The Total Economic Impact™ Of Microsoft Security

Executive Summary

Companies of all sizes and industries are at increased risk of security breaches across multiple vectors — including external and internal actors — and compliance violations as they struggle with growing amounts of data and an ever-changing regulatory landscape. At the same time, risks continue to increase with the rise of AI as both a technology that companies use for business-value creation and IT security and a technology that bad actors use to exploit vulnerabilities. Some companies have found that integrating point solutions leads to security gaps and requires significant cost and effort to maintain and improve. This approach supports Zero Trust adoption by unifying identity, device, data, and threat signals into a single, AI-powered security platform, reducing complexity while improving protection across traditional and AI-driven workloads.

Microsoft Security includes solutions across five product families designed to manage threat and data protection (including SIEM), compliance, and identity. The solutions integrate natively with one another to protect a company’s infrastructure and devices. The goals are to provide the necessary security without the added cost and effort of integrating point security solutions and to centralize signals and management to improve overall security posture. Microsoft refers to this approach as the AI-first, end-to-end security platform.

Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Microsoft’s security solutions.¹ The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Microsoft Security on their organizations.

124%

Return on investment (ROI)

$16.6 million

Net present value (NPV)

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed 11 decision-makers and surveyed 362 customers with experience using Microsoft Security products. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization.

Interviewees said that prior to deploying a unified platform of Microsoft Security products, their organizations typically pieced together a handful of security point solutions from different vendors, including Microsoft. Prior solution selection was typical based on best-of-breed point solution selection, team tool preferences, and single point of failure avoidance by relying on one vendor. However, this approach left them with lapses in security, lack of adherence to internal compliance policies, and overworked security teams.

After the investment in Microsoft Security solutions, the interviewees’ and survey respondents’ organizations improved their overall security postures, accelerated their Zero Trust journeys, controlled technology spend by consolidating vendors and maximizing the value of their existing Microsoft 365 E5 licenses,² reduced security team efforts, and enabled business innovation.

“Which of the following do you feel your organization has realized due to Microsoft Security solutions?”

[CHART DIV CONTAINER]

Improved security posture (including compliance and identity) Lowered IT costs due to less security and IT team effort Increased customer satisfaction Improved business outcomes (including non-IT employee productivity) Increased employee satisfaction Reduced costs due to license/tool consolidation

Strongly agree

Agree

Base: 362 global IT and security decision-makers at large enterprises using Microsoft Security as their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

Improved security posture that reduce likelihood of a breach by up to 30%. The composite organization reduces the likelihood of a breach from multiple threat vectors by deploying the full Microsoft Security portfolio: AI-powered threat protection from Microsoft Defender and Sentinel; data security, compliance, and privacy with Microsoft Purview; and management of human and non-human identities, applications, and devices with Microsoft Entra and Intune. The combined use of these solutions reduces both the likelihood of a successful breach and the impact of attacks that do occur. As a result, the magnitude and cost of successful incidents are reduced by up to 25%. Over the three-year analysis, this improved security posture is worth $1.7 million.
Reduced annual technology spend by up to 23%. Microsoft Security solutions are included in E5 licensing. By utilizing existing licenses, the composite organization can retire license and consumption costs for existing SIEM, endpoint management, identity, compliance, and threat detection solutions. The composite recognizes additional savings from professional services costs for its incumbent solutions. External technology cost savings total $11.6 million over three years.
Avoided increasing security, compliance, and helpdesk team headcount by up to 32%. The composite organization’s IT and security teams benefit from ease of integration, management, and remediation with Microsoft Security. Microsoft identity solutions also enable self-service options for end users, thereby reducing ticket volume, and the composite utilizes automation capabilities to further reduce workloads for internal users. The composite deploys existing IT labor to other high-value tasks within the organization that it otherwise would have to hire additional FTEs to complete. Over three years, improved internal productivity is valued at $1.7 million.
Business users saved an average of 50 minutes per week. Fewer successful breaches lead to less downtime for end users at the composite. Additionally, its employees benefit from easier single sign-on (SSO) and device onboarding. This improved productivity results in an average of 43 hours of additional work time per user over one year and is valued at $15.0 million total over three years.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

Supports Zero Trust. As organizations expand cloud and AI adoption, Zero Trust is essential to reduce risk by continuously verifying identities, enforcing least-privilege access, and assuming a breach. While Zero Trust is a strategic priority, limited resources and disparate systems can make holistic adoption difficult. By delivering integrated identity, device, data, and threat protections, Microsoft Security enables organizations to operationalize Zero Trust controls consistently without added cost or complexity, while extending these same principles to emerging AI and agentic workloads.
Streamlined processes to find and train talent. Microsoft Security builds off the widely adopted Microsoft portfolio, making it easier for the composite to find and train practitioners.
Improves employee experience. Microsoft Security reduces identity and access friction, improving the composite’s end-user experience.

Flexibility. The incremental future value of Microsoft AI investments stem from the composite’s use of:

Security Copilot. Microsoft Security Copilot is a generative AI-powered assistant for daily operations in security and IT that enables teams to manage and protect at the speed and scale of AI. Security Copilot agents bring AI directly into the flow of work, helping teams understand risk with greater context, investigate threats more efficiently, and take action sooner. Interest in Security Copilot increased following Microsoft’s November 2025 announcement that Security Copilot agents would be included with Microsoft 365 E5 licenses.

Agent 365. Agent 365 provides a forward‑looking foundation for organizations adopting agentic AI by serving as a centralized control plane for AI agents. It supports visibility, permission management, and governance of agent behavior, helping organizations extend established security and identity practices from users to agents as AI usage scales.
Expert-led services. Microsoft also offers expert-led security services, including technical advisory, managed detection and response (MDR), and incident response, that complement its security solutions. Although not included in the scope of this analysis, these services provide additional flexibility for organizations seeking expert guidance as they scale AI, agents, and Zero Trust–aligned security practices.
Microsoft 365 E7. Microsoft 365 E7 is not included in the scope of this analysis, but as of May 1, 2026, it is generally available. This “Frontier Suite” includes Microsoft Copilot, Agent 365, and Entra Suite, illustrating how Microsoft continues to evolve its productivity, AI, and security offerings by bringing together AI experiences and enterprise-grade security and governance for both human and agent identities. When organizations adopt Microsoft 365 E7, it may provide additional flexibility to extend AI and agentic workloads with the same infrastructure of Microsoft Security tools evaluated in this study.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Microsoft licensing and consumption costs of $10.6 million. This study uses the $21 per user per month uplift from the Microsoft 365 E3 to E5 cost as a proxy for the Microsoft license cost. The composite incurs additional consumption costs for Microsoft Sentinel and Defender for Cloud.
Professional services and internal labor costs of $2.8 million. The composite incurs upfront professional services and internal implementation costs. It has annual ongoing professional services costs primarily for security operations center (SOC) management, as well as internal costs for user training and platform management.

The financial analysis that is based on the interviews found that a composite organization experiences benefits of $30.0 million over three years versus costs of $13.4 million, adding up to a net present value (NPV) of $16.6 million and an ROI of 124%.

Total cost of ownership (TCO) savings over three years

$3,006,650

“I like Microsoft because it’s the only vendor that provides a single view or a single location for all the security needs: cloud posture, endpoint protection management, data loss prevention. You don’t have that many vendors today that have the Swiss Army Knife-style platform.”

Regional CISO, engineering

“Microsoft Security allows us to deploy modern solutions and be on the leading edge of technologies at enterprise scale.”

Senior information security officer, NGO

Key Statistics

124%

Return on investment (ROI)

$30.0 million

Benefits PV

$16.6 million

Net present value (NPV)

<6 months

Payback

Benefits (Three-Year)

[CHART DIV CONTAINER]

Improved security posture Avoided costs - external spend Avoided costs - internal IT labor Enable business innovation

The Microsoft Security Customer Journey

Drivers leading to the Microsoft Security investment

Interviews

Role	Industry	Region	Employees
Senior information security officer Senior IT officer	NGO	Global	30,000
Regional CIO	Government	United States	80,000
Director of technology and security	Healthcare	United States	4,000
Regional CISO	Engineering	Canada	24,000
Senior director, global information security	Hospitality	Global	170,000
Identity and access management (IAM) engineer End user computing manager	Retail	Europe	24,000
Senior enterprise architect	Petrochemical	Global	5,000
Global CISO	Professional services	Global	275,000
Associate director	Professional services	Global	50,000

Key Challenges

Before fully moving to Microsoft Security, interviewees and survey respondents used a collection of point solutions for threat protection, data security, identity and access, and device management. This approach led to coverage gaps, labor inefficiencies, and excessive license and consumption costs. Additionally, the patchwork security environment inhibited business through operational inefficiencies, resource drain, and downtime.

Interviewees noted how their organizations struggled with common challenges, including:

Inadequate threat protection of prior solutions. Interviewees noted that their prior environments of stitched-together security tools provided inadequate protection against a growing variety of complex threats. Interviewees singled out their identity and access solutions as being unsecure, driving their adoption of new Microsoft Security solutions.
Lack of adherence to internal compliance policies. Interviewees highlighted compliance as particularly difficult to enforce without dedicated tools and automation. Before deploying Microsoft solutions, interviewees relied on targeted manual enforcement and/or employee honor systems, which resulted in lax compliance.
Lack of resources to holistically approach Zero Trust. Interviewees’ organizations wanted to adopt Zero Trust to reduce their threat surface across users, data, and applications, but limited staff and fragmented tooling slowed execution, particularly as cloud and AI adoption increased.
Overworked teams. Interviewees said that their organizations’ security teams had limited budgets, and bringing in additional resources was not an option. These teams needed that required limited integration management and provided automation for rote tasks.

“What goals/challenges did your organization hope to address?”

[CHART DIV CONTAINER]

Improve security posture Contain costs related to security, compliance, and/or identity technology tools Improve business performance by enabling growth Provide efficiencies for security teams Enable business innovation Improve compliance and better meet regulatory requirements Others

“One of the driving factors was our CIO wanted it now, and we could get Intune up and running in near real time as opposed to going through the RFP process, contracting, cyber reviews, configuration, onboarding, and testing. It could have been a six- to nine-month process had we chosen an alternative solution.”

Senior director, global information security, hospitality

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

Description of composite. The composite organization is a global, B2B organization with 10,000 employees. It currently employs 15 security and compliance FTEs who regularly use Microsoft Security solutions.
Deployment characteristics. The composite organization previously followed a point solution integration approach that tied together various data security, compliance, and identity solutions. It also had a Microsoft 365 E3 license, so it explored moving to the solutions included in the E5 license. It now uses Microsoft solutions across all five product families: Microsoft Defender, Microsoft Entra, Microsoft Intune, Microsoft Purview, and Microsoft Sentinel. The composite built its SOC on Microsoft Sentinel, and it has a professional services contract for threat detection as part of the SOC operation.
The composite organization took a “good, better, best” approach to implementing Microsoft Security, which involved establishing better visibility across all systems and reactive responses to threats (good), proactive management to address vulnerabilities before active attacks (better), and more automation and cross-vector protections (best).

KEY ASSUMPTIONS

10,000 employees
15 security and compliance FTEs
Uses solutions across all five product families

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Improved security posture	$499,500	$720,000	$855,000	$2,074,500	$1,691,506
Btr	Avoided costs — external spend	$3,856,680	$4,672,125	$5,660,280	$14,189,085	$11,619,985
Ctr	Avoided costs — internal IT labor	$404,820	$719,550	$968,760	$2,093,130	$1,690,531
Dtr	Enabled business and innovation	$3,698,000	$7,396,000	$7,396,000	$18,490,000	$15,030,939
	Total benefits (risk-adjusted)	$8,459,000	$13,507,675	$14,880,040	$36,846,715	$30,032,961

Improved Security Posture

Evidence and data. Microsoft Security products from the five product families improved interviewees’ security posture in several ways: It improved threat blocking and reduced the number of incidents, improved compliance and data loss prevention, achieved faster mean time to detect (MTTD) and mean time to respond (MTTR), provided better visibility into endpoint activity, and reduced the blast radius. Organizations’ security roadmaps varied and started with either threats, identity, or compliance based on their needs. Interviewees and survey respondents shared the following examples of how their security posture improved:

The regional CIO for a government organization estimated that the combination of Microsoft Intune and Microsoft Defender strengthened their device posture, reducing MTTD and MTTR by 50%. They added that Microsoft Entra improved their identity risk by 30%, and Microsoft Sentinel improved their security response times by 25% to 30% with auto remediation and fewer false positives.
The senior enterprise architect at a petrochemicals firm explained that Microsoft Security products offered proactive security recommendations they found highly useful when deploying and configuring security tools. The proper configurations and improved visibility into phishing provided by their Microsoft Security deployment helped them reduce attacks by 20% to 30%. They elaborated: “Visibility has gone up, not because of bad things, but because we never looked at it. Now we are able to do some real insider risk investigations and report on it.”
The two interviewees at the NGO stated that Microsoft Security products had materially reduced their organization’s overall cybersecurity risk, as exhibited by their cybersecurity premiums remaining flat. The senior information security officer stated: “The one concrete thing we can point to is our cybersecurity insurance premiums. … We check all the boxes, and there are other people that don’t.”
The healthcare firm saw a 30% to 40% increase in first run identification of events and reduced trap events by 20% when using Microsoft Defender. The director of technology and security detailed: “We also got much greater performance out of having one solution provider, and Defender really blossomed in the environment with being able to see more on the inbound side of activities when it came to email especially. … When it came to the detect and the respond portion of the [NIST] framework as far as specific KPIs, we’re seeing a lot more threat detection in that Defender suite.”
The regional CISO for the engineering firm explained: “[Purview] helped us to identify potential misuse of the platforms, [such as] when people classify something as confidential and a few minutes later classify it as internal. I noticed this behavior of misclassification used to bypass controls, and in one of the investigations, the data that was being sent was not supposed to be sent to an external entity. Considering the labels and the rules that we have set, I estimate a 30% [reduction in insider risk with Purview].”
The hospitality organization used Microsoft Purview to identify traffic patterns moving in and out of its environment and was able to flag improperly provisioned SharePoint sites, reducing insider risk by an estimated 25%. The senior director of global information security elaborated, “A tool like Purview that allows us to have better visibility and resultant governance over confidential information that could trigger data breach responses is going to reduce the likelihood because we’re going to see it and we’ve already potentially configured technical prohibitive controls to prevent it from happening.”
Among survey respondents, 68% indicated that they decreased the risk of data breaches, 58% had fewer data breaches, and 52% were in better compliance with their company’s and/or regulatory requirements.

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

In an average year, the composite organization’s annual risk exposure that is addressable by Microsoft Security products is $2.3 million.³ This risk is calculated based on the number of employees and assumes use of the full Microsoft Security portfolio, which addresses external attacks targeting organizations, external attacks targeting remote environments, internal incidents, and attacks or incidents involving the external ecosystem.⁴
After completing the Microsoft Security deployment, the composite reduces its likelihood of a breach by up to 30%. This benefit progresses over the three-year analysis as the composite organization moves through the good, better, best approach to its security deployment.
The composite also reduces the cost of successful breaches by up to 25%. With faster MTTD and MTTR and a reduced blast radius, the organization limits the damage of any successful incident and minimizes downtime for end users impacted by security-related outages.

Risks. This benefit may vary for other organizations. Specific risk concerns include:

The prior frequency of breaches and the total cost of a breach.
Which Microsoft Security solutions an organization deploys and the maturity of its IT security organization related to threat detection and remediation.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.7 million.

30%

Reduction in data breach exposure

25%

Reduction in cost to remediate remaining breaches

“From the endpoint perspective, we’ve seen fewer incidents. The incidents we have, we are now able to see them and respond to them quicker.”

Director of technology and security, healthcare

“I’m better able to enforce Zero Trust because of the data [in Defender and Sentinel]. It can correlate and aggregate data from all these various products, and that’s what’s going to really offer a lot of enhanced value to your enterprise.”

Regional CIO, government

Improved Security Posture

Ref.	Metric	Source		Year 1	Year 2	Year 3
A1	Annual risk exposure addressable with Microsoft Security solutions	Forrester research		$2,250,000	$2,250,000	$2,250,000
A2	Reduced likelihood of a breach from addressable attacks with Microsoft Security solutions	Interviews and survey		15%	25%	30%
A3	Savings due to reduced likelihood of a breach	A1*A2		$337,500	$562,500	$675,000
A4	Reduction in total cost of remaining breaches	Interviews and survey		15%	20%	25%
A5	Savings from lower costs associated with remaining breaches	(A1-A3)*A4		$286,875	$337,500	$393,750
At	Improved security posture	A3+A5		$624,375	$900,000	$1,068,750
	Risk adjustment	↓20%
Atr	Improved security posture (risk-adjusted)			$499,500	$720,000	$855,000
Three-year total: $2,074,500			Three-year present value: $1,691,506

Avoided Costs — External Spend

Evidence and data. Moving from a point solution integration approach to a unified Microsoft Security platform lowered license costs for interviewees and survey respondents. For those who already had Microsoft 365 E5 licenses, the savings could be larger if considered a sunk cost for the business case. Additionally, organizations discontinued external professional services spend associated with the ongoing use of incumbent point solutions. Interviewees and survey respondents shared the following examples of how they reduced external spend:

The senior information security officer for the NGO stated: “The pace at which we’ve adopted [Microsoft Security solutions] has allowed us to retire a lot of legacy tools. So we’ve avoided a lot of legacy debts from aging systems as a result of the strategy.” They added that replacing Active Directory with Entra ID allowed them to retire domain controllers in regional offices worldwide, avoiding further hardware and maintenance spend.
Multiple interviewees directly replaced a best-of-breed point solution with a Microsoft Security product included in their organization’s existing E5 licensing and saw immediate savings by discontinuing those products. The regional CIO in government stated that moving from their incumbent IAM solution to Entra ID reduced their TCO by 10% to 20%, and the regional CISO at the engineering firm said they recognized a 20% savings using Defender for Cloud over an alternative cloud security product.
The senior director of global information security for the hospitality firm explained that using the Microsoft Security portfolio lowered their organization’s licensing spend, “The alternatives were at least 15% or more from a licensing perspective.” They also described avoiding $500,000 in professional services costs required to integrate their point solution deployment: “We value that it’s an integrated solution. It’s not a bunch of bolt-on APIs that we then have to do mass configuration to set up and then manage through a lifecycle process. That’s the benefit of things like Intune and Purview. It’s a lower level of effort. It’s a quicker go-live model. In some cases, it’s a matter of flipping a switch and you’re live.”
The retail organization lowered its security TCO by 50% by moving its security portfolio into Microsoft. The IAM engineer explained: “Total cost of ownership has been a big point for us. Before, we had to have our own different team that took care of the infrastructure. We had another team taking care of the security of the same infrastructure. We had to find resources that could develop only on that specific platform. It was very difficult to find people, and also applying security or introducing patching came at a very high cost. Now we are getting the best security built into the product from industry leaders.”
Among survey respondents, 37% reported reduced costs due to license or tool consolidation. Reduced spend on licenses was the driving factor in reducing costs (61%), but respondents also indicated that they had lowered internal management costs (46%), hardware spend (36%), and professional service costs (32%).

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

The composite reduces its security portfolio TCO by up to 30% over three years when using Microsoft Security products instead of alternative point solutions. This benefit is incremental as the organization’s Microsoft Security roadmap matures and it discontinues additional point solutions. The TCO comparison includes licenses, management labor, and any required hardware.
The composite organization incurs $330,000 in annual professional service fees related to the management and maintenance of its incumbent security solutions.

Risks. This benefit may vary for other organizations. Specific risk concerns include:

The extent to which an organization consolidates onto Microsoft’s portfolio.
Existing contracts and the speed at which an organization can deprecate licenses or decommission hardware.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $11.6 million.

20%

Lower TCO when consolidating on Microsoft Security portfolio

“Microsoft offers an overall comprehensive set of security tools and functionality at a competitive price point.”

Regional CIO, government

Avoided Costs — External Spend

Ref.	Metric	Source		Year 1	Year 2	Year 3
B1	Avoided external technology spend	Y1: Et(1+20%) Y2: Et(1+25%) Y3: Et*(1+30%)		$3,955,200	$4,861,250	$5,959,200
B2	Lower cost of consolidation onto Microsoft Security portfolio compared to previous solutions	B1-Et		$659,200	$972,250	$1,375,200
B3	Professional services (non-Microsoft scenario)	F1*(1+10%)		$330,000	$330,000	$330,000
Bt	Avoided costs — external spend	B1+B3		$4,285,200	$5,191,250	$6,289,200
	Risk adjustment	↓10%
Btr	Avoided costs — external spend (risk-adjusted)			$3,856,680	$4,672,125	$5,660,280
Three-year total: $14,189,085			Three-year present value: $11,619,985

Avoided Costs — Internal IT Labor

Evidence and data. According to interviewees, consolidating onto a single platform had the biggest impact on team efficiency, largely because point solution integration created more upfront and ongoing work, including maintenance and workflow complexity. They stressed that even if cost was not an issue, it was nearly impossible to recruit and retain enough IT security professionals. Interviewees and survey respondents shared the following examples of how they could provide the same or better security without having to significantly grow the size of their IT and security teams:

Reducing password resets and IAM issues was particularly beneficial for interviewees. The engineering organization saw a 70% reduction in help desk tickets related to IAM after adopting Entra, which meant avoiding thousands of tickets per month. The petrochemical firm enabled self-service for password resets that reduced IT tickets by 30%.
The hospitality firm saw significant time savings across its entire security and IT team, including a 50% time reduction to monitor Microsoft 365 for compliance as documents are now scanned and properly classified upon creation. The firm also reduced audit activities by 40% to 50% as evidence for auditors was readily visible and available in the Microsoft deployment.
The regional CIO at the government organization saw their security team become 25% more productive, noting the auto remediation capabilities of Microsoft Sentinel. The director of technology and security at the healthcare organization also highlighted a 25% to 30% efficiency improvement for their security engineering team, who no longer had to worry about patching and configuration and were redeployed to new projects like IoT security.
The healthcare organization avoided hiring an additional one to two FTEs, which was important as it had a limited budget. The director of technology and security explained, “Once we got the Defender suite deployed, definitively there has been a reduction in the upkeep of that, maybe a 5% reduction, maybe even up to 10% of the work required to keep the clients installed and functioning where we’re having to actually monitor and remediate issues with the clients for Defender.”
The regional CISO for an engineering firm explained that they leveraged Microsoft Purview to automatically enforce compliance policies and reduce the time spent on compliance activities by 15%. Previously, they would have to hold awareness meetings with users and then perform manual monitoring and enforcement.

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

The composite organization employs 10 helpdesk FTEs, 10 security FTEs, and five compliance FTEs who work with Microsoft Security products directly.
Without Microsoft Security, the composite organization would need to increase helpdesk team size by 25%, security team size by 40%, and compliance team size by 30% by Year 3.
The average fully burdened annual salaries for these FTEs are $83,200 for helpdesk, $162,500 for security, and $145,600 for compliance.

Risks. This benefit may vary for other organizations. Specific risk concerns include:

The size of relevant IT, security, and compliance teams.
The extent of consolidation onto Microsoft Security solutions and the degree of automation, artificial intelligence, and machine learning applied.
Prevailing labor rates.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.7 million.

40%

Avoided additional security labor by Year 3

“Which IT groups/user types have saved time/have been more efficient since adopting Microsoft Security solutions?”

[CHART DIV CONTAINER]

SecOps IT ops Helpdesk DevOps Internal audit and compliance Developers

Base: 244 global IT and security decision-makers at large enterprises using Microsoft Security as their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

“We’ve seen a reduction [in time] when we have an event. So we don’t have the security staff to sit there and monitor some logs and go through a lot of that on a day-to-day basis. But when we do have an event identified, the research into those root causes or the root issue at hand is much faster.”

Director of technology and security, healthcare

“We probably would have had to rely on both internal and short-term staff augmentation of subject matter experts, whatever that alternative tooling would have been.”

Senior director, global information security, hospitality

Avoided Costs — Internal IT Labor

Ref.	Metric	Source		Year 1	Year 2	Year 3
C1	Helpdesk FTEs			10	10	10
C2	Avoided additional helpdesk headcount	C115%(Y1) C120%(Y2) C1*25%Y3		1.5	2.0	2.5
C3	Average fully burdened annual salary for a helpdesk FTE	Composite		$83,200	$83,200	$83,200
C4	Subtotal: Helpdesk labor savings	C2*C3		$124,800	$166,400	$208,000
C5	Security FTEs			10	10	10
C6	Avoided additional security team headcount	C520%(Y1) C530%(Y2) C5*40%(Y3)		2.0	3.0	4.0
C7	Average fully burdened annual salary for a security FTE	Composite		$162,500	$162,500	$162,500
C8	Subtotal: Security labor savings	C6*C7		$325,000	$487,500	$650,000
C9	Compliance FTEs			5	5	5
C10	Avoided additional compliance team headcount	C90%(Y1) C920%(Y2) C9*30%(Y3)		0.0	1.0	1.5
C11	Average fully burdened annual salary for a compliance FTE	Composite		$145,600	$145,600	$145,600
C12	Subtotal: Compliance labor savings	C10*C11		$0	$145,600	$218,400
Ct	Avoided costs — internal IT labor	C4+C8+C12		$449,800	$799,500	$1,076,400
	Risk adjustment	↓10%
Ctr	Avoided costs — internal IT labor (risk-adjusted)			$404,820	$719,550	$968,760
Three-year total: $2,093,130			Three-year present value: $1,690,531

Enabled Business And Innovation

Evidence and data. Interviewees noted that their organizations must always balance creating secure and compliant environments, providing business users the access and tools they need to be productive, and avoiding excessive friction in business processes. Improved business outcomes could manifest in many ways, such as better user productivity, better internal and external collaboration, faster time to market, and increased revenues. Interviewees stressed the importance and benefits of providing security in ways that improved business productivity and outcomes, including the following examples:

The senior director of global information security for the hospitality firm explained that adopting Microsoft Security solutions reduced barriers to enable a work-from-home model that ultimately made their employees more productive: “It’s good to know that the end user has a secure, corporate-supported device to facilitate those out-of-office work obligations. And instead, people aren’t leaving their laptops in the office, forwarding emails home, connecting to either a call or dialing in from who knows where, and [not thinking about] how it is secured. So, it gives us greater control over those activities while also facilitating people to have easy, timely, readily available solutions.”
The petrochemical firm automated guest account management, reducing friction in working with its vast partner ecosystem. The senior enterprise architect explained, “Fully automated Azure guest accounts no longer managed by internal users streamline third-party onboarding.”
The IAM engineer and end user computing manager for a retail firm explained that their workforce used a large portfolio of applications to complete their day-to-day work. With Microsoft Entra, they automated access management for these tools, which had a meaningful impact on worker productivity. Their firm also experienced labor savings for employee onboarding and offboarding, as well as reduced time until employees became fully productive. The end user computing manager explained: “To operate the stores, you have employees, and they need to access almost 50-plus tools to actually do their day-to-day job, and those tools require access and obviously access requires manual effort. Cost is very high if you have high employee turnover. We have automated all this stuff through [the Microsoft] platform.”
Among survey respondents, 56% saw increased user productivity, and 51% saw increased revenue after adopting Microsoft Security solutions.

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

Improved employee productivity is used as a proxy for various forms of improved business outcomes since employees should create value that is equal to their compensation (at a minimum).
Each employee saves an average of 50 minutes per week from improved SSO, more efficient device onboarding, better system performance compared to VPN access, and better collaboration tool and process support. The composite realizes half of this benefit Year 1 as it completes the rollout and moves through the good, better, best progression.
The average fully burdened hourly rate across all 10,000 employees is $43.

Risks. This benefit may vary for other organizations. Specific risk concerns include:

Previous security systems and processes.
The type of employees and nature of their work.
An organization’s geography and the prevailing labor rates.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $15 million.

Hours saved per year

“You indicated that adopting Microsoft Security solutions improved business outcomes at your organization. Which of the following has your organization experienced as a result?”

[CHART DIV CONTAINER]

Increased user productivity for non-IT employees Increased revenue Faster time to market for new products and services Better collaboration with external parties

Base: 202 global IT and security decision-makers at large enterprises using Microsoft Security as their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

“[Microsoft Security] allows us to deploy modern solutions and be on the leading edge of technologies at enterprise scale.”

Senior information security officer, NGO

Enabled Business And Innovation

Ref.	Metric	Source		Year 1	Year 2	Year 3
D1	Annual time savings per employee (hours)	Survey and interviews (50% in Year 1)		21.5	43.0	43.0
D2	Average fully burdened hourly rate for employees	Composite		$43.00	$43.00	$43.00
D3	Headcount	Composite		10,000	10,000	10,000
D4	Productivity recapture			50%	50%	50%
Dt	Enabled business and innovation	D1D2D3*D4		$4,622,500	$9,245,000	$9,245,000
	Risk adjustment	↓20%
Dtr	Enabled business and innovation (risk-adjusted)			$3,698,000	$7,396,000	$7,396,000
Three-year total: $18,490,000			Three-year present value: $15,030,939

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

Supports Zero Trust. Interviewees noted that Microsoft Security helped them move from a Zero Trust mindset to consistent enforcement across identity, access, and security operations, improving response times, reducing risk, and supporting secure adoption of new technologies. A senior information security officer for an NGO explained: “So XSOAR was actually a Zero Trust project, and I think one of the reasons we’re measuring mean time to respond now is as a result of XSOAR. We have seen improvements because we’ve implemented XSOAR playbooks.”
Streamlines processes to find and train talent. Interviewees noted that it was much easier to find talent to use and manage Microsoft products than alternative vendors. They added that familiarity with the product portfolio and low-code/no-code features had allowed them to repurpose existing IT resources for their security teams. The senior enterprise architect at a petrochemical company stated: “Almost 30% to 40% of our security team is prior infrastructure or plant operations, IT operations. Even during our last investigation, the desktop manager, he was helping because he’s extremely smooth in the Microsoft stack, the APIs, the logging, and everything else. We have definitely seen a huge benefit to adopting one portfolio or one stack for people and processes alike.”
Improves employee experience. Interviewees noted that adopting a unified Microsoft platform for security reduced friction for users and led to better system performance. Employees appreciated automated self-service features for identity and access. The senior IT officer for an NGO stated, “User experience is also better because we’ve gotten rid of this legacy debt and we have a more modern experience.”

“You previously indicated that your organization has adopted a Zero Trust approach as a benefit. What metrics or outcomes best demonstrate the impact of Zero Trust adoption at your organization?”

[CHART DIV CONTAINER]

Improved identity protection MFA/Conditional Access coverage Device compliance/EDR coverage Privileged access reduction (PIM/JIT) Minimized blast radius Reduction in lateral movement ZTNA/SASE adoption Data protection metrics SecOps outcomes

Base: 297 global IT and security decision-makers at large enterprises using Microsoft Security as their end-to-end security solution across security, compliance, and identity
Source: Microsoft Security Solutions Study, a commissioned study conducted by Forrester Consulting

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Microsoft Security and later realize additional uses and business opportunities, including:

Security Copilot. Some interviewees noted that Security Copilot helps them move from alert overload to decisive action by bringing AI directly into the flow of work, enabling them to triage faster, focus on what matters most, and operate far more efficiently as security demands evolve. The associate director for a professional services firm explained: “I have eight people working on security and identity. Across everything they do, they are each saving 8 to 10 hours per week because of Security Copilot.” The interviewee added that Security Copilot plays prominently into their future plans: “One year from now, if I didn’t have Security Copilot, I would need to add four people to my team. I had an open rec for that and removed it.” Finally, the interviewee explained that organizational efficiencies seen from Security Copilot extended beyond their security practitioners: “We receive 1,500 to 2,000 tickets a year for business user security lockouts. With Security Copilot, we’ve been able to reduce the amount of downtime from 5 hours to 1 hour.”
Agent 365. As companies adopt agentic AI, they need to understand and prepare for new security and operational issues. Agent 365 can improve visibility, simplify management, and reduce associated security and compliance risks. The global CISO for a professional services firm explained, “Agent 365 gives me line of sight across all my agents and instant insights into what is going on.”
Expert-led services. Microsoft also offers expert-led security services, including technical advisory, MDR, and incident response, that complement its security solutions. Although not included in the scope of this analysis, these services provide additional flexibility for organizations seeking expert guidance as they scale AI, agents, and Zero Trust–aligned security practices.
Microsoft 365 E7. Microsoft 365 E7 is not included in the scope of this analysis, but as of May 1, 2026, it is generally available. This “Frontier Suite” includes Microsoft Copilot, Agent 365, and Entra Suite, illustrating how Microsoft continues to evolve its productivity, AI, and security offerings by bringing together AI experiences and enterprise-grade security and governance for both human and agent identities. When organizations adopt Microsoft 365 E7, it may provide additional flexibility to extend AI and agentic workloads with the same infrastructure of Microsoft Security tools evaluated in this study.

“Microsoft has done an excellent job developing security agents such as identity and intelligence. … Microsoft is innovating as fast as tech startups in the space.”

Global CISO, professional services

“We don’t have to do third-party integration for managing other agents, which would require a separate management team. That would probably be six to seven people.”

Global CISO, professional services

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1	Year 2	Year 3	Total	Present Value
Etr	Microsoft licensing and consumption costs	$0	$3,625,600	$4,277,900	$5,042,400	$12,945,900	$10,619,884
Ftr	Professional services and internal labor costs	$1,291,583	$610,500	$610,500	$610,500	$3,123,083	$2,809,806
	Total costs (risk-adjusted)	$1,291,583	$4,236,100	$4,888,400	$5,652,900	$16,068,983	$13,429,690

Microsoft Licensing And Consumption Costs

Evidence and data. External costs primarily consisted of Microsoft licenses and consumption charges for Microsoft Sentinel and Defender for Cloud. Many interviewees had existing Microsoft 365 E5 licenses and therefore did not incur additional costs for adopting Microsoft Security solutions. However, those on a lower-tier license required an upgraded subscription or step-up purchase.

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

The $21 per user per month difference in list price between the Microsoft 365 E3 and E5 licenses is used as a proxy for the costs of the Microsoft security, compliance, and identity solutions. The total costs used in this study are consistent with prior TEI studies looking at Microsoft’s security solutions. The reader is encouraged to speak with their Microsoft account manager or partner to understand what their actual costs will be.
Consumption costs for Microsoft Defender for Cloud and Microsoft Sentinel are based on a 10,000-user organization that ingests between 500 and 1,500 GB daily over the three-year analysis.

Risks. Costs may vary based on:

The size of the organization.
Negotiated discounts on licenses.
The breadth of products deployed.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $10.6 million.

Microsoft Licensing And Consumption Costs

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
E1	E5 licenses	D3	0	10,000	10,000	10,000
E2	Annual per license cost	$21*12 months	$0	$252	$252	$252
E3	Microsoft Sentinel consumption costs	Composite	0	$620,000	$1,200,000	$1,800,000
E4	Microsoft Defender for Cloud consumption costs	Composite		$156,000	$169,000	$264,000
Et	Microsoft licensing and consumption costs	E1*E2+E3+E4	$0	$3,296,000	$3,889,000	$4,584,000
	Risk adjustment	↑10%
Etr	Microsoft licensing and consumption costs (risk-adjusted)		$0	$3,625,600	$4,277,900	$5,042,400
Three-year total: $12,945,900			Three-year present value: $10,619,884

Professional Services And Internal Labor Costs

Evidence and data. Interviewees generally said that implementing Microsoft Security was easier than other solutions because of the native integrations across solution families. The majority of survey respondents took four to nine months to fully deploy and configure their Microsoft Security solutions — 36% faster on average when compared to alternative approaches. Interviewees described ongoing effort for routine operational activities as relatively small and reported using some professional services for implementation and fine-tuning.

Modeling and assumptions. Based on the interviews and survey, Forrester assumes the following about the composite organization:

The initial implementation lasts seven months and requires four FTEs.
Ongoing solution management requires 1.5 FTEs.
Each of the 15 FTEs interacting with Microsoft Security solutions receives 40 hours of training during implementation and 10 hours in subsequent years.
The organization incurs $750,000 in professional services fees during implementation, with an ongoing $300,000 contract.

Risks. Costs may vary based on:

The size of an organization and its deployment and the number of products used.
Prevailing labor rates.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.8 million.

Professional Services And Internal Labor Costs

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
F1	Professional services costs	Composite	$750,000	$300,000	$300,000	$300,000
F2	Implementation cost	4 FTEs7 months(C7/12 months)	$379,167
F3	Ongoing support costs	1.5 FTEs*C7		$243,750	$243,750	$243,750
F4	Training costs	Initial: 15 FTEs40 hours$75 Y1 to Y3: 15 FTEs10 hours$75	$45,000	$11,250	$11,250	$11,250
Ft	Professional services and internal labor costs	F1+F2+F3+F4	$1,174,167	$555,000	$555,000	$555,000
	Risk adjustment	↑10%
Ftr	Professional services and internal labor costs (risk-adjusted)		$1,291,583	$610,500	$610,500	$610,500
Three-year total: $3,123,083			Three-year present value: $2,809,806

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

[CHART DIV CONTAINER]

Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3

Cash Flow Analysis (Risk-Adjusted)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($1,291,583)	($4,236,100)	($4,888,400)	($5,652,900)	($16,068,983)	($13,429,690)
Total benefits	$0	$8,459,000	$13,507,675	$14,880,040	$36,846,715	$30,032,961
Net benefits	($1,291,583)	$4,222,900	$8,619,275	$9,227,140	$20,777,732	$16,603,271
ROI						124%
Payback						<6 months

Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Microsoft Security.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Microsoft Security can have on an organization.

Due Diligence

Interviewed Microsoft stakeholders and Forrester analysts to gather data relative to Microsoft Security.

Interviews

Interviewed 10 decision-makers at organizations using Microsoft Security to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach

Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology

Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Appendix B

Survey Demographics

[CONTENT]

ROLE
Manager	43%
Director	28%
Vice president	20%
C-level executive	9%

[CONTENT]

INDUSTRY
Manufacturing and materials	8%
Consumer product goods	7%
Energy, utilities, and/or waste management	7%
Financial services and/or insurance	7%
Retail	7%
Healthcare	6%
Transportation and logistics	6%
Agriculture, food, and/or beverage	5%
Media and entertainment, including advertising	5%
Construction	4%
Electronics	4%
Marketing	4%
Technology and/or technology services	4%
Travel and hospitality	4%
Business or professional services	3%
Chemicals and/or metals	3%
Consumer services	3%
Education	3%
Legal services	3%
Government	2%
Nonprofits	2%
Telecommunications services	2%

[CONTENT]

REGION
United States	32%
Canada	17%
Brazil	8%
Mexico	7%
India	6%
Japan	6%
United Kingdom	5%
Australia	4%
France	3%
Germany	3%
Italy	2%
The Netherlands	2%
Spain	2%
Norway	1%
Sweden	1%
Switzerland	1%

[CONTENT]

EMPLOYEES
1,000 to 2,499 employees	27%
2,500 to 4,999 employees	26%
5,000 to 9,999 employees	27%
10,000 or more employees	20%
Percentages may not total 100 due to rounding.

Appendix C

Endnotes

¹ Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

² Microsoft 365 E5 is a premium enterprise subscription providing comprehensive productivity apps (Office, Teams, Excel) paired with advanced security, AI-powered threat protection, compliance tools and analytics.

³ Cumulative breach costs are computed using the composite organization’s size (revenue or number of employees) as an input to a regression analysis of reported total cumulative costs for all breaches for organizations that experienced at least one breach in the past 12 months. Source: Forrester’s Security Survey, 2025, “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” Base: 1,740 global security decision-makers who have experienced a breach in the past 12 months. The cumulative breach cost is then multiplied by a 67% likelihood for organizations to experience one or more breaches in a given year. Source: Forrester’s Security Survey, 2025, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 2,643 global security decision-makers.

⁴ Percentage of breaches by primary attack vector, as reported by security decision-makers whose organizations experienced at least one breach in the last 12 months. Source: Forrester’s Security Survey, 2025, “Of the times that your organization’s sensitive data was potentially compromised or breached in the past 12 months, please indicate how many of each fall into the categories below.” Base: 1,766 global security decision-makers who have experienced a breach in the past 12 months.

Disclosures

Readers should be aware of the following:

This study is commissioned by Microsoft and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Microsoft Security. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with Microsoft Security based on the inputs provided and any assumptions made. Forrester does not endorse Microsoft or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Microsoft and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Microsoft make no warranties of any kind.

Microsoft reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Microsoft provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Sam Conway
Jonathan Lipsitz

Published

April 2026

Executive Summary

Key Findings

Key Statistics

The Microsoft Security Customer Journey

Key Challenges

Composite Organization

Analysis Of Benefits

Improved Security Posture

Avoided Costs — External Spend

Avoided Costs — Internal IT Labor

Enabled Business And Innovation

Unquantified Benefits

Flexibility

Analysis Of Costs

Microsoft Licensing And Consumption Costs

Professional Services And Internal Labor Costs

Financial Summary

TEI Framework And Methodology

Glossary

Total Economic Impact Approach

Financial Terminology

Appendixes

Appendix A

Appendix B

Appendix C

Disclosures