There's a moment in every Azure cost review we do. We pull up the bill, the customer nods along through compute and storage, and then we hit Defender for Cloud. The reaction is always the same: "Wait, that much? For security?"
Defender for Cloud typically accounts for five to eight percent of total Azure spend. For a modest estate, that's thousands a month. For larger environments, tens of thousands. Most of it unnecessary.
How You End Up Over-Protected
The problem starts with how Defender is enabled. Microsoft presents a simple choice: enable all plans at the subscription level. One toggle, full protection, job done. Who wants to be the person who left a security gap?
That's exactly what Microsoft is counting on.
Their recommendation is to enable everything. Of course it is — every plan you enable is another line on your invoice. That's not a security recommendation, it's a licensing strategy. Once those plans are on, they bill quietly in the background while everyone assumes it's just "the cost of security."
In reality, not every workload needs the same protection. Not every subscription carries the same risk profile. Treating them identically is like fitting every door in your house with a bank vault lock — technically more secure, but wildly disproportionate.
What You're Actually Paying For
Defender for Cloud isn't a single product. It's a collection of individual plans, each protecting a different resource type, each with its own pricing model.
Defender for Servers is usually the biggest line item. Plan 1 covers basic threat detection and endpoint protection. Plan 2 adds vulnerability scanning, just-in-time VM access, file integrity monitoring, and more. The cost difference between P1 and P2 is significant — and most VMs don't need P2.
Defender for Storage offers two billing models: per-account (flat rate) or per-transaction. The right choice depends on usage patterns, and getting it wrong is expensive.
Defender for SQL, Key Vault, App Service, Containers — each adds per-resource charges. Individually, some are excellent value. The problem is when they're all enabled indiscriminately across every subscription in your tenant.
The Waste Patterns We See Repeatedly
Certain patterns come up in almost every review.
Double-billing on servers. If both P1 and P2 are enabled on the same VMs, you pay for both. P2 includes everything in P1 — having both active is pure waste. It's not always obvious from the billing dashboard.
Wrong storage billing model. Per-transaction billing on high-traffic storage accounts can cost several times more than the flat-rate alternative. Yet per-transaction is often the default, and nobody revisits it.
Full protection on dev/test. The most common pattern. Production needs robust monitoring. But dev/test, sandboxes, proof-of-concept subscriptions? A developer spinning up test VMs doesn't need P2 server protection and full container scanning.
Plans that deliver minimal value. Some plans get enabled because they were part of the "enable all" toggle and never get individually assessed. The security value relative to cost is negligible.
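As an added illustration that is not part of the original article, the following Python audit applies three of these checks (plans enabled with no matching resources, P2 and container scanning on non-production, and per-transaction storage billing that costs more than the flat rate) to per-subscription plan settings in the shape `az security pricing list` returns. The sample subscriptions, inventory counts, environment tiers and billing rates are constructed placeholders; the P1-plus-P2 double-billing case is not modelled here because the sample carries one server sub-plan per subscription.

```python
"""Flag Defender for Cloud waste patterns from per-subscription plan settings. Pricing items
mirror `az security pricing list` fields; all data, tiers and rates are constructed placeholders."""

# Plan name -> inventory key for the resource type that plan protects
PLAN_RESOURCE = {"VirtualMachines": "vms", "StorageAccounts": "storage_accounts",
                 "SqlServers": "sql_servers", "KeyVaults": "key_vaults",
                 "AppServices": "app_services", "Containers": "aks_clusters"}
FLAT_RATE = 10.0     # placeholder: monthly flat rate per storage account
TX_RATE = 0.0000015  # placeholder: per-transaction rate

def storage_model_cost(accounts, monthly_tx):
    """Monthly cost under each storage billing model: (flat, per_transaction)."""
    return accounts * FLAT_RATE, monthly_tx * TX_RATE

def audit_subscription(sub):
    """Return (rule, plan) findings for one subscription dict."""
    findings, inv = [], sub["inventory"]
    nonprod = sub["tier"] in ("devtest", "sandbox")
    for p in sub["pricings"]:
        if p["pricingTier"] != "Standard":
            continue  # Free tier costs nothing, so there is nothing to right-size
        name, sub_plan = p["name"], p.get("subPlan")
        if inv.get(PLAN_RESOURCE.get(name, ""), 1) == 0:  # unknown counts are not flagged
            findings.append(("no-resources", name))  # paying to protect nothing
        elif nonprod and name == "VirtualMachines" and sub_plan == "P2":
            findings.append(("p2-on-nonprod", name))  # P1 is enough for test VMs
        elif nonprod and name == "Containers":
            findings.append(("containers-on-nonprod", name))  # full scanning on test
        if name == "StorageAccounts" and sub_plan == "PerTransaction":
            flat, per_tx = storage_model_cost(inv["storage_accounts"], sub["monthly_transactions"])
            if per_tx > flat:
                findings.append(("storage-model", name))  # flat rate would be cheaper
    return findings

def audit_all(subs):
    """Map subscription name -> findings for every subscription."""
    return {s["name"]: audit_subscription(s) for s in subs}

def std(name, sub_plan=None):  # one Standard-tier pricing item as the CLI would list it
    return {"name": name, "pricingTier": "Standard", "subPlan": sub_plan}
SAMPLE = [  # constructed sample tenant: one production and one sandbox subscription
    {"name": "prod-core", "tier": "prod", "monthly_transactions": 900_000_000,
     "inventory": {"vms": 40, "storage_accounts": 6, "sql_servers": 3, "app_services": 0},
     "pricings": [std("VirtualMachines", "P2"), std("StorageAccounts", "PerTransaction"),
                  std("SqlServers"), std("AppServices")]},
    {"name": "dev-sandbox", "tier": "sandbox", "monthly_transactions": 50_000,
     "inventory": {"vms": 5, "storage_accounts": 1, "sql_servers": 0, "aks_clusters": 0},
     "pricings": [std("VirtualMachines", "P2"), std("StorageAccounts", "PerTransaction"),
                  std("SqlServers"), std("Containers")]},
]
```

To run it against a real tenant, replace SAMPLE with the CLI output for each subscription joined to your own resource counts, environment tags and published rates.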
Security Spending Should Be Proportional to Risk
That's not a controversial statement, yet most Azure environments treat Defender as all-or-nothing.
The organisations that get this right classify subscriptions by risk tier, evaluate each plan against actual resource types and threat models, and right-size server plans based on exposure. They run the numbers on billing models against real transaction volumes.
The result isn't less security — it's smarter security. And the freed-up spend goes towards things that genuinely improve posture: better architecture, staff training, incident response planning. Not paying for Defender plans that protect resources you don't have.
What This Looks Like in Practice
In a recent review, we found a mid-size organisation running full Defender coverage across 12 subscriptions — including four dev/test environments and two sandboxes that hadn't been touched in months. They had P1 and P2 running simultaneously on every server, per-transaction storage billing on accounts handling millions of operations daily, and low-value plans enabled across the board.
The security posture after optimisation? Identical for production workloads. The monthly Defender bill? Down by over 60%.
That's the pattern we see consistently. Organisations aren't choosing to overspend on security — they just never revisited the defaults.
Think your Defender spend is higher than it needs to be? Request a FinOps assessment and we'll show you exactly where the savings are.