Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying the Microsoft Security portfolio.1 This abstract will focus on organizations’ use of Microsoft Security Copilot.

Microsoft Security includes solutions across five product families designed to manage threat and data protection (including enterprise information management), compliance, and identity. The solutions integrate natively with one another to protect a company’s infrastructure and devices. The goals are to provide the necessary security without the added cost and effort of integrating point security solutions and to centralize signals and management to improve overall security posture. Microsoft refers to this approach as the AI-first, end-to-end security platform.

Microsoft Security Copilot is a generative AI-powered assistant for daily security and IT operations that enables teams to manage and protect at the speed and scale of AI. Microsoft Security Copilot integrates natively with Microsoft Defender, Entra, Intune, and Purview to help detect, investigate, and respond faster. Security Copilot agents bring AI directly into the flow of work, helping teams understand risk with greater context, investigate threats more efficiently, and take action sooner. In November 2025, Microsoft announced that Security Copilot would be included as a part of Microsoft 365 E5 licenses.

Forrester interviewed 11 decision-makers and surveyed 362 customers with experience using Microsoft Security products, some of whom were using Security Copilot. Forrester conducted two additional interviews to gain a deeper understanding of how organizations could extend the benefits of their Microsoft Security investments with Security Copilot. The two in-depth interviews about Security Copilot included:

  • The security operations center (SOC) manager for a government organization in APAC with more than 2,000 employees.

  • An associate director on the security team at a global professional services firm with 50,000 employees.

“Time, cost, and risk are the three factors where Security Copilot provides value. It will optimize your time. It will reduce your costs and reduce your risks.”

SOC manager, government

8 to 10 hours: Time saved per week per identity engineer at a professional services firm

50%: Reduction in risk of a security incident for a government organization

Investment Drivers For Microsoft Security Copilot

The interviewees’ organizations adopted Security Copilot to optimize security staff efficiency, reduce investigation and response times, raise analysts’ baseline skills and consistency, and improve risk visibility and reporting. Challenges with interviewees’ legacy environments included:

  • Limited security staff and growing alert volume. Interviewees faced a capacity gap: The volume and complexity of security signals kept increasing, while headcount and budget did not. This is a common market challenge: In Forrester’s 2026 Security Survey, respondents noted that “too many false positives” was the most significant IT security challenge for their organization, followed by an “understaffed security team.”2

    • The SOC manager for the government organization explained that they ran an in-house SOC with a relatively small team and no 24/7 coverage, and the team faced challenges in after-hours threat response. He explained: “Our SOC is not 24/7, it is 7 to 7. One goal was to find a tool that could provide us with coverage when our engineers and analysts are off their shifts until the next morning.”
    • The associate director at a professional services firm explained that they supported tens of thousands of users globally and that security events related to identity and sign-ins generated thousands of cases. They noted how their analyst team struggled to keep up with volume, saying, “The human ability to find everything has limitations and it depends on the number of resources you have.”

  • Slow and manual investigation processes using many tools. Investigations required analysts to jump between multiple consoles, logs, and data sources, which was slow and error-prone. Manual approaches increased mean time to respond (MTTR), exacerbated analyst fatigue, and increased the risk of missing critical context. The interviewee at the professional services firm detailed a manual process in which identity and access logs were uploaded and correlated to device, IP, and user data, and said, “That process would take anywhere from 1 to 2 hours and involved a lot of clicking on multiple screens because logs existed in different places.”

  • Effort-intensive reporting. The interviewees’ organizations leveraged reporting for key leadership decisions, budget allocation, and risk prioritization. Before using Security Copilot, manual reporting consumed senior staff time and delayed action.

    • The government organization needed operational SOC reports, executive and board-level risk summaries, and ongoing threat intelligence relevant to government and regional risks.
    • The professional services firm needed rapid visibility into risky users, policy gaps, and Zero Trust posture across dozens of conditional access and identity controls.

  • Inconsistent analyst skills and risk of human error. Interviewees’ organizations had teams with mixed experience levels, from junior analysts to senior engineers. Overall, this led to false positives, unnecessary escalations, slower remediation, and burnout. In Forrester’s survey of 2,903 security decision-makers, 19% said that the “unavailability of security employees with the right skills” was the most significant challenge for their organization.3

    • The government organization wanted Security Copilot to help junior analysts perform higher-quality investigations without immediately escalating everything to senior staff.
    • The professional services firm saw mistakes and delays increase later in the workday when engineers were fatigued and had to interpret complex logs manually. The associate director added: “If somebody is working for 8 or 9 hours, the first 3 hours you will see a lot of energy. By hour 8, you will see that person is more susceptible to making errors.”

60% to 70%: Reduction in MTTR for the professional services firm

“With Security Copilot, we can just ask questions in natural language [such as], ‘Show me all the risk for this user in the last 24 hours.’ I get that quickly and can make a decision within a few minutes. There’s not a lot of clicking, no searching, no setting up when you’re accessing logs. It’s so easy.”

Associate director, professional services

Security Copilot Features

The interviewees’ organizations chose to deploy Security Copilot for the following reasons:

  • Security-specific, context-rich generative AI. Security Copilot is purpose-built for cybersecurity. It combines frontier LLM reasoning with a security-specific orchestration layer grounded in customer telemetry and global threat intelligence, enabling outputs that are contextual, explainable, and actionable within governed workflows.

  • Deep integration across Microsoft and third-party security tools. Security Copilot works natively across the Microsoft Security portfolio (e.g., Microsoft Defender, Microsoft Sentinel, Entra, Intune, Purview, Defender for Cloud) and integrates with third-party tools through plugins. Security practitioners can easily pivot across signals, run natural language queries, summarize incidents, and remediate issues without switching tools.

  • Agentic AI with human control. Security Copilot includes Microsoft-built AI agents that can autonomously triage alerts, generate threat intelligence briefings, optimize conditional access, remediate vulnerabilities, and more, while continuously learning from feedback. They operate within Microsoft’s Zero Trust framework and keep humans in control, providing transparency, reasoning, and the ability to approve or adjust outcomes. Additionally, organizations can leverage third-party partner agents and build their own agents.

  • Assistive AI. Although agents can autonomously execute security tasks, Security Copilot also provides analysts with assistive AI capabilities designed to accelerate manual tasks.

Key Results

The results of the investment for the interviewees’ organizations include:

Automated tasks, streamlined work, and saved security team time. Organizations using Security Copilot streamlined operations — reducing response time, accelerating incident remediation, and eliminating low-value manual tasks. Interviewees attributed this to Security Copilot’s ability to collect and deliver consolidated context from multiple tools. Security Copilot also allows security practitioners to navigate complex logs using natural language prompts, reducing effort involved in investigative work.

  • At the government organization, initial analysis is also completely automated. Every new incident is summarized automatically, giving analysts immediate insight into scope, users, devices, and risk before manual investigation begins. The SOC manager estimated that they had reduced triage time by at least 30% and could ensure that the right staff was assigned to an issue in minutes.

  • The professional services firm eliminated log hunting with the Threat Hunting Agent, and tasks that previously required deep log analysis are now delivered as summaries in minutes. The associate director stated that their identity engineers had eliminated 8 to 10 hours of manual ticket work per week per person, which could now be redeployed to other backlogged projects.

“You indicated that adopting Microsoft Security solutions lowered IT labor and IT costs due to less security team effort at your organization. Which of the following efficiencies has your organization experienced as a result?”

  • Fewer hours spent on incident detection
  • Fewer hours spent on employee training
  • Fewer hours spent on incident response
  • Fewer hours spent on incident remediation

Base: 33 global IT and security decision-makers at large enterprises using Microsoft Security Copilot as part of their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

Improved reporting, decision-making, and security outcomes. Interviewees’ organizations used Security Copilot’s Threat Intelligence Briefing Agent to transform reporting from a fragmented and manual task into an automated and insights-driven process serving multiple audiences. Better, automated reporting allowed their organizations to communicate threats quickly and clearly at an executive level — enabling proactive actions that improved security outcomes.

  • The government organization automated reporting by using Security Copilot to generate daily and weekly SOC reports that previously required analysts to pull data manually from multiple tools. Copilot also automatically summarizes technical security activities in high-level reports for the CISO and the board. The organization also leverages the Microsoft Threat Intelligence Briefing Agent for threat intelligence briefings, producing recurring reports tailored to government and region-specific threats. The SOC manager estimated that this eliminated hours of research and synthesis on their behalf and saved roughly 30% to 35% of their time.

  • The professional services firm improved reporting with the Identity Risk Management Agent by replacing log-heavy, script-driven reporting with query-based insights embedded into daily identity and security operations. Its analysts can now generate actionable reports with natural language prompts instead of manually creating reports or scripts. The firm also leverages Microsoft’s Conditional Access Optimization and DLP Triage agents to surface risky users, misconfigurations, and gaps in policies continuously and automatically, which previously took days or weeks.

“You indicated that adopting Microsoft Security solutions improved security posture (including compliance and identity) at your organization. Which of the following has your organization experienced as a result?”

  • Decreased risk of data breaches
  • Fewer data breaches/incidents
  • Better compliance with company and/or regulatory requirements
  • Lower costs associated with data breaches/incidents

Base: 41 global IT and security decision-makers at large enterprises using Microsoft Security Copilot as part of their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

Upleveled staff and avoided hiring additional security resources. Forrester’s research shows that staffing and skill shortages are a key challenge for security leaders. Security Copilot helps organizations eliminate manual administrative work and streamline investigations, allowing them to achieve more with existing teams.4 Interviewees also noted that the ability to use natural language prompts enabled lower-level staff to perform higher-level tasks.

  • The government organization avoided adding two headcounts to its team of nine, while the professional services firm avoided adding four resources to its team of 18 to 22.

  • The SOC manager for the government organization highlighted that Copilot guides junior analysts through investigations, which reduces escalations and false positives while cutting investigation times.

 TOTAL ECONOMIC IMPACT ANALYSIS

For more information on the broader Microsoft Security value story, download the full study: “The Total Economic Impact™ Of Microsoft Security,” a commissioned study conducted by Forrester Consulting on behalf of Microsoft, May 2026.

Study Findings

While the value story above is based on two interviews, Forrester interviewed 11 total representatives at organizations and surveyed 362 customers with experience using Microsoft Security and combined the results into a three-year financial analysis for a composite organization. Risk-adjusted present value (PV) quantified benefits for the composite organization include:

• Improved security posture that reduces the likelihood of a breach by up to 30%.

• Reduced annual technology spend by up to 23%.

• Saved business users an average of 50 minutes per week.

124%: Return on investment (ROI)

$16.6 million: Net present value (NPV)


Appendix A

Endnotes

1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

2 Source: Forrester’s Security Survey, 2026.

3 Ibid.

4 Ibid.

Disclosures

Readers should be aware of the following:

This study is commissioned by Microsoft and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Security Copilot.

Microsoft reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Microsoft provided the customer names for the interviews but did not participate in the interviews.