Contents
- What Microsoft Security Copilot Actually Does
- Security Compute Units (SCUs): The Pricing Model
- What SCUs Actually Cost
- M365 Defender and Required Prerequisite Licences
- Embedded vs. Standalone Experience
- Enterprise Cost Scenarios
- Negotiation Tactics for Security Copilot
- Is Security Copilot Worth the Cost?
Microsoft Security Copilot is the first major enterprise security product priced entirely on compute capacity rather than per user or per seat. It's a genuinely different commercial model — and it creates cost management challenges that procurement and security leaders aren't prepared for. Security teams are used to per-seat pricing for endpoint, email, and identity products. Security Copilot introduces a GPU-capacity metering model that behaves more like cloud infrastructure than security software.
The product itself is compelling: an AI assistant for security operations that can summarise incidents, reverse-engineer malware, generate KQL queries, and guide analysts through complex investigation workflows. For stretched SOC teams, the productivity case is real. The commercial case is where organisations need independent analysis — which is what this guide provides.
We negotiate Microsoft contracts on a 25% gainshare basis. If there are savings available in your Security Copilot or Microsoft Defender licensing, you keep 75% of them.
What Microsoft Security Copilot Actually Does
Overpaying for Microsoft? We handle Microsoft EA, NCE, and Azure negotiation on a 25% gainshare basis — you keep 75% of every dollar saved. No retainer. No risk.
Get a free Microsoft savings estimate →Security Copilot is an AI layer on top of Microsoft's security product portfolio. It ingests signals from Microsoft Defender XDR, Microsoft Sentinel, Intune, Entra ID, and Purview — and applies GPT-4-class AI to help security analysts work faster and more effectively.
Key capabilities include: incident summarisation (take a complex multi-alert incident and produce an executive summary in seconds), threat intelligence enrichment (surface relevant threat intel against indicators automatically), KQL query generation (describe what you want to find in natural language, get the query), script and malware analysis (decode obfuscated PowerShell or analyse suspicious binaries), and guided investigation playbooks (step-by-step investigation support for analysts of any skill level).
The product integrates natively into the Microsoft Defender XDR portal ("embedded" experience) and also runs as a standalone portal. This distinction matters commercially, as we'll explain.
Security Compute Units (SCUs): The Pricing Model
Security Copilot is priced in Security Compute Units (SCUs) — a proprietary compute capacity metric that Microsoft defines as "one SCU = the compute needed to run one Security Copilot prompt per hour." You provision a number of SCUs, and that determines your concurrent processing capacity and speed.
The model is capacity-based, not consumption-based (at the base level). You pay for provisioned SCUs whether you use the capacity or not. You can scale SCUs up and down dynamically, and Microsoft bills per hour of provisioned capacity. This is fundamentally different from how security teams are used to procuring software — it's closer to reserving cloud compute than buying a security licence.
There is no free tier. There is no per-user licence option for full Security Copilot access. You must provision at least 1 SCU to use the product.
The SCU model in practice: 1 SCU supports roughly one analyst running concurrent prompts. A SOC with 5 analysts working simultaneously needs at minimum 5 SCUs. But Microsoft recommends starting at 3 SCUs even for individual analysts to ensure consistent response times. Most enterprise deployments start at 5–10 SCUs and scale based on actual usage patterns.
What SCUs Actually Cost
Security Copilot SCU pricing as of early 2026:
| Deployment Model | Price Per SCU/Hour | Min SCUs | Monthly Cost (10 SCUs) | Annual Cost (10 SCUs) |
|---|---|---|---|---|
| Pay-as-you-go (PAYG) | $4.00 | 1 | $2,928 | $35,136 |
| Annual reserved | ~$3.00 | 3 | $2,196 | $26,352 |
| Enterprise negotiated | $2.40–$2.80 | Custom | $1,752–$2,048 | $21,024–$24,576 |
Note: Monthly cost calculations assume 24/7 provisioning (730 hours/month). Many organisations provision Security Copilot only during active SOC hours (e.g., 12 hours/day × 5 days/week = 260 hours/month), which dramatically changes the cost profile. A 10-SCU deployment provisioned only during SOC hours: $4.00 × 10 × 260h = $10,400/month vs. $29,200/month for always-on. Dynamic provisioning based on actual SOC operating hours is one of the most impactful cost control measures available.
M365 Defender and Required Prerequisite Licences
Security Copilot is not a standalone product — it derives its value from integrating with Microsoft's security data sources. Most of those data sources require licences that are not included in Security Copilot's pricing. Before calculating Security Copilot TCO, you need to account for the prerequisite licences:
- Microsoft Defender XDR (P2): Required to use the primary Defender integration for endpoint, identity, and email signals. Included in Microsoft 365 E5 Security; available as a standalone add-on for ~$5.20/user/month.
- Microsoft Sentinel: Required for SIEM-based investigations via Security Copilot. Billed at $2.46–$2.96/GB/day for data ingestion, plus connector costs.
- Microsoft Entra ID P2: Required for identity-related investigations and Conditional Access insights. ~$9.00/user/month standalone, or included in M365 E5.
- Microsoft Purview: Required for data security and compliance investigations via Security Copilot. Various add-on tiers from $2/user/month.
Organisations that are already M365 E5 customers have most of these prerequisites covered. Organisations on M365 E3 will face significant additional licensing costs before Security Copilot delivers its full value — a factor that Microsoft's sales team frequently underemphasises.
Embedded vs. Standalone Experience
Security Copilot offers two interaction modes with different commercial implications:
Embedded experience: AI assistance within the existing Microsoft Defender XDR portal, Purview, and Entra ID consoles. Analysts don't leave their current tools — Copilot appears as a panel within the product. This is the most natural fit for existing workflows and typically generates lower SCU consumption because analysts use it for specific tasks rather than extended sessions.
Standalone portal: A dedicated Security Copilot interface where analysts can run extended investigations, create custom prompts, and use Promptbooks (pre-built investigation workflows). Broader in scope but generates higher SCU consumption per analyst session.
For most enterprise deployments, a hybrid approach — embedded for day-to-day triage and standalone for complex investigations — optimises both productivity value and SCU consumption. Right-sizing your SCU allocation requires understanding how your analysts will actually use the product before you commit to provisioned capacity.
Further Reading
- Microsoft Volume Licensing Service Center ↗
- Gartner Magic Quadrant for Unified Communications ↗
- IDC Microsoft 365 Market Analysis ↗
Is Your Security Copilot Deployment Commercially Optimised?
SCU provisioning strategy, Defender prerequisite licensing, and EA-level discounts are all negotiable. We build Security Copilot into broader Microsoft EA negotiations to ensure you're not paying PAYG rates for a multi-year security platform commitment. 25% gainshare — no savings, no fee.
Get Your Free Microsoft Security Assessment →Enterprise Cost Scenarios
Scenario 1: Mid-Size Enterprise SOC (15 analysts)
8 SCUs provisioned during SOC hours (8am–8pm, 5 days/week), 3 SCUs on-call overnight and weekends. Peak hours: 260h/month × 8 SCUs × $4.00 = $8,320. Off-peak: 470h/month × 3 SCUs × $4.00 = $5,640. Total: $13,960/month ($167,520/year) at PAYG. Annual reserved at $3.00/SCU: $12,390/month ($148,680/year). With enterprise negotiated $2.60/SCU rate: $9,474/month ($113,688/year) — a 32% reduction vs. PAYG.
Scenario 2: Enterprise with 24/7 SOC (50 analysts)
20 SCUs provisioned 24/7. 730h/month × 20 × $4.00 = $58,400/month ($700,800/year) PAYG. This is a significant budget line that warrants a private pricing agreement with Microsoft. At enterprise-negotiated $2.40/SCU with annual commit: $35,040/month ($420,480/year) — a $280,320/year reduction.
Negotiation Tactics for Security Copilot
Bundle Security Copilot into the M365 E5 Renewal
Security Copilot is most negotiable as part of a broader Microsoft 365 E5 renewal. If you're upgrading from E3 to E5 — which provides the Defender XDR prerequisites — the Security Copilot SCU pricing can be bundled into the overall negotiation. Microsoft will trade SCU discounts for committed seat count increases and multi-year EA terms.
Benchmark SCU Consumption Before Committing
Microsoft offers a trial period. Use it to benchmark actual SCU consumption per analyst per shift before committing to reserved capacity. The difference between over-provisioned and right-provisioned SCU counts can be 30–50% of your monthly spend. Don't commit to reserved pricing until you have real consumption data.
Dynamic Provisioning for Cost Control
Unlike most software licences, SCUs can be provisioned and de-provisioned dynamically. Building SCU scaling into your SOC operating model — scaling down outside business hours, scaling up during major incident response — can reduce your average monthly SCU cost by 40–60% compared to always-on provisioning without affecting operational capability during working hours.
Negotiate Reserved SCU Rates Through EA
The published annual reserved rate of approximately $3.00/SCU/hour is the starting point, not the floor. Enterprises with significant Microsoft security spend — particularly M365 E5 at large scale — can negotiate 15–25% below published reserved rates. The leverage: Security Copilot adoption data benefits Microsoft's go-to-market narrative, and large committed deployments are valuable to them.
Is Security Copilot Worth the Cost?
The ROI case for Security Copilot is real but needs honest analysis. Microsoft's internal data suggests Security Copilot reduces incident investigation time by 22–26% on average and reduces analyst onboarding time significantly for junior SOC staff. For an enterprise SOC paying $100K+ per analyst per year, a 22% productivity improvement across 15 analysts theoretically yields $330K/year in productivity value — potentially justifying $113–148K/year in Security Copilot licensing.
The honest caveat: productivity gains depend heavily on actual analyst adoption rates, use case fit, and whether your existing Defender and Sentinel investments provide quality signal data. Security Copilot is only as useful as the data it has access to. Organisations with fragmented security tooling (non-Microsoft SIEM, limited Defender coverage) will see less value than those deeply embedded in the Microsoft security stack.
The commercial analysis should be separated from the procurement decisions. You can negotiate the price regardless of the value you place on the product. We do this as part of Microsoft EA negotiations — ensuring that whatever you commit to is at the right price. 25% gainshare, zero risk.