What Each Plan Covers, Where the Capability Gap Sits, and Why Most Organisations End Up on E5 Anyway

Defender for Endpoint Plan 1 prevents threats. Plan 2 prevents threats and hunts them after they evade prevention. The licensing question is whether the $13/user/month gap between P1 and P2 is justified by capabilities your security team will actually operationalise.
Part of the Microsoft Advisory resource library. For M365 cost analysis, see M365 Licensing Cost 2026. For Copilot prerequisites including security layers, see Copilot Licence Requirements. For the full FAQ, see Microsoft Licensing FAQ: 50 Questions.
Microsoft Defender for Endpoint is Microsoft's enterprise endpoint protection platform (EPP) and endpoint detection and response (EDR) product. Microsoft splits it into two plans that map to fundamentally different security philosophies and operational requirements.
P1 prevents threats from executing on endpoints through next-generation antimalware, attack surface reduction rules, device-based conditional access, and web content filtering. P1 answers the question: "Can we stop known and unknown threats before they execute?" It is a preventive technology that operates without requiring a security operations team to monitor alerts and investigate incidents.
P2 is everything in P1 plus a full endpoint detection and response (EDR) platform. P2 adds the ability to detect threats that evade prevention, investigate them across the kill chain, hunt proactively for indicators of compromise, and automate remediation. P2 answers a different question: "When prevention fails, can we find, understand, and eradicate the threat?" It assumes an active security operations capability.
The P1/P2 decision is not about which plan has more features. It is about whether your organisation has the security operations maturity to consume P2's detection and response capabilities. An organisation that deploys P2 without a SOC, internal or managed, pays the P2 premium for P1-level outcomes because the EDR alerts go unmonitored, the hunting capabilities go unused, and automated investigation gathers evidence nobody reviews.
Understanding where P1 and P2 are included, where they cost extra, and how they interact with the M365 licensing stack is essential for making the right commercial decision.
Defender for Endpoint P1 is included at no additional cost in Microsoft 365 E3, Microsoft 365 A3 (education), and Microsoft 365 Business Premium. It is also available as a standalone add-on. P1 replaced the older Microsoft Defender Antivirus + Intune-managed endpoint security. The inclusion of P1 in E3 was Microsoft's response to competitive pressure from CrowdStrike, SentinelOne, and other next-gen endpoint vendors. E3 now includes a credible EPP layer without additional spend.
Defender for Endpoint P2 is included in Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 A5 (education), and Defender for Endpoint P2 standalone. The most common path to P2 is through M365 E5, which bundles P2 with every other advanced security, compliance, and analytics product Microsoft offers.
| Acquisition Path | P1 | P2 | List Price/User/Mo |
|---|---|---|---|
| Microsoft 365 E3 | ✓ | ✗ | $36.00 |
| Microsoft 365 Business Premium | ✓ | ✗ | $22.00 |
| Microsoft 365 E5 | ✓ | ✓ | $57.00 |
| M365 E5 Security (add-on to E3) | ✓ | ✓ | $12.00 |
| Defender for Endpoint P1 standalone | ✓ | ✗ | $3.00 |
| Defender for Endpoint P2 standalone | ✓ | ✓ | $5.20 |
| Defender for Endpoint P2 (add-on to E3) | ✓ | ✓ | $5.20 |
For organisations on M365 E3 that want P2, two paths exist: E3 + E5 Security add-on ($36 + $12 = $48/user/month) or full E5 ($57/user/month). The $9 difference buys Power BI Pro, Phone System, and additional compliance and analytics features included in E5 but not in E5 Security.
For organisations that need Power BI or Teams Phone alongside security, full E5 at $57 delivers substantially more value than E3 + E5 Security at $48. See M365 Licensing Cost 2026 for the complete E3-to-E5 value analysis.
The full feature comparison reveals that P1 and P2 are not two tiers of the same product. They are two fundamentally different products sharing a common agent. P1 is an endpoint protection platform. P2 is an endpoint protection platform plus a security operations platform.
| Capability | Plan 1 | Plan 2 |
|---|---|---|
| Next-generation antimalware (real-time) | ✓ | ✓ |
| Attack surface reduction (ASR rules, exploit protection) | ✓ | ✓ |
| Device-based conditional access | ✓ | ✓ |
| Web content filtering | ✓ | ✓ |
| Network protection (block malicious URLs/IPs) | ✓ | ✓ |
| Firewall management through Intune | ✓ | ✓ |
| APIs and SIEM integration (prevention events) | ✓ | ✓ |
| Unified security management portal | ✓ | ✓ |
| P2-Only Capabilities | | |
| Endpoint Detection & Response (EDR) | ✗ | ✓ |
| Automated investigation and remediation (AIR) | ✗ | ✓ |
| Advanced threat hunting (KQL-based) | ✗ | ✓ |
| Threat analytics and campaign tracking | ✗ | ✓ |
| Threat and vulnerability management (TVM) | ✗ | ✓ |
| Sandbox detonation (deep analysis) | ✗ | ✓ |
| 6 months endpoint data retention | ✗ | ✓ |
| Microsoft Threat Experts (opt-in) | ✗ | ✓ |
| Attack simulations | ✗ | ✓ |
Understanding each P2-exclusive capability in operational terms, not marketing terms, reveals what the $5.20/user/month premium delivers and what it demands from your security team.
EDR is the core of the P1/P2 divide. When a threat evades P1's prevention layer and executes on an endpoint, EDR continuously records endpoint telemetry (process creation, file modifications, network connections, registry changes, DLL loads) and makes this data searchable. Security analysts can trace the attack chain from initial access through lateral movement to data exfiltration, and take response actions: isolate device, collect investigation package, restrict app execution, or run live response sessions.
Operational requirement: An organisation with 5,000 endpoints typically sees 50–200 EDR alerts per day, of which 5–15 require analyst investigation. Without dedicated security analysts, EDR becomes an expensive logging system.
AIR is Microsoft's answer to the SOC staffing challenge. When EDR raises an alert, AIR automatically investigates: examines the suspicious entity, traces related processes and files, checks reputation data, and determines a recommended remediation action. In full automation mode, AIR takes action without analyst approval. In semi-automation mode, it investigates and recommends but waits for approval.
AIR can resolve 50–70% of common alerts automatically, significantly reducing SOC workload. However, full automation requires confidence in decision quality. A false positive can isolate a production server. Most organisations start in semi-automation and transition to full automation for specific alert categories after 3–6 months of validation.
Threat hunting allows security analysts to proactively search across 30 days of raw endpoint telemetry using Kusto Query Language (KQL). Rather than waiting for EDR to generate an alert, hunters write queries to find indicators of compromise, unusual behaviour patterns, or specific threat actor techniques across the entire endpoint estate.
Operational requirement: Threat hunting is the most expertise-intensive capability in P2. It requires analysts who understand both KQL syntax and attack techniques at a MITRE ATT&CK framework level. An organisation without at least one dedicated threat hunter will not extract value from this capability. Threat hunting requires specialised security skills that command $120K–$180K salaries in 2026.
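To make the hunting capability concrete, here is an added example of what an advanced hunting query looks like in practice (written for this page, not taken from the original or from Microsoft's documentation). It searches the DeviceProcessEvents table over the 30-day hunting window for Office applications spawning a command or script interpreter; the application and interpreter lists are illustrative assumptions an analyst would tune to their own estate.

```kql
// Added example, not from the original page: hunt for Office applications
// spawning a command or script interpreter (ATT&CK T1059) across the
// 30-day advanced hunting window. The process lists are assumptions
// chosen for illustration; tune them to the software in your estate.
let lookback = 30d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (officeApps)
| where FileName in~ (interpreters)
// Keep a few raw command lines so the analyst can triage without pivoting
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, InitiatingProcessFileName, FileName
| order by Hits desc
```

Expect legitimate hits from add-ins and macros in some environments; baseline the results before turning a query like this into a custom detection rule.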
TVM provides a real-time inventory of software vulnerabilities across all onboarded endpoints, prioritised by exploitability, exposure, and business impact. It integrates with Intune and Configuration Manager to create remediation tickets directly from vulnerability findings. TVM is perhaps the most broadly useful P2 capability because it serves IT operations and compliance teams, not just the SOC.
Deep analysis submits suspicious files to a Microsoft-hosted sandbox for behavioural analysis. The sandbox executes the file in an instrumented environment and reports on all actions taken: files created, registry modifications, network connections, process spawning. This provides definitive verdicts on files that automated analysis cannot classify. It is invoked selectively during incident investigation.
P1 is sufficient when your organisation meets all of these criteria: you have no dedicated SOC or MSSP; your security team consists of IT generalists who manage security alongside other responsibilities; your regulatory environment does not mandate EDR-level detection and response; you are replacing a traditional antivirus product (Symantec, McAfee, Trend Micro), so P1 represents an upgrade; and your risk tolerance accepts that threats which evade prevention may persist undetected until they cause visible damage.
For these organisations, P1 in M365 E3 provides a material security improvement over legacy antivirus at zero incremental cost.
P2 is warranted when your organisation meets any of these criteria: you operate a SOC (internal or outsourced to an MSSP); your regulatory environment mandates EDR (PCI DSS 4.0, NIST CSF, CMMC Level 2+, financial services regulators, healthcare HIPAA); you have experienced a significant security incident and need detection and response to prevent recurrence; your cyber insurance policy requires or incentivises EDR deployment; or you are deploying Microsoft 365 Copilot and need the security telemetry P2 provides through its integration with Microsoft Defender XDR.
The compliance mandate is expanding. PCI DSS 4.0 (mandatory March 2025) requires mechanisms to detect and address failures of critical security control systems and to promptly respond to security incidents. CMMC Level 2 requires incident handling and security continuous monitoring. Financial services regulators in the US, UK, and EU increasingly expect EDR as a baseline. If compliance is on your roadmap within 24 months, factor P2 into your licensing plan now rather than retrofitting later.
In practice, the standalone P1 vs P2 decision is often overridden by the broader M365 licensing trajectory. Microsoft has designed the E5 bundle so that the security, compliance, and analytics features collectively create an overwhelming value argument for organisations that need any 3–4 of the E5-exclusive features.
Consider an organisation on E3 ($36) that needs: Defender for Endpoint P2 ($5.20), Defender for Office 365 P2 ($5.00), Entra ID P2 ($9.00), and Microsoft Purview Information Protection P2 ($5.00). The add-on total is $24.20 on top of E3 = $60.20/user/month.
M365 E5 costs $57/user/month and includes all four products plus Power BI Pro, Phone System, audio conferencing, advanced compliance, and advanced analytics. E5 is $3.20/month cheaper than buying the individual add-ons while including substantially more features.
| Path | Security Features | Extras Included | Cost/User/Mo |
|---|---|---|---|
| E3 + P2 standalone only | P1 + P2 endpoint only | None | $41.20 |
| E3 + E5 Security add-on | Full Defender XDR suite | All E5 security products | $48.00 |
| E3 + cherry-picked add-ons | Varies | Only selected products | $50–$62 |
| M365 E5 | Full Defender XDR suite | Power BI Pro, Phone System, advanced compliance, analytics | $57.00 |
This is the "E5 gravity well." The economic pull toward E5 intensifies as organisations adopt more Microsoft security products. The standalone P2 purchase at $5.20 makes sense only for organisations that need P2 and nothing else from the E5 security stack. The moment a second E5 security product becomes necessary, the add-on arithmetic tilts toward E5. Microsoft designed this deliberately: the E5 bundle eliminates the viability of cherry-picking individual security products at scale.
Defender for Endpoint extends beyond Windows desktops to servers, macOS, Linux, iOS, and Android. Each platform has different licensing implications.
Microsoft Defender for Servers (through Microsoft Defender for Cloud in Azure) is the recommended path for protecting Windows Server workloads. This is a separate product licensed per server, billed through Azure at approximately $15/server/month (Plan 1) or $30/server/month (Plan 2). Defender for Servers Plan 2 includes P2 capabilities plus server-specific features: just-in-time VM access, file integrity monitoring, and adaptive application controls.
Microsoft's licensing guidance indicates server protection requires either Defender for Servers or standalone Defender for Endpoint for Servers licences. M365 E5 per-user licences cover user devices, not server workloads. This distinction is frequently misunderstood and creates compliance risk.
Defender for Endpoint supports macOS and Linux with the same P1/P2 feature split as Windows, and the same licence covers these platforms. A user with M365 E3 (P1) or M365 E5 (P2) can onboard their Mac or Linux workstation without additional cost. The user licence covers up to 5 devices per user across all supported platforms.
iOS and Android receive mobile threat defence under the same user licence. Mobile capabilities are identical between P1 and P2. The EDR-specific features that differentiate P2 do not apply to mobile platforms. There is no incremental value in P2 for a user who only uses mobile devices.
Common compliance gap: Many organisations onboard servers to Defender for Endpoint using their M365 E5 user licences without proper server coverage. Microsoft audit teams can identify this gap. Budget Defender for Servers through Azure at $15–$30/server/month separately from your M365 E5 per-user licences.
Defender for Endpoint does not exist in isolation. In the Microsoft security ecosystem, it feeds into Microsoft Defender XDR (Extended Detection and Response, formerly Microsoft 365 Defender), which correlates signals across endpoints, email, identity, and cloud apps. The XDR correlation layer is where P2 delivers its greatest value. An endpoint alert combined with an identity anomaly and a suspicious email delivery creates a unified incident that is far more actionable than any single signal.
The XDR correlation layer only functions when multiple Defender products are deployed: Defender for Endpoint (P2), Defender for Office 365 (P2), Defender for Identity, and Defender for Cloud Apps. Deploying only Defender for Endpoint P2 without the other Defender products provides EDR capability but misses the cross-domain correlation that justifies the XDR architecture. This is another force in the E5 gravity well: P2's value increases when paired with other E5-included security products.
For organisations considering Microsoft Copilot, the security integration becomes even more relevant. Copilot for Security (a separate product) leverages Defender XDR data to provide AI-powered incident investigation, threat summarisation, and KQL query generation. The data richness available to Copilot for Security directly depends on the breadth of Defender products deployed.
The P1/P2 decision often includes a parallel evaluation of third-party alternatives. For organisations already on M365 E5, the incremental cost of Defender P2 is zero, making it exceptionally difficult for any third-party vendor to compete on price.
CrowdStrike Falcon is generally considered the EDR market leader in threat detection quality and threat intelligence. Pricing is approximately $12–$25/endpoint/month depending on volume and features. Falcon OverWatch (managed threat hunting) is a strong differentiator.
SentinelOne competes on autonomous response speed and simplified operations, at a pricing range similar to CrowdStrike. Vigilance MDR (managed detection and response) provides the managed services layer.
Microsoft Defender for Endpoint P2 competes on integration depth within the Microsoft ecosystem and on its zero-incremental-cost position for E5 customers. For E3 customers, P2 standalone at $5.20 still undercuts CrowdStrike and SentinelOne on price.
For an organisation already on M365 E5, adding CrowdStrike at $15/endpoint/month represents pure incremental cost for a capability already included in E5. The third-party alternative must deliver measurably superior detection, response, or operational efficiency to justify this overlap. The counter-argument: organisations with advanced security operations teams may find CrowdStrike's OverWatch or SentinelOne's Vigilance MDR superior to Microsoft's Defender Experts offering. The managed services layer is where third-party vendors differentiate most strongly.
Five strategies to optimise Defender for Endpoint licensing cost while maintaining security coverage.
Deploy P2 only to user populations and endpoints covered by SOC monitoring (internal or MSSP). Deploy P1 to endpoints outside SOC coverage. If your MSSP monitors 3,000 of your 10,000 endpoints, licence 3,000 users with P2 and leave 7,000 on E3's included P1. Saves $36,400/month versus universal P2.
If you need P2 plus any other E5 security product, model the full E5 cost against E3 + add-ons. In most scenarios, 3+ add-ons make E5 cheaper than the sum of parts. Do not purchase P2 standalone without first running this calculation.
P2 standalone list price is $5.20/user/month. Within an EA negotiation, bundled with other Microsoft commitments, the effective rate typically drops to $3.50–$4.50. Bundle P2 negotiation with your M365 and Azure renewals for cross-leverage. See EA Negotiation Strategies.
Do not assume M365 E5 user licences cover server endpoints. Budget Defender for Servers through Azure at $15–$30/server/month separately. For Azure VMs, Defender for Servers is the architecturally correct approach and includes features (JIT access, file integrity monitoring) that Defender for Endpoint does not provide for servers.
P2 without operational capability is wasted spend. If you do not have a SOC, budget for an MSSP that monitors Defender for Endpoint ($8–$15/endpoint/month for managed EDR). The total cost of P2 + MSSP ($13–$20/endpoint/month) should be compared against P1 + no managed service.
Is Defender for Endpoint included in Microsoft 365 E3? Yes. Defender for Endpoint Plan 1 is included in M365 E3, M365 A3, and M365 Business Premium at no additional cost. P1 provides next-generation antimalware, attack surface reduction rules, device-based conditional access, and web content filtering. It does not include EDR, threat hunting, automated investigation, or vulnerability management. Those are P2-only capabilities.
P1 is prevention; P2 is prevention plus detection and response. P1 stops threats from executing (antimalware, ASR, conditional access). P2 adds the ability to detect threats that evade prevention, investigate them across the kill chain, hunt proactively, automate remediation, and manage vulnerabilities. The operational requirement is the key difference: P1 works without a SOC, P2 requires security operations capability to deliver value.
What does Defender for Endpoint P2 cost? $5.20/user/month standalone, or included in M365 E5 ($57/user/month) and the M365 E5 Security add-on ($12/user/month on top of E3). The standalone price is list. EA negotiation typically achieves $3.50–$4.50. For organisations needing 3+ E5 security products, full E5 is usually cheaper than E3 + individual add-ons.
Is P2 worth buying without a SOC? Not necessarily. P2's value comes from EDR, threat hunting, and automated investigation, capabilities that require security operations staff or an MSSP. Without a SOC, P2 alerts go unmonitored and hunting capabilities go unused. Options: stay on P1 (free in E3), deploy P2 with Automated Investigation in full automation mode (requires tuning but reduces SOC dependency), or deploy P2 with an MSSP ($8–$15/endpoint/month) to provide the monitoring and response layer.
Do M365 E5 user licences cover servers? No. M365 E5 per-user licences cover user devices (desktops, laptops, up to 5 per user, plus mobile). Server workloads require separate licensing: Microsoft Defender for Servers through Azure ($15–$30/server/month) or standalone Defender for Endpoint for Servers licences. This is a common compliance gap. Many organisations onboard servers to Defender for Endpoint using E5 user licences without proper server coverage.
If you are already on M365 E5, Defender P2 is included at zero incremental cost. CrowdStrike at $12–$25/endpoint/month must deliver measurably superior detection or managed services to justify the overlap. If you are on E3, the comparison is P2 standalone ($5.20) vs CrowdStrike ($12–$25), where CrowdStrike is generally considered stronger in threat intelligence and managed hunting (OverWatch). The decision depends on existing M365 tier, security operations maturity, and whether you value Microsoft ecosystem integration or best-of-breed detection quality.
Can P1 and P2 be mixed in one tenant? Yes. You can assign P2 licences to users/endpoints with SOC coverage and leave others on P1 (included in E3). This is the recommended approach for organisations where only a subset of endpoints is monitored by security operations. The Microsoft 365 Defender portal supports mixed P1/P2 environments: P1 endpoints show prevention data only, while P2 endpoints show full EDR telemetry and hunting data.
Defender for Business is a simplified EDR-lite product for SMBs (up to 300 users), included in M365 Business Premium. It provides a subset of P2 capabilities (simplified EDR, automated investigation, vulnerability management) with a streamlined portal designed for IT generalists rather than security analysts. If your organisation has more than 300 users, Defender for Business is not available. You need P1 or P2 through the enterprise licensing path.