M08 · Defender for Cloud
Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 3.5 hours (including lab)
Format: Instructor-led, hands-on
Currency note (as of June 2026): Defender for Cloud plan names, Secure Score controls, and portal paths change frequently; compliance standards are updated by their authoring bodies. Verify plan coverage and navigation against current Microsoft Learn before relying on specifics.
Learning objectives
By the end of this module you will be able to:
- Describe the difference between cloud security posture management (CSPM) and cloud workload protection (CWPP).
- Navigate the Secure Score and explain how recommendations improve it.
- Identify workload protection plans and what each covers (servers, containers, SQL, storage, Key Vault).
- Use the regulatory compliance dashboard to review a compliance standard.
1. CSPM vs. CWPP — two jobs, one product
Microsoft Defender for Cloud does two complementary things:
- Cloud Security Posture Management (CSPM) — prevent misconfiguration. Continuously assesses your cloud resources against security best practices, scores your posture, and recommends fixes. This is largely free/foundational for connected subscriptions.
- Cloud Workload Protection (CWPP) — detect threats at runtime. Per-resource-type protection plans that generate security alerts on active threats against servers, databases, storage, etc. These are the enhanced (paid) plans, billed per protected resource.
Diagram alt text: A box labeled Microsoft Defender for Cloud contains two halves. The left half is CSPM, cloud security posture management, providing recommendations, Secure Score, and attack paths — foundational and free. The right half is CWPP, cloud workload protection, providing runtime threat alerts per plan — enhanced and paid.
One-line distinction: CSPM asks “are we configured safely?”; CWPP asks “is something attacking us right now?”
2. Secure Score
Secure Score is Defender for Cloud’s measure of your posture — a single percentage that rises as you remediate recommendations.
- Recommendations — specific findings (“enable MFA for accounts,” “restrict NSG inbound,” “encrypt storage”), grouped into security controls.
- Score calculation — each control is worth points; you earn a control’s points by remediating all its unhealthy resources. The overall score is the sum across controls, expressed as a percentage of the maximum.
- Remediation steps — each recommendation includes the steps (and often a quick-fix / one-click remediation) to resolve it.
Prioritize by impact: recommendations are weighted; focus on high-value controls and quick wins first. In the lab you will implement one quick-win recommendation and watch its effect.
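The score arithmetic above, as an added worked example (not code from the course or from Microsoft). It assumes the per-control partial credit that Microsoft Learn documents (max points scaled by the healthy share, so the full points arrive only when every resource is healthy) and that controls with no resources in scope count toward neither the score nor the maximum; the control names, point values and resource counts are constructed.

```python
from dataclasses import dataclass

@dataclass
class Control:
    """One Secure Score security control with its resource health counts (constructed data)."""
    name: str
    max_points: int
    healthy: int
    unhealthy: int

    def current_points(self) -> float:
        # Assumption: credit is proportional to the healthy share, as Microsoft Learn describes;
        # the full max_points are earned only once every unhealthy resource is remediated.
        total = self.healthy + self.unhealthy
        if total == 0:
            return 0.0  # not applicable: nothing in scope for this control
        return self.max_points * self.healthy / total

def secure_score(controls: list[Control]) -> float:
    """Overall Secure Score as a percentage of the maximum across applicable controls."""
    applicable = [c for c in controls if c.healthy + c.unhealthy > 0]
    max_total = sum(c.max_points for c in applicable)
    if max_total == 0:
        return 0.0
    return round(100 * sum(c.current_points() for c in applicable) / max_total, 1)

def prioritize(controls: list[Control]) -> list[tuple[str, float, float]]:
    """Rank controls with unearned points by points gained per resource remediated (quick wins first)."""
    ranked = []
    for c in controls:
        if c.unhealthy == 0:
            continue
        remaining = c.max_points - c.current_points()
        ranked.append((c.name, round(remaining / c.unhealthy, 2), round(remaining, 2)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def score_after_remediating(controls: list[Control], name: str) -> float:
    """Secure Score if every unhealthy resource in the named control were remediated."""
    updated = [Control(c.name, c.max_points, c.healthy + c.unhealthy, 0) if c.name == name else c
               for c in controls]
    return secure_score(updated)

# Constructed sample: points and counts are illustrative, not real Defender for Cloud values.
SAMPLE = [
    Control("Enable MFA", 10, 3, 2),
    Control("Restrict unauthorized network access", 4, 4, 4),
    Control("Encrypt data in transit", 4, 0, 1),
    Control("Apply system updates", 6, 10, 0),
    Control("Enable encryption at rest", 4, 0, 0),  # no resources in scope
]
```

With the sample data the score is 58.3%; remediating the two MFA resources lifts it to 75.0%, while the single unencrypted transit resource is the cheapest fix per resource.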
3. Workload protection plans (CWPP)
Each plan adds runtime threat detection for a resource type (coverage and names verified against Microsoft Learn, as of June 2026):
- Defender for Servers — protects VMs (Azure and, via Arc, on-prem/multicloud). Integrates with Microsoft Defender for Endpoint for EDR, adds vulnerability assessment and adaptive/just-in-time controls.
- Defender for Containers — Kubernetes posture (hardening recommendations) plus runtime threat detection for clusters and nodes, and registry image scanning.
- Defender for SQL — threat detection for Azure SQL and SQL Server on VMs (e.g., anomalous queries, potential SQL injection, brute force), plus vulnerability assessment.
- Defender for Storage — malware scanning of uploaded blobs and anomaly detection on storage activity (e.g., unusual access/exfiltration patterns).
- Defender for Key Vault — alerts on unusual access patterns to secrets/keys (ties back to M02: Key Vault access is a high-value signal).
Other sub-plans (App Service, Resource Manager, DNS, APIs, databases) are surveyed in M09.
4. Attack path analysis and the cloud security graph
CSPM (enhanced) models how individual weaknesses chain together into a real attack:
- The cloud security graph maps resources, their relationships, and their exposures.
- Attack path analysis highlights traversable paths an attacker could follow — e.g., “internet-exposed VM → has a known vulnerability → has a managed identity → that identity can read a storage account with sensitive data.” Prioritizing the path fixes the chain, not just one node.
This is the cloud counterpart to the ATT&CK-driven, path-thinking mindset from M01. In the lab you will explore the attack path analysis view.
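The chained-weakness idea in a toy form, as an added example (not code from the course and not how Defender for Cloud implements its graph). It assumes a constructed graph of seven resources with made-up names: an attack path is any simple path from an internet-exposed, vulnerable entry point to a storage account holding sensitive data, and the intermediate node shared by the most paths is the one whose remediation breaks the most chains.

```python
from collections import defaultdict

NODES = {  # constructed sample of a cloud security graph; names and findings are illustrative
    "vm-web":      {"internet_exposed": True,  "known_vulnerability": True},
    "vm-api":      {"internet_exposed": True,  "known_vulnerability": True},
    "vm-batch":    {"internet_exposed": False, "known_vulnerability": True},
    "id-web":      {},                        # managed identity
    "id-batch":    {},                        # managed identity
    "st-customer": {"sensitive_data": True},  # storage account holding sensitive data
    "st-logs":     {"sensitive_data": False},
}
EDGES = [  # (source, relationship, target)
    ("vm-web", "has identity", "id-web"),
    ("id-web", "can read", "st-logs"),
    ("vm-web", "can reach", "vm-batch"),      # same VNet, no NSG restriction
    ("vm-api", "can reach", "vm-batch"),
    ("vm-batch", "has identity", "id-batch"),
    ("id-batch", "can read", "st-customer"),
]

def attack_paths(nodes, edges):
    """All simple paths from an internet-exposed, vulnerable entry point to sensitive data."""
    adj = defaultdict(list)
    for src, _rel, dst in edges:
        adj[src].append(dst)
    entries = [n for n, a in nodes.items() if a.get("internet_exposed") and a.get("known_vulnerability")]
    found = []
    def walk(node, path):
        if nodes[node].get("sensitive_data"):
            found.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:  # do not revisit a node (cycle guard)
                walk(nxt, path + [nxt])
    for entry in entries:
        walk(entry, [entry])
    return found

def choke_points(paths):
    """Intermediate nodes ranked by how many paths cross them; fixing the top one breaks the most chains."""
    counts = defaultdict(int)
    for path in paths:
        for node in path[1:-1]:
            counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def paths_after_fixing(nodes, edges, node):
    """Remaining attack paths once a node's edges are removed (e.g. its identity loses the read role)."""
    return attack_paths(nodes, [e for e in edges if node not in (e[0], e[2])])
```

In the sample, both entry VMs reach the customer data through the same lateral hop and identity, so removing the read role from id-batch clears every path, whereas patching only vm-web still leaves one.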
5. Regulatory compliance dashboard
The regulatory compliance dashboard maps your environment against compliance standards and shows pass/fail per control:
- Built-in standards — e.g., CIS benchmarks, NIST, PCI DSS, and the Microsoft Cloud Security Benchmark (often applied by default).
- Custom initiatives — you can add your own standards (built on Azure Policy initiatives, M02).
- Failing controls — drill into a control to see which resources fail and how to remediate.
In the lab you will navigate the dashboard and identify a failing control. Compliance posture is powered by Azure Policy assessments — the M02 governance content underpins this view.
6. Module summary
- Defender for Cloud combines CSPM (posture — recommendations, Secure Score, attack paths; foundational/free) and CWPP (runtime threat alerts via paid plans).
- Secure Score aggregates recommendations grouped into controls; remediate all unhealthy resources in a control to earn its points; start with high-impact quick wins.
- Workload protection plans cover Servers (MDE-integrated), Containers, SQL, Storage (malware scan + anomaly), and Key Vault (unusual access).
- Attack path analysis uses the cloud security graph to surface chained, traversable risks.
- The regulatory compliance dashboard maps the environment to standards (CIS, NIST, PCI DSS) and is powered by Azure Policy.
Glossary (first-use acronyms in this module)
- CIS — Center for Internet Security (benchmarks).
- CSPM — Cloud Security Posture Management.
- CWPP — Cloud Workload Protection Platform.
- EDR — Endpoint Detection and Response.
- MFA — Multifactor Authentication.
- NIST — National Institute of Standards and Technology.
- NSG — Network Security Group.
- PCI DSS — Payment Card Industry Data Security Standard.
Sources
Citations recorded per CLAUDE.md. These are living documents; “as of June 2026” stamps indicate currency.
- Microsoft Learn — “What is Microsoft Defender for Cloud?” https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction
- Microsoft Learn — “Secure Score in Defender for Cloud.” https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls
- Microsoft Learn — “Cloud workload protection plans / overview of Defender plans.” https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction#cloud-workload-protections-cwp
- Microsoft Learn — “Identify and remediate attack paths.” https://learn.microsoft.com/azure/defender-for-cloud/how-to-manage-attack-path
- Microsoft Learn — “Regulatory compliance in Defender for Cloud.” https://learn.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard
- Microsoft Learn — “Microsoft cloud security benchmark.” https://learn.microsoft.com/security/benchmark/azure/
M08 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M08 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.