The Total Economic Impact™ Of Microsoft Defender for Cloud

Cost Savings And Business Benefits Enabled By Defender for Cloud

A Forrester Total Economic Impact™ Study Commissioned By Microsoft, August 2024

As today’s enterprises optimize for hybrid and multicloud environments, they risk opening a multivariate attack surface to threat actors. Cloud workload security (CWS) plays an essential role in cloud adoption, cloud data, and threat protection. Savvy organizations leverage the business benefits of visibility as they migrate workloads and their security to the cloud.¹

Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that embeds security across the entire application lifecycle, from development to runtime. Defender for Cloud provides a unified platform for Cloud Security Posture Management, DevOps security management, and cloud workload protections across multicloud and hybrid environments.

Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Microsoft Defender for Cloud.² The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Defender for Cloud on their organizations.

Return on investment (ROI)

99%

Net present value (NPV)

$4.25M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five representatives with experience using Defender for Cloud. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization that is a global, North America-based company facing mounting cybersecurity threats to its multicloud infrastructure.

Interviewees said that as their organizations grew, their consumption of cloud services and increased cloud-based collaboration with partners and third parties increased their attack surfaces. Their legacy CWS tools were inefficient and ineffective, and they drained resources’ abilities to proactively respond to a gamut of threats. This left the organizations’ cloud environments — including mission-critical apps and workloads related to the continuous integration and continuous delivery (CI/CD) lifecycle —vulnerable to costly breaches.

The interviewees said that after the investment in Defender for Cloud, their organizations reduced their risk and improved their security and compliance postures at scale. This helped the organizations keep pace with compliance requirements in a dynamically shifting regulatory climate with added context provided on their security postures compared to their peers based on Microsoft cloud security benchmarks.

At the same time, interviewees pointed out that Defender for Cloud helped their organizations better position themselves for secure, efficient software development and collaboration with third-party partners for purposes such as research and development. Interviewees discussed how this reduced development effort and improved time to value to develop secure products that enable business growth.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

Ten percent license savings compared to legacy security infrastructure tools and more than 1,700 hours of security stack administration avoided due to multicloud consolidation. With Defender for Cloud, the composite organization eliminates licensing and management costs for five tools over three years as it protects more workloads. This yields more than $1 million in cost savings.
Thirty percent improvement in SecOps productivity from expanded visibility, context, and automations. As the composite organization expands the volume of workloads protected by Defender for Cloud, it streamlines redundant multicloud security policies, eliminates manual patching processes, and gains efficiencies through other automations and integrations into the Microsoft ecosystem. Over three years, these productivity savings total more than $5.6 million.
Fifty percent reduction in false positives and 30% decrease in the time to investigate and remediate threats. With Defender for Cloud, the composite organization avoids more than 36,000 hours of investigation and remediation, and it reallocates $796,000 of SecOps labor effort to proactive threat-hunting and other higher-value activities.
Ten percent reduction in incidents needing response that would not have been caught in the prior environment. With Microsoft Defender for Cloud, the composite organization captures and resolves a greater number of real incidents not caught by previous solutions, and it provides greater context and prioritization. This improved posture helps the composite avoid $292,000 in costs related to data breaches.
Fifteen percent reduction in audit compliance overhead and lower reliance on auditing services. With Microsoft Defender for Cloud, the composite organization decreases the cost to remain in compliance, which streamlines meeting schedules and avoids auditing fees. Over three years, the value of this improved compliance posture totals $857,000.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

Additional context and targeted guidance on security posture when leveraging Microsoft cloud security benchmarks.
A compressed, more secure development lifecycle giving way to DevSecOps efficiencies.
Less operational risk and improved visibility into the CI/CD.
Improved employee experience for SecOps team members.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Microsoft Defender for Cloud fees for CNAPP and other workloads. The composite organization’s total fees to Microsoft for cloud native application protection platform and DevOps as well as subscription costs for Defender for Servers, Containers, Databases, Storage (and malware scanning), and APIs, as well as for Microsoft professional services come to $3.8 million over three years.
Internal and external implementation costs and maintenance overhead. The composite organization deploys workloads to Defender for Cloud in a phased approach during the three-year period, engaging external partner costs to support these deployments. Ongoing administration totals 855 hours over three years while implementation and maintenance costs $477,000.

The representative interviews and financial analysis found that a composite organization experiences benefits of $8.52 million over three years versus costs of $4.27 million, adding up to a net present value (NPV) of $4.25 million and an ROI of 99%.

Avoided potential costs related to data breaches

$292,000

“We are all looking for [more] speed and less risk, and … Microsoft is aligning themselves nicely with that. As you integrate any new solution, you are inevitably inviting the risk of a breach. So, having an extensible suite that is on the same platform helps to mollify that affect.”

Technical manager, B2B software

Key Statistics

Return on investment (ROI)

99%

Benefits PV

$8.52M

Net present value (NPV)

$4.25M

Avoided potential costs of a data breach

$292K

Benefits (Three-Year)

Multicloud and hybrid security infrastructure consolidation SecOps productivity gain Threat investigation and remediation acceleration Data breach-related cost reduction Audit compliance posture improvement

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Defender for Cloud.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Defender for Cloud can have on an organization.

Due Diligence

Interviewed Microsoft stakeholders and Forrester analysts to gather data relative to Defender for Cloud.
Interviews

Interviewed five representatives at organizations using Defender for Cloud to obtain data about costs, benefits, and risks.
Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by Microsoft and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Defender for Cloud.

Microsoft reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Microsoft provided the customer names for the interviews but did not participate in the interviews. The scope of the cyber security practice within Forrester is founded in industry knowledge and survey information from global organizations, updated on an annual basis. Further information is available from Forrester Business Technographics or with a Forrester analyst.

Consulting Team:

Courtenay O’Connor

Marianne Friis

Drivers leading to the Defender for Cloud investment

Interviews

Role	Industry	Total FTEs	Percent of workloads on premises
Cyberdefense leader	Materials	20,000+	15%
Chief information security officer (CISO)	Technology	20,000+	NA
Technical manager	B2B software	5,000 to 19,999	>40% and shrinking
Senior director of IT operations	Healthcare	20,000+	20%
Chief technology officer (CTO)	Life sciences	1,000 to 4,999	5%

Key Challenges

Before using Defender for Cloud, interviewees’ organizations were stymied by multivariate risks lurking amidst complex hybrid and multicloud infrastructures. Interviewees described how their organizations’ cloud security blind spots compounded risk, exacerbated vulnerabilities, and lengthened dwell time when attacks successfully penetrated cloud workloads. They further noted how their organizations struggled with further challenges, including:

Multicloud and hybrid cloud security infrastructure complexity. Interviewees reported that as their organizations increased cloud consumption across providers, their infrastructure and security teams faced growing cloud complexity, excess technology and maintenance costs, and redundant tools. This complexity posed many challenges as cloud administrators were overwhelmed with risk prioritization vulnerabilities, configuration errors, and other posture issues across their organizations’ multicloud infrastructures.
- The senior director of IT operations in the healthcare industry shared how their organization’s legacy critical infrastructure left its mission-critical data and operational systems vulnerable to attack. This was due to the complexity of its deployment model layered against the weaknesses partners exposed to it and the highly sensitive and targeted nature of data exchanged. The interviewee said: “My organization’s critical infrastructure is anything related to patient health information … most importantly is what we call bidirectional or single-directional interfaces. Right now, we [have] probably about 4,000 physical virtualized servers at this point in time with lots of microservices, several data lakes, and structured data warehousing, as well. We probably have just under 2 petabytes on an ongoing basis daily, and we’re probably deploying several thousand containers.”
- The CTO at the life sciences company shared how the challenge of complexity caused configuration errors and other posture issues. Furthermore, they said cloud admins were burdened with repetitive tasks and unclear risk prioritization across multicloud infrastructure vulnerabilities: “There were constant, daily, weekly, and monthly sets of task points that we go through. We [had to verify] if the system was doing its job, then go back in to look at the status of the threat intelligence databases. We were doing the same thing across our entire grid.”

SecOps productivity drain. At the same time the interviewees’ organizations saw internal complexity of their security environments grow, so too did the risk of threats from external sources. Interviewees lamented how their security teams’ remit outpaced their capacity to address multiple increasingly complex and overlapping risks. These included but were not limited to runtime container risk, overprovisioning container privileges, malware, phishing and social engineering efforts, and shadow IT.
The CTO in the life sciences industry shared how their organization’s growing cloud network and greater complexity drove significant increases in security ticket volumes in the prior environment. The interviewee said that in two years, their organization’s high-priority security tickets increased by 130% while lower-priority security ticket volume increased more than 400%.
Because the organizations were unable to protect what they couldn’t see, interviewees described the inherent growing vulnerability of their critical infrastructures. The CTO in the life sciences industry shared how partner risk impacted their organization prior to using Defender for Cloud: “Typically, as with most organizations, our risk … tends to be our partners. We have a lot of healthcare organizations that tend to be further behind the curve in cybersecurity, and we have to look for residual damage. For example, they have their systems that are connecting to ours. Whoever [may have] hacked into them [may have executed] privilege escalation to get into their data that we’re maintaining.”
Threat investigation and remediation drag. Interviewees noted how the infrastructure complexity and lack of visibility resulted in high rates of threat false positives. With such limited, conflicting, or error-ridden data, SecOps teams faced unnecessary hurdles in their efforts to stop threat actors from gaining a foothold in their organizations. This lack of context related to threat investigations caused excessively high ticket volumes and investigation labor.
- The CTO at the life sciences company described how their organization was facing a large number of new threats compounding its threat investigation workloads: “Like most organizations, we get hit with stuff every day in terms of very low-, low-level risk points that are dealt with. … That’s a constant battle that we have.”
- The technical manager at the B2B software company indicated that their organization’s on-premises workloads suffered from even more complexity, saying: “People spent a lot of time trying to figure out [what] the problem was. … This was even more exacerbated when you had large, on-premises apps that, if something went down, you had to take the whole solution offline. It would take several hours to find it.”
Cost escalation related to data breaches. Interviewees shared how complexity associated with environments distributed across multicloud and on-premises caused dangerous and costly impacts when major data breaches occurred.³
- The CISO in the technology industry pointed to the attack surface and compliance quagmire that container misconfiguration posed to their organization. They indicated that these were the same types of misconfigurations that led to some of the largest data breaches in the past several years: “[A top] pain point is cloud and container compliance. … When the engineers deploy containers … the container workloads could be misconfigured, and they are exposed [to] a lot of recent breaches [with respect to runtime security of containers]. … You can imagine the damage that can happen, not even in 2 hours. If I can detect something in 20 minutes versus two days, [I can avoid] a lot of bad things [that come] with a [computer] worm or a Trojan [horse virus] in two days.”
- The CTO in the life sciences industry made the connection between cybersecurity and brand risk to their organization: “The aftermath of [a recent public security breach] is that CEOs around the world suddenly learned that it didn’t matter that they were running a successful company or business. [They learned] they can get fired. … That was a good wake-up call, even for our organization.”
Audit and compliance risk. The interviewees told Forrester their organizations had complex and often-overlapping compliance regimes, which could lead to noncompliance and many costly repercussions. The CTO in the life sciences industry shared how mission-critical it was for their organization to maintain these compliance requirements, despite the complexity and redundancy. They shared: “[When] you’re talking about anything healthcare related, it’s either high trust or HIPAA (Health Insurance Portability and Accountability Act). If you’re talking Europe, it’s GDPR (General Data Protection Regulation). [Then there’s] UK Health, [and] Canada has its own regulatory standards. There’s a myriad of standard points. Ironically, if you take a look at all the individual standards, 70% to 90% of them are the same.”

“If we are noncompliant with terms of our contracts, we cannot share data, and that means that our products are ineffective. The business does not work.”

CTO, life sciences

“The major pain points were lack of investigation and remediation capabilities due to lack of advanced [cloud security] technologies. We were not able to defend our environment against advanced and state-sponsored attacks with legacy tools and antivirus solutions. We could not investigate a breach and respond in a timely manner to meet SEC and federal guidelines.”

CISO, technology

Investment Objectives

The interviewees’ organizations searched for a far-reaching solution that could improve their cloud security administration, reduce the complexity involved with the number of tools and manual processes needed, and proactively mitigate the costs and impacts of a security breach. The organizations also sought to:

Simplify their cloud security environments. Interviewees noted that their organizations wanted to consolidate the tools, operational burden, and potential for error and misconfiguration by investing in a tool that would effectively manage multicloud security.
The senior director of IT operations in the healthcare industry shared that their organization had an imperative to invest in anything related to security posture monitoring, workload protection capabilities, and vulnerability scanning. In particular, their organization sought protection related to DevOps security management, cloud security posture, cloud workload protection, regulatory compliance, cyberattack path analysis, posture visibility, infrastructure as code, and code security guidance.
Refocus SecOps from a reactive to proactive security approach. Interviewees reported the desire to pivot from a reactive security stance to one that embraces the power of automation to enforce policies and replace multiple manually driven security processes.
The CISO in the technology industry shared that their organization had a security imperative to harden itself against potential data loss and breaches by leveraging all organizational technologies and operations. It sought to protect company assets on the network, including runtime protection of containers. They shared, “We are a security-conscious company, and it’s part of our overall cloud security and security strategy to have protection across the stack endpoints, Kubernetes, cloud, and so on.”
Reduce risk and associated costs of a data breach caused by an external attack. Interviewees discussed their organizations’ objectives to secure their multicloud or hybrid environments and attain Zero Trust principles in order to mitigate costly impacts of security breaches.
- The CTO in the life sciences industry shared: “Particularly if you want to go into a trustless environment, you need to have a structure point set up to deal with that, as well. To enhance your compliance, some of the big things [you need include] multifactor authentication.”
- The technical manager in the B2B software industry also noted that gaining adequate identity and access management capabilities was a principal investment objective. They said, “[A main investment driver was] to protect company assets [on the] network and make sure that we can avoid data loss and breaches using all the technologies and operations.”
- The CISO at the technology company shared how their organization was experiencing regular malware assaults that led to significant runtime container risk: “Once [every] six months, [we might see] runtime malware or malicious containers getting inserted into container registry. … [Your] container registry getting malware or a bad container can really create problem.”
Meet ever-stricter governance requirements. Layering redundant yet unignorable compliance requirements onto a complex infrastructure made governance an untenable objective for interviewees’ organizations.
The CTO in the life sciences industry shared: “The catalyst for [the Defender for Cloud] investment was really our governance. We had to maintain a certain level of governance for all of our structures. We had [two other cloud providers,] and we had Microsoft, [and we were] trying to have three separate organizations to do the governance structure for all that we were doing — not just for the cloud for ourselves, but also for clients, as well.”
Secure the code-to-cloud environment. When it came to their organizations’ software development environments, interviewees discussed the fundamental tension to reduce risk while achieving speed and scale in product delivery. Multiple interviewees noted that their organizations’ business models necessitated the protection of highly sensitive data and workloads to be shared bidirectionally across multiple partners.
SSThe cyberdefense leader at the materials company noted that their organization found particular value in Microsoft Defender for Cloud’s ability to improve cloud security posture and secure the application code before it gets provisioned to the cloud. They said: “[We get the most value out of] really looking at the policies and postures of the overall cloud piece and then using infrastructure as code for our cloud-native areas moving that through the Defender pipelines for continuous build [of] those areas.“

“We were hoping to address simplicity within the platform itself. How can we really simplify and free up IT operations around automation to do that?”

Senior director of IT operations, healthcare

“Per the NIST (National Institute of Standards and Technology) best practices and CIS benchmarks, we need to have certain hardening standards for our endpoints and for our containers."

CISO, technology

Why Microsoft Defender for Cloud?

The interviewees told Forrester that their organizations selected Microsoft Defender for Cloud for its product functionalities. Their goals were to improve their cloud security administration, reduce the complexity involved with the number of tools and manual processes they had, improve visibility with continuous monitoring and detection across multicloud and hybrid environments, and to help their organizations respond to threats in real time. Interviewees said other reasons their organizations invested in Microsoft Defender for Cloud include:

Simplicity of operation with consolidated cloud workload security tools for multicloud and hybrid environments. Interviewees told Forrester that Defender for Cloud’s cloud workload protection capabilities offer the far-reaching functionality their organizations needed to simplify their environments. They explained the platform offered the capabilities needed to effectively retire their redundant, ineffective, and costly legacy tools for things like cloud entitlement management and DevOps security.
The technical manager at the B2B software company shared, “A larger percentage of [our cloud workloads are in] Azure than [our other cloud services partner] simply because Azure keeps making improvements, and we keep putting more in the Azure cloud.”
Ease of use with integration and automation capabilities. Interviewees said that when investigating cloud workload protection solutions, Defender for Cloud outperformed competitors in how easy it was for users to manage. The bidirectional integrations with other vendor tools allowed interviewees’ organizations to eliminate wasteful processes and error-driven inconsistencies.
- The CISO in the technology industry said 90% of their organization’s Azure workloads are protected by the Microsoft Defender suite of products because the costs associated with licensing and ownership are low due to its ease of use, ease of configuration, and seamless integration with the Microsoft products already in use. They said: “It depends on the architecture. But, in most cases, if you are running [Kubernetes or an] underlying container platform, you are more likely to have success with Microsoft cloud apps or cloud security products.”
Multicloud visibility, which improves threat contextualization — particularly into the Microsoft environment. Interviewees pointed to the advantage of leveraging Defender for Cloud not only for their organizations’ Azure workloads, but also for other workloads as needed to augment cloud infrastructure visibility and governance.
Regarding what drove the selection of Defender for Cloud, the technical manager in the B2B software industry stated: “I think it was the comprehensive strategy that Microsoft has taken to establish itself as a cloud-native [application] protection platform (CNAPP). It also works on [two other cloud providers]. ... [Microsoft has] got it on-prem. It’s multicloud. So now they’ve been able to seize this opportunity to really build security in.”
Expansive governance and regulatory compliance capabilities. Interviewees noted that Microsoft provided strong insights into industrial benchmarks. The CTO in the life sciences industry highlighted that Microsoft was able to demonstrate how implementing the Microsoft Defender suite of products and other products from Microsoft fit into their organization’s compliance governance data requirements. They said: “[Microsoft] was adding bricks to their wall that they were going to build a better governance and regulatory compliance structure. And in addition to that, they could manage various aspects of vulnerability management and risk assessment.”
Speed and scale in achieving a secure code to cloud pipeline. Interviewees discussed how Defender for Cloud augmented a best-of-breed tool stack with faster cycles times. The technical manager in the B2B software industry shared, “[Microsoft] has been very thoughtful on what they’ve rolled out for their cloud products, whether it be storage or containers.”

“We found that Microsoft has much better coverage on the logs, traces, and metrics that are being produced internally that they can then utilize to help Defender understand what’s going on in your environment. ”

CTO, life sciences

Composite Organization

Description of composite. The global, $25 billion company based in North America spends 1% of its revenue on technology. It also employs 75,000 employees, of which 750 are developers and 150 are SecOps FTEs.

The composite organization faces mounting cybersecurity threats. In recent years, it investigated an average of 1,000 threats per week, growing 5% annually. These threats ranged from high-frequency, low-impact events such as phishing efforts to low-frequency, high-impact threats such as malware infections.

In its prior security technology environment, the composite organization deployed individualized tools to provide comprehensive cloud workload protection for various workloads. As part of a multivendor security stack, these workloads connected the organization’s distributed multicloud environment with a small, private data center.

Deployment characteristics. The composite increases the portion of its technology estate in the cloud from 50% of all workloads at the start of the investment period to 80% after three years. A further goal of this cloud transformation includes increasing overall cloud consumption, consolidating vendor tools and optimizing the multicloud security stack.

The composite also shifts more of the publicly hosted workloads to the Azure cloud with Defender for Cloud protection as the deployed configuration proves its value. This includes deploying Defender for Cloud protection to 25% of workloads hosted outside of Azure in Year 1. By Year 3, the composite organization increases the percent of non-Azure workloads in the cloud to the Defender for Cloud environment to 50% by the end of Year 3.

Key Assumptions

52,000 threats investigated annually
150 SecOps FTEs/billable users

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Multicloud and hybrid security infrastructure consolidation	$329,670	$395,604	$527,472	$1,252,746	$1,022,943
Btr	SecOps productivity gain	$1,790,100	$2,148,120	$2,864,160	$6,802,380	$5,554,555
Ctr	Threat investigation and remediation acceleration	$243,100	$306,307	$428,830	$978,237	$796,332
Dtr	Data breach-related cost reduction	$94,068	$112,881	$150,508	$357,456	$291,885
Etr	Audit compliance posture improvement	$329,670	$341,604	$365,472	$1,036,746	$856,602
	Total benefits (risk-adjusted)	$2,786,608	$3,304,516	$4,336,441	$10,427,565	$8,522,317

Multicloud And Hybrid Security Infrastructure Consolidation

Evidence and data. Interviewees named the proliferation of multicloud security tools as a major source of complexity and risk in their organizations’ prior environments. Using Microsoft Defender for Cloud across multicloud and hybrid environments allowed their organizations to pull multiple levers of value across their cloud workload security stacks.

The cyberdefense leader in the materials industry shared that their organization experienced $1 million in license savings from consolidating its legacy security infrastructure. The interviewee explained that their organization had already consolidated tools from six cloud security vendors into the one Defender for Cloud instance with two more tools to be decommissioned in the future.
The same interviewee said that in addition to avoiding the direct, external costs related to product sprawl, their organization also avoided internal labor costs. The organization was able to reallocate the efforts of up to three FTEs who were previously tied up with administering and orchestrating a sprawling, multicloud security product stack. The cyberdefense leader noted the complex labor requirements needed to match the functionality of Defender for Cloud: “[Without Defender for Cloud,] it would be so much more complex. It would cost us double to maintain [our multicloud security stack].”
The technical manager in the B2B software industry indicated that their organization experienced savings from vendor consolidation and infrastructure avoidance: “We are seeing consolidation of some of the areas into Microsoft Azure and the Defender for Cloud ecosystem. That can bring you some hard cost savings. And then, certainly, if you are consolidating tools under the Microsoft umbrella, you are probably going to save engineering labor efforts on your site, as well. So, labor effort [can see] up to 10% savings because of consolidation.”
The CTO at the life sciences company reported that Defender for Cloud allowed their organization to be 30% more efficient with its cost controls: “We [can] consolidate servers and structures so that we’re efficiently utilizing CPU memory and storage with less assistance out there. … Through consolidation efforts, we can usually drop our cost for that same process by 20% to 30% because once we understand how and what it is utilizing, we can combine it with other structures to be more efficient.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In its prior environment, the composite organization’s cybersecurity software license and subscription costs totaled $6 million.⁴
The composite organization deploys 50% of cloud workloads to the Defender for Cloud environment. In years 2 and 3, the composite deploys an additional 20% of total workloads to the cloud for a total of 80% of all cloud workloads protected and addressable by Defender for Cloud by the end of Year 3.
As the composite organization deploys workloads to the cloud over the three-year period, it decommissions up to five legacy security tools and consolidates 10% of its cybersecurity tooling spend with Defender for Cloud.
Over three years, these savings amount to more than $1.1 million.
Forrester also assumes the following regarding savings from legacy security infrastructure and cybersecurity software management costs:
In its prior environment, the composite organization dedicated up to 15% of an FTE’s time to manage each legacy cybersecurity tool. Over three years, the composite organization avoids more than 1,700 hours of internal labor to manage multiple security tools.
The average fully burdened hourly rate for a SecOps resource is $85.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The number of workloads protected by Microsoft Defender for Cloud.
The amount of internal labor and skill required to manage legacy security tools.
The fully burdened rates of SecOps resources.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.0 million.

5 tools to 1 tool

Cloud security tool consolidation

>1,700 hours

Security tools management time avoided

“Rather than running a script separately, we can daisy-chain them and cut down the amount of data we’re processing. … We’ve gone over 30% in terms of average reduction in costs and run rates for our [cloud computing] processes over time.”

CTO, life sciences

Multicloud And Hybrid Security Infrastructure Consolidation

Ref.	Metric	Source	Year 1	Year 2	Year 3
A1	Legacy multicloud and hybrid security software license and subscription costs in the prior environment	Composite	$6,000,000	$6,000,000	$6,000,000
A2	Percent of workloads protected and addressable by Defender for Cloud	Composite	50%	60%	80%
A3	Consolidation of legacy multicloud and hybrid security software licenses with Defender for Cloud	Interviews	10%	10%	10%
A4	Subtotal: License savings from consolidated legacy multicloud and hybrid security software tools with Defender for Cloud	A1A2A3	$300,000	$360,000	$480,000
A5	Total avoided internal labor time to manage legacy multicloud and hybrid security software tool licenses with Defender for Cloud (hours)	Composite	1,560	1,560	1,560
A6	Average fully burdened hourly rate for a SecOps resource (rounded)	TEI standard	$85	$85	$85
A7	Subtotal: Labor savings from managing consolidated legacy hybrid and multicloud cybersecurity tool with Defender for Cloud	A2A5A6	$66,300	$79,560	$106,080
At	Multicloud and hybrid security infrastructure consolidation	A4+A7	$366,300	$439,560	$586,080
	Risk adjustment	↓10%
Atr	Multicloud and hybrid security infrastructure consolidation (risk-adjusted)		$329,670	$395,604	$527,472
Three-year total: $1,252,746		Three-year present value: $1,022,943

SecOps Productivity Gain

Evidence and data. In addition to the labor saved from no longer managing sprawling legacy security stacks (see Benefit A) and beyond reactive threat mitigation (see Benefit C), interviewees revealed several ways in which Defender for Cloud instilled productivity improvements across their organizations compared to the prior environments.

The senior director of IT operations in the healthcare industry said their organization gained general and specific security operations efficiencies related to container security, especially around microservices cloud workloads. They said: “When it comes to Defender for Cloud, Microsoft has done a really good job simplifying how the platform works from an administration standpoint and looking at how we set up our tolerances, our tools, or any variances like that. It’s been well-received. ... I think the most benefit is the time savings in a simplification of administration, removing where things have to be done [by people].”
The technical manager in the B2B software industry shared the benefits of having Defender for Cloud in their organization, including up to 30% SecOps efficiencies depending on the activity: “[It is a] centralized platform for managing security policies or monitoring across different cloud services [and includes] some of the threat intelligence. It has continued to become more complex and sophisticated in terms of what it can do. We haven’t looked back in the last five years now [with] Microsoft [cloud security] products.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite organization employs 150 FTEs on its SecOps team.
The composite deploys 50% of cloud workloads to the Defender for Cloud environment. In years 2 and 3, the composite deploys an additional 20% of total workloads to the cloud for a total of 80% of all cloud workloads protected and addressable by Defender for Cloud by the end of Year 3.
With Defender for Cloud’s enhanced visibility, automations, and data consolidation, SecOps resources boost productivity by 30% compared to in the prior environment.
The average fully burdened hourly rate for a SecOps resource is $85.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The organization’s security culture and maturity.
The number of workloads protected by Microsoft Defender for Cloud.
The total number of security operations FTEs.
The fully burdened rates of SecOps resources.
The ability of SecOps resources to recapture productivity.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $5.6 million.

$5.6M

SecOps productivity improvement

“[With Defender for Cloud,] if the tools are configured properly, the [global] efficiencies in your SOC can probably be up to 30% for a fine-tuned environment.”

Technical manager, B2B software

SecOps Productivity Gain

Ref.	Metric	Source	Year 1	Year 2	Year 3
B1	Total SecOps FTEs	Composite	150	150	150
B2	Percent of workloads protected and addressable by Defender for Cloud	A2	50%	60%	80%
B3	SecOps productivity improvement from enhanced visibility	Interviews	30%	30%	30%
B4	Productivity recapture	TEI standard	50%	50%	50%
B5	Average fully burdened salary for a SecOps resource (rounded)	Composite	$176,800	$176,800	$176,800
Bt	SecOps productivity gain	B1B2B3B4B5	$1,989,000	$2,386,800	$3,182,400
	Risk adjustment	↓10%
Btr	SecOps productivity gain (risk-adjusted)		$1,790,100	$2,148,120	$2,864,160
Three-year total: $6,802,380		Three-year present value: $5,554,555

Threat Investigation And Remediation Acceleration

Evidence and data. With the Microsoft Defender for Cloud investment, interviewees’ organizations identified several levers through which the platform accelerated threat investigation and remediation labor.

Reduced false positives and associated investigation volumes. Interviewees said one of the main drivers of SecOps inefficiencies in their organizations’ prior environments was time wasted on investigations that were not related to true threats. This manifested throughout interviewees’ organizations both through excess volumes of false positives and unnecessarily lengthy timeframes to investigate their veracity.
- The senior director of IT operations in the healthcare industry reported significant reductions in false positives over several years due in large part from their deployment of Microsoft Defender for Cloud: “We have had a huge reduction [in false positives] over time compared to where we were five years ago…. Microsoft Defender for Cloud provides more detailed information for admins to take a more calculated approach at how to do things more tactically and strategically.”
- The technical manager in the B2B software industry said their organization had an average of 500 findings with false positives. Most were related to malware on endpoints/servers, viruses on email attachments, misuse of devices, invalid credentials, data loss and exfiltration, network intrusion attempts, and DNS attacks. The interviewee reported a 30% reduction in security false positives with Defender for Cloud: “Every time there’s a possible security event, it’s not an incident yet. …You have a 2-hour playbook drill, and you have to go down that rabbit hole [to find out]. And you probably just did something very similar to that the day before [or] that very morning. You’re just wasting your time, so you burn out your analyst. By having better real-time detection and this type of protection, you’re actually reducing the number of those rabbit holes you’re going down.”
Faster mean time to detect (MTTD) true security events. Interviewees also reported that Defender for Cloud helped their organizations to detect and identify true positives faster and more effectively than in their prior security environments.
- The technical manager in the B2B software industry described how their organization leveraged Defender for Cloud to detect anomalous behavior in storage accounts and authentication issues. They mentioned that the platform recognizes permissions, blocks unauthorized users, recognizes when authorized users are engaged in unauthorized activity, and has several other ways to detect and flag potential security events for investigation and resolution. They reported that their organization’s average MTTD for this type of security threat decreased by 75% with Defender for Cloud, dropping from 2 hours to 30 minutes.
- The interviewee indicated that a lack of visibility slowed identification stages of remediation in the prior environment. Because the team no longer needed to spend so much time trying to figure out what the problem was in the Defender for Cloud environment, it could focus on effective resolution. The technical manager said: “[The platform has] evolved to next-gen capabilities [with its function] to very closely trace one or two that triggered this within the host. That means time to detect is now also coupled with a much more accurate pinpoint of the actual misconfiguration. … Our reaction drill is now truncated significantly because we’re looking right at one or two causes of what happened.”
- The senior director of IT operations in the healthcare industry articulated how Defender for Cloud saved their organization from extensive threat assessment and remediation labor. In its prior environment, the organization isolated 100 findings per day for review. These investigations dealt with spam, malware, ransomware, phishing, denial of service, identity-based attacks, and insider threats. With Defender for Cloud, the organization gained security operations efficiencies related to container security, especially around microservices cloud workloads. They said: “When you start looking at threat vulnerability in different types of behaviors … that’s going to tie up an admin in a cybersecurity operation center for 10% to 20% of their time. … So, it’s that simplification, automation, and looking at the types of threats and events that have come up. It’s a data-driven platform using insights now, looking at tolerances related to Zero Trust and SaaS (software as a service). It pulls things more into focus to be able to do that successfully.”
Faster mean time to resolve (MTTR): Interviewees attributed efficiencies and gains in the entire threat resolution cycle to Defender for Cloud.
- The CTO in the life sciences industry described how Defender for Cloud provided SecOps resources with newfound capabilities such as the ability to track assets in environments, map out vulnerability structures in the environment, suggest remediation tactics, and analyze traffic deviant points to identify observability issues. The interviewee said: “We’ve had a 15% improvement in mean time to close cybersecurity tickets. This is something else that we’re happy with. It takes a look at our active directory structures and [based upon our policies,] it can go in there now and automatically assign ownership on governance, give grace periods, and actually mandate remediation time.”
- The senior director of IT operations in the healthcare industry reported a 25% decrease to their organization’s MTTR compared to in the prior environment. The organization attributed this not only to Defender for Cloud, but also to Microsoft ecosystem apps such as Teams, better automation and resolution tools, less reliance on FTEs with more use of tools to self-remediate, better policy management, the adoption of AI tools for better predictive analytics, and a more robust cybersecurity process in general. The interviewee told Forrester: “I would say, obviously, with the way Microsoft and some other tools that helped [us,] that has reduced meantime to ticket closure and investigations by up to 25%.”
- The cyberdefense leader in the materials industry reported early impacts from their organization’s Defender for Cloud adoption. They said, “We don’t have any [financial] metrics for it, but [Defender for Cloud] has to be saving us many hours associated with identifying attack paths.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

With Defender for Cloud, the composite improves its cloud security posture across the threat remediation cycle, which reduces the number of false positives compared to in the prior environment while also reducing the mean time to identify and remediate a true threat.
The composite previously investigated an average of 1,000 threats per week. With mounting attacks from a variety of vectors, the organization anticipates the volume of threats to increase by 5% each year, totaling more than 160,000 potential threats requiring investigation over three years.

In the prior environment, the composite organization determined more than 80,000 events were not threats, representing a false-positive rate of 50%.
These threats ranged from phishing efforts and malware infections to other threats and vulnerabilities. A small number of threats required 2 hours of investigation, and a very large number of smaller threats required 10 minutes of investigation. While there was a wide range, the average time to investigate threats in the prior environment was 15 minutes.
During the three-year period, the composite organization:
- Deploys 50% of cloud workloads to the Defender for Cloud environment. In years 2 and 3, the composite deploys an additional 20% of total workloads to the cloud for a total of 80% of all cloud workloads protected and addressable by Defender for Cloud by the end of Year 3.
- Reduces the volume of false positives by 50%, avoiding investigating more than 6,500 innocuous events over three years. This totals $555,000 of avoided investigation effort with Defender for Cloud.
- Decreases the average time to investigate threats from 15 minutes to 10.5 minutes, which is a 4.5 minute (30%) reduction with Defender for Cloud. This eliminates more than 10,000 hours of excess investigation effort into true positives.
- Accelerates the average time to remediate threats by 30% with Defender for Cloud. This allows the composite to avoid more than 2,600 hours of remediation effort.
- The average fully burdened hourly rate for a SecOps resource is $85.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit.

The organization’s security culture and maturity.
The number of workloads protected by Microsoft Defender for Cloud.
The current number of threats requiring investigation and remediation and the current false-positive rate.
The current mean time to investigate and remediate threats.
The fully burdened rates of SecOps resources.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $796,000.

Threat investigation and remediation acceleration

Ref.	Metric	Source	Year 1	Year 2	Year 3
C1	Prior number of threats requiring investigation	Interviews; 1,000/week +5% YOY	52,000	54,600	57,330
C2	False positive rate in the prior environment	Composite	50%	50%	50%
C3	Total number of false positives investigated in the prior environment	C1*C2	26,000	27,300	28,665
C4	Average hours to investigate threats in the prior environment	Interviews	0.25	0.25	0.25
C5	Average fully burdened hourly rate of a SecOps resource, rounded	B5/2,080	$85	$85	$85
C6	Percent of workloads protected and addressable by Defender for Cloud	A2	50%	60%	80%
C7	Reduction in threat false positives with Defender for Cloud	Interviews	50%	50%	50%
C8	Subtotal: Avoided threat investigation labor from reduced false positives with Defender for Cloud	C3C4C5C6C7	$138,125	$174,038	$243,653
C9	Total number of threats requiring investigation using Defender for Cloud	C1C6(1-C7)	13,000	16,380	22,932
C10	Decrease in time to investigate threats with Defender for Cloud	Interviews	30%	30%	30%
C11	Subtotal: Accelerated threat investigation effort from improved visibility with Defender for Cloud	C4C5C9*C10	$82,875	$104,423	$146,192
C12	Total number of investigated threats requiring remediation using Defender for Cloud	C9C2(1-C7)	3,250	4,095	5,733
C13	Average hours to remediate true threats in the prior environment	Composite	1	1	1
C14	Decrease in time to remediate threats with Defender for Cloud	Interviews	30%	30%	30%
C15	Subtotal: Accelerated threat remediation effort from improved visibility with Defender for Cloud	C4C5C12*C14	$82,875	$104,423	$146,192
Ct	Threat investigation and remediation acceleration	C8+C11+C15	$303,875	$382,884	$536,037
	Risk adjustment	↓20%
Ctr	Threat investigation and remediation acceleration (risk-adjusted)		$243,100	$306,307	$428,830
Three-year total: $978,237		Three-year present value: $796,332

50%

Reduction in threat false positives

30%

Decrease in MTTR threats

“[Defender for Cloud] just takes out the weird stuff happening on our network that ends up on the cybersecurity desk. We’ve already probably cut back about 60% of the workload, and a lot of that revolves around false positives, so I can get better data. The systems assess the data properly. ... I’m not even going to give it to the analyst. I’m going to auto-close.”

CTO, life sciences

Data Breach-Related Cost Reduction

Evidence and data. Interviewees said that prior to investing in Defender for Cloud, they and their organizations were ill-equipped to face a new era of cyberthreats. The organizations often deployed a layered approach with the best tools capturing the most workloads to secure against an increasingly hostile and unmanageable attack surface.

Multiple interviewees reported their organization’s best-of-breed approach served to increase its Azure cloud consumption and deploy more multicloud workloads to the Defender for Cloud environment.

The CISO in the technology industry told Forrester their organization’s greatest source of value from Defender for Cloud extends from runtime protection for containers. In the prior environment, the organization faced the daily vulnerabilities and threats of bad containers or malware infections to the container registry. Serious runtime risk to containers manifested twice per year. With Defender for Cloud, the organization gained the ability to conduct daily and weekly scans for container vulnerabilities, particularly those integrated with the CI/CD production pipeline.

The CISO in the technology industry also noted that their organization reaped further value from aspects of the Defender for Cloud instance in a multicloud context, with 35% of the organization’s non-Azure workloads covered by Defender. The interviewee indicated that Microsoft was capturing an additional 10% of real incidents requiring remediation and reported that these true incidents would not have been caught by other deployed solutions in the prior environment. They recounted hundreds of daily phishing attacks in the prior environment and said: “There are a lot of credential-based attacks and, again, the goal of these credential-based phishing attacks is to gain credentials and get into some of the large Kubernetes parts or container parts. … [Our] original business case for Defender for Cloud was to make the company more secure and reduce the attack surface.
The technical manager in the B2B software industry characterized their organization as having a best-of-breed approach, deploying an array of vendor cloud security tools. Their organization optimized cloud workloads across multiple partners, resulting in a larger portion of workloads deployed to the Azure environment and protected with Defender for Cloud. The interviewee further described how their organization expanded its Azure and Defender for Cloud environment as its use case was deployed, implemented, and adopted across the organization: “The more [our Azure and Defender for Cloud environments augment the entire stack,] the stickier and the more likely or the more viable it is for us to transition more to it, and the more predictable and reliable it is over time. ... We’re actually using more Azure today than we anticipated even two years ago. … We’re doing malware scanning, looking for sensitive data threats … [and] looking for any aberrations or anomalies. We’re leveraging what Microsoft has built into Defender for Cloud. [This] has threat-detection algorithms, [which resembles] its own form of DLP.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior environment, the composite organization had an 89% likelihood of experiencing one or more breaches per year (held flat year over year for the purpose of this analysis), with 49% of breaches attributable to an external attack.⁵ The mean cumulative cost of data breaches in the prior environment was $5,065,000.⁶
The composite organization’s Defender for Cloud instance detects and remediates 10% of incidents that would have gone otherwise undetected by the other security tools in its stack. As such, with Defender for Cloud, the composite organization reduces the likelihood of a breach and associated costs related to a data breach by 10% above and beyond the other solutions it has in place.
The composite organization deploys 50% of cloud workloads to the Defender for Cloud environment. In years 2 and 3, the composite deploys an additional 20% of total workloads to the cloud for a total of 80% of all cloud workloads protected and addressable by Defender for Cloud by the end of Year 3.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit.

The organization’s security culture and maturity.
The number of workloads protected by Microsoft Defender for Cloud.
The likelihood and associated costs of security breaches per year.
The risk reduction from Microsoft Defender for Cloud given security policies and Microsoft Defender for Cloud usage improvements.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $292,000.

Data Breach-Related Cost Reduction

Ref.	Metric	Source	Year 1	Year 2	Year 3
D1	Likelihood of experiencing one or more breach per year	Forrester Research	89%	89%	89%
D2	Breaches attributable to source of attack	Forrester Research	49%	49%	49%
D3	Mean cumulative cost of data breaches	Forrester Research	$5,065,000	$5,065,000	$5,065,000
D4	Percent of workloads protected and addressable by Defender for Cloud	A2	50%	60%	80%
D5	Risk reduction with Defender for Cloud	Interviews	10%	10%	10%
Dt	Data breach-related cost reduction	D1D2D3D4D5	$110,668	$132,801	$177,068
	Risk adjustment	↓15%
Dtr	Data breach-related cost reduction (risk-adjusted)		$94,068	$112,881	$150,508
Three-year total: $357,456		Three-year present value: $291,885

10%

Incremental protection against data breaches

“Microsoft is capturing 10% of real incidents [not caught by other solutions deployed, thereby] reducing our attack surface by 10%.”

CISO, technology

Audit Compliance Posture Improvement

Evidence and data. Interviewees discussed how regular audits of their organizations’ compliance postures across multiple, repetitive compliance regimes put valuable resources toward efforts that were rarely designed for an effective compliance program. This complexity resulted in costly overhead, with significant portions of the audit and compliance workload dedicated to the level of rework necessitated from manually managing and correcting error-prone multicloud security policies.

Interviewees shared how Microsoft Defender for Cloud automated their organizations’ auditing and compliance efforts, which reduced the related workloads required from internal FTEs.

The CISO in the technology industry reported $300,000 in savings related to audit and compliance overhead and fees. They said: “If we have Microsoft Defender technology deployed and compliance management is able to pull the data, we can save costs on [auditing] because we can pull all the artifacts that are out of compliance using Microsoft Defender for Cloud. So that’s also a cost saving. If you don’t have Defender, you will have to pay more to [auditors]. For a typical contract of $300,000, you can probably save 5% on the audit regulatory compliance cost-saving with Defender for Cloud. If you don’t have Microsoft, that’s basically extra labor efforts you have to pay for.”
The same interviewee said that in addition to saving costs, their organization’s Defender for Cloud investment served to improve compliance with NIST standards: “CIS publishes all these standards, so you can do these implementations manually or you can do it automatically through Microsoft Defender.”
The CTO in the life sciences industry reported that in their organization’s prior environment, vulnerabilities in the authentication system and encryption services would trigger data-compliance issues and third-party notifications of hacking and cybersecurity incidents and trigger a class one incident for an analyst to review. With Defender for Cloud, the organization’s security response teams were equipped with better auto-classification systems for vulnerabilities, risks, and incidents as well as better data flows. The CTO said: “Automated weekly and monthly incident summarization also decreased the hours that auditors are spending to ensure compliance standards are being met [with] … a time savings estimated at 2 hours weekly. Weekly audit meeting length has decreased to typically a half hour, down from an hour. The organization attributed this in part to more concise information, better communication, and improved workflows enabled through Defender for Cloud.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior environment, the composite organization’s audit compliance overhead totaled $884,000 annually, which included five FTEs dedicated to enforcement and reporting across departments.
The average fully burdened annual salary for one of these FTEs is $176,800.
The composite organization deploys 50% of workloads to the Defender for Cloud environment. In years 2 and 3, the composite deploys an additional 20% of total workloads to the cloud for a total of 80% of all cloud workloads protected and addressable by Defender for Cloud by the end of Year 3.
The composite reduces its audit compliance overhead by 10% with Defender for Cloud.
The improved visibility results in a $300,000 annual reduction in audit costs from a streamlined and reduced workload associated with auditing internal and external and costs, including reduced rework and faster documentation retrieval.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The organization’s security culture and maturity.
The organization’s audit compliance overhead or the number of resources tasked with compliance-related workflows.
The number of workloads protected by Microsoft Defender for Cloud.
The organization’s compliance regimes, the extent to which external auditors require documentation, and the level of findings resulting from regular compliance audits.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $857,000.

Audit Compliance Posture Improvement

Ref.	Metric	Source	Year 1	Year 2	Year 3
E1	Total FTEs dedicated to audit compliance efforts in the prior environment	Composite	5	5	5
E2	Average fully burdened salary for an FTE dedicated to audit compliance efforts (rounded)	B5	$176,800	$176,800	$176,800
E3	Percent of workloads protected and addressable by Defender for Cloud	A2	50%	60%	80%
E4	Reduction in audit compliance overhead with Defender for Cloud	Interviews	15%	15%	15%
E5	Subtotal: Reduced audit compliance overhead costs with Defender for Cloud	E1E2E3*E4	$66,300	$79,560	$106,080
E6	Subtotal: Savings from reduced auditing fees	Interviews	$300,000	$300,000	$300,000
Et	Audit compliance posture improvement	E5+E6	$366,300	$379,560	$406,080
	Risk adjustment	↓10%
Etr	Audit compliance posture improvement (risk-adjusted)		$329,670	$341,604	$365,472
Three-year total: $1,036,746		Three-year present value: $856,602

15%

Audit compliance posture improvement

“[Defender for Cloud] is capable of saving up to 5% of [my organization's] engineering overhead around [audit and compliance] meetings and collaboration.”

CISO, technology

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not quantified for the analysis:

Additional context and targeted guidance on security posture when leveraging Microsoft cloud security benchmarks. Interviewees whose organizations leveraged Defender for Cloud’s security benchmarks system shared how it lends additional visibility and guidance regarding security posture.
The cyberdefense leader at the materials company noted: “[One] piece that we use quite heavily is [Microsoft’s cloud security benchmarks system]… It helps build [a standardized] dashboard and gamifies how to achieve more points and drive up our score. [It] gives us a measuring stick to know where … to focus.”
A compressed, more secure development lifecycle giving way to DevOps efficiencies. Interviewees whose organizations deployed the DevOps capabilities of Defender for Cloud indicated that developers were better equipped with advanced tooling to improve product security, delivery quality, and sometimes timelines. The technical manager in the B2B software industry noted how Microsoft curates an ecosystem of tools to support developers: “[Microsoft’s] container security, for example, has Kubernetes clusters [and] registries, [and] you could do workloads. So, it’s much more comprehensive for a container queue or CI/CD pipeline than we’ve ever had before. In fact, I think that’s one reason why Microsoft acquired GitHub, one reason why they’re using OpenAI, and [why] they’re trying with GitHub and code now to say: ‘Hey, you start to write the code. We’ll finish it for you.’”
Less operational risk and improved visibility into the CI/CD. The CISO at the technology company indicated that the DevSecOps capabilities in Defender for Cloud permitted more observability and visibility of the CI/CD pipeline. They said: “We [always] have a lot of vulnerabilities before going to pre-production. That is always part of our CI/CD implementation plan. So, we use [Defender for Cloud] to scan the CI/CD [and] our DevOps pipeline. … You’re getting more insight into your security stack.”
Improved employee experience for SecOps team members. Interviewees attributed additional value to their organizations’ abilities to use resources more effectively. The technical manager in the B2B software industry noted that Defender for Cloud helped their company to repurpose resources to higher-value activities, which had several positive impacts on the security team’s overall experience. They also found that the community and expertise gained through mastery of Defender for Cloud conferred a myriad of benefits to the organization as well as employees. This included increased motivation to pursue learning opportunities and take courses to obtain cloud certifications, which ultimately provided resources and a career path as the employee grows.
The technical manager shared: “Rather than burn out my analysts by [making them handle] all these threats, [I can leverage] that contextualization that’s provided. I would say that retention levels [have] increased probably fourfold. There’s a retention factor when you don’t burn out your people. That’s money in the bank. And you’re not going through the sunk cost of having to hire all those people and train them up again.”
Addressing operational risk and waste related to the CI/CD. Interviewees described how Defender for Cloud offers new ways to position their organizations for more secure development in their CI/CD pipelines. The cyberdefense leader in the materials industry indicated that their organization is working towards prioritizing critical security issues and infrastructure-as-code efforts, as well as shifting the security requirements earlier on in the development process. They told Forrester: “[Defender for Cloud] is absolutely helping us see into the build pipelines exactly where these vulnerabilities are. As they go through the pipeline to understand what the risk is, [they can ] hopefully work to avoid those risks before production.”

Up to 4x

Reduction in SecOps FTE turnover

“With technologies like [Defender for Cloud, security teams] can learn from one another. They grow with the product, and they’re more inclined to do that with the company that they’re in rather than … jumping to another company. Now, you’re truly augmenting and complementing your workforce with a cohort that can help them do their job [and] that’s learning, contextualizing, [and] improving over time."

Technical manager, B2B software

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Defender for Cloud and later realize additional uses and business opportunities, including:

Improved revenue from secure CI/CD partner collaboration. Some interviewees shared how their organization’s operating business model necessitated a secure collaboration environment with an array of partners in order to research and develop new products to bring to market and serve their customers and stakeholders.
The senior director of IT operations in the healthcare industry discussed the business value of scaling up the number and types of secure, bidirectional interfaces to enable working in a more shared collaboration environment when all partners share high degrees of hybrid security. They talked about how the DevOps security capabilities available in Defender for Cloud environment potentially contributed to 15% to 20% of business growth from these R&D partnerships during the investment period. The interviewee told Forrester that a combination of factors contributed to this growth, including the number of instances, the data footprint, the workloads, and the role of new B2B relationships in generating new revenue streams. They said: “You have a lot of details related to big data on critical infrastructure, but managing contracts, relationships, collaboration, [and] that all still falls under your corporate infrastructure where Microsoft obviously has a good dominance with and a good set of tools.”
Synergies within the Microsoft ecosystem. The interviewees’ organizations tended to build out numerous Microsoft cloud workloads as part of their cloud estates. With that growth in Azure cloud consumption came the opportunity to leverage Microsoft tools and economies of scale in order to bend the curve in delivering on their companies’ automation and integration goals.
The senior director of IT operations in the healthcare industry said Defender for Cloud has the ability to seamlessly interact with other Microsoft security tools and Azure cloud operations, which simplified and automated interactions between applications. They said: “Defender for Cloud does a very good job at finding the sweet spot of not being overly aggressive with security posture management and allowing operations to run efficiently. If you look at other true security platforms … when you start looking at administrative hours, change management, and things like that, that’s where Microsoft really kind of separates itself with Microsoft workplace applications.”
Additional benefits and capabilities. Interviewees described other ways in which their organizations intend to flex into Microsoft’s advanced computing capabilities while taking advantages of the benefits and efficiencies conferred by the Microsoft ecosystem:
- The technical manager in the B2B software industry shared how Microsoft offered their organization the advantage to leverage economies at scale. This is unlike in the prior environment, where their team had to deal with bringing a best-of-breed approach together with legacy systems. They expressed: “Just the whole infrastructure part of that [can be] a nightmare, [whereas] a lot of those second- and third-order integration effects are going to be alleviated and already taken care of for you [with Microsoft].”
- The CTO at the life sciences company pointed out how Microsoft has advanced computing workloads related to artificial intelligence for scaling business growth and other objectives and quantum cybersecurity. They shared: “The first thing that Microsoft was talking to us about [when we considered investing in Defender for Cloud] was that we are building the structure point as fast as we can so that we can handle secrets and encryption for all these services. We are locked into Microsoft, Kubernetes, and Azure data platforms. That means that for data in rest and data in motion, I’m going to get my encryption standards in place.”

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).

15% to 20%

Improved revenue from secure partner R&D

“[Defender for Cloud] protects everything related to our B2B relationships on R&D projects. … As we’ve spun up a lot of bidirectional interfaces, we have become more focused on … relationships that have opened up all new workloads. We need to set up a [secure] cloud-hosting environment to be able to manage it effectively.”

Senior director of IT operations, healthcare

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1	Year 2	Year 3	Total	Present Value
Ftr	Microsoft Defender for Cloud fees	$0	$1,228,500	$1,351,350	$2,079,000	$4,658,850	$3,795,620
Gtr	Implementation and maintenance	$250,228	$126,143	$93,154	$47,124	$516,648	$477,294
	Total costs (risk-adjusted)	$250,228	$1,354,643	$1,444,504	$2,126,124	$5,175,498	$4,272,914

Microsoft Defender for Cloud Fees

Evidence and data. Interviewees’ organizations had a mix of the following Defender for Cloud products and cost drivers:

Defender Cloud Security Posture Management (CSPM), driven in part by the number of billable resources per month.
Defender for Servers, driven in part by the number of servers deployed.
Defender for Containers, driven in part by the number of virtual cores (vCores).
Defender for Databases, driven in part by the number of instances.
Defender for Storage, driven in part by the number of storage accounts.

Modeling and assumptions. Based on the interviews, Forrester estimates the following for the composite organization:

The composite’s total costs in Year 1 are $1.5 million.
As 20% more workloads are onboarded onto the Defender for Cloud environment in both years 2, and 3, the composite organization’s subscription costs increase to $1.65 million and $1.98 million, respectively.
Pricing may vary. Contact Microsoft for details.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this cost:

The number and configuration of workloads protected by Microsoft Defender for Cloud.
The number of billable resources for Microsoft Defender for Cloud.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.8 million.

Microsoft Defender for Cloud Fees

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
F1	Microsoft Defender for Cloud subscription fees	Composite	$0	$1,170,000	$1,287,000	$1,980,000
Ft	Microsoft Defender for Cloud costs	F1	$0	$1,170,000	$1,287,000	$1,980,000
	Risk adjustment	↑5%
Ftr	Microsoft Defender for Cloud fees (risk-adjusted)		$0	$1,228,500	$1,351,350	$2,079,000
Three-year total: $4,658,850		Three-year present value: $3,795,620

Implementation And Maintenance

Evidence and data. Interviewees described various implementation and maintenance scenarios that correspond with their Defender for Cloud product deployments, including:

Implementation. Interviewees described deployment timeframes of three to six months for the initial Defender for Cloud environment.
- The CISO in the technology industry said their organization’s implementation timeframe lasted up to three months in six-week phases. Their organization opted to include 100 additional hours of Microsoft Professional Services to assist with mitigating the complexity of their organization’s deployment.
- The senior director of IT operations in healthcare shared that their organization took a particularly conservative approach to deployment, given the organization’s large size and broad physical and virtual presence compounded by the highly sensitive, critical nature of their cloud workloads. Regarding compliance, the interviewee cited the need to secure their organization for HIPAA compliance, patient health information and personal identifiable information (PII) protection, PCI compliance or any bill codes for card processing, and Sarbanes-Oxley compliance. They said: “[My organization’s] critical [cloud] infrastructure … is anything related to patient health information, laboratory information systems, instrument networks, electronic medical records, electronic healthcare records, and then also — most importantly — is what we call bidirectional or single directional interfaces. So, [that’s] referral laboratories, hospitals, doctors’ offices, [and] point of care facilities.”
  The interviewee said that as a result of the complexity and sensitivity surrounding these workloads, their large organization spent approximately six to nine months on a comprehensive implementation that involved 50 resources in the initial deployment process. Half of these resources were fully dedicated and the other half were at least 50% dedicated. Cloud security operations and networking operations teams were involved, and the organization also retained a third-party systems integrator.
Maintenance. Interviewees described various maintenance scenarios corresponding with their organizations’ Defender for Cloud product deployments.
- The technical manager at the B2B software organization said, “We have three-and-a-half full-time [workers] to help make sure these are all running properly in the background. [They’re] full-time dedicated.”
- The CTO in the life sciences industry estimated that their organization’s fully implemented and adopted Defender for Cloud instance required 15 hours of administration per month as part of a broader multicloud security maintenance routine.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

During the initial period, the composite organization deploys four internal implementation resources to stand up the Microsoft Defender for Cloud environment. During this six-month timeframe, each implementation resource dedicates 520 hours for a total of 2,080 hours of implementation for the first deployment of cloud workloads to the Defender for Cloud environment.
The composite organization continues to deploy an additional 20% of cloud workloads to Defender in both years 2 and 3. With each successive implementation, fewer resources are needed, and less time is required of each resource. This totals 780 hours of implementation labor in Year 1, dropping to 416 hours in Year 2.
The average fully burdened hourly rate for an implementation resource is $85.
In Year 1, the composite organization engages a third-party deployment partner, which costs $50,000 in fees. This partner is engaged in years 2 and 3 for additional deployment efforts, which means the composite incurs additional costs of $25,000 and $20,000, respectively.
The composite organization dedicated up to four resources to maintaining the Defender for Cloud environment. Each resource dedicates approximately 10 minutes per day to maintenance for a total of 250 hours in Year 1. As more workloads are sent to the Defender for Cloud environment, the annual maintenance effort slightly scales to 275 hours in Year 2 and to 330 hours in Year 3.
The average fully burdened hourly rate for a SecOps resource is $85.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this cost.

The number of workloads protected by Microsoft Defender for Cloud.
The implementation requirements and skill sets available.
The total internal FTE effort required for ongoing management.
The fully burdened rates of implementation/SecOps resources.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $477,000.

Implementation And Maintenance

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
G1	Total implementation resources	Composite	4	3	2	0
G2	Total implementation labor time per internal resource (hours)	Composite	520	260	208	0
G3	Total implementation labor time (hours)	G2*G1	2,080	780	416	0
G4	Average fully burdened hourly rate for an implementation resource (rounded)	C5	$85	$85	$85	$85
G5	Subtotal: Internal implementation labor costs	G3*G4	$176,800	$66,300	$35,360	$0
G6	Total resources trained on Defender for Cloud	Composite	4	75	90	120
G7	Average time per resource (hours)	Interviews	2	2	2	2
G8	Subtotal: Internal training costs	Interviews	$680	$12,750	$15,300	$20,400
G9	Subtotal: External implementation cost	Interviews	$50,000	$25,000	$20,000	$0
G10	Percent of workloads protected and addressable by Defender for Cloud	A2	0%	50%	60%	80%
G11	Total resource time dedicated to maintaining the Defender for Cloud environment (hours)	Interviews	0	250	275	330
G12	Average fully burdened hourly rate for an implementation resource	Composite	$85	$85	$85	$85
G13	Subtotal: Maintenance costs	G10G11G12	$0	$10,625	$14,025	$22,440
Gt	Implementation and maintenance	G5+G9+G13	$227,480	$114,675	$84,685	$42,840
	Risk adjustment	↑10%
Gtr	Implementation and maintenance (risk-adjusted)		$250,228	$126,143	$93,154	$47,124
Three-year total: $516,648		Three-year present value: $477,294

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Total costs Total benefits Cumulative net benefits

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

Cash Flow Analysis (Risk-Adjusted Estimates)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($250,228)	($1,354,643)	($1,444,504)	($2,126,124)	($5,175,498)	($4,272,914)
Total benefits	$0	$2,786,608	$3,304,516	$4,336,441	$10,427,565	$8,522,317
Net benefits	($250,228)	$1,431,965	$1,860,013	$2,210,317	$5,252,067	$4,249,403
ROI						99%
Payback						<6 months

Appendix A: Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

Total Economic Impact Approach

Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

PRESENT VALUE (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
NET PRESENT VALUE (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
RETURN ON INVESTMENT (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

Appendix B: ENDNOTES

¹ Forrester defines CWS as a suite of cloud workload security solutions that secure, detect, and respond to threats while governing and protecting cloud workloads at the cloud service provider console (using cloud security posture management and cloud infrastructure entitlement management capabilities), guest operating system (using cloud workload protection), container runtime and container orchestration layer (container protection), infrastructure-as-code (IaC) layer, and serverless functions. Source: The Cloud Workload Security Landscape, Q3 2023, Forrester Research, Inc., September 15, 2023.

² Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders. Unless otherwise noted, all dollar amounts in this study are in US dollars.

³ Forrester defines a breach as an incident resulting in the loss or compromise of data, accompanied by material remediation costs.

⁴ In 2022, the average enterprise dedicated 5.9% of its IT budget to cybersecurity (including personnel, hardware, software, and outsourcing). Source: Security Benchmarks And Recommendations For 2024, Forrester Research, Inc., February 20, 2024.

⁵ Forrester Technographics 2023. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field. Analyses are provided with information rooted with specific data sets most accurately applied to the situations that have been collected in the study.

⁶ Forrester Technographics 2023. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field. Analyses are provided with information rooted with specific data sets most accurately applied to the situations that have been collected in the study.

ABOUT FORRESTER CONSULTING

Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Cookie Settings

This website uses cookies to deliver functionality and enhance your experience. GDPR requires that we obtain your consent before activating these cookies. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.

Executive Summary

Key Findings

Table Of Contents

Key Statistics

99%

$8.52M

$4.25M

$292K

Benefits (Three-Year)

TEI Framework And Methodology

Due Diligence

Interviews

Composite Organization

Financial Model Framework

Case Study

Disclosures

The Microsoft Defender for Cloud Customer Journey

Drivers leading to the Defender for Cloud investment

Interviews

Key Challenges

Investment Objectives

Why Microsoft Defender for Cloud?

Composite Organization

Key Assumptions

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Multicloud And Hybrid Security Infrastructure Consolidation

Multicloud And Hybrid Security Infrastructure Consolidation

SecOps Productivity Gain

SecOps Productivity Gain

Threat Investigation And Remediation Acceleration

Threat investigation and remediation acceleration

Data Breach-Related Cost Reduction

Data Breach-Related Cost Reduction

Audit Compliance Posture Improvement

Audit Compliance Posture Improvement

Unquantified Benefits

Flexibility

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Microsoft Defender for Cloud Fees

Microsoft Defender for Cloud Fees

Implementation And Maintenance

Implementation And Maintenance

Financial Summary

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Cash Flow Analysis (Risk-Adjusted Estimates)

Appendixes

Appendix A: Total Economic Impact

Total Economic Impact Approach

PRESENT VALUE (PV)

NET PRESENT VALUE (NPV)

RETURN ON INVESTMENT (ROI)

DISCOUNT RATE

PAYBACK PERIOD

Appendix B: ENDNOTES

ABOUT FORRESTER CONSULTING