Microsoft Copilot for Security — the 90-day rollout playbook

By Pawan Sharma  ·  Published 05 Jun 2026  ·  AI & Security  ·  14 min read

Microsoft Copilot for Security is GA, priced by Security Compute Unit (SCU), and increasingly the default GenAI layer in Microsoft-anchored SOCs. The pilots that fail don't fail on the model — they fail on the rollout shape. This post is the 90-day plan we run with Indian SOC teams: what to provision, which plugins to enable when, what prompt patterns earn the SCU budget, and what ROI looks like at day 90.

  - ~₹390 / hr per provisioned SCU: ~$4/hr converted. Hourly scale up/down. Mid-market SOC: 3-5 SCUs typical.
  - 25-40% Tier-1 time saved: field observation, Indian SOCs. Microsoft published benchmarks: 30-50%.
  - 90 days to operational ROI: provisioning + plugin integration + Promptbooks + measurement.
  - Sentinel-native plugin depth: Defender XDR + Entra + Intune + Purview + Defender for Cloud built-in.

Three workflows where Copilot for Security earns its keep

Incident triage narrative

Selects a Sentinel incident, pulls correlated Defender XDR signals + Entra sign-ins + endpoint context. Returns full kill-chain narrative in seconds. What used to take a Tier-2 analyst 20-40 minutes now drafts in 30 seconds.

KQL co-author

Natural-language hunting prompt → working KQL. "Find every Entra sign-in from a country we don't operate in, where MFA challenge was bypassed, in the last 14 days." Returns valid KQL ready to run.
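As an added illustration (not query text captured from Copilot for Security, and not part of the original post), this is the shape of KQL an analyst should expect back from the prompt above, run against the Sentinel `SigninLogs` table. Two interpretations are assumptions made here: the "countries we operate in" allow-list is a constructed placeholder, and "MFA challenge was bypassed" is read as a successful sign-in that completed with single-factor authentication. Reviewing the generated query against those two choices before running it is the step the co-author cannot do for you.

```kql
// Added example of the KQL the co-author prompt above is expected to produce.
// Assumption: the allow-list below is a constructed placeholder, replace with your own.
let operating_countries = dynamic(["IN", "SG", "AE"]);
SigninLogs
| where TimeGenerated > ago(14d)
// successful sign-ins only; ResultType is a string column in SigninLogs
| where ResultType == "0"
// Location holds the ISO country code of the sign-in
| where isnotempty(Location) and Location !in (operating_countries)
// assumption: "MFA bypassed" == the session was granted on a single factor
| where AuthenticationRequirement == "singleFactorAuthentication"
| project TimeGenerated, UserPrincipalName, Location, IPAddress,
          AppDisplayName, ClientAppUsed, ConditionalAccessStatus
| order by TimeGenerated desc
```

The `ConditionalAccessStatus` column is projected deliberately: a value of `notApplied` on these rows points at a policy-coverage gap (no MFA policy matched the sign-in) rather than at an attacker defeating MFA, and that distinction decides whether the finding goes to the identity team or to incident response.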

Post-incident report drafting

End-of-incident button — Copilot drafts a compliance-ready post-incident report (executive summary, technical detail, MITRE mapping, remediation actions, lessons learned). Tier-1 reviews + ships in 10 minutes vs hours.

The 90-day rollout

  1. Days 1-30 — Foundation

Provision 1-2 SCUs in Central India. Enable Sentinel + Defender XDR + Entra ID + Intune plugins. Build Promptbook library covering top-10 daily Tier-1 workflows. Pilot with 3 senior analysts; collect prompt patterns that work.

  2. Days 31-60 — Expansion

Extend plugins: ServiceNow / Jira ticket population, Defender for Cloud attack-path summarisation, Purview compliance status. Expand seat access to full Tier-1 + Tier-2 teams. Begin SCU usage measurement vs ticket-closure throughput.

  3. Days 61-90 — Optimisation + ROI baseline

Automate post-incident report generation. SCU-rightsizing — most teams over-provision early and can step down 20-30% after measurement. Baseline ROI: Tier-1 tickets per analyst per shift, mean-time-to-resolution, post-incident report turnaround.

SCU sizing — the actual math

| SOC profile | Provisioned SCUs (typical peak) | Monthly INR @ ₹390/SCU/hr (12 hr peak × 22 days) |
|---|---|---|
| Lean mid-market (5-10 analysts) | 2-3 SCUs | ~₹2.0-3.1 lakh |
| Mid-market growth (15-25 analysts) | 4-6 SCUs | ~₹4.1-6.2 lakh |
| Large enterprise (40+ analysts, 24x7) | 10-15 SCUs (round-the-clock) | ~₹28-42 lakh |

Source: Microsoft Copilot for Security pricing, May 2026. ~$4/hr per provisioned SCU; INR @ ₹98/USD. SCUs scale up/down by the hour — actual bills depend on usage pattern; figures above assume 12-hour peak window × 22 working days. 24x7 ops obviously higher.

The pilot patterns we see fail

Avoid these three mistakes

What separates the Copilot for Security pilots that deliver ROI from those that don't

  1. "Turn it on for analysts and see what happens" — no Promptbook library, no plugin integration baseline. Analysts try it twice, get inconsistent results, give up. Spend continues but value doesn't.
  2. Provision peak capacity from day 1 — 10 SCUs on day 1 of a pilot with 3 analysts. Burns ~₹15+ lakh/month before any measurement. Start with 1-2 SCUs; scale on actual demand.
  3. Skip the post-incident report automation — this is the workflow where Copilot's ROI is most visible to leadership. Compliance + report cadence improvements show up in audit cycles and justify the SCU spend.

ROI baseline — what to measure

Tickets closed per analyst per shift

Baseline week 0 vs week 13. Expect 25-50% lift on Tier-1 routine alerts.

Mean time to resolution

Especially on multi-signal incidents — Copilot narrative cuts MTTR by 30-40% in published cases.

Post-incident report turnaround

Hours not days. Compliance evidence quality + cadence improves visibly.

Hunting hypothesis throughput

KQL co-author unlocks analysts who couldn't write KQL fluently — broader hunt coverage.

FAQ

How is Copilot for Security priced?

Per Security Compute Unit (SCU) per hour. One provisioned SCU = ~₹390/hr (~$4/hr). Minimum 1 SCU per workspace; provisioned capacity scales up/down by the hour. A typical mid-market SOC: 3-5 SCUs during peak hours, ~₹2-4 lakh/month.

What does Copilot for Security actually do day-to-day?

Three workflows where it earns its keep: (1) incident triage — pulls full kill-chain narrative from Sentinel + Defender XDR signals in seconds; (2) KQL query generation from natural language; (3) post-incident report drafting. Tier-1 analyst time-savings of 30-50% in published Microsoft benchmarks; in our field engagements 25-40% is realistic.

Does it work with Sentinel data only, or other SIEMs too?

Native plugins: Sentinel, Defender XDR, Entra ID, Intune, Defender for Cloud, Purview. Third-party: ServiceNow, Jira, Splunk (via search plugins), AbuseIPDB. Custom plugins via OpenAPI spec. For non-Microsoft SIEMs you give up most of the value — it's designed around the Microsoft signal graph.

Privacy + data residency?

Customer data stays in your tenant; Copilot doesn't train on it. Compute runs in selected Azure regions — for Indian tenants typically Central India + Southeast Asia depending on availability. Same data-residency story as Sentinel.

Is it actually production-ready for Indian SOCs?

Yes — but the rollout matters. Provisioning SCUs without operationalising the plugin set + analyst-prompt patterns burns budget for limited return. Most failed Copilot for Security pilots we audit went straight to 'turn it on for analysts' without the 30-60-90 ramp.

What's the right 90-day rollout shape?

Days 1-30: provision + Sentinel + Defender XDR plugin baseline + Promptbook library; pilot with 3 senior analysts. Days 31-60: extend to ServiceNow / Jira integration, ticket-auto-population playbooks; expand to full Tier-1 team. Days 61-90: post-incident report automation; SCU-rightsizing based on actual hourly use; ROI baseline against Tier-1 time.

How does it compare to building a custom Sentinel + OpenAI pipeline?

Copilot for Security ships ~9 months of engineering for free — Sentinel-native plugins, KQL co-author, incident-narrative templates, audit trail compliant with Microsoft Trust Center. Custom Sentinel + Azure OpenAI route works if you want full control + lower per-prompt cost at very high volumes, but loses the plugin ecosystem + native UI.

Can it replace Tier-1 SOC analysts?

No. It augments them — same way GitHub Copilot augments developers without replacing them. Realistic outcome: Tier-1 closes 30-50% more tickets per shift, escalates with richer context, writes better post-incident reports. The headcount math is 'do more with same' rather than 'do same with less'.

90-day Copilot for Security pilot — fully managed

SCU provisioning, plugin baseline, Promptbook library, ROI measurement

Ogma runs the 90-day rollout end-to-end — provisioning + Sentinel + Defender XDR plugin integration + Promptbook library tailored to your top-10 daily workflows + monthly SCU rightsizing + ROI baseline against Tier-1 throughput. Fixed scope, INR + GST quote.
