Microsoft Defender for Cloud — CNAPP for Azure + AWS + GCP

Published 04 Jun 2026  ·  By Pawan Sharma  ·  Cloud Security  ·  15 min read

Microsoft Defender for Cloud is the CNAPP that ships native to your Azure tenant — Cloud Security Posture Management, agentless + agent-based workload protection across servers, databases, containers, APIs, and the multi-cloud connector for AWS + GCP. For Microsoft-anchored Indian enterprises in 2026, it's increasingly replacing third-party CNAPP. This post is the operational map — what's free, what's paid, what to enable on day 30, and where Defender for Cloud meets DPDP + CERT-In compliance.

  • Multi-cloud: Azure + AWS + GCP. Multi-cloud connector — one CNAPP across all three clouds.
  • Free CSPM: Foundational tier. Secure-score + recommendations free with every Azure subscription.
  • Attack Paths: Defender CSPM. Asset-graph + identity + network synthesis. The killer feature.
  • Sentinel-native: SIEM integration. Recommendations + alerts flow to Sentinel free, no extra ingest cost.

The product stack in one table

| Plan | What it does | Pricing model |
| --- | --- | --- |
| Foundational CSPM | Secure score, security recommendations, regulatory compliance dashboard, security policies | Free (every Azure subscription) |
| Defender CSPM | Attack-path analysis, agentless scanning (VMs + containers), DevOps security, governance rules | ~₹490-680 / billable resource / month |
| Defender for Servers (P1/P2) | FIM, MDE integration, vulnerability assessment, OS-level threat detection | ~₹490 (P1) / ~₹1,330 (P2) per server per month |
| Defender for SQL | Vulnerability assessment + threat detection for Azure SQL, SQL on VM, AWS RDS | ~₹1,470 / SQL server / month |
| Defender for Storage | Malware scan, sensitive-data discovery, anomaly detection for Azure Storage | Per-storage-account + per-GB scanned |
| Defender for Containers | K8s security posture, agentless image scanning, runtime threat detection | ~₹0.78 / vCPU / hour |
| Defender for APIs | Discovery + runtime protection for APIs published via Azure API Management | ~₹0.07 / 100 calls (preview pricing) |
| Defender for Key Vault / Resource Manager / Cosmos DB | Per-resource threat detection | Various per-resource / per-operation tiers |

Source: Microsoft Defender for Cloud pricing, May 2026, Azure Central India. INR conversion at ₹98/USD where USD published. Always verify against the live Azure pricing page at quote time. Many of these plans meter on actual usage, so run a sizing assessment before commitment.

Attack Path Analysis — the killer feature

Defender CSPM premium feature

Why this single output justifies the CSPM upgrade

Attack Path Analysis synthesises the cloud asset graph + identity relationships + network exposure + secrets + vulnerabilities to surface exploitable attack chains end-to-end. Instead of "you have 14,000 secure-score findings" — it tells you "this internet-exposed Azure VM has SSH on 22, weak credentials, and an attached managed identity with Contributor on the Production resource group". Three findings, one priority.
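A minimal model of that correlation, added here as an illustration; it is not Microsoft's algorithm or code from this post. The resource names, the edge list and the `find_attack_paths` helper are all constructed for the example.

```python
from collections import deque

# Constructed sample inventory (not real tenant data). Each edge is one
# relationship that would otherwise show up as a separate finding.
EDGES = [
    ("internet", "vm-web-01", "NSG allows 22/tcp from any source"),
    ("vm-web-01", "mi-web", "managed identity attached to VM"),
    ("mi-web", "rg-production", "Contributor role assignment"),
    ("vm-batch-02", "mi-batch", "managed identity attached to VM"),
    ("mi-batch", "rg-production", "Contributor role assignment"),
    ("internet", "vm-dev-03", "NSG allows 22/tcp from any source"),
    ("vm-dev-03", "mi-dev", "managed identity attached to VM"),
    ("mi-dev", "rg-sandbox", "Reader role assignment"),
]
WEAK_CREDENTIALS = {"vm-web-01", "vm-batch-02"}  # host-level findings
CROWN_JEWELS = {"rg-production"}


def find_attack_paths(edges, weak_hosts, targets, entry="internet"):
    """Return each simple path from entry to a target as a list of findings."""
    graph = {}
    for src, dst, why in edges:
        graph.setdefault(src, []).append((dst, why))
    paths, queue = [], deque([(entry, [entry], [])])
    while queue:
        node, visited, findings = queue.popleft()
        for dst, why in graph.get(node, []):
            if dst in visited:
                continue  # keep paths simple (no cycles)
            step = [f"{node} -> {dst}: {why}"]
            if node == entry:
                # Assumption of this model: exposure alone is not a path;
                # the exposed host must also carry a usable weakness.
                if dst not in weak_hosts:
                    continue
                step.append(f"{dst}: weak credentials")
            if dst in targets:
                paths.append(findings + step)
            else:
                queue.append((dst, visited + [dst], findings + step))
    return paths


if __name__ == "__main__":
    paths = find_attack_paths(EDGES, WEAK_CREDENTIALS, CROWN_JEWELS)
    print(f"{len(EDGES) + len(WEAK_CREDENTIALS)} findings, {len(paths)} path(s)")
    for path in paths:
        print("\n".join(path))
```

Of the ten constructed findings only the vm-web-01 chain is returned: vm-batch-02 has the same weak credentials and role but no internet exposure, and vm-dev-03 is exposed but has no weakness and reaches only a sandbox.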

What we see in field engagements:

  • Average mid-market Azure tenant: 8-15 critical attack paths on first scan
  • Top 3 typically: weak NSG + identity sprawl, stale service-principal credentials, overprivileged AKS workload identities
  • 30-day remediation reduces attack-path count by 70-85% with focused IaC + identity tightening

The 30-day activation plan

1. Days 1-7 — Connect subscriptions + enable Foundational CSPM

All Azure subscriptions on board; AWS accounts + GCP projects via multi-cloud connector; secure-score baseline captured; regulatory compliance dashboard live with ISO 27001 + CIS + DPDP overlay.

2. Days 8-14 — Defender for Servers + SQL on production

P2 on internet-facing + crown-jewel workloads; P1 on the rest. Defender for SQL on every production database server. Vulnerability assessment running.

3. Days 15-21 — Defender CSPM premium for attack paths

Agentless scanning lights up; first attack-path analysis run. Triage top 10 critical paths with IaC + identity remediation.

4. Days 22-30 — Sentinel + XDR integration + playbooks

Sentinel data connector enabled (recommendations + alerts free). Logic Apps playbook for top-3 high-confidence detections (e.g., suspicious sign-in from foreign country to admin role). DPDP / RBI compliance dashboard tracking begins.

DPDP + RBI + CERT-In angle

| Indian regulation | Defender for Cloud control |
| --- | --- |
| DPDP Sec 8(5) — reasonable safeguards | Secure-score baseline + regulatory dashboard + monthly delta tracking |
| CERT-In Direction 20(3)/2022 — incident reporting in 6 hours | Defender alerts → Sentinel → Logic Apps playbook → CERT-In notification template (Ogma builds this) |
| RBI Cyber Security Framework — VA + PT cadence | Vulnerability assessment continuous; quarterly attack-path remediation report |
| SEBI CSCRF — quarterly assurance attestation | Compliance Manager + Purview overlay; auditable trail across controls |
| IRDAI Information & Cyber Security guidelines | Defender for Servers + SQL + Storage on PII workloads; Insider Risk (Purview) for handling |

When third-party CNAPP still wins

Heavy AWS / GCP estate

If Azure is <30% of cloud spend and AWS / GCP are first-class, third-party CNAPP's depth on the non-Azure side may matter more.

Container runtime detection nuance

Wiz / Sysdig / Aqua have deeper eBPF-based runtime detection if K8s is the centre of gravity.

Niche compliance template breadth

Industry-specific compliance frameworks (HIPAA, FedRAMP, specific country regulators) — third-party CNAPP often ships more pre-built templates.

FAQ

Is Defender for Cloud just CSPM, or does it cover workloads too?
Both. The free Foundational CSPM tier ships with every Azure subscription and surfaces secure-score recommendations. Defender CSPM (paid) adds attack-path analysis + agentless scanning. Defender for Servers / SQL / Storage / Containers / APIs / Key Vault / Resource Manager / Cosmos DB are individually licensed workload protection plans, each priced roughly per resource, per hour or per GB.
Does Defender for Cloud work on AWS + GCP, not just Azure?
Yes. Multi-cloud is first-class — connect AWS accounts + GCP projects via the multi-cloud connector. CSPM coverage spans AWS Config + GCP Security Command Center signals; workload protection extends Defender for Servers + Containers to EC2/EKS + GCE/GKE.
How does Defender for Cloud relate to Microsoft Sentinel?
Defender for Cloud generates security recommendations + alerts in the cloud-resource layer; Sentinel is the SIEM that ingests those alerts + correlates them with identity + endpoint + email signals. Native connector — recommendations + alerts flow to Sentinel out of the box at no extra ingestion cost beyond your Sentinel commit-tier.
What's the most useful single feature?
Attack Path Analysis (paid Defender CSPM tier). Synthesises asset graph + identity + network + secrets to show exploitable attack chains from internet-exposed entry points to crown-jewel resources. Single most actionable output we deliver in Defender for Cloud engagements.
How much does Defender CSPM cost?
~₹490-680 per Azure resource per month (published USD rate converted at ₹98/USD). For multi-cloud, comparable per AWS / GCP resource counts. Foundational CSPM (free tier) handles most basic posture management; pay for the premium tier when you need attack paths + agentless scanning + DevOps integration.
Does Defender for Cloud replace third-party CNAPP (Wiz / Lacework / Orca)?
For Microsoft-anchored estates with substantial Azure workload, increasingly yes. Defender CSPM's attack-path analysis + agentless scanning + Defender XDR integration close the gap that motivated CNAPP adoption in 2021-2023. Third-party CNAPP wins on cross-cloud depth + container-runtime detection nuance + specific compliance-template breadth. For 70%+ Azure-anchored Indian enterprises, Defender for Cloud is the right answer in 2026.
DPDP + CERT-In angle — what does Defender for Cloud deliver?
Compliance dashboard with built-in standards: ISO 27001, PCI DSS, NIST SP 800-53, SOC 2, CIS benchmarks. India-specific overlays via Compliance Manager (Purview) — DPDP, RBI Cyber Security Framework, SEBI CSCRF mappings. Defender CSPM produces the gap-list + Sentinel detects the events when controls slip.
What's the 30-day Defender for Cloud activation plan?
Week 1: connect Azure subscriptions + AWS / GCP via multi-cloud connector; enable Foundational CSPM. Week 2: enable Defender for Servers + Defender for SQL on production; baseline secure-score. Week 3: enable Defender CSPM (paid) for attack-path analysis on internet-facing assets. Week 4: integrate to Sentinel + Defender XDR; build playbooks for high-confidence detections. Ogma's CNAPP enablement service runs this end-to-end.

Free Defender for Cloud attack-path scan

Activate Defender CSPM in your tenant, return your top-10 attack paths in 7 working days

Ogma runs the multi-cloud connector + Defender CSPM agentless scan against your subscription, returns prioritised attack-path remediation plan, and converts to a Sentinel + Defender XDR-integrated 30-day rollout if you choose to proceed.
