containing sensitive data
  • Risk prioritisation: Ranks attack paths by exploitability and impact, helping you focus on the paths attackers are most likely to use
  • Remediation guidance: Shows exactly which resource to fix to break the attack path; often a single NSG rule change or permission removal eliminates an entire path

Attack path analysis shifts security from "fix all vulnerabilities" to "fix the vulnerabilities that actually matter", dramatically reducing remediation effort while improving security outcomes.


โ† Back to Defender XDR