Defender for Servers is the Defender for Cloud plan most likely to be quietly draining your budget, because it charges per VM. And you probably have a lot of VMs.
Why the Costs Add Up Fast
Most Defender plans charge at the resource level, but VMs are different. You might have hundreds. And Defender for Servers charges for every single one, every month.
At Plan 2 pricing of roughly £12 per server per month:
| VM Count | Monthly Cost | Annual Cost |
|---|---|---|
| 20 VMs | £240 | £2,880 |
| 50 VMs | £600 | £7,200 |
| 100 VMs | £1,200 | £14,400 |
| 200 VMs | £2,400 | £28,800 |
It scales linearly — no volume discount. Double your VMs, double the cost.
Plan 1 vs Plan 2: What Are You Getting?
Many teams don't know which plan they're on or what the difference is.
Plan 1 (~£4/server/month) covers the fundamentals: threat detection, Just-In-Time VM access, file integrity monitoring, and integration with Defender for Endpoint. For many workloads, this is sufficient.
Plan 2 (~£12/server/month) adds vulnerability assessment, adaptive application controls, 500MB/day of included Log Analytics data per server, extended threat hunting, container host hardening, and agentless scanning. It's a serious offering — but three times the cost, and not every server needs it.
The Double-Billing Gotcha
We see this more often than you'd expect: organisations with both Plan 1 and Plan 2 enabled simultaneously on the same subscription. It happens through a combination of policy assignments and Defender settings changed at different times. The result: roughly £16 per server per month instead of £12.
Azure doesn't warn you about this.
Not Every VM Needs the Same Protection
This is the real conversation. Security teams want maximum coverage. Finance wants to know why security tooling costs £28,000 a year. The answer is usually somewhere in the middle.
Plan 2 — Your Crown Jewels
- Production servers with sensitive customer data
- Domain controllers and identity infrastructure
- Internet-facing workloads
- Servers subject to compliance (PCI-DSS, ISO 27001)
The £12/month is justified here.
Plan 1 — Standard Production
- Application servers behind network segmentation
- Internal-only workloads with limited attack surface
- Servers in well-segmented VNets with NSGs and private endpoints
Basic threat detection and JIT access are valuable. Vulnerability scanning is nice to have but the risk profile doesn't demand it.
No Defender — Dev/Test
- Development VMs rebuilt regularly
- Test environments with no real data
- Temporary VMs spun up for load testing
Paying £12/month for a VM that gets deleted next week doesn't make sense.
The Log Analytics Angle
Plan 2 includes 500MB/day of Log Analytics data per server. If you're sending security logs from those servers into a workspace, you might be paying for that ingestion separately.
At current pricing, 500MB/day across 50 servers is 25GB/day — roughly £1,600/month if billed separately. In that scenario, Plan 2 partially pays for itself through the included data allowance. Worth doing the maths.
Don't Forget Arc-Connected Servers
If you've enrolled on-premises servers via Azure Arc and the subscription has Defender enabled, those machines are being billed too. We've seen environments where someone enabled Arc for testing, then Defender started charging for every connected server.
30 Arc servers on Plan 2 = £360/month you might not have budgeted for.
Quick Wins
- Standardise on one plan per subscription. Both P1 and P2 enabled? Pick one.
- Disable Defender on dev/test subscriptions. Or drop to Plan 1 at minimum.
- Check Arc-enrolled machines. Remove any enrolled for testing and forgotten.
- Evaluate Plan 1 vs Plan 2 per subscription. Not every subscription needs Plan 2.
- Factor in Log Analytics savings. The included data allowance might justify Plan 2 for some workloads.
A well-tiered setup typically saves 30-50% compared to blanket Plan 2, without meaningfully increasing risk.
Not sure where your cloud cost management stands? Take our 2-minute FinOps maturity test — 10 questions, instant results, no sign-up required.
Want a full Defender plan audit? Get a free FinOps assessment — we'll review every subscription.