Endpoint Security Licensing — Independent Analysis

Microsoft Defender for Endpoint Licensing: P1 vs P2

What Each Plan Covers, Where the Capability Gap Sits, and Why Most Organisations End Up on E5 Anyway

Defender for Endpoint Plan 1 prevents threats. Plan 2 prevents threats and hunts them after they evade prevention. The licensing question is whether the $13/user/month gap between P1 and P2 is justified by capabilities your security team will actually operationalise — or whether you are paying for a SOC you do not have.

Updated February 2026 · 18 min read · Fredrik Filipsson

Part of the Microsoft Advisory resource library. For M365 cost analysis, see M365 Licensing Cost 2026. For Copilot prerequisites including security layers, see Copilot Licence Requirements. For the full FAQ, see Microsoft Licensing FAQ: 50 Questions.
Key figures:

$0: P1 incremental cost (included in M365 E3)
$5.20: P2 standalone add-on per user/month
$0–$57: Effective cost range depending on M365 plan
P2 = E5: P2 included in M365 E5 / E5 Security

The Fundamental Distinction: Prevention vs Detection & Response

Microsoft Defender for Endpoint is Microsoft’s enterprise endpoint protection platform (EPP) and endpoint detection and response (EDR) product. Microsoft splits it into two plans that map to fundamentally different security philosophies and operational requirements.

Plan 1 (P1) is an endpoint protection platform. It prevents threats from executing on endpoints through next-generation antimalware, attack surface reduction rules, device-based conditional access, and web content filtering. P1 answers the question: “Can we stop known and unknown threats before they execute?” It is a preventive technology that operates without requiring a security operations team to monitor alerts and investigate incidents.

Plan 2 (P2) is everything in P1 plus a full endpoint detection and response (EDR) platform. P2 adds the ability to detect threats that evade prevention, investigate them across the kill chain, hunt proactively for indicators of compromise, and automate remediation. P2 answers a different question: “When prevention fails, can we find, understand, and eradicate the threat?” It is a detective and response technology that assumes an active security operations capability.

“The P1/P2 decision is not about which plan has more features. It is about whether your organisation has the security operations maturity to consume P2’s detection and response capabilities. An organisation that deploys P2 without a SOC — internal or managed — pays the P2 premium for P1-level outcomes because the EDR alerts go unmonitored, the hunting capabilities go unused, and automated investigation gathers evidence nobody reviews.”

Licensing and Bundling

Understanding where P1 and P2 are included, where they cost extra, and how they interact with the M365 licensing stack is essential for making the right commercial decision.

Where P1 Is Included

Defender for Endpoint P1 is included at no additional cost in Microsoft 365 E3, Microsoft 365 A3 (education), and Microsoft 365 Business Premium. It is also available as a standalone add-on to M365 E3 (see the M365 Add-On Licensing Guide) for organisations that want P1 on specific plans. P1 replaced the older Microsoft Defender Antivirus + Intune-managed endpoint security that was previously the E3 security story. The inclusion of P1 in E3 was Microsoft’s response to competitive pressure from CrowdStrike, SentinelOne, and other next-gen endpoint vendors: E3 now includes a credible EPP layer without additional spend.

Where P2 Is Included

Defender for Endpoint P2 is included in Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 A5 (education), and Microsoft Defender for Endpoint P2 standalone. The most common path to P2 is through M365 E5, which bundles P2 with every other advanced security, compliance, and analytics product Microsoft offers.

Pricing Summary

Acquisition Path | P1 Included | P2 Included | List Price/User/Month
Microsoft 365 E3 | Yes | No | $36.00
Microsoft 365 Business Premium | Yes | No | $22.00
Microsoft 365 E5 | Yes | Yes | $57.00
Microsoft 365 E5 Security (add-on to E3) | Yes | Yes | $12.00
Defender for Endpoint P1 standalone | Yes | No | $3.00
Defender for Endpoint P2 standalone | Yes | Yes | $5.20
Defender for Endpoint P2 (add-on to E3) | Yes | Yes | $5.20

(P2 includes every P1 capability, so each P2 path also delivers P1.)

The E5 Security Add-On vs Full E5 Calculation

For organisations on M365 E3 that want P2, two paths exist: E3 + E5 Security add-on ($36 + $12 = $48/user/month) or full E5 ($57/user/month). The $9 difference buys Power BI Pro, Phone System, and additional compliance and analytics features included in E5 but not in E5 Security. For organisations that need Power BI or Teams Phone alongside security, full E5 at $57 delivers substantially more value than E3 + E5 Security at $48. See M365 Licensing Cost 2026 for the complete E3-to-E5 value analysis.

Capability Comparison: P1 vs P2

The full feature comparison reveals that P1 and P2 are not two tiers of the same product — they are two fundamentally different products sharing a common agent. P1 is an endpoint protection platform. P2 is an endpoint protection platform plus a security operations platform.

Capability | Plan 1 | Plan 2
Next-generation antimalware (real-time protection) | Yes | Yes
Attack surface reduction (ASR rules, exploit protection) | Yes | Yes
Device-based conditional access | Yes | Yes
Web content filtering | Yes | Yes
Network protection (block malicious URLs/IPs) | Yes | Yes
Firewall management through Intune | Yes | Yes
APIs and SIEM integration (prevention events) | Yes | Yes
Unified security management portal | Yes | Yes

P2-Only Capabilities | Plan 1 | Plan 2
Endpoint Detection & Response (EDR) | No | Yes
Automated investigation and remediation (AIR) | No | Yes
Advanced threat hunting (KQL-based) | No | Yes
Threat analytics and campaign tracking | No | Yes
Threat and vulnerability management (TVM) | No | Yes
Sandbox detonation (deep analysis) | No | Yes
6 months endpoint data retention | No | Yes
Microsoft Threat Experts (opt-in) | No | Yes
Microsoft Defender for Endpoint attack simulations | No | Yes

P2-Only Capabilities: What You Actually Get

Understanding each P2-exclusive capability in operational terms — not marketing terms — reveals what the $5.20/user/month premium delivers and what it demands from your security team.

Endpoint Detection and Response (EDR)

EDR is the core of the P1/P2 divide. When a threat evades P1’s prevention layer and executes on an endpoint, EDR continuously records endpoint telemetry (process creation, file modifications, network connections, registry changes, DLL loads) and makes this data searchable through the Microsoft 365 Defender portal. Security analysts can see exactly what happened on a compromised endpoint, trace the attack chain from initial access through lateral movement to data exfiltration, and take response actions (isolate device, collect investigation package, restrict app execution, run live response sessions).

Operational requirement: EDR generates a continuous stream of alerts ranked by severity and confidence. An organisation with 5,000 endpoints typically sees 50–200 EDR alerts per day, of which 5–15 require analyst investigation. Without dedicated security analysts to triage, investigate, and respond to these alerts, EDR becomes an expensive logging system. The value of EDR is entirely dependent on having human or automated response capability to act on what it detects.

Automated Investigation and Remediation (AIR)

AIR is Microsoft’s answer to the SOC staffing challenge. When EDR raises an alert, AIR automatically investigates: it examines the suspicious entity, traces related processes and files, checks reputation data, and determines a recommended remediation action (quarantine file, isolate device, clean registry). In full automation mode, AIR takes remediation actions without analyst approval. In semi-automation mode, it investigates and recommends but waits for analyst approval before acting.

AIR can resolve 50–70% of common alerts automatically, significantly reducing the SOC workload. However, full automation requires confidence in the system’s decision quality — a false positive in full automation mode can isolate a production server or quarantine a legitimate business application. Most organisations start in semi-automation and transition to full automation for specific alert categories after 3–6 months of validation. The configuration and tuning of AIR automation levels is itself an operational task requiring security engineering expertise.

Advanced Threat Hunting

Threat hunting allows security analysts to proactively search across 30 days of raw endpoint telemetry using Kusto Query Language (KQL). Rather than waiting for EDR to generate an alert, hunters write queries to find indicators of compromise, unusual behaviour patterns, or specific threat actor techniques across the entire endpoint estate.

Operational requirement: Threat hunting is the most expertise-intensive capability in P2. It requires analysts who understand both KQL syntax and attack techniques at a MITRE ATT&CK framework level. An organisation without at least one dedicated threat hunter (internal or through a managed service) will not extract value from this capability. Threat hunting is not a capability that IT generalists adopt — it requires specialised security skills that command $120K–$180K salaries in 2026.
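As an added illustration (not from the article) of what the hunting passage above describes in practice: a KQL query against the Advanced Hunting DeviceProcessEvents table that looks back across the 30-day window for Office applications launching script interpreters, the kind of parent/child pattern a hunter maps to MITRE ATT&CK T1059 (scripting) following a phishing attachment. Table and column names are the Advanced Hunting schema; the application and interpreter lists are assumptions chosen for this example and would be tuned to an organisation's own baseline.

```kql
// Added hunting example: Office applications spawning script interpreters.
// Assumptions: the process lists below are illustrative and should be tuned to
// the environment; table and column names are from the Advanced Hunting schema.
let lookback = 30d;   // the raw-telemetry hunting window named in the article
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (officeApps)   // parent process is an Office app
| where FileName in~ (scriptHosts)                   // child process is a script host
| summarize
    Events = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, FileName
// Rare parent/child pairs first: low-volume combinations are where hunts usually pay off,
// while high-volume ones are more likely a legitimate macro or business workflow.
| order by Events asc
| project DeviceName, AccountName, Parent = InitiatingProcessFileName,
          Child = FileName, Events, FirstSeen, LastSeen, SampleCommandLine
```

The analyst's work starts after the query returns: each row must be judged against what that device and account normally do, which is the ATT&CK-level expertise the paragraph above refers to.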

Threat and Vulnerability Management (TVM)

TVM provides a real-time inventory of software vulnerabilities across all onboarded endpoints, prioritised by exploitability, exposure, and business impact. It integrates with Intune and Configuration Manager to create remediation tickets directly from vulnerability findings. TVM is perhaps the most broadly useful P2 capability because it serves IT operations and compliance teams, not just the SOC. Even organisations without mature security operations benefit from a consolidated vulnerability view of their endpoint estate.

Sandbox Detonation (Deep Analysis)

Deep analysis submits suspicious files to a Microsoft-hosted sandbox for behavioural analysis. The sandbox executes the file in an instrumented environment and reports on all actions taken: files created, registry modifications, network connections, process spawning. This provides definitive verdicts on files that automated analysis cannot classify. Deep analysis is invoked selectively for specific files during incident investigation — it is not applied to every file the endpoint encounters.

The Decision Framework: When P1 Is Sufficient vs When P2 Is Required

P1 Is Sufficient When

Your organisation meets all of these criteria: you have no dedicated security operations centre or managed security service provider (MSSP), your security team consists of IT generalists who manage security alongside other responsibilities, your regulatory environment does not mandate EDR-level detection and response capabilities, you are replacing a traditional antivirus product (Symantec, McAfee, Trend Micro) and P1 represents an upgrade, and your risk tolerance accepts that threats which evade prevention may persist undetected until they cause visible damage.

For these organisations, P1 in M365 E3 provides a material security improvement over legacy antivirus at zero incremental cost. The next-generation antimalware engine, attack surface reduction rules, and device-based conditional access represent genuine advancement in endpoint protection that does not require SOC operations to deliver value.

P2 Is Required When

Your organisation meets any of these criteria: you operate a security operations centre (internal or outsourced to an MSSP), your regulatory environment mandates EDR capabilities (PCI DSS 4.0, NIST CSF, CMMC Level 2+, financial services regulators, healthcare HIPAA security rules with meaningful enforcement), you have experienced a significant security incident and need detection and response capabilities to prevent recurrence, your cyber insurance policy requires or incentivises EDR deployment (increasingly common — many insurers now mandate EDR for policy renewal), or you are deploying Microsoft 365 Copilot and need the security telemetry that P2 provides through integration with Microsoft Defender XDR for AI-usage monitoring and data security incident response.

The Compliance Mandate Is Expanding

The regulatory landscape is moving toward requiring EDR, not just EPP. PCI DSS 4.0 (mandatory March 2025) requires mechanisms to “detect and address failures of critical security control systems” and to “promptly identify and respond to suspected and confirmed security incidents” — capabilities that map to EDR, not basic antivirus. CMMC Level 2 requires “incident handling” and “security continuous monitoring” capabilities. Financial services regulators in the US, UK, and EU increasingly expect EDR as a baseline. If compliance is on your roadmap within 24 months, factor P2 into your licensing plan now rather than retrofitting later.

The E5 Gravity Well: Why Most Organisations End Up on P2

In practice, the standalone P1 vs P2 decision is often overridden by the broader M365 licensing trajectory. Microsoft has designed the E5 bundle so that the security, compliance, and analytics features collectively create an overwhelming value argument for organisations that need any 3–4 of the E5-exclusive features.


Consider an organisation on E3 ($36) that needs: Defender for Endpoint P2 (standalone $5.20), Defender for Office 365 P2 ($5.00), Entra ID P2 ($9.00), and Microsoft Purview Information Protection P2 ($5.00). The add-on total is $24.20 on top of E3 = $60.20/user/month. M365 E5 costs $57/user/month and includes all four products plus Power BI Pro, Phone System, audio conferencing, advanced compliance, and advanced analytics. E5 is $3.20/month cheaper than buying the individual add-ons while including substantially more features.

Path | Security Features | Extras Included | Cost/User/Mo
E3 + P2 standalone only | P1 + P2 endpoint only | None | $41.20
E3 + E5 Security add-on | Full Defender XDR suite | All E5 security products | $48.00
E3 + cherry-picked add-ons | Varies | Only selected products | $50–$62
M365 E5 | Full Defender XDR suite | Power BI Pro, Phone System, advanced compliance, analytics | $57.00

This is the “E5 gravity well” — the economic pull toward E5 that intensifies as organisations adopt more Microsoft security products. The standalone P2 purchase at $5.20 makes sense only for organisations that need P2 and nothing else from the E5 security stack. The moment a second E5 security product becomes necessary, the add-on arithmetic tilts toward E5. Microsoft designed this deliberately: the E5 bundle eliminates the viability of cherry-picking individual security products at scale.

Server and Non-Windows Endpoint Licensing

Defender for Endpoint extends beyond Windows desktops to servers, macOS, Linux, iOS, and Android. Each platform has different licensing implications.

Windows Server

Microsoft Defender for Servers (through Microsoft Defender for Cloud in Azure) is the recommended path for protecting Windows Server workloads. This is a separate product from Defender for Endpoint and is licensed per server, billed through Azure consumption at approximately $15/server/month (Plan 1) or $30/server/month (Plan 2). Defender for Servers Plan 2 includes Defender for Endpoint P2 capabilities on the server plus additional server-specific features including just-in-time VM access, file integrity monitoring, and adaptive application controls.

Alternatively, organisations with M365 E5 or standalone Defender for Endpoint P2 licences can onboard Windows Server endpoints directly to Defender for Endpoint. However, Microsoft’s licensing guidance indicates that server protection requires either Defender for Servers or standalone Defender for Endpoint for Servers licences — the M365 E5 per-user licence covers user devices (desktops, laptops, mobile), not server workloads. This distinction is frequently misunderstood and creates compliance risk for organisations that onboard servers to Defender for Endpoint using their M365 E5 licences without separate server coverage.

macOS, Linux, iOS, and Android

Defender for Endpoint supports macOS and Linux with the same P1/P2 feature split as Windows, and the same licence covers these platforms. A user with an M365 E3 licence (P1 included) or an M365 E5 licence (P2 included) can onboard their Mac or Linux workstation without additional cost. The user licence covers up to 5 devices per user across all supported platforms.

iOS and Android receive mobile threat defence capabilities under the same user licence: app-based protection, web content filtering, phishing protection, and conditional access integration. Mobile capabilities are identical between P1 and P2 — the EDR-specific features that differentiate P2 on desktop/server do not apply to mobile platforms. This means there is no incremental value in P2 for a user who only uses mobile devices.

Integration with Microsoft Defender XDR

Defender for Endpoint does not exist in isolation. In the Microsoft security ecosystem, it feeds into Microsoft Defender XDR (Extended Detection and Response, formerly Microsoft 365 Defender), which correlates signals across endpoints, email, identity, and cloud apps. The XDR correlation layer is where P2 delivers its greatest value — an endpoint alert combined with an identity anomaly and a suspicious email delivery creates a unified incident that is far more actionable than any single signal.


However, the XDR correlation layer only functions when multiple Defender products are deployed: Defender for Endpoint (P2), Defender for Office 365 (P2), Defender for Identity, and Defender for Cloud Apps. Deploying only Defender for Endpoint P2 without the other Defender products provides EDR capability but misses the cross-domain correlation that justifies the XDR architecture. This is another force in the E5 gravity well: P2’s value increases when paired with other E5-included security products, making the bundle more compelling than the standalone purchase.

For organisations considering Microsoft Copilot, the security integration becomes even more relevant. Copilot for Security (a separate product) leverages Defender XDR data to provide AI-powered incident investigation, threat summarisation, and KQL query generation. The data richness available to Copilot for Security directly depends on the breadth of Defender products deployed — with P2 providing the endpoint telemetry layer.

Third-Party Comparison: Defender P2 vs CrowdStrike Falcon vs SentinelOne

The P1/P2 decision often includes a parallel evaluation of third-party alternatives. For organisations already on M365 E5, the incremental cost of Defender for Endpoint P2 is zero — making it exceptionally difficult for any third-party vendor to compete on price. The competitive analysis shifts from cost to capability.

CrowdStrike Falcon Insight XDR and SentinelOne Singularity both provide EDR capabilities equivalent to or exceeding Defender for Endpoint P2 in specific areas. CrowdStrike is generally considered the EDR market leader in threat detection quality and threat intelligence. SentinelOne competes on autonomous response speed and simplified operations. Defender for Endpoint P2 competes on integration depth within the Microsoft ecosystem and the zero-incremental-cost position for E5 customers.

The licensing consideration: CrowdStrike and SentinelOne both cost approximately $12–$25/endpoint/month for their EDR tiers, depending on volume, features selected, and contract term. For an organisation already on M365 E5, adding CrowdStrike at $15/endpoint/month represents pure incremental cost for a capability already included in E5. The third-party alternative must deliver measurably superior detection, response, or operational efficiency to justify this overlap. For organisations on E3 with standalone P2 at $5.20/user/month, the cost gap narrows but still favours Defender for most environments.

The counter-argument: organisations with advanced security operations teams may find CrowdStrike’s Falcon OverWatch (managed threat hunting) or SentinelOne’s Vigilance MDR (managed detection and response) superior to Microsoft’s Defender Experts offering. The managed services layer — human expertise applied on top of the technology — is where third-party vendors differentiate most strongly.

Optimisation Strategies

Five strategies to optimise Defender for Endpoint licensing cost while maintaining security coverage:

1. Segment by security operations maturity. Deploy P2 only to user populations and endpoints covered by SOC monitoring (internal or MSSP). Deploy P1 to endpoints outside SOC coverage. If your MSSP monitors 3,000 of your 10,000 endpoints, licence 3,000 users with P2 and leave 7,000 on E3’s included P1. Saves $36,400/month versus universal P2.

2. Evaluate E5 vs add-on arithmetic before purchasing P2 standalone. If you need P2 plus any other E5 security product, model the full E5 cost against E3 + add-ons. In most scenarios, 3+ add-ons make E5 cheaper than the sum of parts. Do not purchase P2 standalone without first running this calculation.

3. Negotiate P2 as part of your EA, not as a standalone SKU. P2 standalone list price is $5.20/user/month. Within an EA negotiation, bundled with other Microsoft commitments, the effective rate typically drops to $3.50–$4.50. Bundle P2 negotiation with your M365 and Azure renewals for cross-leverage. See EA Negotiation Strategies.

4. Use Defender for Servers for server workloads. Do not assume M365 E5 user licences cover server endpoints. Budget Defender for Servers through Azure at $15–$30/server/month separately. For Azure VMs, Defender for Servers is the architecturally correct approach and includes features (JIT access, file integrity monitoring) that Defender for Endpoint does not provide for servers.

5. Factor in managed services cost. P2 without operational capability is wasted spend. If you do not have a SOC, budget for an MSSP that monitors Defender for Endpoint ($8–$15/endpoint/month for managed EDR). The total cost of P2 + MSSP ($13–$20/endpoint/month) should be compared against P1 + no managed service — the security improvement may justify the cost, but only if the MSSP genuinely monitors and responds to alerts.

Frequently Asked Questions

Is Defender for Endpoint P1 included in Microsoft 365 E3?

Yes. Defender for Endpoint Plan 1 is included in M365 E3, M365 A3, and M365 Business Premium at no additional cost. P1 provides next-generation antimalware, attack surface reduction rules, device-based conditional access, and web content filtering. It does not include EDR, threat hunting, automated investigation, or vulnerability management; those are P2-only capabilities.

What is the difference between P1 and P2?

P1 is prevention; P2 is prevention plus detection and response. P1 stops threats from executing (antimalware, ASR, conditional access). P2 adds the ability to detect threats that evade prevention, investigate them across the kill chain, hunt proactively, automate remediation, and manage vulnerabilities. The operational requirement is the key difference: P1 works without a SOC, P2 requires security operations capability to deliver value.

How much does Defender for Endpoint P2 cost?

$5.20/user/month standalone, or included in M365 E5 ($57/user/month) and the M365 E5 Security add-on ($12/user/month on top of E3). The standalone price is list; EA negotiation typically achieves $3.50–$4.50. For organisations needing 3+ E5 security products, full E5 is usually cheaper than E3 + individual add-ons. See the cost comparison tables above.

Do I need P2 if I don’t have a SOC?

Not necessarily. P2’s value comes from EDR, threat hunting, and automated investigation, capabilities that require security operations staff or an MSSP to consume. Without a SOC, P2 alerts go unmonitored and hunting capabilities go unused. Options: stay on P1 (free in E3), deploy P2 with Automated Investigation in full automation mode (requires tuning but reduces SOC dependency), or deploy P2 with an MSSP ($8–$15/endpoint/month) to provide the monitoring and response layer.

Does M365 E5 cover server endpoints?

No. M365 E5 per-user licences cover user devices (desktops, laptops, up to 5 per user, plus mobile). Server workloads require separate licensing: Microsoft Defender for Servers through Azure ($15–$30/server/month) or standalone Defender for Endpoint for Servers licences. This is a common compliance gap: many organisations onboard servers to Defender for Endpoint using E5 user licences without proper server coverage.

Should I use Defender P2 or CrowdStrike?

If you are already on M365 E5, Defender P2 is included at zero incremental cost, so CrowdStrike at $12–$25/endpoint/month must deliver measurably superior detection or managed services to justify the overlap. If you are on E3, the comparison is P2 standalone ($5.20) vs CrowdStrike ($12–$25), where CrowdStrike is generally considered stronger in threat intelligence and managed hunting (OverWatch). The decision depends on: existing M365 licence tier, security operations maturity, and whether you value Microsoft ecosystem integration or best-of-breed detection quality.

Can I mix P1 and P2 within the same organisation?

Yes. You can assign P2 licences to users/endpoints with SOC coverage and leave others on P1 (included in E3). This is the recommended approach for organisations where only a subset of endpoints are monitored by security operations. The Microsoft 365 Defender portal supports mixed P1/P2 environments: P1 endpoints show prevention data only, P2 endpoints show full EDR telemetry and hunting data.

What about Defender for Business?

Defender for Business is a simplified EDR-lite product for SMBs (up to 300 users), included in M365 Business Premium. It provides a subset of P2 capabilities (simplified EDR, automated investigation, vulnerability management) with a streamlined portal designed for IT generalists rather than security analysts. If your organisation has more than 300 users, Defender for Business is not available; you need P1 or P2 through the enterprise licensing path.


Fredrik Filipsson

Co-Founder & Enterprise Software Advisory Lead, Redress Compliance

Fredrik has over 20 years of experience in enterprise software licensing, including Microsoft security stack optimisation, E3-to-E5 migration advisory, and endpoint security vendor evaluations. Redress Compliance has no Microsoft partnership, reseller arrangement, or commercial relationship of any kind.
