Microsoft Security Copilot

Overview

Microsoft Security Copilot is Microsoft's flagship generative AI product for cybersecurity, built on top of OpenAI's GPT-4 model and fed by Microsoft's own threat intelligence graph. It sits inside the Microsoft security stack — Defender XDR, Sentinel, Intune, Entra ID, Purview — and gives analysts a natural language interface to query telemetry, summarize incidents, reverse-engineer scripts, and draft response actions. The pitch is straightforward: your analysts spend too much time on repetitive cognitive work, and Copilot can absorb some of that load.

Microsoft announced Security Copilot in March 2023 and moved it to general availability in April 2024 with a consumption-based pricing model built around Security Compute Units (SCUs). It isn't a standalone product — it's an embedded experience that surfaces inside the tools you're already using, which is both its biggest strength and its most obvious limitation. If you're running a Microsoft-heavy environment, Copilot has access to a staggering amount of context. If you're not, it's looking through a keyhole.

The product targets Tier 1 and Tier 2 SOC analysts primarily, but Microsoft has been expanding the use cases toward identity teams, compliance analysts, and even IT admins who need to troubleshoot Intune policy conflicts. It's ambitious in scope, and that ambition creates some unevenness in quality across the different modules.

How It Works

Under the hood, Security Copilot uses a combination of GPT-4 and Microsoft's own security-specific models that have been fine-tuned on their threat intelligence corpus. When you ask a question in natural language, the system translates it into the appropriate query language — KQL for Sentinel and Defender, Graph API calls for Entra, and so on — executes it against your tenant data, and returns results with an AI-generated summary. The whole loop typically takes 5 to 30 seconds depending on query complexity and data volume.

Integration is done at the tenant level through Azure. You provision SCUs, connect your Microsoft 365 and Azure subscriptions, and Copilot automatically ingests data from whatever Microsoft security products you have licensed. There's also a plugin architecture that allows third-party integrations, though in practice the third-party plugin ecosystem is thin. A handful of vendors — ServiceNow, Tanium, a few others — have published plugins, but the experience is noticeably worse than the native Microsoft integrations.

The data residency picture is worth understanding. Copilot processes data within your Azure region, and Microsoft claims no customer data is used to train the underlying models. Your prompts and responses are stored for up to 90 days for the session history feature, which some compliance teams have flagged as a concern. The audit log integration is decent — every Copilot interaction gets logged and is searchable, which matters for regulated industries.

One technical detail that doesn't get enough attention: Copilot operates in "sessions" that maintain context within a conversation but don't carry state between sessions. This means if you investigated an incident on Monday and want to pick up Tuesday, you're starting from scratch unless you saved the session. It's a workflow friction point that adds up over time, especially for complex investigations that span multiple days.

What We Liked

The natural language to KQL translation is the feature that earns its keep. We threw a range of queries at it, from simple ("show me failed logins for user jsmith in the last 24 hours") to moderately complex ("find all processes launched by users who authenticated from TOR exit nodes this week"), and the hit rate on producing correct, runnable KQL was around 80%. That's not perfect, but for junior analysts who'd otherwise spend 20 minutes wrestling with KQL syntax, it's a real time saver. The generated queries often taught us syntax tricks we didn't know, which is a nice side effect.

Incident summarization is the other standout. When you're staring at a Sentinel incident with 47 correlated alerts across three entities, getting a plain-English summary that identifies the likely kill chain stage and affected assets in 15 seconds is valuable. We tested it on a simulated BEC attack chain and the summary correctly identified the initial phish, the token theft, the mailbox rule creation, and the lateral movement — all in a format you could paste into a Slack channel for the incident commander. During a real incident at 2 AM, that matters more than any benchmark.

The script analysis capability surprised us. We fed it obfuscated PowerShell — the kind of base64-encoded, variable-substitution-heavy mess that attackers actually use — and Copilot deobfuscated it correctly, identified the C2 callback, extracted the IP address, and cross-referenced it against Microsoft's threat intel. The whole process took maybe 20 seconds. Doing that manually would've been a 15-minute task for a mid-level analyst, and a junior analyst might not have gotten there at all.

The Entra ID integration also deserves a mention. Asking Copilot "is this user risky?" and getting back a synthesized view of their sign-in anomalies, device compliance status, group memberships, and recent privilege changes — all in one response — replaces a workflow that used to involve clicking through four different admin portals. It's the kind of quality-of-life improvement that doesn't make for exciting demos but saves real time.

What Fell Short

The accuracy on complex queries is a problem. That 80% hit rate on KQL generation sounds fine until you consider what happens with the other 20%. Copilot doesn't fail loudly — it produces queries that look correct, execute without errors, but return wrong results. A query that should've filtered to a specific time window silently drops the time constraint. A join that should've been an inner join becomes a left join, inflating the result set. If your analysts don't know KQL well enough to spot these errors, they're worse off than if they'd written the query themselves, because they trust the AI output. This is the core tension with all AI-assisted analysis tools, and Microsoft hasn't solved it.

The consumption-based pricing creates genuine anxiety. SCUs are consumed every time Copilot processes a request, and complex queries burn through more units. During a real incident investigation where analysts are asking rapid-fire questions, you can chew through a surprising amount of capacity. We saw one simulated incident response session consume what would've been roughly $200 in SCUs over two hours. Multiply that by a busy SOC handling multiple incidents per day, and the monthly bill becomes hard to predict. Some organizations have told us they've started rationing Copilot usage, which completely defeats the purpose.

The third-party integration story is weak. Microsoft talks about the plugin ecosystem like it's a thriving marketplace, but in reality most organizations run a mixed security stack, and Copilot is essentially blind to anything that isn't a Microsoft product or one of the handful of supported plugins. If your SIEM is Splunk, your EDR is CrowdStrike, and your identity platform is Okta, Security Copilot can't see any of that data. You end up with an AI that has partial visibility, which can be actively misleading — it will make confident statements based on incomplete information.

Pricing and Value

Microsoft prices Security Copilot on a consumption basis using Security Compute Units. You provision a minimum of one SCU at roughly $4/hour ($2,920/month), and Microsoft recommends at least three SCUs for a typical SOC. That puts the floor around $8,760/month before you've processed a single query. In practice, most organizations we've spoken with are running 3-5 SCUs and spending $10,000-$20,000/month. That's a significant budget line item, and because consumption varies with usage intensity, it's difficult to forecast accurately. There are no per-user seats or flat-rate options — it's strictly consumption-based, which punishes you during your busiest (and most important) periods.

Compared to alternatives like CrowdStrike Charlotte AI (which is a flat add-on to your Falcon license) or SentinelOne Purple AI (included in certain SKUs), the pricing model feels adversarial. You're essentially being metered on how much you use a security tool during security incidents, which is exactly when you need it most. The value is real for Microsoft-centric organizations, but you need to go in with a clear budget cap and usage monitoring, or the bills will surprise you.

Who Should Use This

Security Copilot makes the most sense for organizations that are already deep in the Microsoft security ecosystem — running Defender XDR as their primary EDR, Sentinel as their SIEM, and Entra ID for identity. If you're in that camp and your SOC has a mix of junior and senior analysts, the productivity gains are real and measurable. Mid-size enterprises (500-5,000 employees) with a 5-15 person security team seem to get the best ROI, because they're big enough to have real triage volume but not so big that they've already built custom tooling to solve the same problems.

If your security stack is multi-vendor, skip this. You'll spend $10K+/month for an AI that can only see half your environment, and the partial visibility problem will create more confusion than clarity. Similarly, if you're a small team (under 5 people) running lean, the consumption costs don't pencil out — you're better off investing in training your analysts on KQL directly.

The Bottom Line

Security Copilot is a genuinely impressive technical achievement that's hamstrung by its own pricing model and platform dependencies. When it works — and in a Microsoft-heavy environment, it often does — it measurably accelerates analyst workflows in ways that compound over hundreds of incidents per year. The KQL generation alone would justify the cost for some teams. But the consumption-based pricing feels like it was designed by Azure's billing team rather than by anyone who's ever worked in a SOC, and the walled-garden limitation means a huge swath of potential customers simply can't extract enough value. We came away thinking this will be a very good product in 18 months, once the plugin ecosystem matures and Microsoft gets more aggressive on pricing. Right now, it's a strong buy only if your stack is already purple.