Defender for Cloud – 1-year Pre Purchase Plan: Up to 22% savings
Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM), DevOps security management, and cloud workload protections (CWPP) across multi-cloud and hybrid environments.
I consider Defender for Cloud an indispensable part of the Microsoft security stack, whose pillars include Microsoft Defender XDR, Entra ID Premium, Microsoft Sentinel, Security Copilot, Defender for IoT, and Defender External Attack Surface Management (EASM).
Bundling and Discount opportunities in the Microsoft Security stack
Microsoft smartly takes advantage of the breadth of its security offerings to include opportunities for customers to save money via bundling, pre-commitment, and pre-purchase vehicles.
Three discount opportunities have been around for a few years:
- Microsoft Sentinel commitment tiers: Offer predictable costs and savings over Pay-As-You-Go rates by allowing customers to reserve daily data ingestion capacity for the analytics tier from 100 GB/day to 50,000 GB/day. They can be upgraded at any time and downgraded after 31 days. Usage exceeding the commitment tier will be billed at the same discounted rate.
See the chart at Figure 1 with savings up to 50% or more. Microsoft Sentinel commitment tiers have no corresponding discount in Defender for Cloud due to the variable nature of Microsoft Sentinel ingestion charges.
- Microsoft Defender for Server P2 (DfS P2) benefit: 500-MB per VM per day free data benefit for server logs (in specific security-related tables) ingested to Microsoft Sentinel for each server enrolled in Defender for Servers Plan 2. In practicality, since only certain data is subject to the credit, the net discount most customers experience averages about 210-MB per server per day.
- Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers: There is a data grant of up to 5MB per user per day to ingest Microsoft 365 data for specific security data tables.
Figure 1 – Microsoft Sentinel Commitment Tiers incent high-volume customers with up to 50% savings or more.
Two additional discounts are more recently available (Summer 2024 timeframe), these are pre-purchase plans for Microsoft Sentinel and Microsoft Defender for Cloud. See the chart at Figure 2 with savings up to 25% for Microsoft Sentinel and up to 22% for Defender for Cloud.
- Microsoft Sentinel pre-purchase plan: Save on your Microsoft Sentinel analytics tier costs when you buy a pre-purchase plan. Pre-purchase plans are commit units (CUs) bought at discounted tiers in your purchasing currency for a specific product. The more you buy, the greater the discount. Purchased CUs pay down qualifying costs in US dollars (USD). So, if Microsoft Sentinel generates a retail cost of $100, then 100 Microsoft Sentinel CUs (SCUs) are consumed.
- Microsoft Defender for Cloud pre-purchase plan: You can save on your Microsoft Defender for Cloud costs when you prepurchase Microsoft Defender for Cloud commit units (DCU) for one year. A Defender for Cloud prepurchase applies to all Defender for Cloud plans. You can think of the prepurchase as a pool of prepaid Defender for Cloud commit units. Usage is deducted from the pool, regardless of the workload.
Figure 2 – Microsoft Sentinel and Microsoft Defender for Cloud Pre-purchase tiers.
Pre-purchase plan discounts
Unlike the Microsoft Sentinel commitment tiers–which are based on the quantity of ingested data measured in GB per day–the Microsoft Sentinel and Microsoft Defender for Cloud pre-purchase plan discounts are based solely on the dollars (or native currency) expected to be billed in the coming year.
How commit units work
Pre-purchase plans are commit units (CUs) bought at discounted tiers in your purchasing currency for a specific product. The more you buy, the greater the discount. Purchased CUs pay down qualifying costs in US dollars (USD). So, if Microsoft Sentinel generates a retail cost of $100, then 100 Microsoft Sentinel CUs (SCUs) are consumed. Likewise, if Microsoft Defender for Cloud bills a retail cost of $100, then 100 Microsoft Defender for Cloud CUs (DCUs) are consumed.
Your pre-purchase plans automatically use your CUs to pay for eligible costs during their one-year terms or until the CUs run out. Your pre-purchase plan SCUs start paying for your Microsoft Sentinel workspace costs and your pre-purchase plan DCUs start paying for your Defender for Cloud plan costs without having to redeploy or reassign the plans. By default, plans are configured to renew at the end of their one-year terms.
Finding and taking advantage of the pre-purchase plan discounts
The Microsoft Sentinel commitment tier discount and pre-purchase plan have been very popular, with many SIEM customers using this option to save money. Perhaps due to the high and variable cost of SIEM ingestion, Microsoft Sentinel customers are acutely aware of their SIEM costs and have been more likely to take advantage of all available discounts.
Further, an interesting dynamic involving the visibility of pre-purchase plans is that for the last year, the pre-purchase plan for Microsoft Sentinel was found on the main Microsoft Sentinel pricing page in a section titled “Microsoft Sentinel 1 year Pre-Purchase Plan (P3)”. This elevated the visibility of the pre-purchase plan to Microsoft Sentinel customers.
Strangely, in recent months the Microsoft Sentinel pricing page underwent a major revision and the “Pre-Purchase Plan (P3)” section was removed. In contrast, the Microsoft Defender for Cloud pricing page continues to include a “Defender for Cloud – 1-year Pre Purchase Plan” section. Yet, Defender for Cloud customer utilization of pre-purchase plans has lagged behind that of Microsoft Sentinel customers—perhaps due to higher attention paid to Sentinel costs due to their variable nature.
Purchasing pre-purchase plans
For both Microsoft Sentinel and Microsoft Defender for Cloud, pre-purchase plans are actually purchased from the “Reservations” page in the Azure portal. From the Reservations page, click on the Add button to purchase reservations as seen in Figure 3.
Important note: Since only billing account admins can see the Reservations page in the Azure portal, security customers may have a hard time finding these discounts.
Figure 3 – Purchasing pre-purchase plans for security products in the Azure portal can only be done by Billing Account Admins.
Deciding which pre-purchase plan is right for you
The first thing is to determine if you could benefit from the Defender for Cloud Pre-purchase plan at all. From the Defender for Cloud pre-purchase plan chart in Figure 2, we observe the lowest tier’s break-even point is $4,500. So, if you are spending more than $4,500 per year on Defender for Cloud ($375 per month) in protection charges, you are a candidate to save money by investing in a pre-purchase plan.
Should you ‘pull the trigger’ on your first purchase as soon as your monthly charges exceed $375? Probably not, because there is the potential to lose money in the deal if you don’t reach your expected spend on Defender for Cloud during the year the pre-purchase plan is active. Read FinOps expert Keith Knowles’ article A Finance Take on Defender for Cloud Commit Units: Do the Math for a deep dive into when and how to best utilize the Defender for Cloud pre-purchase plan.
Determine how much you are spending per month on Defender for Cloud
The Defender for Cloud -> Management -> Environment settings -> Defender Plans page is where you turn on some or all Defender for Cloud protection plans, both CSPM and CWPP plan types. The same page also give you some idea of the monthly cost of protection given the quantities of protectable assets in your Azure subscription.
Figure 4 is a screenshot of a representative Defender for Cloud customer’s subscription that has turned on all the applicable plans for their environment. This customer has these protectible resources:
- 73 resources protected by Defender for Cloud CSPM ($5 / resource / month)
- 44 servers protected by Defender for Server Plan 2 ($15 / server / month)
- 8 SQL databases ($15 / instance / month)
- 31 Storage accounts ($0.02/10K transactions=classic price, $10/Storage account/month=new price)
- 11 Key Vaults ($0.25 / vault / month)
- 1 Azure Resource Manager (ARM) ($5 / subscription / month)
Figure 4 – Defender for Cloud Environment settings page: where individual plans are turned on or off.
You should not base your decision on which pre-purchase plan (if any) is right for you based only on what you can see on the Environment settings -> Defender Plans page. The definitive record of what Defender for Cloud is costing you per month will be found in an Azure service billing invoice for the preceding month.
Figure 5 is a composite screenshot of just the Defender for Cloud costs for a given month (Subscription -> Billing -> Invoices -> <previous month> Azure services). Adding up the Defender for Cloud costs and multiplying by twelve (12) will give you your estimated annual cost at the current consumption rate.
Figure 5 – Extracting the Defender for Cloud cost line items from a monthly Azure services invoice.
Calculating the right pre-purchase plan(s)
Once you learn what your expected charges might be for the next year at current capacity and utilization, you can apply some awareness of your company’s expected operations in the next year.
- The total exceeds $4,500 by a large amount (the minimum break-even), so some use of the Defender for Cloud pre-purchase plan will save you money.
- Looking at the quantities and types of protected resources, are those expected to remain essentially static for the next year, or will there be reductions or additions expected during that time?
- How close is your annual estimate to the next higher level of pre-purchase? The closer to the next higher threshold, the most risk there is un under-consuming during the coming year and getting upside down on the costs.
Taking the costs seen in Figure 5, I recommend you create a little worksheet like that illustrated in Figure 6 to verify what approach is best for you.
Figure 6 – Worksheet to figure out which Defender for Cloud pre-purchase plan(s) to buy.
- The leftmost part of the worksheet is where you start: If you didn’t use any pre-purchase plan at all.
- The central section of the worksheet creates an estimate using as many pre-purchase plans as needed to fully cover and exceed all expected costs with pre-purchase plans. This solution will always be over your expected spend—the point of the exercise is to determine by how much.
- The rightmost part of the worksheet creates an estimate using as many pre-purchase plans as needed, excepting the smallest tier plan. This creates a ‘cushion’ of Pay-as-you-go (PAYG) funds in addition to the pre-purchase credits.
The worksheet in Figure 6 shows us that the net savings (8%)–using one $10K pre-purchase plan with the remainder $4K PAYG costs–is better than the net savings (5%) to be expected buying a $10K and a $5K pre-purchase plan and sacrificing $998 in unconsumed Defender for Cloud pre-purchase credits.
There is no one right answer here. Each environment needs a unique analysis performed, in awareness of company expectations for shrinkage or growth, and of the organization’s appetite for risk.
Bottom line: If you are a Defender for Cloud customer with annual Defender for Cloud billing that exceeds $4,500, and you don’t expect to radically reduce your Azure resource counts in the next year, include Defender for Cloud Pre-purchase units in your Azure budgeting.
————————————————————————————————————-
#MVPBuzz #DefenderforCloud #FinOps #Azure #MicrosoftSentinel #DefenderXDR #SIEM