A buyer side guide to Microsoft threat protection licensing in 2026. How the Defender family is sold, when E5 Security wins, and where standalone seats double pay.
Microsoft threat protection is licensed through the Defender family, sold either as standalone per user plans or bundled into E5 and E5 Security, and the cheapest path depends entirely on how many pieces you actually need.
This guide is for security and procurement leaders sizing Microsoft threat protection in 2026. Read it with the Microsoft security licensing guide and the Microsoft Practice page so the security design and the commercial design stay aligned.
Threat protection runs through the Defender brand. Each product can be bought on its own per user, or you can take the whole set inside a larger Microsoft 365 suite. The Microsoft Product Terms govern the entitlements.
Standalone plans let an E3 estate add only the parts it needs. That keeps cost tight when a team wants one or two products rather than the full stack.
Bundling wins once you would buy three or more Defender products for the same users. At that point the E5 Security add on usually costs less than the sum of the standalone seats.
The decision turns on coverage breadth. A narrow need favors standalone, a broad security mandate favors E5 Security, and a full productivity plus security refresh favors E5.
Microsoft threat protection licensing paths compared

| Path | Best fit | Watch out for |
|---|---|---|
| Standalone Defender | One or two products needed | Cost climbs fast past three |
| E5 Security add on | E3 base, broad security need | Pay only for users who need it |
| Full E5 | Productivity plus security refresh | Double paying standalone SKUs |

For Defender for Endpoint, Plan 1 gives core prevention. Plan 2 adds detection, response, and hunting. Microsoft documents the split, and a team that can act on alerts needs Plan 2.
Sentinel is the cloud SIEM and is metered by data ingestion, not by user. It complements Defender but lives on a separate consumption budget, so model it apart from the seat count.
Filter noisy logs before they bill and route low value sources to cheaper tiers. Sentinel pricing rewards disciplined data sources over a raw firehose.
The standard pitch is that any security minded estate should buy E5 Security across every user to be safe. We disagree. In roughly 24 of the 40 estates we reviewed, more than a third of E5 Security seats sat on users who never generated a Defender alert worth an analyst response. The buyer side move is to license the full stack to the roles a security operations team actually monitors, hold the rest on Plan 1 or standalone, and tune Sentinel ingestion separately. Breadth of license is not the same as breadth of coverage.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
The most common waste is buying standalone Defender for users who already hold an E5 seat. The capability is paid for twice.
Morten Andersen. Co Founder. Ex IBM, ex Oracle.
Cost control starts with mapping need to seat. Not every user needs every Defender product, and the suite already covers many of them.
Microsoft threat protection is licensed mainly through the Defender family, sold either as standalone plans per user or bundled into the Microsoft 365 E5 and E5 Security suites. You can buy a single Defender product or take the whole stack inside a larger M365 SKU.
E5 Security is an add on for E3 customers that bundles Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, and Defender for Cloud Apps. It gives most of the E5 security value without the full E5 price jump.
No. Every major Defender product can be bought standalone per user, so an E3 estate can add only the pieces it needs. E5 or E5 Security makes sense when you would otherwise buy three or more Defender products separately.
Plan 1 covers core endpoint protection like next generation antivirus and attack surface reduction. Plan 2 adds endpoint detection and response, automated investigation, and threat hunting. Most security teams that justify Defender at all need Plan 2.
Sentinel is the cloud SIEM and is licensed separately by data ingestion and analytics, not per user. It pairs with Defender but its cost model is consumption based, so it is budgeted apart from the Defender seat licenses.
Map which users truly need each Defender product, avoid double paying for capabilities already inside an E5 seat, and compare the standalone stack against E5 Security before committing. Sentinel ingestion should be tuned separately to control consumption cost.
No. In our reviews more than a third of E5 Security seats sat on users who never generated a Defender alert worth a response. License the full stack to the roles a security operations team monitors, and hold the rest on Plan 1 or standalone.
Across the security estates we reviewed, three in five were double paying for Defender on E5 holders. Removing those duplicates and right sizing Endpoint plans by role typically recovered a meaningful share of the security line before any renewal talk.