Defender for Cloud: CSPM, Compliance, Workload Protection…

Defender for Cloud, the executive overview

Simple explanation

Microsoft Defender for Cloud is Azure’s Cloud-Native Application Protection Platform (CNAPP). One pane of glass for posture (are my resources configured securely?), compliance (am I aligned with this framework?), and threat protection (what’s attacking my workloads right now?). It covers Azure, AWS, GCP, and on-prem servers/Kubernetes via Azure Arc.

SC-500 expects you to know three layers:

Defender Cloud Security Posture Management (Defender CSPM) — agentless posture scanning, attack-path analysis, secret scanning, malware scanning of disks, and security explorer for ad-hoc graph queries across your environment.
Regulatory compliance — evaluation against frameworks (MCSB by default, plus ISO 27001, PCI DSS, NIST 800-53, SOC 2, CIS, country-specific).
Workload protection plans — per-workload threat protection that bolts on (Defender for Servers, SQL, Storage, Key Vault, Containers, App Service, DNS, Resource Manager, APIs, AI Service, etc.).

Defender CSPM

Defender CSPM (paid tier) extends the free CSPM with:

Defender CSPM (paid) capabilities — what you get over free CSPM
Defender CSPM capability	What it gives you
Agentless disk scanning	Snapshots VM/EBS/PD disks, scans for vulnerabilities, secrets, malware in a Defender-controlled environment — no in-guest agent
Attack-path analysis	Graph that traces 'an attacker who compromises X can reach Y' — combines posture findings, network reachability, identity, and data sensitivity
Cloud Security Explorer	Ad-hoc graph queries across your multi-cloud environment ('show me all internet-facing VMs that have a critical CVE and access a Key Vault')
Secret scanning	Plaintext secrets in VMs, storage, code repos (via Defender for DevOps) — discoverable in the recommendations + Security Explorer
Malware scanning of disks	Agentless detection of known malware on disk via the snapshot mechanism
Permissions Management integration	Surfaces overprivileged identities in the recommendations and attack paths
Governance rules	Assigns owners, deadlines, and notifications to recommendations; tracks SLA
Regulatory compliance enrichments	Additional compliance content beyond the free tier

Attack-path analysis

Attack paths are the single most-explained Defender CSPM capability in production reviews. Each path connects an entry point (e.g. an internet-facing VM) to a sensitive asset (e.g. a Key Vault holding production secrets) via the intermediate steps an attacker would take (compromise the VM, use the VM’s managed identity to read Key Vault). The path is rated by:

Risk level — informed by data sensitivity, exposure, and the criticality of the route.
Insights — what makes this path particularly bad (e.g. “VM has critical CVE”, “VM’s managed identity is overprivileged”, “Key Vault holds production-tagged secrets”).

Remediating an attack path typically only requires breaking one step in the chain (patch the VM, scope down the managed identity’s RBAC, lock down the Key Vault firewall). The path turns a list of disjointed recommendations into prioritised, motivated action.

Regulatory compliance

The Regulatory compliance view in Defender for Cloud maps your environment against compliance frameworks. Microsoft Cloud Security Benchmark (MCSB) is on by default. Additional standards can be added:

ISO/IEC 27001:2022
PCI DSS v4.0
NIST SP 800-53 Rev. 5
SOC 2 (Type 2)
CIS Microsoft Azure Foundations Benchmark
HIPAA HITRUST
FedRAMP High / Moderate
Country-specific frameworks (Australian PSPF, UK Cyber Essentials, NZISM-aligned standards, SWIFT CSCF, etc.)

For each standard, Defender for Cloud evaluates the in-scope subscriptions/connectors against the standard’s controls, marks each as Healthy / Unhealthy / Not applicable, and aggregates to a per-standard compliance percentage.

Attestations and exemptions

Manual attestation — for controls Microsoft cannot automatically evaluate (process controls, documented procedures), an admin attests with a justification. Counts toward compliance.
Exemptions — controls that genuinely don’t apply can be exempted with a reason and expiry. Doesn’t count as compliant — but doesn’t count as non-compliant either, and the exemption is auditable.

Workload protection plans

Each plan adds threat protection specific to its workload class:

Defender for Cloud workload protection plans — one column per workload class
Plan	Protects	Examples of detection
Defender for Servers (P1/P2)	Azure VMs + Arc-enabled servers	MDE EDR, JIT, agentless scanning, vulnerability assessment (covered Module 20)
Defender for SQL	Azure SQL DB, Managed Instance, SQL on VM/Arc, OSS DBs	Anomalous queries, SQL injection patterns, brute-force attempts
Defender for Storage	Storage accounts (blob, file, queue, table)	Anomalous access, suspicious uploads, malware scanning on upload (next-gen plan)
Defender for Key Vault	Key Vault data plane	Anomalous secret/key access patterns (covered Module 5)
Defender for Containers	AKS, ACR, Container Apps, ACI	Runtime threats, image vulns, K8s admission (covered Module 21)
Defender for App Service	App Service, Functions, Logic Apps Standard	Web shell upload, suspicious POST patterns, runtime threats
Defender for Resource Manager	Azure Resource Manager control plane	Suspicious resource operations, abnormal admin behaviour
Defender for DNS	Azure DNS resolution from Azure resources	DNS exfiltration patterns, communication with known-malicious domains
Defender for APIs	APIs published in Azure API Management	Sensitive data exposure in responses, unusual API consumption patterns
Defender for AI Service	Microsoft Foundry AI workloads	Prompt injection, jailbreak, data exfiltration via model (covered Module 18)

How plans are enabled

Per-subscription in Defender for Cloud > Environment settings > [subscription] > Defender plans. Some plans (Containers, Servers, SQL) have sub-options for things like agentless scanning enablement, MDE auto-onboarding, file integrity monitoring. The exam expects you to know that enabling is per-subscription and billing is per protected resource (per-VM, per-database, per-storage-account, etc.).

Free CSPM vs Defender CSPM — when is the paid tier needed?

Free CSPM gives you Secure Score and MCSB recommendations across all enabled subscriptions, always — no charge. It’s the default safety net.

Defender CSPM (paid) is the right answer on SC-500 when the scenario mentions any of:

Attack-path analysis or “show me how an attacker could reach X”
Agentless disk scanning for vulnerabilities, secrets, or malware
Cloud Security Explorer queries across the environment
Governance rules for recommendations (owners, deadlines, SLAs)
Integration with Permissions Management for overprivileged identity attack paths
DevOps repository scanning via Defender for DevOps

If the scenario is “show me my Secure Score” or “list MCSB recommendations”, free CSPM is sufficient. If it goes deeper (attack paths, secret scanning, explorer queries), the answer is Defender CSPM.

Scenario: Asha enables the CNAPP across Aurora’s estate

Asha at Aurora Health Service is standing up Microsoft Defender for Cloud across 47 subscriptions (Azure + AWS + GCP):

Free CSPM is on by default. Asha reviews Secure Score by subscription and assigns the worst-scoring subscriptions to their resource owners.
Defender CSPM (paid) enabled across all 47 subscriptions. Why: attack-path analysis is the executive view her CISO wants (“walk me through how an attacker could exfiltrate patient data”), and agentless secret + malware scanning closes posture gaps that MDE-only doesn’t reach.
Workload plans enabled selectively:
- Defender for Servers Plan 2 — all subscriptions (including AWS + GCP via the multicloud connectors).
- Defender for SQL — all subscriptions with Azure SQL.
- Defender for Storage — all subscriptions.
- Defender for Key Vault — all subscriptions.
- Defender for Containers — subscriptions hosting AKS clusters.
- Defender for App Service — subscriptions with App Service workloads.
- Defender for Resource Manager — root management group.
- Defender for APIs — subscriptions with APIM.
- Defender for AI Service — subscriptions hosting Foundry workloads.
Regulatory compliance: MCSB always on; add ISO/IEC 27001:2022 + NIST SP 800-53 Rev. 5 (US-facing partnerships) + HIPAA HITRUST (US-facing); quarterly review by the compliance team.
Governance rules assign recommendation ownership: storage-related recommendations route to the Data Platform team with a 14-day SLA; identity-related to the Identity Engineering team with a 7-day SLA.
Cloud Security Explorer — Asha builds a saved query: “All internet-facing resources that hold customer-sensitive data and have an attack path of length ≤ 3” — reviewed weekly.

The Defender for Cloud overview becomes Aurora’s monthly board-level security report. Attack paths drive sprint prioritisation. Compliance percentages roll up to the audit committee.