Microsoft Defender for... Everything?

Let's be honest. Microsoft doesn't have the best branding. I wasn't the biggest fan of Intune being renamed the generic Endpoint Manager. I'm curious how many results get hidden on Google because pretty much everyone still searches for Intune despite the rebranding years ago.

It's enough to give someone like me, who works with Defender daily, a headache just trying to keep up. Honestly, how many times can a product be renamed and rebranded before it just becomes a dizzying blur?

I mean, just look at the current product listing for Defender...

25 products - TWENTY-FIVE - all with the word Defender in them!

That's insane!

Maybe Microsoft should hire an SEO guy...

So I figured I'd sit down and just... write the thing. A no-nonsense guide to every Defender product, what it actually does, who needs it, and roughly what license gets you there. Because I guarantee you, half the people reading this have at least two Defender products confused with each other. I know I did for longer than I'd like to admit.

First a short history lesson...

The convoluted history of Microsoft Defender

It started simple. Back in 2005, Windows Defender was just an anti-spyware program for Windows XP. That's it. Spyware. Remember when that was the big threat?

Then in 2009, Microsoft released Microsoft Security Essentials, a free antivirus for Windows. They folded it back into Windows Defender in 2012.

At some point they realized "hey, spyware isn't the only thing trying to ruin your day" and renamed it to Windows Defender Antivirus. Then in 2016 came the enterprise version, Windows Defender ATP (Advanced Threat Protection), because apparently regular threat protection wasn't cutting it. This was the big one. It started Windows-only, then expanded to macOS and Linux in 2019, and mobile in 2020.

And then... the branding department got involved. And here we are.

I've grouped everything by category below. For each product I'll tell you what it does, when you'd actually care about it, and what license tier it falls under. There's a reference table at the bottom if you just want the cheat sheet.

The Big Umbrella: Microsoft Defender XDR

(You might still see this called "Microsoft 365 Defender." They renamed it. Again. Because of course they did.)

This is the "all of it" product. Defender XDR wraps together Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into one unified XDR portal at security.microsoft.com. That's the URL you'll live in.

You're not buying this separately. If you've got M365 E5 ($57/user/month) you've got everything. E3 gets you the basics but you'll need add-on licenses for the good parts. More on that under each product below.

In practice, this is the product most of my enterprise clients interact with daily. Before this existed you'd be checking the old Defender ATP portal, the Office 365 Security & Compliance Center, the Cloud App Security portal, and Azure ATP separately, trying to piece together what happened across four different tabs. The unified portal is genuinely the selling point.

Defender for Endpoint (MDE)

The one most people think of when they hear "Defender." Endpoint protection across Windows, Linux, macOS, iOS, and Android. Real-time protection, behavioral analysis, web content filtering, and threat hunting. If something weird is running on a device, this is what catches it.

I use this more than any other Defender product. There are two plans: Plan 1 (included in M365 E3) gives you next-gen protection and device control. Plan 2 (M365 E5 or standalone add-on) adds endpoint detection and response, threat hunting, and automated investigation. Plan 1 is fine for basic protection. Plan 2 is where it actually gets interesting.

One thing to be clear about: MDE doesn't deploy patches or manage your devices. That's Intune. MDE reports on security posture and config compliance, but it's not your device management tool. I've seen this confused more times than I can count.

Defender for Office 365 (MDO)

Phishing protection for your email and documents. Catches spear phishing, ransomware attachments, and BEC (business email compromise) attempts. Monitors for suspicious user behavior like someone suddenly forwarding all their email to an external address.

Licensing matters here. E3 gets you Exchange Online Protection (basic spam/malware filtering). MDO Plan 1 (E5 or add-on) adds Safe Links, Safe Attachments, and anti-phishing policies. Plan 2 adds threat investigation, automated response, and attack simulation training. The jump from EOP to Plan 1 is where most organizations see the real value. If you're still on E3 without the add-on, you're running with the bare minimum.

Defender for Cloud Apps (MDCA)

Used to be called Microsoft Cloud App Security (MCAS). Yes, they renamed this one too.

It's a CASB (Cloud Access Security Broker). Watches what your users are doing in cloud apps, not just Microsoft ones, but also Google Workspace, Salesforce, AWS, Dropbox, whatever. If someone's downloading 4,000 files from SharePoint on a Saturday morning, this is what flags it. Useful for catching data exfiltration and shadow IT. Included in M365 E5.
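The "4,000 files on a Saturday morning" case above is exactly what you can also hunt for yourself. This is an added example, not something from the original post: an Advanced Hunting query for the Defender XDR portal over the CloudAppEvents table, which is where MDCA activity lands. The 500-file threshold and the 07:00-19:00 UTC "business hours" window are assumptions to tune against your own tenant's baseline.

```kql
// Added example (not from the original post): flag accounts that pulled an
// unusually large number of SharePoint files in a single hour outside
// business hours. Requires the Office 365 app connector in MDCA, otherwise
// CloudAppEvents will not contain SharePoint activity.
let threshold = 500;              // assumption: tune to your baseline
let lookback = 7d;
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Microsoft SharePoint Online"
| where ActionType == "FileDownloaded"
// Timestamp is UTC; dayofweek() returns 0d for Sunday and 6d for Saturday
| extend Hour = hourofday(Timestamp), Day = dayofweek(Timestamp)
| where Day == 6d or Day == 0d or Hour < 7 or Hour > 19
| summarize Downloads = count(),
            DistinctIPs = dcount(IPAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountObjectId, AccountDisplayName, HourBucket = bin(Timestamp, 1h)
| where Downloads >= threshold
| order by Downloads desc
```

A hit here is a starting point for investigation, not a verdict; a backup job or a migration account will trip the same threshold, so check DistinctIPs and the account's normal behaviour before treating it as exfiltration.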

MDCA also powers Conditional Access App Control, which is a different beast: it's inline session proxying that lets you enforce real-time controls inside apps. Block downloads from unmanaged devices, prevent copy-paste of sensitive data, that kind of thing. If you're doing Conditional Access policies in Entra, this is the engine behind the "Use Conditional Access App Control" session control option.

This is one of the four pillars of the Defender XDR portal, so it feeds its alerts into the same unified incident view as Endpoint and Office 365.

Defender for Business

Basically MDE but packaged for SMBs. Simplified setup, wizard-based policies, lower licensing cost (comes with Microsoft 365 Business Premium). Designed for companies under 300 users that don't have a dedicated security team. If you're an MSP managing small clients, this is what Microsoft wants you to use. If you're an enterprise, skip this section.

Defender for Identity (MDI)

Watches your on-prem Active Directory for identity-based attacks. Pass-the-hash, pass-the-ticket, lateral movement, reconnaissance against AD. You install sensors on your domain controllers and it builds a behavioral baseline per account, then alerts when something deviates.

This is not the same as Azure AD Identity Protection (now Entra ID Protection), which handles cloud-side stuff like impossible travel detection and risky sign-ins. MDI is specifically about your on-prem AD. Different products, different signals, and yes, the naming makes this confusing. If you're running hybrid AD, you want both. They don't overlap. MDI is included in M365 E5, and it also comes with the standalone Enterprise Mobility + Security E5 license.

I've seen MDI catch lateral movement in client environments that would've gone unnoticed for weeks. It's one of the products I always push for in hybrid deployments.

Defender Vulnerability Management

Scans your systems and apps for known vulnerabilities, ranks them by severity, and tells you what to patch first. If you've used Qualys or Nessus, same idea, but built into the Microsoft ecosystem. The advantage over standalone scanners is the integration with Intune for remediation: it finds the vuln, Intune pushes the fix. Basic capabilities are included with MDE Plan 2. There's a standalone add-on if you want the full feature set without E5.

Microsoft Defender Threat Intelligence (MDTI)

Threat intel feeds. Active campaigns, known malicious IPs, attack techniques trending in the wild. You can hook it into your other Defender products to enrich alerts with context. There's a free tier with basic IOCs and a paid tier for the deeper stuff. It feels like this should've been a feature inside the Defender XDR portal rather than its own branded product, but that's Microsoft branding for you.

Defender for Cloud (and all its children)

Defender for Cloud is the umbrella for protecting Azure workloads (and some AWS/GCP). It's managed in the Azure portal (portal.azure.com), not in the Defender XDR portal. Different console, different licensing model. You pay per resource per hour, not per user. You enable "plans" for the Azure services you're running, and each plan has its own pricing. It can add up fast, so check the pricing calculator before you flip everything on.

The free tier gives you security recommendations and Secure Score. The paid plans add threat detection, vulnerability scanning, and advanced protections.

Defender for Servers

This is the one you'll actually spend time thinking about. Threat detection for Windows and Linux servers, whether they're Azure VMs, on-prem boxes, or even AWS instances you've connected through Azure Arc.

Plan 1 (~$5/server/month) gets you MDE integration and some basic protections. Plan 2 (~$15/server/month) adds vulnerability scanning, just-in-time VM access, file integrity monitoring, and adaptive application controls. Most clients I work with end up on Plan 2 because the JIT access alone justifies the cost. Not having your management ports open to the internet 24/7 is one of those things that sounds obvious but I still see it everywhere.

Defender for SQL

Vulnerability scanning and threat detection for Azure SQL databases and SQL servers on machines. Catches injection attempts, anomalous access patterns, and misconfigurations. Included with Defender for Cloud at the database-level pricing tier.

There's a separate plan for open-source databases too (MySQL, MariaDB, PostgreSQL on Azure). Same concept, same kind of monitoring. If you're already paying for Defender for SQL, adding the open-source coverage makes sense.

Defender for Containers

Security for AKS and Azure Container Instances. Scans container images in ACR for vulnerabilities, monitors runtime, watches network communications. If you're running Kubernetes in Azure, enable it. If you're not running containers, skip it.

The rest of the Cloud family

The remaining Defender for Cloud plans are mostly "enable it for the services you use" products. They matter, but the decision is binary: are you running this Azure service or not?

  • Defender for Storage monitors your Azure Storage accounts and Data Lake for malware uploads, suspicious access, and data exfiltration. Enable it if you're storing data in blobs.
  • Defender for App Service protects your Azure web apps. Minimal configuration. You either have web apps on App Service or you don't.
  • Defender for Key Vault alerts you when something accesses your keys or secrets in unusual ways. A service principal that normally reads one key suddenly enumerating everything? That's the kind of thing it flags. Worth enabling since Key Vault holds your most sensitive material.
  • Defender for Resource Manager watches the Azure control plane. Catches suspicious ARM operations like unexpected resource deployments or NSG rule changes. This is the one that would've helped the two times I've seen someone spin up crypto miners in a subscription nobody was watching.
  • Defender for DNS used to be a separate plan, but Microsoft has deprecated it as a standalone toggle and rolled its capabilities into Defender for Servers. You'll still see it referenced in older docs.

Defender for IoT

This one's split into two very different audiences, and the split matters.

For end-user organizations

Factory floor full of PLCs and SCADA systems? Smart building with connected HVAC? Hospital with networked medical devices? This is the product. It discovers IoT and OT devices on your network, monitors them for threats, and lets you set security policies. The tricky thing with IoT security is that most of these devices can't run agents, so Defender for IoT works by monitoring network traffic instead. It's also one of the few Defender products that's not really about Azure at all. It's about your physical network. Licensed per device, pricing varies by commitment tier.

For device builders

Totally different audience. For manufacturers who want to scan firmware for vulnerabilities before shipping. Checks against the OWASP IoT Top 10. If you're not building IoT hardware, this isn't for you.

Windows Defender features (the built-in ones)

These come free with Windows. No extra licensing. You already have them.

Microsoft Defender Antivirus is the free AV that ships with every Windows install. It's actually gotten really good over the years, consistently scoring near the top in independent AV tests. Most home users and plenty of businesses just use this and nothing else. If you're paying for a third-party AV on top of this, you might want to ask why.

Windows Defender Firewall is the one you already know. It's the thing that pops up when you install a new app and asks if you want to allow it through. You can create custom rules for what traffic is allowed or blocked. It does the job.

Windows Defender Application Control (WDAC) lets you whitelist which applications are allowed to run. Kiosks, shared workstations, school labs, anywhere you don't trust users to not install garbage. Powerful, but honestly a pain to configure. You'll spend a lot of time in audit mode before you're confident enough to enforce. I've seen rollouts take months because one missed LOB app breaks someone's workflow.

Microsoft Defender Application Guard runs untrusted websites in an isolated Hyper-V container. Someone clicks a phishing link, the malicious site is sandboxed away from the OS. Sounds great on paper. In practice I don't see it deployed much because it requires Hyper-V enabled on the endpoint, it doesn't play nice with some VPN clients, and browser extensions don't carry over to the isolated session. Users complain, IT disables it.

Microsoft Defender SmartScreen is the reputation-based filter that warns you about malicious websites and downloads in Edge. That yellow warning screen you see when you try to download a sketchy .exe? That's SmartScreen. Runs quietly and rarely causes problems.

Where does Sentinel fit?

You'll notice I haven't mentioned Microsoft Sentinel. It's not technically a "Defender" product, but it comes up in every conversation about this stack, so it's worth a quick note.

Sentinel is Microsoft's cloud SIEM (Security Information and Event Management). All of the Defender products above generate alerts. Sentinel is where those alerts go if you want to correlate them with logs from non-Microsoft sources, build custom detections, or do long-term threat hunting across your whole environment. Defender XDR gives you a unified view across Microsoft products. Sentinel gives you a unified view across everything.

You don't need Sentinel to use Defender products. Plenty of organizations just use the Defender XDR portal and call it done. But if you've got a SOC and you're pulling in logs from firewalls, SaaS apps, on-prem systems, and you want one place to see it all, that's what Sentinel is for. It's billed on data ingestion volume, not per user, and it gets expensive fast at scale.

So which ones do you actually need?

Here's the short version.

If you're an M365 shop (which is most of you): the products that matter are Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. Those four make up the Defender XDR suite. If you're on E5, you already have all of them. If you're on E3, you've got basic endpoint protection (MDE Plan 1) and basic email filtering (EOP), and you're missing the stuff that actually catches the sophisticated attacks. Whether the E5 upgrade or individual add-ons make sense depends on your org size and risk tolerance, but at a minimum, get MDO Plan 1 for Safe Links and Safe Attachments. The phishing landscape is too bad to rely on EOP alone.

If you're running Azure workloads: Defender for Cloud is a separate purchase from your M365 licensing. The free tier gives you Secure Score and recommendations. For the paid plans, start with Defender for Servers (Plan 2 if you can afford it) and add the plans that match your workload. Running SQL? Add Defender for SQL. Running containers? Add that plan. Check the pricing calculator first because the per-resource billing adds up.

If you're an SMB under 300 users: Look at Microsoft 365 Business Premium. It includes Defender for Business, which is a simplified version of MDE with policies you can set up without a security team. It's good enough for most small organizations.

If you're evaluating Microsoft vs. third-party (CrowdStrike, Zscaler, etc.): The integration story is where Microsoft wins. Having endpoint, email, identity, and cloud app alerts in one incident view is genuinely valuable and hard to replicate with point solutions. Where third-party tools win is depth. CrowdStrike's EDR is better than MDE in isolation. Netskope and Zscaler have more mature SASE/CASB features than MDCA. The trade-off is: best-in-class per category, or everything talking to each other out of the box? If you're on E5, CrowdStrike is a hard sell to your CFO because you're already paying for endpoint protection whether you use it or not.

Common overlaps to watch for

A few places where organizations end up paying twice without realizing it:

  • MDE + third-party AV/EDR. If you're on E5, you already have MDE Plan 2. Running CrowdStrike or SentinelOne on top of it means you're paying for two endpoint solutions. Either use MDE and drop the third-party, or use the third-party and accept you're leaving MDE on the table.
  • MDI + Entra ID Protection. These are not the same thing and don't overlap. MDI watches on-prem AD. Entra ID Protection watches cloud identities. You probably want both if you're hybrid. This is one of the most common points of confusion.
  • Defender for Servers + MDE licensing. Defender for Servers Plan 1 includes an MDE license for each covered server. If you're separately licensing MDE for those same machines, you're doubling up.
  • MDCA + standalone CASB. If you're on E5, MDCA is included. If you're also paying for Netskope or Zscaler CASB, figure out which one you're actually using for policy enforcement and drop the other.

Quick reference table

| Product | What it protects | Included in | Managed from |
|---|---|---|---|
| Defender for Endpoint P1 | Devices (basic) | M365 E3 | security.microsoft.com |
| Defender for Endpoint P2 | Devices (EDR, hunting) | M365 E5 / add-on | security.microsoft.com |
| Defender for Office 365 P1 | Email (Safe Links/Attachments) | M365 E5 / add-on | security.microsoft.com |
| Defender for Office 365 P2 | Email (investigation, simulation) | M365 E5 | security.microsoft.com |
| Defender for Cloud Apps | Cloud app activity (CASB) | M365 E5 | security.microsoft.com |
| Defender for Identity | On-prem Active Directory | M365 E5 / EMS E5 | security.microsoft.com |
| Defender for Business | Devices (SMB simplified) | M365 Business Premium | security.microsoft.com |
| Vulnerability Management | Vuln scanning | MDE P2 (basic) / add-on | security.microsoft.com |
| Threat Intelligence | Threat intel feeds | Free tier / paid add-on | security.microsoft.com |
| Defender for Servers P1 | Servers (~$5/server/mo) | Defender for Cloud | portal.azure.com |
| Defender for Servers P2 | Servers + JIT, FIM (~$15/server/mo) | Defender for Cloud | portal.azure.com |
| Defender for SQL | Azure SQL / SQL on machines | Defender for Cloud | portal.azure.com |
| Defender for Containers | AKS, container images | Defender for Cloud | portal.azure.com |
| Defender for Storage | Azure Storage / Data Lake | Defender for Cloud | portal.azure.com |
| Defender for App Service | Azure web apps | Defender for Cloud | portal.azure.com |
| Defender for Key Vault | Keys and secrets | Defender for Cloud | portal.azure.com |
| Defender for Resource Manager | ARM control plane | Defender for Cloud | portal.azure.com |
| Defender for IoT | OT/IoT devices | Per-device licensing | portal.azure.com |
| Defender Antivirus | Windows endpoints | Windows (free) | Local / Intune |
| Defender Firewall | Network traffic | Windows (free) | Local / Intune / GPO |
| WDAC | App execution control | Windows (free) | Intune / GPO |
| Application Guard | Browser isolation | Windows (free) | Intune / GPO |
| SmartScreen | Malicious URLs/downloads | Windows (free) | Intune / GPO |


And if Microsoft renames any of these by the time you read this... well. I tried.
