Summary
Key Takeaways
Consumption-based pricing: Security Copilot uses Security Compute Units (SCUs), not per-user licensing. Provisioned SCUs cost $4/hour; overage SCUs cost $6/hour.
M365 E5 inclusion: If you’re on Microsoft 365 E5, you get 400 SCUs per month for every 1,000 users, capped at 10,000 SCUs. This was announced at Ignite 2025.
Rollout timeline: Already using Security Copilot with M365 E5? You got access on 18 November 2025. Everyone else on E5 will be activated over the coming months with 30 days’ notice.
Prerequisites are minimal: You need an Azure subscription and Microsoft Entra ID. You don’t need Defender, Sentinel, or any specific security product, though Security Copilot is far more useful if you have them.
Agents are the headline feature: 12 new Microsoft-built agents across Defender, Entra, Intune, and Purview, plus 30+ partner-built agents.
Standalone purchase still available: Not on E5? You can still provision SCUs directly via the
No GCC/DoD support: Security Copilot isn’t available for US government cloud customers.
1. What is Security Copilot?
Security Copilot is Microsoft’s generative AI assistant for security and IT professionals. Unlike Microsoft 365 Copilot, which helps with productivity across Office apps, Security Copilot is built specifically for security operations: investigating threats, analysing incidents, hunting for vulnerabilities, and automating security workflows.
What it does:
Security Copilot gives you insights and recommendations using Microsoft’s threat intelligence (processing over 100 trillion signals daily), industry best practices, and your own data from Microsoft and partner tools. You can:
Investigate and remediate security threats using natural language queries
Build KQL queries and analyse suspicious scripts
Understand risks and manage your security posture
Troubleshoot IT issues faster
Define and manage security policies
Configure secure lifecycle workflows
Develop reports for stakeholders
Automate tasks with autonomous agents
Integration points:
Security Copilot integrates with and embeds within multiple Microsoft security products: |
Microsoft Defender XDR (threat protection)・Microsoft Sentinel (SIEM and security analytics)・Microsoft Intune (endpoint management)・Microsoft Entra (identity and access management)・Microsoft Purview (data security and compliance)・Microsoft Defender for Cloud・Microsoft Defender Threat Intelligence・Azure Firewall・Microsoft Defender External Attack Surface Management |
The more of these you have deployed, the more valuable Security Copilot becomes. It can access data from these integrations and provide AI assistance grounded in your actual security telemetry. For more detail on capabilities, see Microsoft’s Security Copilot FAQ.
Standalone vs embedded experiences:
You can use Security Copilot in two ways:
Standalone portal: Go directly to securitycopilot.microsoft.com for comprehensive security investigations and promptbook execution.
Embedded experiences: Copilot capabilities appear directly within Defender, Entra, Intune, and Purview portals, so you get context-aware assistance without switching applications.
2. How Much Does Security Copilot Cost?
Security Copilot uses consumption-based pricing rather than traditional per-user licensing. Costs are measured in Security Compute Units (SCUs).
2.1 What is an SCU?
A Security Compute Unit measures the compute power required to run Security Copilot workloads. You consume SCUs when:
You execute prompts in the standalone portal
You interact with embedded Copilot features in Defender, Entra, Intune, or Purview
Agents perform automated tasks
Promptbooks execute sequences of prompts
Different operations consume different amounts. A simple prompt might consume a fraction of an SCU, while a complex incident summarisation or multi-step investigation consumes more. Consumption varies based on complexity; it’s not fixed.
2.2 Pricing Model
Security Copilot operates on a dual-capacity model: provisioned capacity for predictable workloads, and overage capacity for demand spikes.
Capacity Type | Rate | Billing |
|---|---|---|
Provisioned SCUs | $4/SCU/hour | Billed monthly based on hourly provisioning |
Overage SCUs | $6/SCU/hour | Billed only when used |
How billing works:
Provisioned capacity is billed by the hour. If you provision 4 SCUs, you pay $16/hour ($4 x 4) regardless of actual consumption, as long as you stay within that capacity.
Overage kicks in when you exceed your provisioned SCUs within an hour. You pay $6 per overage SCU consumed, up to your configured overage limit.
Billing is calculated in hourly blocks.
Example calculation:
You have 4 provisioned SCUs with an overage limit of 6 SCUs.
Scenario 1: You execute a prompt that consumes 3 SCUs and use incident summarisation in Defender, which consumes 0.5 SCU. Total: 3.5 SCUs. You’re charged for 4 provisioned SCUs at $4 each: $16 for that hour. |
Scenario 2: Same hour, you also run a promptbook consuming another 3.2 SCUs, bringing total hourly consumption to 7.2 SCUs. You’re charged for 4 provisioned SCUs ($16) plus 3.2 overage SCUs at $6 each ($19.20): $35.20 for that hour. |
2.3 Minimum Requirements
Minimum provisioned capacity: 1 SCU
Maximum provisioned capacity: 100 SCUs
Microsoft recommends: 3 SCUs as a starting point for evaluation, with overage set to unlimited
2.4 Estimating Costs
Microsoft provides an SCU capacity calculator to estimate usage based on:
Number of monthly users per experience (Defender, Intune, Purview, Entra, standalone)
Automation through Logic Apps and Promptbooks
The calculator shows maximum expected SCUs per hour and displays combinations of provisioned and overage SCUs with corresponding monthly cost ranges. You’ll need an Azure account to access it.
The estimation challenge:
Unlike per-user licensing, SCU consumption is inherently unpredictable. It depends on:
How many prompts your team executes
Complexity of prompts and investigations
Use of automated workflows and agents
Volume of incidents requiring AI-assisted analysis
Start small, monitor usage via the in-product dashboard, and adjust capacity based on actual patterns. Budget conservatively and set overage limits to prevent surprises. For current rates, see Microsoft’s Security Copilot pricing page.
3. Microsoft 365 E5 Inclusion
At Ignite 2025 (November 2025), Microsoft announced that Security Copilot would be included with Microsoft 365 E5 at no additional cost.
3.1 What’s Included
Aspect | Detail |
|---|---|
SCU allocation | 400 SCUs per month for every 1,000 paid user licences |
Maximum allocation | 10,000 SCUs per month (regardless of user count) |
Scaling | Pro-rata for fewer than 1,000 users |
Rollover | SCUs don’t roll over; allocations reset monthly |
Allocation examples:
400 users = 160 SCUs/month (400 x 0.4)
1,000 users = 400 SCUs/month
4,000 users = 1,600 SCUs/month
25,000+ users = 10,000 SCUs/month (cap applies)
3.2 Rollout Timeline
Customer Type | Timing |
|---|---|
Existing Security Copilot customers with M365 E5 (as of 18 Nov 2025) | Available immediately |
All other M365 E5 customers | Phased rollout over coming months; 30-day advance notification |
Activation process:
Security Copilot is automatically provisioned for eligible M365 E5 tenants
No Azure setup or consent flows required
You’ll see in-product banners and guided onboarding
No manual SCU provisioning needed
3.3 What’s Covered
Core experiences (included): | Not covered: |
|---|---|
✅ All chat, promptbook, and agentic scenarios across Entra, Intune, Purview, Defender, and the standalone portal ✅ Sentinel scenarios if you also use Sentinel (apply your included SCU allocation) ✅ Developer experiences: Agent Builder and APIs for creating custom agents, promptbooks, and integrations ✅ Partner-built agents: SCU costs included (until further notice) | 🔴 Sentinel data lake compute or storage costs 🔴 Non-agentic Data Security Investigations in Purview 🔴 Azure Logic Apps charges when used with Security Copilot 🔴 Partner agent licensing fees (you buy those separately via Security Store; SCU consumption is included, but partner licences aren’t) 🔴 Prerequisites for agents that need products outside M365 E5 |
3.4 Exceeding the Allocation
Currently, if you exceed your allocation, usage will be throttled at a future date. Microsoft plans to offer pay-as-you-go overage at $6 per SCU. You’ll get 30 days’ notice when this becomes available.
3.5 Comparison with Standalone Purchase
Aspect | M365 E5 Inclusion | Standalone Purchase |
|---|---|---|
Base cost | Included with E5 subscription | $4/SCU/hour provisioned |
SCU allocation | 400 per 1,000 users (max 10,000) | As provisioned |
Overage | Throttled (pay-as-you-go at $6/SCU coming) | $6/SCU/hour |
Azure subscription required | No (for included capacity) | Yes |
Manual provisioning | Not needed | Required |
If you’re already on M365 E5: This is significant value. With 5,000 E5 users, you get 2,000 SCUs monthly; provisioning equivalent capacity standalone would cost roughly $5,840/month ($4 x 2 SCUs x 730 hours, assuming 2 SCU average utilisation).
If you’re not on M365 E5: Standalone purchase remains available. If you’re considering upgrading to E5 primarily for Security Copilot, do the maths first: calculate whether the SCU value justifies the E5 premium over your current licensing. For full details, see Microsoft’s Security Copilot E5 documentation.
4. Licensing Requirements
Requirement | Detail |
|---|---|
Azure subscription | Required for standalone purchase; not required for M365 E5 inclusion |
Microsoft Entra ID | Required for user authentication |
Security product licences | Not mandatory, but integration value depends on what you’ve deployed |
Availability | Commercial cloud only; not available for GCC, GCC High, DoD, or Azure Government |
Clarification: You don’t need Defender, Sentinel, or any specific Microsoft security product. You can use Security Copilot without them. But the practical value is far higher when Security Copilot can access your security telemetry through these integrations.
For technical setup details, see Microsoft’s Getting Started with Security Copilot.
5. Security Copilot Agents
At Ignite 2025, Microsoft introduced a significant expansion of Security Copilot’s agent capabilities.
5.1 What Are Agents?
Agents are autonomous AI assistants that perform security tasks without continuous human prompting. They can triage alerts, optimise policies, and remediate issues. You retain oversight; you can review, approve, or override their actions.
5.2 Available Agents
Microsoft-built agents (12 in preview): | ➤ Defender: Phishing Triage, Alert Triage, Threat Intelligence, Natural Language Threat Hunting ➤ Entra: Conditional Access Optimisation, Risky User Remediation, Access Review, App Lifecycle Management ➤ Intune: Policy Configuration, Change Assessment, Device Removal ➤ Purview: Data Security Posture, Data Security Alert Triage |
Partner-built agents: | Over 30 available via the Microsoft Security Store. |
Custom agents: | You can build your own. |
5.3 Agent Licensing
All agent usage consumes SCUs like other Security Copilot features
On M365 E5, agent SCU consumption counts against your included allocation
Partner agents may need separate licensing from the partner; SCU costs are included in E5 entitlements (subject to change)
6. Managing Usage and Costs
6.1 Usage Monitoring Dashboard
Security Copilot’s in-product dashboard shows:
SCUs consumed over time
Provisioned vs overage usage
Plugins employed during sessions
Session initiators
Up to 90 days of historical data
The dashboard supports filtering and data export, so you can track consumption patterns and make informed decisions about capacity.
6.2 Adjusting Capacity
You can modify capacity at any time via:
Security Copilot portal: Owner settings, then Change units
Azure portal: Microsoft Security compute capacities
Changes take effect within minutes. Billing is calculated on hourly blocks.
6.3 Setting Overage Limits
To prevent unexpected costs, you can set a maximum overage limit:
Unlimited overage (Microsoft’s recommendation for uninterrupted operations)
Specific cap (e.g., maximum 10 overage SCUs per hour)
Zero overage (operations throttled when provisioned capacity runs out)
6.4 Cost Control Strategies
If you’re on standalone: | If you’re on M365 E5: |
|---|---|
Start with Microsoft’s recommended 3 SCUs with unlimited overage Monitor actual usage patterns for 1-2 months Adjust provisioned capacity to align with typical consumption Set overage limits based on acceptable cost variability | Monitor consumption against your included allocation Review the dashboard weekly during initial rollout If you’re consistently approaching the cap, consider whether additional standalone SCUs are justified Track which agents and promptbooks consume the most capacity |
6.5 Workspaces
Security Copilot supports multiple workspaces within a tenant. Workspaces help you:
Segment environments for different groups or compliance requirements
Configure specific plugins and agents per workspace
Set separate access controls
Important limitation: You can’t allocate SCUs by workspace. The total SCU pool is shared across your tenant, so you can’t limit specific teams to specific SCU budgets. For more, see Microsoft’s Managing Security Copilot Usage.
7. Integrations and Plugins
7.1 Microsoft Integrations
Security Copilot integrates with Microsoft products through built-in plugins. When enabled, Copilot can query data from these products and provide grounded responses.
Product | Capabilities |
|---|---|
Microsoft Defender XDR | Incident investigation, alert triage, threat hunting |
Microsoft Sentinel | Log analysis, KQL generation, incident correlation |
Microsoft Intune | Device compliance, policy analysis, troubleshooting |
Microsoft Entra | Identity risk assessment, Conditional Access analysis |
Microsoft Purview | Data classification, compliance posture |
Microsoft Defender for Cloud | Cloud security posture, vulnerability management |
Microsoft Defender Threat Intelligence | Threat actor profiles, indicator analysis |
Azure Firewall | Traffic analysis, rule recommendations |
Note: These products must be licensed and deployed separately. Security Copilot doesn’t include licences for them.
7.2 Microsoft Defender Threat Intelligence
Security Copilot includes access to Defender Threat Intelligence (Defender TI) at no extra cost:
Tenant-level Defender TI premium workbench access
Intel profiles, threat analysis, and internet data sets
All content and data for context on activity groups, tooling, and vulnerabilities
Exclusion: The Defender TI API remains separately licensed. Security Copilot access doesn’t include API rights.
7.3 Partner and Custom Plugins
Security Copilot supports non-Microsoft plugins for third-party integrations. Many partners have published plugins and agents in the Microsoft Security Store.
You can develop custom plugins using the Security Copilot API to extend capabilities to your own systems.
7.4 Connectors
Connectors let you invoke Security Copilot from automation workflows:
Logic Apps connector: Call Security Copilot from Azure Logic Apps workflows
Copilot Studio connector: Access Security Copilot from Copilot Studio automations
Connectors support actions such as submitting prompts and fetching prompt status, enabling security automation scenarios.
8. Licensing Scenarios
Scenario 1: Large Enterprise with M365 E5 |
|---|
Situation: 10,000 employees on Microsoft 365 E5, using Defender XDR and Sentinel. Included capacity: 4,000 SCUs/month (10,000 users x 0.4 = 4,000; under the 10,000 cap) |
What to do: Use your included capacity for SOC operations. Monitor usage; if you’re consistently near the cap, decide whether to wait for pay-as-you-go overage or provision additional standalone SCUs. |
Scenario 2: Mid-Size Organisation with M365 E5 |
|---|
Situation: 2,500 employees on Microsoft 365 E5, primarily using Defender and Intune. Included capacity: 1,000 SCUs/month |
What to do: Your included capacity should support moderate usage. Enable agents for alert triage and Conditional Access optimisation. Track consumption monthly. |
Scenario 3: Small Organisation with M365 E5 |
|---|
Situation: 200 employees on Microsoft 365 E5. Included capacity: 80 SCUs/month (200 x 0.4) |
What to do: Limited capacity means you should use it for targeted investigations rather than high-volume automation. Focus on the use cases that deliver most value within your allocation. |
Scenario 4: Organisation without M365 E5 |
|---|
Situation: 1,000 employees on Microsoft 365 E3, using Sentinel and Defender. |
Options: 1. Standalone Security Copilot: Provision SCUs via Azure. Start with 3 provisioned SCUs ($4 x 3 x 730 hours ~ $8,760/month) plus overage as needed. 2. Upgrade to M365 E5: E5 costs roughly $57/user/month; for 1,000 users, that’s $57,000/month. The Security Copilot inclusion alone doesn’t justify this upgrade. Only makes sense if E5’s other features (Defender P2, eDiscovery Premium, Audio Conferencing) also provide value. |
Scenario 5: MSSP Managing Multiple Customers |
|---|
Situation: Managed security service provider using Security Copilot across customer tenants. |
Considerations: ・If you’re an M365 E5 customer using Security Copilot for internal or customer management, you no longer need separate billing ・Azure Lighthouse lets you use your own SCU capacity against customer Sentinel workspaces ・Each customer tenant using Security Copilot independently needs its own capacity (via M365 E5 inclusion or standalone provisioning) |
9. What’s the Relationship to Microsoft 365 Copilot?
Security Copilot and Microsoft 365 Copilot are separate products with different purposes, pricing models, and licensing.
Aspect | Security Copilot | Microsoft 365 Copilot |
|---|---|---|
Purpose | Security operations | Productivity across Office apps |
Pricing model | Consumption-based (SCUs) | Per-user licensing ($30/user/month) |
Integrations | Defender, Sentinel, Intune, Entra, Purview | Word, Excel, PowerPoint, Outlook, Teams |
Data access | Security telemetry, threat intelligence | Microsoft Graph (emails, files, meetings) |
Target users | SOC analysts, security admins, IT admins | Knowledge workers |
M365 E5 inclusion | Yes (400 SCUs per 1,000 users) | No (separate purchase required) |
They don’t overlap. Security Copilot doesn’t help you write emails. Microsoft 365 Copilot doesn’t analyse security incidents or generate KQL queries.
They can be used together. You might deploy Microsoft 365 Copilot for general productivity and Security Copilot for your security team. The licences are additive, not interchangeable.
10. Frequently Asked Questions
How much does Security Copilot cost?
Standalone: $4 per SCU per hour for provisioned capacity, $6 per SCU per hour for overage. On M365 E5: 400 SCUs per month for every 1,000 users are included at no additional cost, up to 10,000 SCUs per month.
Is Security Copilot included with M365 E5?
Yes. Microsoft announced this at Ignite 2025. Rollout began 18 November 2025 for existing Security Copilot customers with M365 E5. Everyone else on E5 will be activated over the coming months with 30 days’ notice.
What if I exceed my included SCU allocation?
Usage beyond your allocation will be throttled at a future date. Microsoft plans to offer pay-as-you-go overage at $6 per SCU. You’ll get 30 days’ notice when this becomes available.
Do I need Defender or Sentinel to use Security Copilot?
No. There are no specific security product prerequisites. But Security Copilot’s value is much greater when integrated with Microsoft security products that provide the data for AI-assisted analysis.
What’s an SCU?
A Security Compute Unit measures compute power for Security Copilot workloads. Different operations consume different amounts. A simple prompt might consume a fraction of an SCU; complex investigations consume more.
Can SCUs be shared across workspaces?
No. The total SCU pool is shared across your tenant. You can’t allocate SCUs to specific workspaces or limit specific teams to specific SCU budgets.
Is Security Copilot available in GCC or government clouds?
No. It’s only available in commercial cloud environments. Not available for GCC, GCC High, DoD, or Azure Government.
What are Security Copilot agents?
Autonomous AI assistants that perform security tasks without continuous human prompting. Microsoft introduced 12 new agents at Ignite 2025 across Defender, Entra, Intune, and Purview, plus over 30 partner-built agents.
How do I estimate how many SCUs I need?
Use Microsoft’s capacity calculator. It provides estimates based on user counts, workloads, and automation usage. Microsoft recommends starting with 3 provisioned SCUs for evaluation.
11. Recent Changes
Date | Change |
|---|---|
November 2025 (Ignite) | Security Copilot included with M365 E5; 12 new Microsoft-built agents; 30+ partner agents; Security Store launched |
April 2025 | Overage SCUs generally available; usage monitoring dashboard enhanced |
April 2024 | Security Copilot reached general availability with consumption-based pricing |
Need Help?
Security Copilot’s consumption-based model introduces budgeting complexity that differs from traditional per-user licensing. If you’re negotiating a Microsoft agreement, evaluating the M365 E5 inclusion, or trying to forecast Security Copilot costs, get in touch.
We don’t sell Microsoft licences, so our advice is unbiased. We help you understand what you’re actually paying for.