What Is Microsoft Security Copilot? Pricing, Agents & Limitations (2026)

Microsoft Security Copilot pairs OpenAI's large language models with Microsoft's proprietary threat intelligence to give security teams an AI-powered assistant for incident response, threat hunting, and vulnerability analysis. It is not a chatbot dropped into the SOC. It is an orchestration layer that connects to Defender XDR, Sentinel, Entra, Intune, and Purview, pulling real telemetry into AI-generated analysis. Here is exactly what it does, what it costs, and where it falls short.


Security Copilot at a Glance

Microsoft Security Copilot is a generative AI-powered security solution that combines OpenAI's large language models with a security-specific model trained on Microsoft's threat intelligence, which draws on more than 78 trillion security signals processed daily. It is available as a standalone portal at securitycopilot.microsoft.com and embedded directly inside Defender XDR, Sentinel, Entra, Intune, and Purview.

The core concept: you ask questions in natural language, and Security Copilot translates those questions into queries across your security stack, synthesizes the results, and presents findings in plain English. Rather than writing KQL queries by hand to hunt for indicators of compromise, you describe what you are looking for and the system generates the query, runs it, and interprets the output.

Key figures:

  • $4/hr – per SCU (provisioned)
  • 12 – Microsoft-built agents
  • 5 – embedded products (Defender, Sentinel, Entra, Intune, Purview)
  • 550% – faster phishing triage (vendor-reported)
  • 400 – SCUs/month per 1,000 E5 users

Core Capabilities

Security Copilot is not a general-purpose chatbot. Its capabilities are purpose-built for security operations center (SOC) workflows. Here is what it actually does across the products where it is embedded:

Incident Summarization

When Defender XDR flags an incident, Security Copilot generates a narrative summary: what happened, which users and devices were affected, what indicators of compromise (IOCs) were found, and the attack timeline. This replaces the manual process of correlating alerts, reading log entries, and piecing together the story. The summary is generated in natural language and exportable as a PDF report.

Script and File Analysis

Drop a suspicious script or binary into Security Copilot and it reverse-engineers the code, identifies malicious behavior, and maps techniques to the MITRE ATT&CK framework. This is particularly useful for SOC analysts who encounter obfuscated PowerShell scripts or encoded payloads and need to understand what the code does without manually deobfuscating it.

Guided Response

After analyzing an incident, Security Copilot generates step-by-step remediation instructions. It recommends specific actions: isolate this device, block this IP, revoke this user's session token, update this conditional access policy. The analyst reviews and approves each step rather than executing blindly.

Microsoft's vendor-reported benchmarks claim 550% faster malicious email detection with the Phishing Triage Agent. Independent validation of this figure has not been published.

Natural Language to KQL

Security analysts describe what they want to find, and Security Copilot translates the description into Kusto Query Language (KQL) queries for Sentinel and Defender. Example: "Show me all sign-ins from outside the United States in the last 48 hours where MFA was not completed" becomes a syntactically correct KQL query ready to run. The analyst can review, edit, and execute the generated query.
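As an added illustration (not the page's or Microsoft's own output), here is one KQL query that the example prompt above could reasonably produce. It assumes Entra ID sign-in logs are flowing into Sentinel's SigninLogs table and that the three result codes listed are the MFA-interrupt codes worth hunting for.

```kql
// Added example, not Security Copilot output: one way to express the prompt
// "sign-ins from outside the United States in the last 48 hours where MFA was not completed".
// Assumes Entra ID sign-in logs are ingested into the Sentinel SigninLogs table.
SigninLogs
| where TimeGenerated > ago(48h)
| where Location != "US"                                          // Location holds the sign-in's ISO country code
| where AuthenticationRequirement == "multiFactorAuthentication"  // MFA was required for this sign-in
// Entra result codes where the MFA challenge was issued but not satisfied;
// a starting list that the analyst should review and extend before relying on it
| where ResultType in ("50074", "50076", "500121")
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ResultType, ResultDescription
| sort by TimeGenerated desc
```

Checking a generated query against the table schema and the result-code list like this is the review step the section describes before the analyst executes it.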

Device and Identity Summarization

Point Security Copilot at a device or user identity and it pulls together a complete profile: installed software, vulnerability exposure, recent sign-in activity, group memberships, conditional access policy compliance, and risk signals from Entra and Intune.

Automated Reporting and Promptbooks

Security Copilot supports automated PDF report generation for incident documentation and executive briefings. Promptbooks are saved sequences of prompts that standardize repeatable investigation workflows, so a tier-1 analyst can follow the same investigation playbook as a senior responder.


The Agent Ecosystem

Security Copilot goes beyond a single chat interface. Microsoft has built 12 autonomous agents and partnered with over 30 third-party vendors to create agents that handle specific security tasks without constant human prompting. These agents operate within the same security boundary as the rest of the Microsoft stack, inheriting your existing role-based access controls. For background on how Microsoft Copilot agents work across the broader Copilot ecosystem, see our dedicated agent guide.

Microsoft-Built Agents (12 Total)

Defender agents:

  • Phishing Triage Agent – Automatically triages phishing alerts, distinguishing real threats from false positives
  • Alert Triage Agent – Classifies and prioritizes security alerts across Defender XDR
  • Threat Intelligence Agent – Enriches alerts with Microsoft's threat intelligence data
  • Natural Language Threat Hunting Agent – Translates plain-English questions into KQL hunting queries

Entra agents:

  • Conditional Access Optimization Agent – Identifies missing or misconfigured zero trust policies (204% more gaps found versus manual review, per Microsoft's vendor-reported data)
  • Risky User Remediation Agent – Investigates compromised accounts and recommends remediation steps
  • Access Review Agent – Reviews user access rights and flags over-provisioned permissions
  • App Lifecycle Management Agent – Monitors application registrations for security risks

Intune and Purview agents:

  • Policy Configuration Agent – Reviews and recommends device management policies
  • Change Assessment Agent – Evaluates the impact of policy changes before deployment
  • Device Removal Agent – Handles secure offboarding of devices from the environment
  • Data Security Posture Management Agent (Purview) – Monitors data classification policies and sensitivity label compliance
  • Alert Triage Agent (Purview) – Triages data loss prevention alerts and recommends remediation steps

Partner-Built Agents (30+)

Third-party vendors have built agents that plug into Security Copilot's plugin architecture. Notable examples:

  • glueckkanja Forensic Agent – Deep forensic investigation of compromised endpoints
  • adaQuest Ransomware Kill Chain Investigator – Maps ransomware attack chains and recommends containment
  • Invoke Identity Workload ID Agent – Investigates workload identity and service principal abuse


Integrations and Plugin Architecture

Security Copilot connects to both Microsoft's native security stack and a growing list of third-party tools through a plugin-based architecture. This means the AI assistant can pull data from sources across your security environment, not only from Microsoft products.

  • Defender XDR – Extended detection and response across endpoints, email, identity, and cloud apps. Security Copilot is embedded directly in the incident view.
  • Microsoft Sentinel – SIEM and SOAR platform for log aggregation, correlation, and automated response. Copilot generates KQL queries and incident narratives.
  • Entra & Intune – Identity and access management plus device management. Copilot reviews conditional access policies, investigates risky sign-ins, and assesses policy changes.
  • Third-Party Plugins – ServiceNow, Jamf, CyberArk, Splunk, Darktrace, Shodan, CrowdSec, Censys, URLScan, and more through the plugin architecture.

The plugin architecture also supports custom plugins, so organizations can connect Security Copilot to internal APIs, proprietary threat feeds, or ticketing systems not covered by the built-in integrations. For guidance on securing Copilot Studio agents that connect to these data sources, see our dedicated guide.


Pricing and Licensing

Security Copilot does not use a flat per-user fee. It uses a consumption-based model built around Security Compute Units (SCUs), which are billing units that measure how much processing power your security AI tasks consume. This model is closer to how cloud compute is billed than how traditional SaaS licenses work.

Billing model – rate – details:

  • Provisioned SCUs – $4/SCU/hour – Minimum 1 SCU; billed monthly based on hourly reservation
  • Overage SCUs – $6/SCU/hour – Pay-as-you-go for demand spikes above provisioned capacity
  • 1 SCU continuous – ~$2,920/month – 1 SCU running 24/7 for a full month
  • Recommended start (3 SCU) – ~$8,760/month – Microsoft's recommended starting point for most organizations
  • M365 E5 inclusion – Included – 400 SCUs/month per 1,000 user licenses (max 10,000 SCUs/month)
  • E5 overage – Throttled (hard cap) – $6/SCU pay-as-you-go coming at a future date
  • M365 E7 ($99/user/mo) – Included via E5 – E7 includes E5, so the same Security Copilot entitlement applies

Key distinction: E5 uses a monthly pool billing model where only actual consumption is deducted from the pool, not hourly blocks. Standalone customers provision SCUs by the hour. An Azure subscription is required for standalone deployment but is NOT required for E5/E7 inclusion. E5 is currently $57/user/month, increasing to $60/user/month from July 2026. For full Microsoft Copilot pricing across all tiers, see our pricing guide.

Security Analyst
Uses Security Copilot daily for incident triage, script analysis, and KQL query generation. Consumes SCUs per investigation. For a team of 5-10 analysts, expect 3-5 provisioned SCUs as a baseline. See the cybersecurity hub.
CISO / Security Leadership
Evaluates ROI on Security Copilot against headcount costs. If your E5 license already includes 400 SCUs/month, the marginal cost for Security Copilot is zero up to that pool. Budget decisions change dramatically depending on whether you are on E5 or standalone.
IT Administrator
Manages SCU provisioning, monitors consumption dashboards, and configures role-based access for Security Copilot. Intune and Entra agents are especially relevant for IT ops teams managing device compliance and identity security.

Limitations and Considerations

Security Copilot has real constraints that security teams need to understand before deploying it in production environments.

No Government Cloud Support
Security Copilot is not available for GCC, GCC High, DoD, or Azure Government environments. Organizations operating under FedRAMP, ITAR, or DoD IL4/IL5 requirements cannot use Security Copilot. This is a hard exclusion with no workaround, and it eliminates a significant portion of the U.S. federal and defense security market.
OBO Authentication Model
Security Copilot uses On-Behalf-Of (OBO) authentication, meaning it inherits the calling user's access scope. If a SOC analyst has overly broad permissions, Security Copilot will have those same broad permissions. This makes permission hygiene a prerequisite, not an afterthought. Organizations with messy RBAC will expose more data through Security Copilot than they intend.
English-Optimized, Other Languages Degraded
Security Copilot is optimized for English. Queries and responses in other languages may have reduced accuracy, especially for nuanced security terminology and KQL generation. Multinational SOC teams operating in non-English primary languages should validate output quality before relying on it for triage decisions.
Probabilistic Output Requires Human Validation
Security Copilot generates code, queries, and analysis using probabilistic AI models. The output can be incorrect, incomplete, or misleading. Treating generated KQL queries or remediation steps as authoritative without human review is a security risk. Every output should be validated before execution, especially for containment and remediation actions.
No IoT/OT Support
IoT and operational technology environments are not supported by Security Copilot. Organizations with industrial control systems, SCADA networks, or large IoT deployments will not be able to use Security Copilot for threat analysis in those environments. Defender for IoT data is not available to Security Copilot agents.
No Tenant Transfers; Deletion Is Permanent
Security Copilot workspaces cannot be transferred between Azure tenants. If you need to migrate tenants, you start over. Deletion of promptbooks, sessions, and custom plugins is permanent with no recovery option. Plan your data retention strategy before deploying.

How Security Copilot Fits the Microsoft Security Stack

Security Copilot is not a standalone security product. It is an AI layer that sits on top of Microsoft's existing security stack and amplifies the capabilities of each component. Understanding where it fits is essential for evaluating whether it adds value to your current deployment.

Defender XDR provides the detection and response engine: endpoint protection, email security, identity threat detection, and cloud app security. Security Copilot adds natural language investigation, automated incident narratives, and guided remediation on top of Defender's alert pipeline.

Sentinel is the SIEM and SOAR platform that aggregates logs from across your environment (not just Microsoft products). Security Copilot generates KQL queries for Sentinel data, summarizes complex investigations, and creates automated response playbooks.

Entra handles identity and access management. Security Copilot's conditional access optimization agent and risky user remediation agent operate within Entra to find policy gaps and investigate compromised identities.

Intune manages device compliance and configuration. Security Copilot agents review policy configurations, assess change impact, and handle device offboarding through Intune's management plane.

Purview governs data classification, sensitivity labels, and data loss prevention. Security Copilot's Purview agents monitor data security posture and triage DLP alerts.

The practical question: If you are already running Defender XDR, Sentinel, and Entra on M365 E5, Security Copilot's 400 SCU/month inclusion means you can test AI-assisted security operations at zero marginal cost. If you are not on E5, the standalone pricing starts at roughly $2,920/month for a single SCU, which is a meaningful investment for smaller security teams. Start with the E5 pool if you have it. For a broader view of Microsoft Copilot across all product lines, see our overview.



Fact-checked against vendor documentation and official sources, May 2026
Microsoft, Microsoft Security Copilot, Microsoft 365, Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Intune, Microsoft Purview, Azure, and Windows are trademarks of Microsoft Corporation. All other trademarks are property of their respective owners. This article is not sponsored, endorsed, or approved by Microsoft.
Before You Use AI
Your Privacy

Microsoft Security Copilot processes data within your Azure or M365 tenant. Data processed by Security Copilot is not used to train foundation models. The product uses On-Behalf-Of authentication, inheriting the calling user's access scope. Enterprise tenants can configure data residency through Azure region selection. Review your organization's data classification and RBAC policies before granting Security Copilot access to your security telemetry.


Your Rights & Our Transparency

Under GDPR and CCPA, you have the right to access, correct, and delete your personal data. Tech Jacks Solutions maintains editorial independence from all vendors, including Microsoft. This article was not sponsored, reviewed, or approved by Microsoft. We do not receive affiliate commissions from Microsoft Security Copilot or M365 licenses. Our evaluations are based on primary documentation, independent analysis, and verified vendor disclosures. The EU AI Act classifies certain AI-assisted security tools under specific risk categories.