Microsoft Security Copilot Pricing, E5 Inclusion, and When It's Worth Buying - TrustedTech

Microsoft Security Copilot is a generative AI assistant for security and IT operations. It's available as a standalone portal and embedded inside Microsoft Defender, Entra, Intune, Purview, and Sentinel. As of 2026, the way organizations license this tool has shifted significantly, particularly for those already invested in the Microsoft 365 ecosystem.

The Short Version

There are three ways to get Microsoft Security Copilot today: standalone Security Compute Units (SCUs) at $4/hour, included with Microsoft 365 E5, or included with Microsoft 365 E7 (which itself includes E5). The E5 inclusion benefit announced at Ignite 2025 gives you 400 SCUs per month for every 1,000 paid E5 licenses, up to 10,000 SCUs/month, at no additional cost. If you already own E5 and are still paying for separately provisioned SCUs, you're likely overpaying.

What Microsoft Security Copilot Does

Security Copilot takes a natural-language prompt (such as "summarize the last phishing incident involving user X and show me lateral movement") and pulls context from your connected Microsoft security products to generate a grounded, actionable answer. The audience is SOC analysts, IT admins, and identity teams, not end users.

Typical daily use cases include:

  • Incident investigation: turning a raw Defender alert into a plain-English timeline with recommended next steps
  • Threat hunting: translating a natural-language question into KQL for Defender or Sentinel
  • Script analysis: inspecting suspicious PowerShell, Python, or Bash before running it
  • Vulnerability prioritization: ranking CVEs against what's actually exposed in your environment (versus the full theoretical list)
  • Report generation: writing the executive-friendly version of an incident summary without the analyst spending 90 minutes on it

The deeper value comes from the "embedded agents" Microsoft added in late 2025. These are prebuilt, role-specific agents baked into the products your team already uses, such as the Phishing triage agent in Microsoft Defender, the Conditional Access optimization agent in Microsoft Entra, the Vulnerability remediation agent in Microsoft Intune, and the Data security agent in Microsoft Purview. You don't have to leave the product you're working on to get Security Copilot's help.

The Pricing Picture

There are now three realistic paths to buying Security Copilot. Which one fits depends almost entirely on what you already own.

Path 1: Standalone Security Compute Units (SCUs)

The original 2024 model still exists:

  • Provisioned SCUs: $4 per SCU per hour, billed hourly, minimum 1 SCU
  • Overage SCUs: $6 per SCU per hour, used automatically when you exceed provisioned capacity (up to a cap you set)
  • Prerequisite: an Azure subscription and Microsoft Entra ID

A single provisioned SCU running 24/7 costs roughly $2,920/month or $35,000/year. Microsoft's recommendation for evaluation is usually 3 SCUs, which is closer to $105,000/year. This path makes sense if you're not on E5 and want to pilot the product, or if your SOC is heavy enough that the E5 inclusion allocation wouldn't cover your usage anyway.

Path 2: Included with Microsoft 365 E5

Announced at Microsoft Ignite 2025, Security Copilot is now included with Microsoft 365 E5 at no additional cost:

  • Allocation: 400 SCUs per month for every 1,000 paid E5 user licenses
  • Cap: up to 10,000 SCUs per month
  • Activation: automatic, with 30 days' notice before your tenant is enabled
  • Overage: as of early 2026, there is no overage billing for E5 inclusion. If you exhaust your monthly allocation, analysts get throttled until the next reset.

E5 Licenses       Included SCUs/month
400 users         160 SCUs
1,000 users       400 SCUs
4,000 users       1,600 SCUs
25,000+ users     10,000 SCUs (cap)

Note that SCUs do not roll over: use them or lose them each month. Additionally, the inclusion is a hard cap for now. If your SOC is running agents aggressively during a major incident, you can exhaust a month's allocation faster than you'd expect.

Path 3: Included with Microsoft 365 E7

Microsoft 365 E7, generally available May 1, 2026, at $99/user/month, bundles E5, Copilot, Entra ID Suite, and Agent 365 into a single SKU. Because E7 includes E5, it carries the same Security Copilot entitlement.

Action Plan and Next Steps

Already on E5, already provisioning SCUs separately: Do not cancel your existing capacity before your tenant's E5 inclusion is activated. Once active, compare your historical SCU consumption against your new monthly allocation. Most organizations can drop their standalone capacity after activation.

Already on E5, never used Security Copilot: Wait for your tenant activation (you'll get 30 days' notice), then pilot it inside the products you already use. There's no reason to provision standalone SCUs first.

On E3 or Business Premium: Security Copilot technically works on E3, but with fewer connected data sources, and the standalone SCU economics are brutal at a smaller scale. If E5 is overkill, then standalone Security Copilot is probably too.

Evaluating E7 at launch: Confirm with your CSP partner whether Security Copilot activates at E7 GA or waits for the same phased E5 rollout.

Common Mistakes We See

Buying standalone SCUs when E5 inclusion is coming: A few analyst licenses' worth of usage rarely justifies $35,000+ per year in provisioned capacity when you already qualify for the inclusion allocation.

Treating the E5 allocation as unlimited: It isn't. Run the math on a busy incident response month, not an average one.

Ignoring the embedded experience: Teams that only use the standalone portal tend to under-adopt. Productivity gains show up faster inside Defender, Entra, and Intune.

Forgetting that Security Copilot inherits user permissions: It uses on-behalf-of authentication. If an analyst doesn't have access to a data source, Security Copilot won't reach past that boundary for them.

The Bottom Line

In 2026, the question is different than it was at launch. For most E5 customers, the right move is to wait for tenant activation and use what they already own. For teams on E3 or Business Premium, the calculus hinges on whether E5 is in your future for other reasons. For SOCs that consistently exhaust the inclusion allocation, a hybrid model (E5 inclusion plus supplemental provisioned SCUs) is the most likely landing spot.
