Microsoft Security Copilot pricing guide.

Microsoft Security Copilot is priced on Security Compute Units, provisioned by the hour, not on a per user license. This guide covers the SCU model, the sizing math, the Defender and Sentinel prerequisites, and the buyer side moves that keep the cost in check.

How is Microsoft Security Copilot priced in 2026?

Security Copilot is priced on consumption, not on a named user license. You provision Security Compute Units and Microsoft bills for the capacity you keep live, measured by the hour.

This is the single most important fact for a buyer. The cost is driven by provisioned capacity over time, not by how many analysts log in or how many prompts they run.

What is a Security Compute Unit?

A Security Compute Unit, or SCU, is the unit of compute that powers every Security Copilot task. Microsoft meters both the standalone portal and the features embedded in Microsoft Defender against the same SCU pool.

One SCU is the baseline. You provision more to raise throughput and lower the chance of a capacity limit during a busy investigation.

How does hourly provisioning work?

You set a number of provisioned SCUs in the Security Copilot portal. Microsoft bills that capacity per hour until you change it. You can raise or lower the number through the day, or on a schedule.

Because billing is hourly, capacity left live overnight and across the weekend costs the same as capacity in active use during the day. That is where most of the waste sits.

What does a single SCU cost per month?

List price sits near 4 dollars per SCU per hour. Run one SCU continuously and the monthly figure lands near 2,920 dollars, because there are roughly 730 hours in a month.

How many Security Compute Units does an enterprise actually need?

Most security operations teams start well with one to three SCUs. The right number depends on how many analysts run Security Copilot at the same time and how heavy each task is.

What drives baseline SCU demand?

Three factors set the floor. Concurrency, the weight of each task, and the share of work that runs unattended through automation.

• Concurrency: the number of analysts running Security Copilot at the same moment, not the size of the whole team.
• Task weight: a full incident summary across many alerts consumes more than a single prompt.
• Automation: logic apps and scheduled jobs that call Security Copilot draw on the same SCU pool.

Where does overprovisioning waste money?

The classic mistake is to provision for the worst incident of the quarter and then leave that capacity live every hour of every day.

A team that needs ten SCUs during a major incident does not need ten SCUs at three in the morning on a quiet Sunday. Capacity is adjustable, so flat provisioning is a choice, not a constraint.

How does Security Copilot fit with Defender and Sentinel licensing?

Security Copilot does not replace your security stack. It reasons over the data already in it, so its value tracks the quality of that data.

What are the prerequisite licenses?

Security Copilot reaches its potential when it sits on top of Microsoft Defender and Microsoft Sentinel. Without that signal it can still answer general questions, but the high value plays depend on connected data.

How do Sentinel data costs stack on top?

The deepest Security Copilot use cases lean on Microsoft Sentinel ingestion and analytics. That ingestion is billed separately by volume. Budget the SCU line and the data line together, or the total will surprise finance.

Where the common advice on Security Copilot pricing is wrong

The standard pitch is that Security Copilot is cheap because one SCU looks small next to an enterprise security budget. We disagree. In most of the evaluations we have reviewed, the real cost was not the headline SCU rate. It was the always on provisioning that nobody owned, plus the Sentinel ingestion the tool quietly pulled forward. The buyer side move is to treat the SCU number as a dial that a named owner adjusts to the shift pattern, and to model the data cost in the same business case. Run it flat and unowned and the bill compounds quietly every single hour.

56%

Median SCU cost cut from scheduling

12 to 18

Security Copilot evaluations 2024 to 2025

30%

Typical data cost added on top

Source: Redress Compliance advisory engagement file, 2024 to 2025.

Security Copilot is not billed by the prompt. It is billed by the hour you leave it switched on. The cheapest deployment is the one with an owner watching the dial.

What buyer side moves control Security Copilot cost?

Four moves keep Security Copilot spend tied to value rather than to the clock.

Move one. Start at one SCU

Begin with a single SCU and a narrow set of use cases. Prove value before you raise capacity.

Move two. Schedule capacity to the shift

Match provisioned SCUs to the security operations shift pattern. Scale down outside core hours and burst only for live incidents.

Move three. Measure real consumption

Use the usage monitoring in the portal to track consumption against provisioning. Adjust monthly. Treat the gap between the two as recoverable budget.

1. Provision to observed concurrency, not to total headcount.
2. Set a schedule that drops capacity overnight and on weekends.
3. Reserve burst capacity for declared incidents only.

Move four. Budget the data line

Model Sentinel ingestion and Defender coverage in the same business case as the SCUs. The data cost is part of the true cost of the tool.

Suggested reading

• Microsoft 365 Copilot licensing. The per user Copilot that sits beside the security tool.
• Microsoft 365 License Optimizer. Size the wider Microsoft stack the security budget competes with.
• Microsoft Knowledge Hub. The full Microsoft licensing library.
• Microsoft Practice. Independent buyer side Microsoft advisory.

What should a buyer do next?

1. Confirm whether Defender and Sentinel are already deployed and paid for.
2. Provision a single SCU and run a two week proof on real security operations work.
3. Pull the usage report and compare provisioned capacity against actual consumption.
4. Build a provisioning schedule that drops capacity outside core hours.
5. Model the Sentinel ingestion cost in the same business case as the SCUs.
6. Set a named owner for the SCU dial and a monthly review.
7. Run the Microsoft 365 License Optimizer to size the wider stack.
8. Engage independent Microsoft advisory before committing annual budget.

Related advisory: Microsoft negotiation and advisory, the Microsoft Knowledge Hub, and the Microsoft 365 Copilot licensing guide.

Frequently asked questions

Is Microsoft Security Copilot licensed per user?

No. Security Copilot is billed on Security Compute Units provisioned by the hour, not on a named user license. The cost tracks live capacity over time.

How much does one Security Compute Unit cost?

List price sits near 4 dollars per SCU per hour. One SCU running continuously costs roughly 2,920 dollars per month.

Can you turn Security Copilot capacity down?

Yes. You can raise or lower provisioned SCUs at any time, including on a schedule. Capacity left live overnight bills the same as capacity in active use.

Does Security Copilot need Microsoft Sentinel?

Not strictly, but the highest value use cases reason over Sentinel and Defender data. Without connected data the tool answers only general questions.

How many SCUs does a typical team need?

Most security operations teams start with one to three SCUs. The right number depends on analyst concurrency and task weight, not total headcount.

Is the Sentinel data cost included in the SCU price?

No. Sentinel ingestion is billed separately by volume. Budget the data line and the SCU line together to see the true cost.

What is the fastest way to overspend on Security Copilot?

Provision for the worst incident and leave that capacity live every hour. Flat always on provisioning is the most common source of waste.

Does Redress sell Microsoft licenses?

No. Redress Compliance is 100 percent buyer side and independent. We advise on the Microsoft negotiation and never resell Microsoft products.